No product or service can claim absolute security. Any that do should be met with a good measure of prudent skepticism. Let’s be clear: I’m not singling out Apple as a creator of inferior products or saying they don’t make quality products – far from it. Rather, we are exploring the mythology surrounding Apple products — which needs to be dismantled. We need to speak to the facts if we are to address the myriad security risks that Apple (and all others) face. Every major vendor has a mythology that its brethren espouse without question. Apple fans are notorious for consistently asserting (despite the facts) that their beloved products are without flaws. Nothing could be further from the truth. Herein we’ll explore some of the myths of Mac security that persist despite the facts to the contrary.
Macs are ‘Secure’
Go to any Apple ‘Genius Bar’ or watch any of Apple’s marketing and you’ll hear the spiel: “Apple devices don’t get viruses, they are ‘secure’ by default.” This is sales-driven wishful thinking which Apple has perpetuated. No operating system is ‘secure’ without system hardening, anti-malware and a myriad of other security technologies. Security at a deeper level is never one single product in isolation but a variety of people, processes and technologies layered upon each other to offer defense in depth. Using a particular OS doesn’t give you ‘security’ in any sense if many other steps are not undertaken, because security isn’t unidimensional.
As you read this, cybercriminals and nation-states are finding and exploiting all manner of vulnerabilities and creating malware for Apple products. No product is exempt from this. Even with built-in XProtect and Gatekeeper technology (which we’ll explore later), macOS still has a myriad of security headaches to address, like any other operating system. Are Apple products unique in being a target? Unfortunately no, but their mythology would have you believe they are invincible, and they are not.
Macs Don’t Get Viruses
This one is laughable on so many levels, but it’s a myth Apple has actively promoted in its marketing. First, it shows that those engaging in this myth don’t understand information security fundamentals and care more about sales than fact. The fact is, viruses are only one of many types of malicious software that exist today. The correct term for the multitude of software that does malicious or unwanted things is malware. So to say Macs don’t get viruses is to ignore the fact that malicious software has evolved far beyond the simple virus nuisance of the 1980s. It ignores a whole new class of malicious software threats in the form of APTs, cryptominers, trojans, rootkits, RATs, spyware, PUPs (Potentially Unwanted Programs), crapware, ransomware, etc. Modern malware exists for macOS, and the ‘Macs Don’t Get Viruses’ myth isn’t based in any reality. For example, as of 2018, anti-malware vendor McAfee lists 629,000 known malware samples. Additionally, anti-malware testing lab AV-Test showed nearly 90,000 malware samples in 2018 alone.
You Don’t Need to Upgrade
I’ve spoken to many Mac admins who have older systems which will not support the latest macOS version. Rather than upgrade this hardware, they assert that this hardware/software is ‘secure’ by default and doesn’t need to be upgraded. This is a dangerous myth. End of Life or End of Service software of any kind is a serious risk to any organization. Once a vendor has stopped providing updates that address known vulnerabilities, users have no choice but to upgrade or accept a risk of perpetual zero day. This means the software’s vulnerabilities could be exploited at any time and there is no fix or remediation. When hardware support no longer exists, it’s a dangerous path for companies to assume these ever-expanding risks. Apple products (like any others) need active patch management or they suffer the same risks as any other operating system. Hardware that has reached the end of its support cycle needs to be retired, or we face the same ever-expanding risk.
MacOS Has Few to No Vulnerabilities
Another well-perpetuated myth is that macOS is invincible and without the vulnerabilities that plague all software. Vulnerabilities in software are weaknesses or flaws that leave it open to attack by cybercriminals or other malicious actors. A quick look at CVE Details shows 2000+ known vulnerabilities for macOS since 1999. This number isn’t consequential in itself — but acknowledging the fact that macOS has vulnerabilities is. Like any other product on a corporate network, it needs to have these vulnerabilities actively managed with patch management, best-practice configuration, systems hardening and improved security awareness training. In fact, a quick perusal of the Apple Security Updates page is a great way to review the many security issues macOS has faced and the patches which you can apply to mitigate them.
Apple Has Built In Anti-malware
Apple often claims that macOS contains built-in protections from malware. Since version 10.6, macOS has had rudimentary built-in anti-malware technology known as XProtect. It’s severely lacking in anti-malware features and offers little protection from modern malware. Much like the free anti-malware solutions built into Windows 7/10, it is insufficient and doesn’t provide the layered, comprehensive protection delivered by modern commercial anti-malware technology. Additionally, Apple’s Gatekeeper allows users to specify the software sources they trust. Users can set it to trust only apps from the App Store and identified developers. However, users can directly override this and click (or be socially engineered/phished) to install malicious software. Gatekeeper technology will block some malware but not all, and unfortunately it can be (and often is) easily subverted. Long story short, macOS needs commercial anti-malware protection as part of a defense in depth strategy.
It is my hope that through this short (and nowhere near exhaustive) exploration even the most fervent of Apple fans have developed a healthy skepticism of these security myths. No company produces invincible products, and our evaluation of them should be based on fact – not myth. Apple makes quite a few quality products, including macOS, but it’s not without its flaws and imperfections. macOS is not secure by default or impervious to the numerous risks that many other modern operating systems face.