Is Apple recklessly lulling Mac OS X owners into a false sense of security, or is the company right to downplay the risks from threats?
PC Pro's Davey Winder believes the company is using hyperbole to cover up the fact that the platform is under attack and that users are at risk:
Is it any wonder that many Mac owners think they are immune from the security problems faced by PC owners? Right there on the Apple website it states that "with virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware".
OK, I agree that if you put a Windows 7 box next to a Mac OS X box, the Windows box will come under greater and more sustained attack from malware. But there's more bad stuff out there than malware. Take email phishing attacks that try to dupe the unwitting out of money. How does Mac OS X fare against that sort of attack? Not well, it seems:
When security vendor ESET surveyed computer users about their perception of computer security, more than half thought PCs were either very or extremely vulnerable, whereas the figure was only 20% when it came to the Mac.
The same survey revealed that when it comes to phishing attacks, Mac users lost more money on average than PC owners did. Is Apple guilty of lulling its users into a false sense of security?
So while Windows malware won't run on Macs (and why would it, it's code designed for Windows), other tricks that the bad guys use against Windows users (such as email phishing) work. The OS might be more sophisticated (or just targeted less), but the users respond just as well to social engineering tricks whether they're sitting in front of a Windows desktop or a Mac OS X desktop.
Note: It's worth pointing out that F-Secure's chief research officer Mikko Hypponen believes that the security offered by Windows 7 is better than that currently offered by Mac OS X.
Winder also takes to task Apple's claim that 'when a potential security threat arises, Apple responds quickly by providing software updates and security enhancements' by pointing out that the company took three years to fix a vulnerability related to a remote Trojan, and 91 days to patch another serious vulnerability. Is that really responding quickly? Apple also took its sweet time blocking those untrustworthy DigiNotar SSL certificates.
Then there's the issue of all the hyperbole on Apple's website. There's no shortage of hype on Apple's security page for Mac OS X. Take a look for yourself. However, down the bottom of the page I did come across this:
So there's at least an admission from Apple that things can still go wrong, but the company still refuses to come out and clearly advise users that installing anti-malware and anti-spam software would dramatically increase protection offered to them, and not only protect them against malicious code, but also from themselves.