‘Over 40% [of computer users] think [that Macs are] only “somewhat” vulnerable.’ David Harley, ESET
Copyright © 2010 Virus Bulletin
Back in the 1990s, when I was working for a medical research organization, I wrote a report on the virus landscape. For completeness, I included a section on Mac issues. A Mac specialist whom I was working with at the time remarked that he was quite impressed with the report generally, but he confidently informed me that there weren’t any Mac viruses (there were, of course). Have things changed since then?
Last year, a survey carried out on behalf of ESET’s ‘Securing our eCity’ initiative found that many Mac (and PC) users in the US still assume that the Mac – or at any rate OS X – is a safe haven. More people own PCs than Macs, more people own both types of computer than own Macs alone, and 2.1% of users in the survey didn’t know what kind of computer they own (perhaps they’re the same 2.1% who think there are no PC vulnerabilities). Of all these groups, nearly 10% think that Macs aren’t vulnerable at all, and over 40% think they’re only ‘somewhat vulnerable’ – although it’s not obvious what the survey respondents understood by the term ‘vulnerable’.
According to the survey, no Mac user believes that PCs are safe from malware attacks, and only 1% of PC users do. (Perhaps that 1% accounts for the millions of machines that are still infected with Conficker, or are patiently broadcasting ancient mass‑mailers.)
I’d contend that while ‘somewhat vulnerable’ might be about right for systems/application vulnerabilities and exposure to current malware, the figures would be more alarming if the survey were more focused on the vulnerability of users rather than systems. Any computer user who believes his system is so safe that he doesn’t have to care about security (i.e. not vulnerable at all) is prime material for exploitation by social engineering.
In fact, while the general decline of old-school viral malware is reflected in the Macintosh statistics, there’s no shortage of other malicious code targeting OS X, including rootkits, fake codec trojans, DNS changers, fake AV, keyloggers and adware. Numerically, this is a fleabite compared to the many tens of thousands of unique malicious Windows binaries AV labs see on a daily basis, but ‘safe haven’ doesn’t seem quite the right description.
The last time I pointed to user complacency as a risk here (see VB, August 2004, p.2) it was condescendingly explained to me that Apple’s security model saves their customers from themselves (see VB, October 2004, p.16). At one time, Apple’s security model led the way on patching, and it still includes many potentially useful defensive techniques, but they’re generally more limited in implementation than is often assumed. This is certainly a far cry from the picture Apple has painted for so long where PC viruses are no threat at all (tell that one to the multi-platform enterprise administrator!) and your Mac is ‘safe out of the box’. In fact, looking at Apple’s notorious security page while writing this piece, I see some small but significant changes from previous versions. The ‘safe out of the box’ claim has gone, and security is now achievable ‘with virtually no effort on your part…’ The disparity between protection on 32-bit and 64-bit apps is addressed, with some positive spin. There’s even an admission that ‘since no system can be 100 per cent immune from every threat, anti-virus software may offer additional protection.’
Indeed, there’s probably no absolute need for anti‑malware on many Macs at the moment (as if most Mac users are going to be persuaded otherwise, short of an Autostart-sized panic!). Mac users are similarly placed to Windows users in the late 1990s: if you’re impervious to social engineering and can accept the risk from zero-day, self-launching exploits and cross‑platform malware, fine – only don’t assume that there is no Mac malware or that only viruses matter.
Of course, I haven’t even mentioned iGadgets and the limitations of security based on whitelisting and restricted privilege. But you may not want to get me started on that...