The Myth Of Complete Mac Security

Apple has long touted security as a selling point for Mac OS X. While it's the case that there are far more viruses for Windows than Mac, the notion that Mac users don't need to have any concerns about security is a myth that deserves to be well and truly busted.

It's widely acknowledged that the number of active, in-the-wild viruses, trojans and other nasties aimed specifically at Mac platforms is much lower than for Windows. In part, that's because the Unix roots of Mac OS X make it harder to devise that code. In greater part, it's because Mac simply isn't as popular a platform. Apple's large market share in smart phones and dominance in tablets hasn't yet made a serious dent in the popularity of Windows.

Windows security is much better than it once was — options like User Access Control cut off many obvious problems — but it still remains more vulnerable by virtue of sheer scale and a large pool of often ignorant users. But one platform being more targeted does not equate to its rival being completely safe.

Apple itself has acknowledged that security is an issue that needs addressing more. Its plans to incorporate Gatekeeper, an enhanced security platform, into the forthcoming Mountain Lion release underscore that point for anyone who didn't believe it when Apple added malware scanning technology to Snow Leopard. Gatekeeper's new contribution is allowing you to restrict app installation to apps from the approved Mac App Store. But as I commented at the time Gatekeeper was announced:

A common argument for buying a Mac is the idea that it’s “more secure” and “can’t get viruses”. The first is a vague and contestable statement; the second simply isn’t true. The two important points to recognise are that security is about much more than whether you get a classic computer “virus” — it encompasses anything that might compromise your personal data — and that a vital factor in keeping your system secure is human behaviour.

No matter what the merits of the underlying infrastructure, all that security protection can be eliminated by a user who is determined to install a given piece of software. Often that will be because of greed. One of the more active Mac vulnerabilities — one which actually led Apple to build the rudimentary XProtect scanner technology into the OS — got distribution by pretending to be a free installer for Apple's iWorks suite.

Gatekeeper's default option also isn't a perfect solution. Even assuming you're willing to restrict yourself in that way, it means you're relying solely on Apple to protect you, and that's unlikely to be a perfect solution. Obvious criminal code might get picked up, but security is also about protecting your personal data. Having allowed iOS apps to readily access personal contact data, Apple can hardly be said to have a perfect record.

And Gatekeeper doesn't do anything to address vulnerabilities that can be exploited using documents or web sites, or data downloaded via torrents or on USB sticks. Many of these vulnerabilities are fixed by Apple's regular system updates, but some users don't install these as regularly as they should, and some deliberately stick with older releases because they don't have suitable hardware or they don't like the changes in newer versions. Regardless, there's no guarantee that one day such a vulnerability won't be exploited before a patch becomes available.

To stay secure, Mac users need to follow the same fundamental steps as Windows users: ensure that their systems are regularly patched to eliminate newly-discovered vulnerabilities, exercise common sense when visiting unknown web sites and installing unfamiliar software, and adopting appropriate security technology such as firewalls, scanners and security suites. The risk of a malware infection might still be lower than on Windows, but it isn't non-existent, and a blasé attitude enhances that risk. Why wouldn't you take any reasonable steps to ensure your systems and personal data are secure?

Lifehacker 101 is a weekly feature covering fundamental techniques that Lifehacker constantly refers to, explaining them step-by-step. Hey, we were all newbies once, right?


Comments

    You have to think of all the people who did buy a Mac for this security "simplicity" because they are not very tech savvy and if they are asked whether they want to allow an app to access things, they will likely allow it and others as the weeks and months go by. Anyone who is tech savvy knows that nothing is 100% secure and is already taking the necessary steps to protect their data.. but it's all the others who have been lulled into a false sense of security that you need to worry about.. all the people who are generally not reading this blog....

    As a relatively new mac user , are there particular anti-virus and data protection software you would recommend?

      Lifehacker recommends Trend Micro for all your security needs!
      TREND MICRO: YOUR DIGITAL LIFE - PROTECTED

        @liraniel:
        That made me lol, but yeah... Lifehacker's Security Centre covers any subject Angus wants to write about -- any subject that readers have asked about, or could do further clarification. As an editor, he doesn't care if the category is sponsored or not -- the content remains the same. If you have a Security Question for an upcoming Security 101: Ping Angus here.

          When a specific article or genre of articles is sponsored, it looks like an ad. And if it's an article that advises the audience towards the sort of conclusion that you could reasonably guess that the sponsor in question would agree with, then the article is perceived by the audience as an ad.

          This impression is even stronger if you ad the fact that if I click on "Lifehacker Security Centre" up the top here, even if I avoid the Trend Micro logo, a new tab opens directing me to the Trend Micro online store. Informed people are, quite justly, a suspicious mob, especially about clickable internet pictures and links. If you don't want your article coming across as an ad, don't allow your site name to be clickable as an ad for your sponsor.

          I really enjoy reading Lifehacker articles but I don't think I'm alone in being suspicious of these security centre 'articles'. And if I can't trust that Angus or yourself or anyone else at Lifehacker is writing freely on security issues, how can I trust that you guys write freely on other issues?

            So are you saying Mac users shouldn't be worried about security? Pretty sure Angus et al have a pretty good track record. I still get people saying to me macs are totally secure. Its a strong perception, and one that is indeed false.

            http://www.zdnet.com/blog/security/pwn2own-macbook-attack-charlie-miller-hacks-safari-again/5846

      Use virus barrier (intego) - it's good for what it does, and removes windows viruses so they won't spread from email or docs, although it is true and I've only encountered 2 infections on my mac that i might not have got if i didn't have it

      I use Sophos in a combined Windows/Mac environment and it's worked well to date. I'm averaging about 2 viruses a month on the mac's. I should explain though that these are viruses that are coming into the file store and thus can infect the Windows VM's that some users run as well as those Win users who are connecting to the local DropBox.

      If you are in a pure Mac/*nix environment you probably don't have much to worry about but if you have Win boxes sharing your infrastructure, inbound viruses coming in through mac clients and infecting your Win boxes is a definite issue.

        If you're in a pure Mac environment you have even more to worry about. Windows admins are justifiably paranoid, you can't be good at your job without it. :P On the other hand, Mac admins think there's less malware out there.

        "If you are in a pure Mac/*nix environment you probably don't have too much to worry about", that sort of attitude is the one which lets a rootkit sit in your kernel for twelve months. Goes for *nix too, they had the idea that they couldn't be touched and there was a fair few links in there MAN pages/depositories which had been changed and they didn't pick up on it for months.

        If you're taking care of computers then constantly be aware that your machines are probably infected. No matter your OS

    where's the story?

    where's the "blasé attitude"?
    evidence? impact?

    Angus, stop mis-informing people. Please name 1 virus that exists for OS X. And remember that a virus is self propagating and does not require human action to allow it to be installed. You are using the term virus too loosely. There are some Trojans and other assorted malware for OS X, of that there is no doubt, but they do require the uninitiated to either click on them or allow them access to install on your system.

    Do a simple search on the web. There are no true viruses for OS X.

      I'm not 100% informed on the issue, but "Leap-A" comes to mind.

        Leap-A (or oompa loompa) was a Trojan, not a virus.

          Wow. Split hairs why don't we. Weather its a virus, worm, trojan, or whatever does it really matter? The point is that Mac is not invulnerable to malware. If I get stung by an insect I could care less if its a bee, a wasp, or anything else....it still hurts.

            A trojan is installed by the user. A virus is not. That's a pretty thick hair

        The word "virus" in common usage includes all malware, including that which tricks the user into installing it. Mac fanboys around the globe laugh incessantly at Windows "viruses" that are not in actual fact viruses either, yet get extremely defensive by going "But but but, it's not actually a virus!" as soon as Macs are being talked about.

        Get off the high horse and stop being such a hypocrite. It's not very becoming.

      You're right Bernie and there hasn't been one since the introduction of OS X. You'd think the crooks would know about Macs by now. Viruses were 'invented' for Macs, I had to run Virus software on OS 9 because there were true viruses for Macs back then.

        Yes OS 9 was rife with viruses, and that seems to be the reason so many journalists make the mistake of thinking there are viruses for macs. Yes, on old macs running OS9, but not on OS X. Which has been out now for 12 years.

          Ummm... MS Windows anyone? Every newbie friend with a mac has this resource hogger somewhere. :)

          That Pwn2Own link shows a drive-by-download exploit for the Mac, that's literally what it sounds like. You visit the web page, you get the virus. Miller's particular download got him full shell command, that's the cruise missile of the virus world.

          I have four or so rootkits specific to Macs on my computer somewhere, not installed mind. I just like collecting the source for malware, see how people design them. I'd have more but had to format my comp because XP doesn't communicate with Vista on a LAN. -.-

          Anyway, rootkits for Macs have been around long enough for me to start a collection. Arguing that you're on a twelve year old OS which is invulnerable is insane. The most secure part of an Apple based OS is it's base, which is openDarwin, a Unix OS. But Apple messes with the code, and you end up with a very leaky, very unprotected system and little knowledge of how to defend it. It's okay, we were all like that once. But we can help, the first step to fixing your Mac is to admit that maybe, just maybe you're not as invulnerable as you think.

      Frankly, it's an irrelevant point . Arguing over whether a given bit of malicious software is a "true virus" is a lot less relevant than acknowledging that, like any computer system, Macs have the potential for security issues. You'll notice the headline doesn't use the word 'virus' and that malware, trojans and the like are all mentioned too.

        I disagree, it's not irrelevant, without good virus protection, you can not stop a virus, no matter how careful you are. But if your careful, you can mitigate Trojans, worms, malware etc... This is what made the mac better for most users. If you use Window, you have to use anti-virus software, you don't have to on a Mac.

          Ah, Appletards, sucking away on the koolaid, ready to fly to the attack if anyone insinuates that Apple isn't perfect. Deadset.

          I love how wrong so many blind apple fanbois are. Windows user here and no AV software on my PC, havn't had a virus on my system in years, the odd weak piece of malware but nothing I couldn't remove in 1 or 2 minutes. To the laymen worms, trojans, malware and spyware are all called viruses. I work in a computer store that does servicing and repairs and in 6 years I don't think I've seen a true virus. I've seen many different trojans and a heap of PUPs but no true viruses. Customers ask me what AV I use or recommend and I truthfully tell them that I don't use any and hate all AV software as I consider it bloatware but will still offer them whatever is ranked highly by AV-test at the time (currently Bit Defender or Avast for a free one because personally I've never seen AVG stop anything). Problem is these days many infections are all a result of social engineering (MS scam, Australia Post scam, etc) so no AV software is going to save you be it on OS X, Linux or Windows. However I am unaware of any scams specifically targeting the former 2 that I know of as they just don't have the market share to be worth it.

          For good evidence that Apple don't have the most secure software around you only have to look at the Pwn2Own hacking contests, at last year's event Safari was the first to fall despite being updated not long before the event.

          You can quibble all you like about the pure definition of the words but at the end of the day, OS X has vulnerabilities, Windows has vulnerabilities and even Linux in it's varying forms has vulnerabilities. It's just that it's not worth the effort even attempting to make a really good "piece of malicious code" that's only going to hit 1 in 10 computers if you're lucky.

          /rant

          PS: I have used OS X and it was the most infuriating experience I've ever had with a computer and hope I never have to use it again.

            If you're recommending an AV for Windows, try Malware Bytes. The free version is fine, doesn't run all the time but they don't need to. So long as they have a firewall enabled (even the basic Windows firewall is fine) and MB is scheduled to run once a week they'll be fine.

        You seem to think its relevant you highlight that quote in your article, specifically mentioning viruses. Eg.

        "A common argument for buying a Mac is the idea that it’s “more secure” and “can’t get viruses”. The first is a vague and contestable statement; the second simply isn’t true. The two important points to recognise are that security is about much more than whether you get a classic computer “virus” — it encompasses anything that might compromise your personal data — and that a vital factor in keeping your system secure is human behaviour."

      By making the claim that there are no true viruses for macs, you have proven that mac users ARE pretentious and condescending.

      You proved your point, but you proved mine too.

    Back in 2006 when I only used Windows, I had to constantly use anti-virus tools, especially on the kids and wife's PC's. I was running XP, which wasn't as good as Win 7. I also made the mistake of using Nortons which was a real resource hog, often using over 90% of the CPU. So I switched to the Mac when they started using Intel. Since then I don't use any anti virus running on the Mac, but I am careful about clicking on dodgy links and ignore unsolicited emails, etc...

    So the whole family (6 Macs) for 6 years and never any Trojan, malware etc... And we belt the web a lot.

    You might argue that I've been lucky, but even so you'd have to say the odds favour the argument that life for a Mac user is a LOT more secure than for Windows.

      Given that you've said yourself you're being "careful", I don't think you've reached a different conclusion than the article did.

        It's true, I'm always careful, but that's not true for my wife and kids. They are far from careful, and still after 6 years, not a single bug.

        On the other hand back in 2006 on Win XP, running anti virus software and being careful, I still got viruses on my system. You couldn't stop the new ones. Anti virus tools could only detect known viruses and had to wait for a new one to be released before they could work out how to detect them. It was a never ending catch up game, one where the user always paid the price. And I got sick of it. Too many times I had to clean up or reformat the wifes PC.

        Again I say, 6 years and 6 Macs in the family ... Not one bug.

          Not one bug you are aware of. I am a Mac user and have been for many years. Malicious software, be it a virus, trojan, spyware what have you, exist on OS X and with more and more users making the "Switch" there will only be more. Malicious software has been around for years on Macs. (Melissa-X, OSX/Leap-A, OSX.Macarena, OSX.lservice, OSX/HellRTS etc etc) I agree reducing risky behaviour reduces the likelihood of being "infected" but why risk is it. Good anti-virus applications for free and they don't use many resources.

        I think the point Bernie is making is that the best defence against viruses on a Mac (or any computer imho) is not clicking of dodgy sh*t. Not "adopting appropriate security technology such as firewalls, scanners and security suites", which is only part of what you would define as 'careful'.

        Theres no like button here so...LIKE!

      Erm.. I ran Windows O/S my whole life after my beloved Amiga500 died in an electrical storm. Until recently (as recently as the last year or so) I have never run active virus protection nor daily scans. Every time I did a "check up", just in case I missed anything, it never found a single virus.. not ever. I've only just started to use one recently because the active virus protection software and scans aren't as system resource heavy as they used to be and it doesn't make a difference to my daily usage.

      So have I also been lucky or is it also a case of Windows being more secure than Mac? Hrmm.. I think the former. The same story, with the opposite operating system..

      Again, this is article's "victims" are those who are NOT tech savvy enough to not click on the wrong things and install everything they come across like they do with their iPhones. Apple vet their iTunes software.. but a user that is in the mindset of downloading anything that is new and shiny is going to get themselves into a world of hurt regardless of the operating system in place.

    I havent had a virus checker on my windows PC's for many many years, NEVER had an issue.
    and i have had issues with staff that i support with macs and malware, trojans or viruses and the like.

