Securing Macs in the enterprise

“If you’ve ever consulted with a computer security expert and they seemed a little paranoid, consider it a good thing – paranoia is an essential component to effective security,” Aaron Weiss writes for eSecurity Planet. “Conversely, lack of paranoia is a risk factor, which is a key weakness in security for Mac computers – particularly in the enterprise.”

“It is no myth that Macs are less prone to viruses and malware. There are several good reasons for this. Part of the explanation lies in the OS design. OS X requires an administrator password to install privileged code, thereby defending against the kinds of rampant ‘drive-by’ installs of malware that plagued Windows XP and to a lesser degree Windows Vista, despite Microsoft’s efforts to implement similar controls,” Weiss writes. “The network security landscape has become considerably more complex in the decade-plus since OS X was released, however. Viruses are old news, and even most modern Windows machines are well defended against them. ‘Bad guys’ are exploiting numerous new attack vectors from which the Mac is not necessarily immune.”

Weiss writes, “Java and Flash are just two examples that illustrate a key point in modern Mac security. Either these third-party runtimes need to be kept off the machine or else a policy for keeping them up to date must be rolled into any security maintenance plan.”

Read more in the full article here.

Related articles:
BYOD boosts Macs vs. Windows PCs: The final barriers to widespread Mac adoption in the enterprise are eroding – February 19, 2013
Mac attack: The world finally begins ultimate personal computing upgrade – January 17, 2012
Apple Macs continue to invade the enterprise – September 5, 2012
Gartner: Apple Macs invading the Windows PC-dominated enterprise – June 6, 2012
Mac Attack: Get ready IT doofus, your world is about to be turned right-side-up – November 28, 2011
Hell freezes over: Forrester urges IT to support the Mac – October 27, 2011
Corporate Mac sales surge 66% as Apple makes huge enterprise gains – May 20, 2011
Mac vs. Windows in business case study: Macs have 1/3 fewer problems that are solved 30% faster – June 2, 2008
CIO: Apple’s Mac OS X is the most cost effective operating system – September 24, 2007
Apple Mac desktops, notebooks top PC Magazine’s Annual Reader Satisfaction survey – again – September 18, 2007
CIO: Eight financial reasons why you should be using Apple Mac – August 01, 2007
Switching business from Windows to Mac offers significant savings – July 23, 2007

31 Comments

    1. I know what you mean, having read plenty of mindless idiot FUD predictions of Mac DOOM since 2005 when Symantec started the trend.

      BUT: This article isn’t FUD. Pointing out that Oracle Java and Adobe Flash/Shockwave/Reader/AIR are THE WORST malware vectors for Mac is 100% correct. The single best strategy for keeping your Mac safe these days (apart from making regular backups) consists of removing ALL of these Oracle & Adobe malware rat holes from ALL your Apple devices.

      Clearly, Adobe & Oracle’s horrific flood of zero-day exploits has NOTHING to do with Apple, who have separated themselves from any responsibility for their use. It’s the USER’S responsibility. IOW: Be a user, not a LUSER.

      1. To avoid confusion, I should add that the Oracle Java problem is entirely due to Oracle’s consistently POS Java web browser plugin. Apple’s OS integrated implementation of Java 6, which can be crucial for running many applications, is NOT the problem. It has nothing to do with Java on the web.

  1. Flash and Java are tolerated in the PC world only because their security flaws are obscured by the massive security holes in Windows. It’s time to do away with both of those pieces of crap.

    1. I try. Man do I try, but people demand FLASH and Java, especially people who have to deal with crappy Government sites. Turn off JAVA in a law office and you will start hearing the howling within minutes. Turn off FLASH in any office and it’s amazing how many legitimate uses people have for FLASH. I thought it was all Whack-A-Mole traffic on AOL, but no, everyone from American Express on down seems to be doing crap with FLASH.

      With JAVA at least you can turn it off in the browsers and wait until someone actually truly does need it instead of leaving it sitting there ready to compromise.

      1. Sheesh. We’re back to dealing with US government crap security. I know at least a handful of top notch folks in the military who know computer security extremely well and would NOT let this crap happen. But such is the leadership structure…

          1. I have determined that Glenfiddich Whisky Liqueur is most effective in banishing fear of the grammar police, though the jury is still out on its value in the realm of computer security.

    1. Why doesn’t Apple have “outbound firewall” functionality built in?

      I totally agree.

      However, having used Little Snitch as my reverse firewall for years, I have to point out that it is not for casual users. Granny would be ripping out her hair when it stopped apps from working correctly or kept throwing windows on the screen asking for outbound Internet connection permission. I’m used to it and even find it interesting and educational. But it’s not for newbies or even many intermediate users.

      Hopefully in the future, what we euphorically call ‘artificial intelligence’ will actually advance to the point where it can make intelligent decisions for beginning computer users. It could happen! Certainly not yet.

  2. I’ve always made it very clear to my clients that just about every single time you hear that the Mac is affected by some malicious exploit, it is a lie. A 3rd party piece of software has most likely been exploited and typically those are FLASH and JAVA. I also make it clear to my customers that those exploits almost always require the cooperation of the user.

    As such, I do not install Macs and give clients privileged usernames. I have a privileged username, the office managers have a privileged username, but the rank and file users, from CEOs, COOs on down are not privileged. They cannot install software. Even if the important people demand privileged access, I surrender it, but tell them to only use that username when something demands privileged access. That way they get one more chance to think about what they are doing. Are you installing software so you can see a video of Anna Kournikova eating a Dolphin steak in the nude, when I told you just about every possible video codec is installed already? If so, someone is trying to hack you.

    You have to explain to users in terms they can understand. I find it easier to explain social engineering in terms of the old Saturday Night Live Land Shark skit. There are lots of Land Sharks out there pretending to be what they are not.

    Knock Knock… who’s there? FLASH UPDATE!

    In addition, monitoring logs for routers has become a daily job now. It isn’t just big companies that are being hit constantly by Chinese Hackers.

    I will often set up a bait server, running OS X Server, and just watch the amount of traffic that server attracts. All break in attempts. When you follow the IP address back, it’s always somewhere in China. It’s creepy. They will bang the heck out of it with brute force attacks. Most of my clients work only locally so I block traffic from China, Eastern Europe, Estonia, Brazil, anywhere I get suspicious traffic from. Blocking email from those regions also prevents a great deal of spam.

    The sheer volume of hostile spam is also creepy. I have a client that gets millions of pieces of spam, from people guessing email addresses.

    If we could get rid of all the evil traffic on the Internet, think how fast we could download the latest episode of Doctor Who from iTunes. Heh.

    Security is full time in Mac installations as well now. Don’t let anyone tell you differently.

    1. As you’ve rightly said, it’s now the user that’s the weak link in the security chain for Macs and PCs.

      Even though a lot of attempts are coming from the Far East, don’t underestimate the script-kiddies — I tracked the biggest pain pounding on my personal server to a high school computer lab in Chicago. An email to the principal with the time/date data from a series of attacks managed to stop it. 🙂

      1. Kudos for handling that yourself without invoking Amun to arouse the IT authorities—who after all are little more effective than Keystone Kops facing a motley, polyglot array of miscreants.

        If only more users had your basic savvy, this problem might begin to recede like smallpox or measles have done in our lifetimes.

    2. I hear you! There’s nothing that’s done with Flash and Java that can’t be done with something more secure. People need to quit designing pages and applications that use them. It needs to become unacceptable to use them. I know, there are many sites, especially government sites that require them, and also include Microsoft specific shortcuts, like .net, in their coding. That’s just myopic and archaic thinking. This falls at the feet of IT managers. CTOs need to start replacing people who are still stuck in 1996.

      1. There is no realistic hope of getting rid of these IT decision makers or even of changing their mindset. Corporate HR policies, combined with a continued deference to enshrined IT job descriptions based on mysticism, protect self serving shamans. In large corporations, government agencies, and service providers, at least a generation must pass before tradition can be seriously challenged by new thinking. The problem is structural, and dying technologies cling to life because of this, and only because of it.
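The bait-server monitoring described in comment 2 above (watching a server attract brute-force login attempts and deciding which sources to block) needs a repeatable check rather than eyeballing the log. The script below is an added example, not code from the article or any commenter: it parses OpenSSH-style “Failed password” lines (the format Apple’s OpenSSH-based sshd writes, here as constructed sample data with documentation-range addresses) and flags any source address that reaches a threshold of failures inside a sliding time window, so a single mistyped password never trips it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): one noisy source, one legitimate
# user with a typo, and one slow source whose two failures are hours apart.
SAMPLE_LOG = """\
Feb 20 03:12:01 bait sshd[4021]: Failed password for root from 203.0.113.5 port 51122 ssh2
Feb 20 03:12:03 bait sshd[4021]: Failed password for root from 203.0.113.5 port 51123 ssh2
Feb 20 03:12:04 bait sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Feb 20 03:12:06 bait sshd[4025]: Failed password for invalid user oracle from 203.0.113.5 port 51125 ssh2
Feb 20 03:12:07 bait sshd[4027]: Failed password for root from 203.0.113.5 port 51126 ssh2
Feb 20 03:15:40 bait sshd[4100]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Feb 20 03:40:41 bait sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 40101 ssh2
Feb 20 04:20:00 bait sshd[4200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Feb 20 06:20:00 bait sshd[4201]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches the standard OpenSSH failed-password line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2013):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are ignored.
    syslog timestamps carry no year, so the caller supplies one (assumed 2013 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def brute_force_sources(log_text, threshold=5, window_seconds=300):
    """Return {ip: (failures_in_window, usernames_tried_so_far)} for each source
    that reaches `threshold` failed logins within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward; log order is chronological
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), sorted(users[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (n, tried) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures within 5 min; usernames tried: {', '.join(tried)}")
```

The flagged dictionary is the input to whatever blocking step you already use (a firewall deny list, or the regional blocking the comment describes); tuning `threshold` and `window_seconds` trades false positives for reaction time.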

  3. Not to nitpick, but I take issue with one sentence in Weiss’s piece — “It is no myth that Macs are less prone to viruses and malware.”

    It would be more accurate to have written, “It is no myth that there are still no viruses for Macs running OS X, and they are also less prone to other forms of malware”.

    My sensitivity to this detail arises from a prickly discussion with a woman in my last workplace, who had read that “there are lots of viruses for Macs”. My efforts to explain the difference between viruses, worms and trojans were in vain.

    My IT department must have read the same story. Shortly after, they locked my Mac off the network on the grounds that it was “a security threat”.

    1. *GROAN* – The usual IT ignorance and anti-Apple FUD. Barf.

      I often have trouble explaining to computing ‘professionals’ that viruses are only one form of malware. On Mac, calling anything an ‘anti-virus’ is a total misnomer as there ARE NO actual ‘viruses’ for Mac OS X, never have been. Instead, there have been many Trojan horse malware for OS X, all of which use social engineering to induce LUSER behavior. There have been, thanks to the crap state of Oracle Java, a few ‘drive-by’ malware that automatically infect computers running the web Java plugin. That’s about it!

      IOW: NO current malware for OS X have anything-at-all to do with Apple’s implementation of OS X. That doesn’t mean OS X is perfect. Apple’s QuickTime used to be a horrible source of security holes and cross-site scripting attacks. But Apple has increasingly been focusing on security and has some excellent OS X features that block known malware infections.

      Apple, never perfect, always better than the alternatives. Sorry Apple haters, but that continues to be the case. Yes, OS X, as an OS, is even safer than Linux. Look it up please if you disagree.

  4. As an aside, regarding SPAM:

    I became a paying member of SpamCop.net back when it started in 1998. I turn in to them every single piece of verified SPAM I receive (unless I’ve been otherwise distracted). Over time I have received less and less SPAM to the point where I receive maybe one piece of spam every few days via Apple, Gmail or Time Warner email addresses. My best guess is that SPAMMERS have more than one list these days. One list is of viable emails ripe for SPAMMING. The other is a ‘Do Not SPAM’ list with people like me on it, because they know I’ll have their SPAM traced and get them knocked off the Internet.

    Is Granny going to use SpamCop.net? No way! But for me it has been a surprising success, to the point where it’s kind of disappointing to no longer be killing off SPAM RATS on a daily basis. Darn.

    SpamCop.net (not .com!)

  5. Pwn2Own. All OSes with their firewalls up and no services open ALL can take the best hackers with ZERO OSes falling. Yes, even Windows. Open up services and use a browser and third party programs and any OS is open. Even OS X. Our friend from Moldavia proved that. OSX/Pintsized.A by-passed Gatekeeper and, from what the white/gray hats say, X-Protect is an easy by-pass.
    Windows OS is getting infected by mostly third party programs too.
    OS X is enjoying security through obscurity still to this day. So many think the password is going to save them from the malware install. Authentication by-pass with elevated privileges if used in a couple exploit kits would devastate the Mac community AGAIN. As did Maxim Selihanovich of Saransk, in Mordovia.

    Get a competent malware writer who wants to spend the time to fuzz OS X and write exploit code and we will have another Flashback own problem. Maybe this time it will be Quicktime. Just look at all the vuls Apple has. Any one could be used against it. Just is………No one wants to spend the time. Thank God. Security through obscurity. I like that, because I have 5 Macs in the house!!!

    1. The fact that you erroneously refer to the Mac’s smaller market share as “security through obscurity” calls into question the validity of the rest of the information in your post.

      I would never suggest that OS X can’t be hacked; history clearly shows that it certainly can be vulnerable to an individual with enough knowledge, experience, and desire. After all, as you rightfully pointed out, NO system is invulnerable to attack.

      However, I take issue with your suggestion that somehow the Mac’s relative obscurity is what is insulating it from exploits. Have you been to a college classroom or commons recently? A coffee shop? There are Macs everywhere! The Mac is starting to attain a significant market share, enough so that a well-done exploit should be well worth the effort.

      There are tens of millions of OS X computers in use daily. It’s a ‘high value’ group, a perfect storm of affluent and unsuspecting. Yet, the only exploits have been zero-day conducted by the best of the best, with none in the wild. Why is that? It clearly isn’t because of any imaginary ‘obscurity’ myth.

  6. 10% is still 10% and 90% is still 90%. I live by a rich community. It is full of BMWs (low market share manufacturer). Have you looked at rich communities lately? Tons of BMWs. Go elsewhere, not so many. You gave me demographics that are fully loaded with people who are keyholes into using Apples just like they vote democrat. But my argument is not on that, that is a given.

    Organized crime is looking at how hard do we want to work for our money. Any business model would go after Windows full force because of the % and because it still is easy pickings and of course, big and small business runs on Windows. Go after 10% or go after 90% that we have a full infrastructure setup to serve Windows malware that we are totally winning at, why screw around with fuzzing and writing exploits that take weeks and months to pull off.

    As for Apple being for the affluent, some yes but there are still a very high # of average liberal lower incomes types to fill the high percentage of Apple users. They are all not loaded with money. As unsuspecting, yep I agree with you there.

    The Grimes corollary: “Whatever is the most popular, is attacked the most”.

    I don’t want Macs to gain a high market share. Who wants to dick around with rootkits, auth. by-pass droppers etc… Not me or you. OS X is not OpenBSD even though you want it to be to think it is.

    Now I will give that that may change in the next couple of OS versions when OS X will morph more like iOS with limiting code execution and scripting.

    I still stand by my security through obscurity statement. The desire is just not there, and the money faucet was shut down too quickly to make it worth it as in the Flashback case. I read somewhere and I will try to find that, that this was a test case that organised crime looked at from the outside and they saw how fast it was shut down they won’t lift a finger till it is a higher percentage and less news worthy.

  7. @botoncandy

    iOS is a phone and a tablet OS that is so limiting in code executing and scripting it is not in this conversation. That IS a safe OS. I love the walled garden. My family has 3 iPads.

    Feel better you said FUD? How cliche!

  8. @botoncandy

    It is not a myth. It is ONLY a myth with Mac zealots. Keep your dogma going. Organized crime just does not care about OS X. Which is good. I don’t want them to care. It affects me. But you automaton Mac zealots are totally clueless on how malware works. Malware if written for OS X vuls will act 100% like it does for Windows. Same pwnage factor. No one that is skilled has done it except for the guy in Moldavia.

    Oh, others write some common trojans, but linking all the server exploits, IP changes, C&C server jumps and getting it to work is a great feat to get it working smoothly.

    Security experts just laugh at the Mac zealots thinking OS X is somehow different from Windows when exploit code is written to do its dirty work. Your password, X-protect, and GateKeeper will all be by-passed with ease and the exploit will happen and will gain root and a payload drop with install. It just so happens no one cares yet about OS X. The one guy (that was skilled) that did, won. He did not want a trophy, it took Krebs to get his name out. He wanted ONLY your money. Security experts if they spent a month or two could do the same and guarantee gaining root en masse. They just don’t want to spend the time.

    Hence, security through obscurity. Or let’s reword this for you: security through “I don’t want to write and test all that code because there is little value in going after Macs yet,” because there is too short a life span of the malware to make the months of work worth it.

    FUD, How cliche!
