Why a vulnerable Mac is not necessarily an insecure one

Over the years I have been on the receiving end of many an email-bashing for suggesting that Apple needs to take security more seriously. So it may come as something of a surprise to discover I disagree with the conclusion of newly released research which appears to suggest that Mac users have inadequate protection against attack, and that this is particularly concerning given the number of high severity security vulnerabilities for Mac OS X.

The research from San Francisco based managed infrastructure and security specialists Opswat(www.opswat.com), which has a high SMB/enterprise market share for peer-to-peer file multiple antivirus engine scanning and document sanitisation (deployed to more than a 100 million endpoints), included data from Macs for the first time. This enabled the company to make a direct comparison between Windows and Mac devices, and that's where it gets interesting and, in my opinion, goes a bit astray.

OK, let's get the nitty gritty out of the way first. The market share report included data for peer-to-peer file sharing products, the use of file sharing, antivirus software and RTP (Real Time Protection) between both Windows and Mac users. Because it included Mac device data, it drew comparisons between the security practices of the two.

While 75.5 per cent of Windows users had at least one antivirus product installed, only 50 per cent of Mac users did. The conclusion drawn being that many Mac devices are left without adequate protection given "the number of high severity security vulnerabilities for Mac OS X." Windows users also outperformed Mac users with their use of RTP, 61 per cent of Windows AV with RTP enabled against 35 per cent of Mac AV, an important part of protecting a device from malware and other Potentially Unwanted Applications (PUAs). There wasn't much difference between Windows (31.1 per cent) and Mac (25.7 per cent) when it came to installed P2P file-sharing installations being found.

Adam Winn, senior manager for Opswat, said "the prevalence of P2P file sharing software in combination with the relatively low utilisation of real time protection is not a good indicator of the overall security status of Windows and Mac computers in BYOD and small business environments. Peer-to-peer file sharing software by itself is generally harmless and can be used very effectively for rapidly and legally downloading files. Unfortunately the P2P installers are usually bundled with adware, and sometimes even malware."

Which I have no beef with, at all, as it does not make a big hoo-ha over the difference in machines. However, I do have a beef (even as a vegan) with the idea that Mac users are insecure because there are vulnerabilities out there and they don't use antivirus.

We are told, time and time again (and I may well be guilty for having repeated this in the past) that the only reason Mac users are not falling victim at the same rate as Windows ones is that the cyber criminals only focus on the Windows market as it's so much bigger and therefore so much more profitable.

Which is good as far as it goes, which isn't very far. Data is data, and Apple users are a pretty wealthy and desirable demographic don't you think? If it were really that easy to exploit a known 'high severity' vulnerability which could give the attacker the keys to the kingdom that, well, someone would be doing it and doing it wholesale by now? And there's the thing, if they were then the media column inches would be full of it, and they are not.

I spoke to Troy Gill, manager of security research at AppRiver, who told me he was not surprised to find that Mac users have a much less proactive approach when it comes to installing AV and using real time file protection.

"One thing I think the data did an excellent job of illustrating is that is seems that if the blackhats were to suddenly (and collectively) shift their efforts to targeting Mac instead of Windows," he said, "then Mac users would likely not fare much better than Windows users have."

But they won't, I'm willing to bet, and not just because it's a numbers game but because the exploits are not out there. Just because there's a vulnerability does not mean there is an exploit. Just because that vulnerability is similar to a Windows one does not mean that writing an exploit is as simple. Just because, just because, just because!

We should really be concerned about the number of successful exploits per platform rather than the number of unexploited vulnerabilities. Now, can someone take that Apple Fatwa off my head?