Can Mac Users Start Thinking Security?

Part of the reason Apple (Nasdaq: AAPL) has been held in such high esteem by its users and, more significantly, by many software security experts, has been the Mac's virus free operating environment. However, since early January, predictions have been flying that 2006 would be the year Apple would be knocked off its pedestal. If the events of the last few weeks are any indication, it appears that scenario may play out.

At least two worms have been discovered that target Mac OS X, Apple's latest operating system. Although they are relatively benign, few doubt that Apple malware issues will stay that way. Viruses and worms aimed at Macs are likely to accelerate in severity as well as in number. Hot on the heels of the worms came the announcement of a newly discovered vulnerability in Apple's Safari browser, for which the company has not yet introduced a patch.

In short, how long Apple will remain safe has suddenly become moot. The new question is this: How long will Mac users remain in denial about security?

Talking About It

The events of last week have opened a fresh dialogue.

"Last week's events have encouraged the Macintosh community to talk more about malware, viruses and other online threats, which I think is a healthy discussion and one that is often dismissed too quickly," Mike Romo, an analyst from Symantec (Nasdaq: SYMC), told MacNewsWorld.

"Mac users, like Windows users and others, need to practice -- as Eric Bangeman at Ars Technica suggests -- 'skeptical computing,'" Romo continued. "Be careful of what you do online, be wary of unsolicited attachments in your e-mail, and if you are a Mac user that works with a lot of Windows users, you might want to scan your drive for Windows and MS Office macro viruses once in awhile, just so you don't infect your friends and co-workers."

Still Dragging Their Feet

A large number of Mac users run no protection software at all, according to Ted Demopoulos, an IT consultant who specializes in security and whose clients include Cisco (Nasdaq: CSCO), Motorola (NYSE: MOT), T Rowe Price and the Department of Defense. "When I mention it to Mac users, they usually respond with 'Nothing ever happens to Macs,'" he commented.

It's questionable whether Mac users will change their behavior any time soon. "I do a fair amount of security awareness training, and people usually need to get burned a few times before they make a change," Demopoulos observed -- and then they need to get burned a little more to make those practices permanent. "Security awareness is like exercise -- you have to keep it up to benefit from it."

There is a certain sense of invincibility among Mac users, which makes it very likely that they -- and the IT security professionals supporting them -- will be slow to adopt some of the best practices that Windows users have had to learn, said Scott Carpenter, director of security labs at Secure Elements.

"Mac users have not been forced to deal with the storm of viruses and vulnerabilities that Windows users deal with on a daily basis, so they tend to feel that they are safer than their Windows counterparts," Carpenter told MacNewsWorld.

Security Lethargy

Certainly, Mac users are not ignorant of the existence of malware on the Internet. Many do have security software installed, even if there are fewer options available on the market. However, Mac users have not been on the receiving end of the countless lectures security firms have delivered to Windows users.

For instance, "many Windows users have been told time and time again to ensure that their anti-virus software is updated daily," Carpenter said. "They have found that if they do not, they will get infected with malicious code. Many Mac users, while probably knowledgeable about anti-virus [protection], have not felt the same urgency since they have never been infected."

The recently discovered browser vulnerability warrants user education and secure configurations, Carpenter added. "This specific Safari vulnerability requires a user to take an action by visiting a malicious Web site and clicking a link to the exploit. For this specific issue, a configuration setting in Safari can allow for malicious code by automatically running any script or application inside the zip file without the user confirming the action."

Mac users are not the only ones who have been somewhat complacent. Security analysts also could stand to be a little more vigilant, Carpenter said.

"What is more shocking about this vulnerability is that the Mac users can protect themselves today, but several of the security researchers have not disclosed a valid work around -- changing the configuration setting to disable the feature of "automatically opening" zip files. So end users need to be vigilant -- but so do the IT security professionals," he emphasized.

How Dire Is the Situation?

The recent attacks are not necessarily a prelude to a relentless wave of new malware threats aimed at Macs.

"While it is indeed notable that two examples of malicious threats targeting Macintosh systems appeared last week, I think it would be a mistake to leap to the conclusion that Macs are necessarily going to be the target of larger scale, more damaging threats all of a sudden," Romo said.

There have been viruses, worms and other malware targeting all previous versions of the Mac OS, as well as in Linux and every other OS as well, Demopoulos noted -- "just not very many."

There won't be an onslaught of "nasties" unleashed on Macs, he predicted, for two reasons:

"One, Macs are a much smaller target than Windows -- there are so many fewer Mac machines around. Two, most hackers know Windows well -- [and] perhaps Linux/Unix -- but special Mac knowledge is scarcer among hackers. This is also one of the reasons Cisco routers are rarely attacked. Most hackers know nothing about them."