A lot of noise is being generated by web news sites clamoring about the “first virus” discovered that attacks OS X. A closer look at the stories, however, reveals that the alarm is coming from a company that wants to sell Mac-based anti-virus software or services–something we’ve seen before, unreliable because they have a vested interest in scaring people into buying what they are selling.

An even closer look shows that this “virus” or “worm” is nothing but a very ineffective trojan horse. It is not a virus. First of all, it is not self-propagating, despite claims in the media; it requires active, two-step user intervention–no, user authentication–to set it off. Second, the user authentication must be highly ignorant: the file is supposed to be an image, but when you double-click on it, it asks for your administrative password, which any Mac user of more than one week would instantly recognize as system-level event. Such a ruse is immediately obvious–a photo never requires a password, certainly not your password, a password that then opens up access to your operating system. If you’ve used a Mac and installed anything at all, you recognize the password as necessary to install software or gain access to the inner workings of your computer, something a photo should not be doing. The security company ringing the alarms calls “ridiculous” the point that user authentication is required: “Many PC viruses needed user interaction to set off infection, he pointed out, and this was no different.” Baloney. This one requires an administrative password, not just a double-click on a file. Not even close to being the same thing.

So, yes, if a person is stupid enough to then enter their password, then–shock!–their system is compromised. But this is less a case of malware than it is of extreme user gullibility. I mean, I could direct any computer user to delete their system files or initialize their hard disk, and if they’re naive enough, they would do it. Does that constitute a “virus” or any weakness of the OS? Hell no. It means the user is not too bright. And to propagate, it would require a string of dumb users to contribute their security passwords to pass it on each and every time. Not too bloody likely. Such a trojan horse could never propagate very far at all.

Compare this to Windows, where double-clicking on a virus file immediately infects the machine, without asking for verification. That’s one big difference between the two systems; one gives you due warning and requires your willing assistance, whereas the other one allows you to be easily taken in unless you are very careful or knowledgeable. Anyone might try to open an image file, and on Windows, that’d be enough to infect the computer. How many would open an image file and then actively type in a password that allows access to their operating system?

An analogy to better understand might be an intruder at your door. You hear someone at the door, and have no peephole; you simply open the door and the intruder barges in and ransacks your house. That’s Windows. On the Mac, you hear someone at the door, and there is a peephole; you see that it’s someone dressed in a ski mask, poised to break in. If you then decide to open the door, it’s your own damned fault.

Apple could “plug” this “hole” simply by adding text to the password dialog box: “You have opened an application which could access your system resources and cause damage. If you did not double-click an application, or do not fully trust the source of this software, then do not enter your password.” Problem solved.

A final point: I can’t find any story on the issue which even describes any damage done by the file–many even reported that the trojan even failed to execute properly. Meh. Some threat. As I’ve always held, the Mac is not invulnerable–but it does have good security, which, if anything, this whole episode proves.