    I wonder how many people ever checksum their downloaded files ...not many I'd say. Nearly everyone I know downloads a file then just click it. That excludes the ones who click run instead of save of course.
    Let's face it 90% are clueless on M or W. Many Mac users (I own a couple, albeit old ones) I know left windows because it was to 'hard' , they liked Mac because it did everything for them. By that I mean they didn't want to learn anything they just want it to work. That's not a great attitude if your trying to avoid getting hit with a V, T or whatever. I know graphic designers that have been on Mac since Photoshop was invented and don't know what 'terminal' does.

    Those who say thy haven't got a virus are the ones who have it

    I had a much longer comment but turned it into an article instead:

    http://www.mactalk.com.au/content/your-mac-safe-internet-2197/

    I use ClamXav. Its included Sentry app has pulled up a few email worms from Mail and yelled at me for downloading a pirated game (I wanted Alpha Centauri!) from usenet. That's about it.

    Macs aren't inherently less likely to be infected w/ malware, I don't think. It is the market share. Why write malware that can affect 1/10 of the market when you can write one that can affect 9/10? The best defence is to be informed & educated.

    "...the notion that Mac users don’t need to have any concerns about security is a myth that deserves to be well and truly busted."
    This is true. Anyone who lives with digital devices needs to be aware of ssecurity and protecting their personal information. You shouldn't send your bank account details or transfer money to Nigerian Prince/ess, no matter how rich or deserving they may be.

    Howwever... Security and viruses are not the same issue. Computer viruses and illegal/unethical hacks are designed to perform operations without end-user knowledge and/or interaction. Bot nets for distributing spam emails, zombie machines for DDOS attacks, or software designed to unwittingly send your personal and financial details elsewhere are a very serious problem - but not on Macs.

    Macs are a smaller target due to their lower numbers, however Macs tend to be high-end machines, connnected to high bandwidth connections. They would be an ideal platform for some of the activities mentioned above. But there has been 0% significant penetration of OS X machines.

    It's a concept that's alien to Windows users, but on a Mac you do NOT need active anti-virus or anti-spyware software. You can use those CPU cycles for your own things (which is a major reason why Macs often seem "faster" than Windows PCs).

      There's botnets on Macs, rootkits, the works. Macs are also in a growing userbase, and CEO's love to have them around. Or iPhones? They're running a slimmed down version of the same OS, which should matter a great deal to you since they own a huge share of the "smartphone" market. Given that the iPhone is running a slimmed down version of the basic Mac OS, any malware made for the iPhone will work on the iPad, and with very little modification will work for the desktop/laptop Mac.

      http://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-Daizovi-AdvOSXRootkits-SLIDES.pdf

      http://www.f-secure.com/weblog/archives/00002300.html

      The first is information, nice to know. The second is from F-Secure and shows unique threats on the Mac, from 2011. They count a little differently, so when you see "15 backdoors", that's 15 different programs, not 15 programs found. Malware definitely exists for the Mac, and is in fact better placed since Mac users are unlikely to notice their computer is a virtual zombie for a long time. Bot kits don't last that long, but knowing you can just change controllers and keep your base is nice.

    On a non-malware security note, last time I bought a MacBook (2010), it was VERY easy to boot directly into terminal without a boot disc, and then enter a couple of lines of code (that I had memorised in case of drunken password changes) to reset the first-use menu. You could then create a new administrator account, free .Mac trials and all, and then had the choice of either resetting the owner's password immediately and loosing their keychain passwords, deleting their account, or (I assume) backing up a few files to brute-force their keychain and get any passwords stored in it later, and then either of the former. That didn't seem very secure to me.

      Many fun times have been had in the shops with that little one. Though wiping the hard drive (or any important part of it) is usually more fun in that case.

    If you design a virus, you're better off targeting PC because the user-base is many orders of magnitude larger - while writing a virus is just as difficult for either platform. What would you choose if you wanted to hit the largest number of people with the same effort?

      @Ryan
      Include iPhones and iPads in your estimate since they all use the same OS base, now what do the numbers look like?

Join the discussion!

Trending Stories Right Now