
How safe is Safari from spyware?

Any input from the community on the safety of Safari with Mac OSX 10.6 from spyware would be appreciated. Also, the feeling of any additional protection needed.

MacBook Air, Mac OS X (10.5.8)

Posted on Sep 26, 2012 10:02 AM

30 replies

Sep 26, 2012 12:15 PM in response to Orionzx

Spyware doesn't have anything to do with your browser. Not directly anyway.


No browser is safe if you've unwittingly installed spyware, such as a keylogger or other malware that can steal your ID, bank account numbers, passwords, etc. as you type them in or use them in some other way.


Your best defense is to refuse any app to install where you don't know its origin. Like web sites that tell you to install the latest version of Flash to use their site. Don't trust those for a nanosecond. Download and install Flash directly from Adobe only. Another is insisting you need to install a new codec to view some sort of video. Cancel out of those immediately.


Torrents are an extremely good way to get malware on your computer. Don't ever install illegal software from any such file sharing sites. There is no way for you to know what else is in the "free" software you're installing.

Sep 26, 2012 12:50 PM in response to Orionzx

One way you might get spyware through Safari is if you install a Safari extension from an untrustworthy source. Also, it's a good idea to turn off Java in Safari preferences to avoid some of the recent Java hacks. Note that Java is different than JavaScript; you should leave JavaScript on.


As far as additional protection, on the whole the biggest vulnerability is the user. Many of today's hacks depend on fooling the user, like sending you an email that gets you to click on a link to a bad web site. Therefore, the best protection is to be vigilant and careful about what you click on. Kurt's advice along these lines is very good.

Sep 26, 2012 2:19 PM in response to Orionzx

If you want to talk about safety and browsers, Firefox with the Add-on NoScript provides the best safety of any browser. It affords fine tuned control over JavaScript.


Many browser exploits are delivered via JavaScript. See this on using NS.


Also, Safari for Snow Leopard doesn't appear to be getting any more updates, consequently it is missing further security patches. Firefox is being updated.


Besides that, here's a good general introduction to the topic of malware.


http://www.reedcorner.net/mmg/

Sep 26, 2012 2:32 PM in response to Orionzx

Does Norton AV provide any protection over and above personal discipline?

Anything Norton for Mac should be avoided. It has a fine history of trashing many OS X computers. If you must, or just want to run some sort of AV software, use the free ClamX.

P.S. Any way to "know" you are safe from past practices?

Not easily. Well written malware does its best to make sure you don't know it's there.


WZZZ,

Many browser exploits are delivered via JavaScript.

That would be Java, not JavaScript. Or at least the recent Flashback exploit, and the others that followed trying to use the same flaw were all Java related. Can't say I've seen an exploit related to JavaScript.

Also, Safari for Snow Leopard doesn't appear to be getting any more updates, consequently it is missing further security patches.

A new security update for Snow Leopard was released just last week. Though I wouldn't hold out much hope we'll see too many more.

Sep 26, 2012 2:50 PM in response to Kurt Lang

Kurt Lang wrote:

WZZZ,

Many browser exploits are delivered via JavaScript.

That would be Java, not JavaScript. Or at least the recent Flashback exploit, and the others that followed trying to use the same flaw were all Java related. Can't say I've seen an exploit related to JavaScript.

Also, Safari for Snow Leopard doesn't appear to be getting any more updates, consequently it is missing further security patches.

A new security update for Snow Leopard was released just last week. Though I wouldn't hold out much hope we'll see too many more.

Kurt, I was talking about JavaScript, specifically certain browser exploits, not Java. Have a look through this and this to see what I was talking about.


And I wasn't talking about the recent Security Update for Snow (tell me about it!). I meant that Safari 5.1.7, apparently being the final version for Snow, didn't get the security patches that the new Safari for Lion or ML got. It's being left behind.

Sep 26, 2012 2:57 PM in response to WZZZ

Kurt, I was talking about JavaScript not Java. Have a look through this to see what I was talking about.

That's better. The original link had none of this info. It was just a primer on how to use the NoScript plugin.

I meant that Safari 5.1.7, apparently being the final version for Snow, didn't get the security patches that the new Safari for Lion or ML got.

Sure it did. Here's the link for the full listing of security updates in the Snow Leopard 2012-004 update. Within that, you can click on various links that show which versions of Safari got what updates. One of them is specifically for 5.1.7.

Sep 26, 2012 3:26 PM in response to Kurt Lang

But that's just for WebKit. There are many more vulnerabilities patched in the new Safari 6. (It may be some of these were included in the 5.1.7 update, if that was released around the same time.)


http://support.apple.com/kb/HT5400


http://support.apple.com/kb/HT5502


Also for NoScript, this was in my edited post, but I don't think you saw it.


http://noscript.net/faq#xss


My first post, which brought up the subject of NS, was for the OP and meant to be fairly non-technical; that's why I didn't provide those links earlier.


Message was edited by: WZZZ

Sep 26, 2012 4:47 PM in response to Orionzx

Orionzx wrote:


Thanks for the input. Very helpful and I do try to use practices you and Network 23 suggested. However, not sure about some of the other family "users". Does Norton AV provide any protection over and above personal discipline?

Don't install it. I've read many unhappy reports from Mac users where Norton trashed their system, and I can't recall any happy users of Norton AV.


OS X itself provides a level of protection when you launch an app for the first time after downloading it. You might have seen this, it asks you if you really want to launch it. That's to help ward off apps that you didn't realize you were installing. I'm not sure if there is other extra software that can provide meaningful protection above that.

Sep 26, 2012 11:01 PM in response to Orionzx

Orionzx wrote:


Any input from the community on the safety of Safari with Mac OSX 10.6 from spyware would be appreciated.

Using the generally accepted definition of "Spyware", it would almost have to have been installed by somebody having access to your computer or your permission to share it over your network. There are some recent Trojans which have the potential to install such things, but so far no reports of anything like that.


Glad you've updated to 10.6 as your profile still says you are running 10.5.8 which is more vulnerable to malware infection.

Sep 26, 2012 11:14 PM in response to WZZZ

WZZZ wrote:


Many browser exploits are delivered via JavaScript.

Admittedly JavaScript is responsible for a lot of annoying features (e.g. redirects, obscured URLs, pop-ups, pop-unders, assorted adware), I am not aware of any malware-like exploitation that can impact OS X or any of its applications. ClamAV currently has definitions for 1369 JS exploits and none of them are marked as OSX. Clearly it could be done, just that as far as we know it hasn't yet.


I've used NoScript for years, but only because it's so good at removing annoying content.

Sep 26, 2012 11:25 PM in response to WZZZ

WZZZ wrote:


But that's just for WebKit. There are many more vulnerabilities patched in the new Safari 6. (It may be some of these were included in the 5.1.7 update, if that was released around the same time.)

But look at the Apple Security announcement for Safari 6.0; only 4 of the 121 patches were for Safari, the rest were all WebKit. The ratio for 6.0.1 would appear to be similar. I would have to agree that the 5.1.7 WebKit update covers considerably fewer issues and fully accept the premise that it's much more vulnerable than Safari 6.0.x.
