Mac OS X = Security?
You've heard the rumors: Macs are safer than PCs. Macs don't need separate
antivirus software. Snow Leopard is the safest OS in existence. The list goes
on and on. But how many of those claims are the truth and how many are just,
well, myths? We explored fact vs. fiction, and here is what we came up with.
Myth 1: Macs Are Safer Than PCs
Thanks to aggressive marketing from Apple, Mac users often think they are
impervious to the viruses, Trojans and numerous other assaults that have plagued
Windows users for decades. Security experts say that if Mac users are less
susceptible to attack, it's simply due to the fact that there are fewer viruses
written for Macs than for Windows. That is rapidly changing, however, as Macs gain
market share. Meanwhile, users who have the unfortunate experience of being attacked
by information-stealing Trojans will likely have their systems compromised and their
data stolen ... just like every other PC user out there.
Myth 2: Macs Have Fewer Vulnerabilities Than Windows
Not true. In fact, studies have shown that Macs actually have MORE vulnerabilities
than their Windows counterparts, experts say. The reason? It's a "seek and ye
shall find" phenomenon: it was simply a matter of attention, experts say. Some maintain
that Apple's credibility in the security community increased as it gained traction in
the marketplace. Others contend that a disproportionate number of researchers in the
field prefer Apple, and consequently put their efforts into finding Windows'
vulnerabilities instead. But once security experts began to seriously research Apple,
the number of vulnerabilities increased exponentially, experts say. However, whether
exploits target those vulnerabilities is another question.
"We can compare it to the situation with Internet Explorer and Firefox. Lots of
people were saying that [Firefox] was so much more secure than IE," said Roel
Schouwenberg, senior antivirus researcher for Moscow-based Kaspersky Lab. "It actually
gained in popularity. Now all of a sudden a lot of vulnerabilities were being found in
Firefox. I don't think you can underestimate the importance of market share."
Myth 3: Mac OS X Users Don't Need A Separate Antivirus Solution
Not so. Not even Apple says that anymore, even if it has downplayed the fact that users
also should equip themselves with third-party antivirus software. There are just too
many Mac Trojans and viruses out there that can evade Mac's built-in security systems --
and the numbers are growing. "If you look at the Apple consumer base, and how they
generally tend to think about security, the vast majority of Apple users will assume
this is all they need," Schouwenberg said. "It's really nothing fancy and it can be
easily bypassed." Fortunately, there also are a number of antivirus offerings
specifically designed for the Mac OS X platform.
Myth 4: The Antivirus Feature In Snow Leopard Is Enough To Protect Users
Or not. If anything, experts say, the antivirus feature lulls users into a false sense
of security -- that is to say, even more than the one they already had. Apple turned
heads earlier this month with the release of its Mac OS X version 10.6 Snow Leopard,
which touted that it came equipped with antivirus and additional security features.
However, upon closer inspection, security experts said that the built-in antivirus
feature was designed to block a whopping total of two -- yes, two -- Mac Trojans,
despite the fact that researchers have detected dozens of malicious threats that target
the Mac OS X platform. According to researchers at Intego, the built-in antivirus only
scans files from a handful of applications, including Safari, Mail, iChat, Firefox,
Entourage and a few other browsers, but fails to scan files from other sources, such as
BitTorrent or FTP.
Myth 5: Most Mac Exploits Target The Operating System
No. Actually, experts maintain that most of the attacks targeting Mac OS X will exploit
the Web browser, and ultimately, the user's behavior. As with any PC, the biggest threat
typically starts with the user and quite often via e-mail -- falling for phishing
sites, clicking on malicious links, surfing infected Web sites, etc.
And as with their PC counterparts, Mac Trojans are becoming more sophisticated and
stealthy, frequently designed to steal information and evade antivirus software. This
means that as Mac's market share further grows well into the double digits, users can
only expect to see more Trojans, worms and other Web-based threats taking over their
"The main danger for Mac comes not from the operating system but it comes from the
behavior of the user," said David Perry, director of global education for Trend
Micro. "Falling for bad phishing Web sites, responding to ads on Craigslist -- that
is enough so that the end user requires additional protection."
Myth 6: Apple Is Just Like Microsoft And Has An Army Of Security Henchmen
Er, no. In fact, the company's historic lack of emphasis on security issues has left
Apple vastly underprepared to deal with the barrage of anticipated Mac malware coming
down the pike. Experts contend that Apple lacks the necessary manpower to create and
test patches on a monthly basis and still needs an extensive specialized team
to develop significant changes to Mac OS X internals that would make the platform more
resilient to sophisticated malware attacks. And security experts also emphasize that
Cupertino needs to stay on top of security issues in its open source projects and
However, Apple appears to be trying. In light of a groundswell of Mac OS X malware,
Apple recently hired its first security guru, the former head of security architecture
at One Laptop Per Child (OLPC), Ivan Krstic, to oversee the security division at Apple.
Myth 7: Apple Needs To Implement A Monthly Update Cycle Like Microsoft
Not necessarily, security experts say. This is simply due to the fact that there still
isn't the necessary volume of vulnerabilities to warrant a monthly update cycle. However,
experts agree that Apple could definitely stand to address security bugs in a more timely
manner. After all, there are more efficient ways to repair vulnerabilities than with a
patch that averages 70 to 80 fixes every few months.
Meanwhile, Apple scrambled to repair a six-month-old critical Java vulnerability this
spring after -- but only after -- researcher Landon Fuller published a proof-of-concept
exploit exposing the flaw six months after it was first detected. Yowza.
However, Apple will likely consider a more frequent patch cycle as malware authors
more frequently find ways to launch attacks that exploit its vulnerabilities.
Myth 8: Unlike Windows Viruses, Mac Malware Is A Recent Phenomenon
Actually, some of the first and most destructive viruses were initially written for Mac,
experts say -- back in the 1980s when Mac still had sizable market share. Viruses for
Macs dropped significantly in the mid-'90s, along with Mac's market share and credibility
in the marketplace. But the viruses have since experienced a resurgence as Mac gained
popularity after 2001 with its Tiger, Leopard and now Snow Leopard operating systems.
Myth 9: There Is Only A Handful Of Mac Malware, And It's Pretty Benign
Granted, the number of Trojans and worms targeting the Mac platform does not even come
close to the number for Windows platforms. That said, some of the current malware is
pretty destructive. Last year a Mac Trojan swept from machine to machine, forcing users
to download bogus antivirus software. Earlier this year, Mac users were pummeled with
two variants of a Mac-only iServices Trojan distributed via pirated versions of Apple's
productivity suite iWork and cracked Adobe Photoshop CS4 applications. The Trojans later
developed into a full-fledged global botnet that infected more than 40,000 Macs. And
experts say that Mac users can expect to see more drive-by and browser attacks.
Myth 10: Mac Users Will Surely Complain When Security Issues Become A Problem
Here's the thing -- experience is always the best teacher. Unlike PC owners, Mac users
are simply not used to dealing with rampant malware, experts say. As a result, Mac users
are much more likely than their Windows counterparts to underprotect their machines, or
not protect them at all. PC owners acknowledge, in fact expect, that their machines will
be riddled with security flaws, which leaves them susceptible to all kinds of malicious
code. If their PCs are a little slow or erratic, most will simply download that antivirus
upgrade they had been meaning to install and go about their day. Not so Mac owners, who
often assume that they're perfectly safe, even when they're not. So the upshot is, Mac
owners don't know what they don't know. And that could likely be the biggest mistake of