No Immunity for Macs

Macintosh operating systems, specifically Mac OS X, have a reputation of being very secure, much more so than Windows XP.

Apple (Nasdaq: AAPL) touts that frequently and openly in its advertisements and television commercials. Is this reputation deserved? Frankly, yes, but with a big caveat -- the situation is changing.

The Danger of Popularity

Mac OS X is built on what is considered to be one of the more secure Unix-based operating systems, BSD. However, that's not the only reason Macs have had a reputation of being more secure.

Windows has the dominant market share, which gives attackers the largest number of targets to saturate when attacking networks -- and let's face it, Microsoft (Nasdaq: MSFT) has done a poor job in the past of building a secure operating system, browser and applications. This has changed significantly with the well accepted "patch Tuesday" process and a concentrated focus by Microsoft to improve Windows XP and the upcoming Windows Vista release.

This has created a false sense of security for Mac OS X users, though. While the Mac operating system is more secure than PC operating systems at this point in time, that doesn't mean Macs are immune. Overconfident Mac users may find themselves unprepared when a worm or exploit does hit.

Apple Becomes Vulnerable

In mid-2006, McAfee's Avert Labs reported that the number of Mac security vulnerabilities had increased 228 percent since 2003. Just recently, in August 2006, Apple released fixes for 26 security vulnerabilities in Mac OS X 10.4.7 and 10.3.9.

Two patches for code execution vulnerabilities were released almost immediately following the introduction of the Intel-based Mac Pro running Mac OS X 10.4.7. In the fall of 2006, a Symantec (Nasdaq: SYMC) study reported that the number of vulnerabilities in the Mac Safari Internet browser doubled during the first half of 2006 compared to the previous six months.

Commotion was stirred up at the 2006 Black Hat Conference in Las Vegas after speakers demonstrated a Macintosh vulnerability in third-party 802.11 WiFi drivers. While Apple attempted to defuse the criticism as a third-party problem, the company ended up delivering patches for two separate stack buffer overflow problems in the Apple AirPort wireless drivers.

The fact of the matter is that despite Apple's work to maintain the image of Macs as secure devices, researchers are concentrating much more heavily on finding underlying security vulnerabilities in Mac software. As a result, we are seeing security patches for Apple software now on a regular basis.

Intel-based Mac Pro introduces a new wrinkle in the Mac security fabric: virtualization. Windows XP can be run as a virtual machine on the Mac Pro, creating a situation where is it just as vulnerable as the any other unsecured or unpatched Windows device.

Mac Security Answers

What should Mac OS X users do to secure their computers? Here are some starting recommendations:

1. Don't be complacent. Take the security of any computing platform seriously, whether it's a Mac, PC, PDA or phone. The easiest device to compromise is the one that everyone assumes won't be attacked. Overconfident Mac users are ripe for the picking, so don't become the next security victim by believing your Mac cannot be compromised.
2. Apply security updates. Windows users have learned this lesson the hard way and so has the OS manufacturer, Microsoft. Beginning with Windows XP SP2, automatic application of security patches is enabled by default removing one less opportunity for the device to be left unprotected against the latest vulnerability. Whenever possible, apply a Mac OS X security patch automatically so your Mac is up to date with the latest security fixes.
3. Use a bi-directional personal firewall. The personal firewall provided with Mac OS X only offers protection for network connections that are inbound to the Mac. Consider upgrading to a third-party firewall, such as free Brickhouse software, that offers inbound and outbound firewall protection. Also, remember that the least intrusive and easiest-to-use personal firewall is one that will likely stay in use and not be disabled due to annoying pop-ups or configuration screens.
4. Practice good WiFi security connections. Use a good security and encryption technique, such as WEP, to secure the network. Be cautious when connecting to open networks -- such as at the airport or local coffee shop -- and never initiate a WiFi connection to an ad hoc network, unless you know what the device is on the other end and that it has been properly secured.
5. Use AV software. Don't take a chance of being the first Mac user to get the next e-mail-borne virus. Yes, it is common for Mac users to go without antivirus software, but this is slowly changing.
6. Use good security practices with Windows virtualization. Secure that Windows virtual session just like any other Windows computer on the network. Automatic updates, personal firewalls and antivirus software are musts for any Windows computer and virtual Windows XP session. A Mac Pro computer is no different.

Replacing complacency with good security practices can protect any Mac OS X user. Believing Macs are secure just because television advertisements say they are builds a false sense of security. The increase of Mac OS X vulnerabilities and the number of patches released clearly show that Mac security may soon be a thing of the past.