Macs and Malware: The Straight Dope

— -- Earlier this week, Washington Post blogger Brian Krebs stunned the computing world with the revelation that Apple had quietly been recommending anti-virus software for users of Mac OS X. This news flew in the face of popular wisdom (and Apple advertising), which holds that only Windows users need fear malware and other online attacks. But the shock didn't last long. Apple quickly went into spin-control mode, claiming that the online Knowledge Base article in question was out of date and that Macs were indeed perfectly safe out of the box.

Apple enthusiasts breathed a sigh of relief, while detractors grumbled various opinions, the gist of which amounted to "pride goeth before a fall." So who's right? Is Mac OS X the impenetrable fortress that Apple makes it out to be, or is it really a lurking malware death trap?

First things first: Sit down. Take a deep breath. Pour another cup of coffee. The answer lies somewhere in the middle.

The oft-repeated mantra that Mac OS X is safer from malware attacks than Windows is actually true. To gain control of your system, viruses and Trojan horse programs typically need to hijack low-level OS functions. Before Vista, this was pretty easy to do on Windows. But Unix-like systems -- including Mac OS X and Linux -- make it hard for malware to muck about with their internals, because software does not run with administrative privilege by default. It's as if there's a firewall in place between your applications and the important parts of the system.

Popular wisdom also says that Macs are not good targets for viruses because Apple's market share is so low. This is also true. Like real-world viruses, computer viruses can't spread very well when they don't encounter other computers to infect. Thus, more viruses are written for Windows -- which has the most market share -- than for Mac OS X.

But that's not to say Mac users should be complacent. It's important to understand that the nature of online attacks has changed. In the old days, malware was often little more than a form of online vandalism. The goal was to gain control of your computer for some malicious or annoying purpose. But modern cyber-attacks are growing ever more sophisticated, and they are launched not by vindictive teens but by international criminal organizations. Today the real target isn't your PC; it's your money.

Mac users can fall victim to online fraud just like Windows users can. Phishing attacks, whether they are conducted through e-mail or Web pages, often require no special software. This kind of attack relies on tricking users into compromising their own security, so Mac OS X's internal protections are no defense. Unaware users can easily give away their passwords, credit card numbers, or even bank account information.

Still other attacks bypass the OS completely. Instead, they exploit flaws in Web browsers or in browser plug-ins -- such as Flash or Adobe Reader -- to divert form input from Web site to another. Because these plug-ins run cross-platform code, Macs are just as vulnerable as PCs. And again, financial information is the usual target.

Anti-malware software for Macs and PCs can help to defend against these threats. The most important thing to understand, however, that the tools of the modern cyber-criminal are deception and manipulation. Smashing straight through your computer's defenses like a battering ram is too difficult. Instead, today's attackers will try to trick you. If you rely on anti-malware software to do all the work for you, you're still not secure.

Believe it or not, I own Windows PCs that don't run any kind of resident anti-malware software; but when I do run a periodic virus scan, they come up free and clear. The key lies in knowing not to run software from unknown sources, never to give away passwords to sites you don't recognize, and all the other tenets of safe online computing. A well-informed, security-aware user is always the best defense -- and that goes for Macs and PCs alike.

How are you keeping your computers safe from malware? Sound off in the PC World community forums.

Neil McAllister is a freelance technology writer based in San Francisco.