Apple has a real security opportunity, but will it seize the moment?

To Apple's dismay, that bull's eye on its back is growing like skin cancer.

Or, you could say the Apple of 2011 is starting to resemble the Microsoft of 2001.

There's been a lot of drama this week over a scareware campaign targeting those die-hard Mac users, and we're still not used to seeing this sort of thing.

Remember the "I'm a Mac, I'm a PC" commercial a few years back where the Mac, dressed casually and looking all rock-star like, boasted to the PC in the stuffy suit that he doesn't get viruses? Well, the Mac hasn't shaved in a few days and he's looking a bit haggard -- kind of like someone who has caught a bad virus.

My Computerworld colleague, Gregg Keizer, captured the latest in this saga in the article "Newest MacDefender Scareware Installs Without a Password." He writes:

Hours after Apple owned up to a fake security software scam campaign, the "scareware" gang released a new variant, with a new name and a streamlined installation process that doesn't prompt victims for their password, a French antivirus firm said today.

"Given the timing, and the new name, it does seem like this was their reaction to Apple's support document," said Peter James, a spokesman for Intego, a maker of Mac-specific security software.

On Tuesday, Apple acknowledged the threat posed by what security experts call "scareware" or "rogueware," bogus security software that claims a computer is heavily infected with worms, viruses and other malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

Apple also said it would update Mac OS X, adding the ability of the operating system to detect and delete the MacDefender scareware.

The group responsible for MacDefender -- and other earlier variants named MacProtector and MacSecurity -- must have read the news, said James.

"They changed the name to MacGuard, and released it today, maybe just to give Apple the finger," James said.

The cyber criminals also changed the way they distribute the fake security program, breaking it into two parts: a small downloader, dubbed "avRunner," which once on a Mac reaches out to a hacker-controlled site to download the phony MacGuard security software.

But the new version also includes a more important twist.

"Unlike the previous variants, no administrator password is required to install the downloader," said James. "People will still see an installer screen -- [the attackers] haven't gotten to the point where they're completely avoiding that yet -- but all one needs to do to install is click 'OK' a couple of times. So it's one less hurdle."

I'm not trying to rub salt in the wound of all my Mac-using friends by pointing this stuff out. I'm not anti-Apple. I can't wait to get an iPad.

But now that attacks are no longer a fuzzy theoretical concept for the Mac crowd, Apple needs to seize the moment and show it's serious about security.

Microsoft stumbled all over the place in the beginning before it finally started to make real security headway. In my view, it took the company a couple of years after Bill Gates issued his Trustworthy Computing memo to start getting it right with Windows XP SP2. Even then, Microsoft had a long way to go.

Apple now has a unique opportunity to go all-out on security and avoid a lot of the missteps Microsoft took early on.

The company can meet the challenge as long as its hubris is kept in check.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.