The secure Mac: myth or legend?

Apple computers have built a solid reputation on being virus-free, but is the reality different from the image?

David Braue Special to CNET News

We look at the security concerns affecting Mac users -- and whether there's cause for alarm.

US health authorities were chuffed recently to announce that canine rabies -- a once common viral infection dangerous to dogs as well as humans -- had been eliminated from the country after not even a single case had been reported since 2004.

A week later, Microsoft put its tail between its legs after it was revealed that its state-of-the-art Windows Vista operating system had fallen prey to Stoned.Angelina, a boot-sector virus that was first seen in 1994 and last seen in the wild in 2001. Nonetheless, up to 100,000 German Medion customers, Virus Bulletin reported, received new computers with the virus on their hard drives. Worse still, the virus went undetected by the bundled Bullguard antivirus software, which had removed the virus definition from its product due to its perceived extinction.

The fact that Stoned.Angelina is still circulating six years after it was last spotted is a reminder of the need for constant vigilance when it comes to system security. It's also a reminder that despite years of effort, the tens of thousands of active viruses currently prodding Windows systems remain a continuous threat.

For people contemplating a new hardware platform, this all adds up to one thing: Apple's Mac OS X, which conventional wisdom holds is impervious to viruses, is a more appealing choice than ever.

The ugly truth?
Discussions about the Mac-virus issue have raged on for years without resolution, often taking on an emotional aspect from avid Mac fans who recoil at the thought their systems could suffer Windows-like problems.

Certainly, virus-like code -- which is characterised by its ability to replicate itself between systems without human intervention -- has been almost nonexistent on Macs. It was only last year that researchers at antivirus vendor Sophos -- whose Sophos Anti-Virus SBE 2.0 supports OS X -- claimed the discovery of the first-ever Mac virus, OSX/Leap-A (a.k.a. OSX/Oompa-A), which propagates via Apple's iChat software.

Subsequent, isolated discoveries have unearthed the likes of OSX/Inqtana, a proof-of-concept virus that targets a flaw in OS X's Bluetooth code but has caused no real-world damage. Such discoveries have raised the hackles of Mac devotees, who pointed out that Inqtana and Leap-A were mainly proof-of-concept viruses and that the Mac community has yet to suffer the crippling effects of a global infection, which these days is spotted by massive spikes in volumes of spam.

Not even the widely publicised Month of Apple Bugs, which highlighted a new Mac OS X exploit every day in January, has done much to damage the Mac's reputation as a fortress of system integrity. Its progenitors were instead criticised for releasing the vulnerabilities to the world, echoing sentiment towards antivirus vendors who, some argued, were launching a FUD (fear, uncertainty and doubt) campaign aimed at winning customers amongst paranoid Windows users making the jump to the Mac.

For recent converts and longtime users alike, the question still lingers: do Mac users need to run antivirus software?

Not really, says Kevin Long, a network and security specialist with Verizon Business Security Solutions and the company's Mac security expert. "The reason is not that there are no security issues on the Mac; it is not impervious," he explains. "But we have seen no replicating viruses on the Mac. And when we talk about risk, we use an equation -- threat times vulnerability times cost -- to figure out the cost of an attack."

Given this method, Long says the risks of introducing still-unstable antivirus software to protect against a still-minimal virus threat are just too great. "Antivirus software doesn't just sit on top of the operating system," he continues. "It has its fingers down deep in there, and if something goes wrong it can foul things up. Antivirus software on the Mac is just not as mature [as on Windows], and every time you put new processes on your system it can introduce stability and security issues."

AV writers' new tactic
All isn't completely lost for antivirus vendors, however: while most computer users tend to equate computer security with the risk of getting a virus, the more serious problems come from socially engineered attacks that can and do suck in users of Macs as easily as those using Windows machines.

Symantec's Norton Confidential security suite for Macs, for example, doesn't even mention the word 'virus' in its product literature but instead uses the blanket phrase 'vulnerability protection', which also includes issues such as operating system patches, protection from phishing e-mails, and online content filters.

This change in marketing tactic reflects the different reality of security on Windows and Mac machines -- but users shouldn't let their guard down even if the Mac is more inherently resilient. Mike Romo, US-based product manager for Macintosh products with Symantec, says that even Mac users need to consider the ongoing risk of macro viruses -- which rely on vulnerabilities in applications rather than operating systems -- and the potential role of Macs as transmitters of Windows viruses attached to forwarded e-mails.

"We're not so much worried about the infrastructure anymore," he explains. "It used to be people thinking about doing a weekly virus scan, but now it's people making sure the Web sites they visit are legitimate. This is a fundamental shift about how we discuss Internet security: the boxes themselves are much more stable than they've ever been. Apple has made sure the baseline defences of the system are already so high out of the box that for the most part, people don't need to think about them."

That doesn't mean Mac users -- many of whom adopted the platform because it is seen as being easy to use and secure -- can ignore the threat of security attacks altogether. Mac OS X ships with so many built-in system features -- including remote access software, the Apache Web server, IPFW firewall, and other components -- that Long says it's important that users take a few precautions even if they're not running antivirus software.

Long recommends every Mac user take two steps to improve their system security. First, he recommends that they turn on IPFW, which isn't necessarily turned on by default (System Preferences / Sharing / Firewall / Start). Second, he advises users to turn off the 'Open "safe" files after downloading' option in Safari (Safari / Preferences / General); left on, the option increases the chance that any new exploit-laden file could have a clear shot at the system.

"The things that worry me about Mac OS X have to do with the ways in which Apple tries to make things easy," he says.

New attack vectors
Another potentially worrying issue with the Mac is the growing number of people using Apple's Boot Camp or virtualisation software -- such as SWsoft Parallels and VMware Fusion -- to run Windows on their new Macs. Users need to be aware that even though a virtual Windows machine is running on a Mac, it's still vulnerable to the same problems as on a standalone machine -- and, therefore, needs the same kind of virus protection.

At a minimum, free antivirus software like Grisoft's AVG Anti-Virus Free Edition or ALWIL Software's free avast! antivirus should be installed on any Mac-based Windows installation to provide essential protection.

This isn't only for protecting the Windows system: while the design of virtualisation software inherently separates the Windows system from the host Mac computer, it's also a dead certainty that someone, somewhere, is trying to figure out how to use virtual Windows images as a back-door to attack a host Mac machine.

Another potentially game-changing issue when it comes to Mac security is the iPhone. Apple has so far closely managed developers' interaction with the new device, but an inevitable raised profile for developers means the company needs to ensure its security model is consistent with that in OS X. "The iPhone is the beginning of a completely new mobile platform," says Romo. "I hope Apple will open it up to third party developers, but I also see why they're not doing it at this early stage."

"Apple takes security very seriously," he continues. "For the most part, 99 percent of the time, Mac users should feel pretty good about their purchase, and feel great about walking into the world of Mac OS X, and trust Apple and companies like Symantec to be at the forefront of security and looking out to make sure people are protected."