Reduce OS X security threats - ignore security software

• Tags:
• Mac OS X,
• Apple,
• Malware,
• Antivirus

Leader ZDNet.co.uk

Published: 05 May 2006 16:20 BST

• 
• 
• 
• 
• 

We were intrigued to receive a press release from McAfee today, warning us of vulnerabilities in Apple's Mac OS X operating system. Not only were these vulnerabilities growing at an alarming rate, said the release, but "as more companies deploy Mac systems running on the Intel platform in mixed environments, the risk of infection will most likely increase." Fortunately for all of us, a second release had the answer: "McAfee today announced antivirus support for Intel-based Apple computers. "

Phew. At last, the world is safe from the thousands of Intel-specific Mac viruses, worms, trojans and other malware that make today's OS X experience one long struggle against evil. Or it would be, were there any. Which there aren't. Not one.

It may be true, as McAfee says, that from 2003 to 2005 the number of discovered Mac vulnerabilities increased by 228 percent while Windows only saw a 73 percent increase. But that's like saying that in the last decade, deaths caused by choking on ice cream were up by 200 percent while deaths from smoking only went up by ten. Like the ice cream, shining light on McAfee's claims makes them melt away – when we asked the company how big the risks actually were, it admitted that there was "no significant risk" at the moment. But there might be in the future. People on Macs are complacent. Better safe than sorry.

Safety in this context means having a sober assessment of the risks and how to safely and effectively counter them. For as long as OS X has been in the wild, discovered weaknesses and example code have been used by interested parties to predict actual attacks. Nothing remotely serious has materialised. In fact, if you look down the CERT list of alerts for 2005, the only one that mentions an Apple product by name is one caused by a bug in Symantec's AntiVirus software for the Mac. Safe, effective risk management here involves taking the longest bargepole you can find and using it to not touch the snake oil.

McAfee should be ashamed of itself, for raising fears of risks that do not exist, for coupling risks to Intel chips by association – which borders on the libelous – and for encouraging the very complacency it claims to cure. This push to sell inappropriate solutions will damage security and hinder the fight against malware. It will introduce more complexity at the system's most vulnerable point, and discourage people from thinking about stuff like firewall configuration and proper privilege-based security. If you understand security, you will not buy this software.

OS X, like any complex computer system, is not invulnerable to attack. Educating users about modes of attack, keeping up to date with patches, watching for independent analysis of problems – all these are good ways to keep your guard up. Listening to someone crying wolf is not.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed