How Secure Are Macs?

The Classic Mac OS had well under 100 viruses through its history, and Mac OS X has even less after 11 years. (Can you name even one?) That's no reason to be complacent, because while OS X viruses are virtually nonexistent in the wild, there are other types of malware designed to infect Macs. Most of these are Trojans, malware that you download thinking it's a legitimate app or plugin, such as Flash.

Some Mac users believe that older versions of Mac OS X and older browsers are less secure, while others believe that older versions and browsers are such small targets that they are far less likely to be attacked. After all, what hacker wants to brag about hacking a 5-year-old operating system or a long discontinued version of Safari, Firefox, or some other browser?

This week our staff looks at Mac security - viruses, different types of malware, preventive measures, anti-malware apps, and other resources.

Alan Zisman (Zis Mac): Computerworld story this past Tuesday: Avira Unveils Mac Antivirus Software.

Despite this, the amount of virus and related malware targeting the Mac platform remains tiny. I'm more worried about malware targeting third-party software such as Adobe Reader (noting that this is less-widespread on Macs since Preview offers built-in PDF capabilities).

Nevertheless, for the past year or so, I've been routinely installing the free Sophos antivirus on Macs I have contact with.

Dan Knight (Mac Musings): There was another malware article on Tuesday, New Exploit Uses Old Office Vulnerability for OS X Malware Delivery on Cnet. This program uses copies of Office 2004 and 2008 that don't have recent security updates (Microsoft fixed this problem in Summer 2009), so its target audience is probably quite small.

Alan Zisman: My line with Windows users for the past while is that it's been important to keep the third-party stuff up to date: Acrobat Reader, Flash, Shockwave, QuickTime, Microsoft Office, etc. That is where the bulk of the malware has been happening. It hasn't been clear whether things like (Windows) Flash vulnerabilities also affected Mac users, but that was certainly the case way-back-when with (for example) Microsoft Word Macro malware.

In any event, it's probably good advice for Mac users as well - who are, I suspect, just as prone as Windows-users to click "Later" when an update dialogue box appears on top of their Facebook session.

Speaking of Facebook, it appears that the latest twist on third-party malware is with social networking add-on apps - and I don't see any reason why Mac-users would be invulnerable to these.

Allison Payne (The Budget Mac): Security on the Mac platform is something I tend not to think about too much. It just hasn't ever been a problem the way it is with Windows. I'm more comfortable relying on Apple's own built-in security systems, rather than installing a third-party antivirus program that could have its own holes waiting to be exploited.

Thinking back on conversations I've had on this topic over the years, the old chestnut about Macs not being targeted because there aren't enough of them and there's no money to be made never rang true for me. First, there are a lot more Macs and iOS devices now than when that argument first surfaced, and yet still almost no exploits in the wild. Second, Macs are known as premium products; there is money to be made off of the luxury-goods-buying demographic. Third, wouldn't hackers salivate at the chance to take down the OS everyone "knows" is super-secure?

In practice, of course, I'm always conscientious about security, and safe internet surfing habits are important regardless of what platform you use. Identity theft is a huge problem that overlaps with general computer security issues, but it is its own behemoth that everyone should do his/her best to guard against.

Dan Knight: One thing I should clarify is that computer security is defined differently than in the real world. Computer security is a theoretical concept that examines the number and kind of issues in an operating system or application, not the actual existence of programs that leverage those security holes in the real world. Thus computer scientists can say that Mac OS X is less secure than Windows or Linux even though there are virtually no computer viruses (and very little malware at all) beyond the Windows platform.

It's like saying your house is less secure because you have a window open or haven't locked the door, which is technically true but doesn't take into consideration the actual crime rate in your neighborhood.

Simon Royal (Mac Spectrum): Security is one of the points that drew me to the Mac platform 12 years ago. Fed up with the need for anti-virus slowing down my Windows machine, it amazed me that the Mac was free of such software and worries. In the 11 years I have been using a Mac, I have transitioned from Mac OS 9 through to every version of Mac OS X, and only once have I thought about anti-virus. I installed a few but soon realised it was a waste of time and system resources.

In short, Mac anti-virus at present is only there to prevent you passing infected files on to Windows users. I'm sorry, but that is their responsibility, not mine. Why should I drag my machine to help them out.

While a few pre-OS X Mac viruses were found, there have only been a couple of "proof-of-concept" OS X attacks, but nothing in the wild.

I agree with Allison, the "there aren't enough users" argument doesn't hold up anymore. Mac users are at an all time high, and with iOS devices so popular, Apple users are no longer relegated to the nerdy bunch, now everyone wants to be a Mac or iDevice user. The Unix underpinnings of Mac OS X are what make it secure and hard to get in to. iDevices I am not so sure about, easy to jailbreak and exploit.

Jason Schrader (Maximize Your Mac): I just bought a new iPad. I wonder what will happen with security on mobile devices. I would think that would be where hackers and spammers would hit next, as there are so many users. There are millions of iPhones and iPads out there with no protection. There is no security software on my PowerBook, as I have never seen a virus in the twenty years I have been using Macs. That said, I only worry about my PCs, which certainly have security software!

Alan Zisman: While I'm not suggesting your PowerBook is infected, note that one of the lessons from the Windows infestation is that you can easily be infested without seeing any indication. Being part of a botnet serving spam doesn't necessarily leave many traces.

Austin Leeds (Apple Everywhere): There's already Android malware, but I've yet to see a serious threat to iOS.

Phil Herlihy (The Usefulness Equation): There is a growing collection of Trojans for OS X. As was said in the thread already, your machine doesn't need to seem infected, to be infected. These programs exploit the feeling of security on the platform to let you take your guard down.

Safari is riddled with exploitable holes, but there are only a few that actually gain client-side code execution.

All the Unix base does is shift the blame over to the user. There are security practices on OS X that are frowned upon, the "black box" administrator access request box is one. The program doesn't state it's purposes for requesting administrator access, and users grow accustomed to seeing those prompts during a software install. How easy would it be to modify an installer package in a way that makes the Trojan install completely transparent? Not that hard. Also, for the record, iDevices run the Unix base all the same. That code is the Darwin kernel compiled to run on ARM chips. I'm not denying the difference, but merely stating that it's not as different as it seems.

Apple is re-creating this problem in a new way with the App Store. Users blindly accepting that an app is secure because it has passed Apple's checks. Notice the recent trend of apps taking data they weren't privileged to? Unless they bridge that disconnect, these problems will continue.

Austin Leeds: Even a fortress in a war zone won't hold out for long when it's being shelled, whereas a glass Apple Store may last for years....