When I was learning medicine by spending free time in a very busy A&E/ER, each nursing station kept a multilingual phrasebook covering a huge range of injuries and illnesses. The hospital was in Cardiff’s Tiger Bay, which in those days was an international port and hosted a very broad range of nationalities.
I learned the importance of being able to communicate accurately with every patient: how subtle differences between typhoid and typhus, malaria and malaise, yellow fever and jaundice, made huge differences to both the patient and their carers. And how, when you did arrive at a diagnosis, it was essential that the patient understood exactly what you meant.
Although there are many differences between computer malware and human illness, the importance of precise and unambiguous communication is just the same. Telling someone that their Mac has been affected by malware is a bit like telling a patient that they’re sick – for many, that news was already self-evident. What’s important is which malware.
In medicine, disease and illness has an exhaustive nomenclature which is laid out in the International Classification of Diseases, standardised for the world by the World Health Organisation. This is what is used for recording fundamental events in life and death, and is the basis for insurance, epidemiology, public health, hospital management, mortality data, and more.
One of the major problems with computer security is that there is no such agreed international terminology for malware. This is unsurprising given the division of interests over different hardware and operating systems, but for Macs there is only one major player, who owns the hardware and the OS: Apple. That Apple has failed to establish such a terminology for Mac malware is a glaring omission.
Not only does Apple not lead in nomenclature, but it deliberately obfuscates. In the last week, it has pushed updates to both its XProtect and MRT malware protection tools to address a new form of malware which it has named OSX.28a9883 variant A. No one else on the planet knows what Apple means by this, whether it is Apple’s internal name for malware which we know by another name, or this malware has not been identified by anyone outside Apple.
Presumably, should XProtect detect this new malware on your Mac, and MRT remove it, you would be informed that your Mac had been affected by OSX.28a9883.A.
Doctor: We’ve got the test results back, and they confirm you have a medical condition.
Patient: So what’s the diagnosis?
Doctor: I can’t tell you that, but we’ve given it a code, 28a9883.
Apple, you have got to be joking. This is the behaviour of a character in a farce, not of serious computer security software.
The oddest thing about this is how great a disservice it does to Apple and its products. From time to time, Apple likes to use the macOS security record as one of the strengths of its platform. Minimising the impact of malware on Mac users should be an important corporate goal. Giving malware cryptic names only delays other Mac security vendors taking action against that malware, and keeps users in the dark over what they should do to keep clear.
People didn’t eradicate smallpox, or now come close to eradicating poliomyelitis, by being secretive about them. Quite the contrary, public health education has played a major role in the prevention of all forms of disease, and accurate, standardised terminology is at the heart of that.
If Apple is serious about security and keeping on top of macOS malware to the benefit of Mac users, then it will take the initiative, establish standard nomenclature, and work with the security community to tackle these problems.
Continuing to push silent updates to undocumented security tools for malware like OSX.28a9883 variant A helps no one – not Apple, nor security researchers, nor system administrators, nor users. It just keeps postponing the day that a malware product will bring widespread pain and grief to everyone, and the illusion of macOS’s invulnerability will finally be shattered.