Top (Mac OS) X Security Myths

You've heard the rumors: Macs are safer than PCs. Macs don't need separate antivirus software. Snow Leopard is the safest OS in existence. The list goes on and on. But how many of those claims are the truth and how many are just, well, myths? We explored fact vs. fiction, and here is what we came up with.

Thanks to aggressive marketing from Apple, Mac users often think they are impervious to the viruses, Trojans and numerous other assaults that have plagued Windows users for decades. Security experts say that if Mac users are less susceptible to attack, it's simply due to the fact that there are fewer viruses written for Macs than for Windows. That is rapidly changing, however, as Macs gain market share. Meanwhile, users who have the unfortunate experience of being attacked by information-stealing Trojans will likely have their systems compromised and their data stolen ... just like every other PC user out there.

Not true. In fact, studies have shown that Macs actually have MORE vulnerabilities than their Windows counterparts, experts say. The reason? Constituting a "seek and ye shall find" phenomenon, it was simply a matter of attention, experts say. Some maintain that Apple's credibility in the security community increased as it gained traction in the marketplace. Others contend that a disproportionate amount of researchers in the field prefer Apple, and subsequently put their efforts into finding Windows' vulnerabilities instead. But once security experts began to seriously research Apple, the number of vulnerabilities increased exponentially, experts say. However, whether exploits target those vulnerabilities is another question.



"We can compare it to the situation with Internet Explorer and Firefox. Lots of people were saying that [Firefox] was so much more secure than IE," said Roel Schouwenberg, senior antivirus researcher for Moscow-based Kaspersky Lab. "It actually gained in popularity. Now all of a sudden a lot of vulnerabilities were being found in Firefox. I don't think you can underestimate the importance of market share."

Not so. Not even Apple says that anymore, even if it has downplayed the fact that users also should equip themselves with third-party antivirus software. There are just too many Mac Trojans and viruses out there that can evade Mac's built-in security systems -- and the numbers are growing.

"If you look at the Apple consumer base, and how they generally tend to think about security, the vast majority of Apple users will assume this is all they need," Schouwenberg said. "It's really nothing fancy and it can be easily bypassed."

Fortunately, there also are a number of antivirus offerings specifically designed for the Mac OS X platform.

Or not. If anything, experts say, the antivirus feature lulls users into a false sense of security -- that is to say, even more than the one they already had. Apple turned heads earlier this month with the release of its Mac OS X version 10.6 Snow Leopard, which touted that it came equipped with antivirus and additional security features. However, upon closer inspection, security experts said that the built-in antivirus feature was designed to block a whopping total of two -- yes, two -- Mac Trojans, despite the fact that researchers have detected dozens of malicious threats that target the Mac OS X platform. According to researchers at Intego, the built-in antivirus only scans files on a handful of applications, including Safari, Mail, iChat, Firefox, Entourage and a few other browsers, but fails to scan from other sources, such as BitTorrent or FTP files.

No. Actually, experts maintain that most of the attacks targeting Mac OS X will exploit the Web browser, and ultimately, the user's behavior. As in any PC, the biggest threat typically starts with the user and quite often via e-mail -- falling for phishing sites, clicking on malicious links, surfing infected Web sites, etc.



And as with their PC counterparts, Mac Trojans are becoming more sophisticated and stealthy, frequently designed to steal information and evade antivirus software. This means that as Mac's market share further grows well into the double digits, users can only expect to see more Trojans, worms and other Web-based threats taking over their favorite machines.



"The main danger for Mac comes not from the operating system but it comes from the behavior of the user," said David Perry, director of global education for Trend Micro. "Falling for bad phishing Web sites, responding to ads on Craigslist -- that is enough so that the end user requires additional protection."

Er, no. In fact, the company's historic lack of emphasis on security issues has left Apple vastly underprepared to deal with the barrage of anticipated Mac malware coming down the pike. Experts contend that Apple lacks the necessary manpower to create and test patches on a monthly basis and still needs the extensive specialized team needed to develop significant changes to Mac OS X internals that would make the platform more resilient to sophisticated malware attacks. And security experts also emphasize that Cupertino needs to stay on top of security issues in its open source projects and third-party components.





However, Apple appears to be trying. In light of a groundswell of Mac OS X malware, Apple recently hired its first security guru, the former head of security architecture at One Laptop Per Child (OLPC) Ivan Krstic, to oversee the security division at Apple.

Not necessarily, security experts say. This is simply due to the fact that there still isn't the necessary volume of vulnerabilities to warrant a monthly update cycle. However, experts agree that Apple could definitely stand to address security bugs in a more timely manner. After all, there are more efficient ways to repair vulnerabilities than with a patch that averages 70 to 80 fixes every few months.



Meanwhile, Apple scrambled to repair a six-month-old critical Java vulnerability this spring after -- but only after -- researcher Landon Fuller published a proof of concept exploit exposing the flaw six months after it was first detected. Yowza.



However, Apple will likely consider a more frequent patch cycle as malware authors more frequently find ways to launch attacks that exploit its vulnerabilities.

Actually, some of the first and most destructive viruses were initially written for Mac, experts say -- back in the 1980s when Mac still had sizable market share. Viruses for Macs dropped significantly in the mid 90s, along with Mac's market share and credibility in the marketplace. But the viruses have since experienced a resurgence as Mac gained popularity after 2001 with its Tiger, Leopard and now Snow Leopard operating systems.

Granted, the number of Trojans and worms targeting the Mac platform does not even come close to the number for Windows platforms. That said, some of the current malware is pretty destructive. Last year a Mac Trojan swept from machine to machine, forcing users to download bogus antivirus software. Earlier this year, Mac users were pummeled with two variants of a Mac-only iServices Trojan distributed via pirated versions of Apple's productivity suite iWorks and cracked Adobe Photoshop CS4 applications. The Trojans later developed into a full-fledged global botnet that infected more than 40,000 Macs. And experts say that Mac users can expect to see more drive-by and browser attacks.

Here's the thing -- experience is always the best teacher. Unlike PC owners, Mac users are simply not used to dealing with rampant malware, experts say. As a result, Mac users are much more likely than their Windows counterparts to underprotect their machines, or not protect them at all. PC owners acknowledge, in fact expect, that their machines will be riddled with security flaws, which leaves them susceptible to all kinds of malicious code. If their PCs are a little slow or erratic, most will simply download that antivirus upgrade they had been meaning to install and go about their day. Not so Mac owners, who often assume that they're perfectly safe, even when they're not. So the upshot is, Mac owners don't know what they don't know. And that could likely be the biggest mistake of all.