Mac malware: Over-hyped or underrated?

Are the days of Mac security supremacy over — or did they ever really exist at all? Either way, there's a two-fold threat to Mac users
Written by Will Taylor, Contributor

I have owned and enjoyed using Windows PCs and Macs throughout the last decade, during which time my professional life has centred around an IT security consulting business.

The easily surprised will be suitably open-mouthed to discover that I have secured more than my fair share of office Macs in that time. Someone had to say it: Macs are not immune to security issues. 

That someone was never likely to be Apple, which still flies the "Mac doesn't get PC viruses" flag — and flies it proudly, as if it were some miracle of secure design the company had implemented.

Apple highlights, on its website and aimed at anyone thinking of purchasing a Mac, the fact that — and I quote: "A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part."

No prizes for spotting the factual fly in this marketing ointment — namely that immunity to viruses written to exploit the Windows OS has nothing to do with defence systems built into the Mac OS X, and everything to do with those viruses being unable to run on a platform they were not coded for.

It's like saying that a plastic bookcase is totally immune to the woodworm that attacks wooden furniture. Not only is Apple guilty of comparing Bramleys with bananas, but of much more concern it is also guilty of sustaining a dangerously false sense of security among users in the face of an expanding threat surface exposed to cybercriminals.

Not from viruses, Apple is right there, but when was the last time you heard of a Windows user suffering from a virus infection either? The real threat to Mac users is twofold and takes the form of Mac malware and user apathy.

Two-fold threat

Mac malware? Yes it certainly exists — not to the extent of Windows malware, or even Android malware, but it is out there and it is active.

Someone had to say it: Macs are not immune to security issues.

When ZDNet contributor Ed Bott recently looked at the malware numbers game, he discovered that in March 2012, only two newly named entries were added to the Symantec definitions database each day — 66 in all to be precise. Of these, 36 were properly 'new' Trojan, worms and the like, and only one of these was specifically targeting OS X.

Between 5 and 12 April, there were a total of 12 new detections added to that certified definition file, and one of those was also a piece of Mac OS X malware. This does not represent any great spike in Mac malware activity, nor does it mean that OS X is inherently insecure — but it does put paid to the nonsense that Apple perpetuates with those 'we are not susceptible' statements.

Mac Defender fake antivirus program image

The recent Flashback Trojan and Mac Defender scareware (pictured) show that Macs are not immune to security threats. Photo credit: CNET UK

And that's the real problem facing the workplace: ill-informed users plus equally ill-informed tech support equals apathy overload.

Take Flashback as a very good example of this apathetic approach to Mac insecurity. Apple had already patched the Java vulnerability being exploited, but far too many Apple users had not applied that patch, nor the one that Microsoft had issued for Mac Office in 2009 that would have prevented the problem.

Why would they, when Apple tells them they don't have to do any work to remain safe? The end result was a predicted infection rate of around 650,000 Mac users, and around $10,000 (£6,329) per day in profit for the distributors of that malware through the ad-clicking it generated.

Throw in the Mac Defender fake AV outbreak from last year and the Gh0st RAT APT from this, and the secure Mac facade starts to show cracks. DNSchanger Trojans, Rogue AV and software-specific exploits are the kinds of threats that Windows users have become used to, and therefore more likely to protect themselves against. All are starting to spread into the Mac OS X arena.

The truth of the matter, as Rik Ferguson told ZDNet UK last month, is that "in-built Mac security software is woefully underpowered and built along traditional file-signature update lines. Put simply, it will not stop most threats, including zero-day attacks". This, alongside the consumerisation of enterprise IT, is a recipe for disaster.

The good news for enterprises feeling the squeeze is that Mac security need not be a cost issue, as the same basic controls and strategies apply as they would to any other device. Don't panic — just be aware of the risk, accept that risk and mitigate against it.

Steps to secure your Macs

  • Apply patches as soon as they become available
  • Manage and protect all devices — Mac or PC — via a unified console
  • Enforce access controls at the network level, such as a Next Generation Intrusion Prevention System or a Next Generation Firewall
  • Only allow fully sanctioned devices onto the network, as these are more likely to be properly protected (Mac or PC) than unsanctioned BYOD kit
  • Implement cloud-based, reputation- and behaviour-related threat detection methodology; do not rely upon outdated signature file detection

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards