Mac security concerns answered

Technology commentator Bill Thompson responds to the feedback he received over his column suggesting that Mac users are too smug about computer security.

The vehemence with which the Mac community greeted my modest suggestion that the security of Mac OS might not be absolute did not surprise me.

I knew when I started to write the column, and please let's be clear that this is a personal, by-lined column and does not claim to be a news report, that I was about to step into dangerous waters.

However the piece is not a troll, and I didn't write it just to get slashdotted and have my name traduced all over the comments pages and the blogosphere.

I wrote it because I'm a Mac user, among other things, and I worry that we do not take security seriously enough as a community.

Despite what some people seem to think having read the piece, I don't believe that Mac viruses already exist, and I think it's very unlikely that they ever will.

The security model in Unix-based operating systems like Darwin means that it is very hard to see how an infection could spread, even if an executable could be compromised.

But viruses aren't the end of the problem. There are lots of other malicious programs out there, and the Mac is vulnerable to some of them.

If we ignore this then when an effective piece of Mac malware does emerge, many will be defenceless, and that will damage individual users and the Macintosh ideology.

Issues tackled

Let's deal with the bits that are weak in my article.

First, I mentioned that my broadband connection means I have to scan for viruses, but failed to point out that I scan my Windows desktop and my children's Windows PCs.

I don't have anti-virus software for my Mac, and I don't think I need it.

I have never claimed there are Mac viruses out there, and I said in the piece that they are unlikely, but I should have made that clearer.

If a Mac virus emerged then I imagine we would all hear about it pretty quickly, and defensive measures could be taken then.

Second, I pointed out that Safari can install widgets without any user intervention, and didn't make it clear that Apple fixed this issue some time ago. This was an editing error on my part, and I apologise.

And finally, I didn't give details of where to go for more help. For example, has details of the Saint vulnerability scanner and Corsaire has a white paper on securing your Mac and I should have pointed to these.

Outstanding concerns

However the wider point, that there are exploitable vulnerabilities and sometimes Apple puts them there, remains.

Even if I'm careful to apply updates when they are made available, some people might not and their systems could be compromised. And there is always a gap between the discovery of an issue and an available fix, a gap which could be exploited.

Several people asked me for examples of worms, spyware, keyloggers and even viruses for the Mac.

As I've said - let me say it again - there aren't any viruses and I don't think there will be.

But spyware and keyloggers are written for Mac OS as for other Unixes, and could be installed on a compromised system by a worm or even by a Trojan that is installed with user permission.

The Sans vulnerabilities listing shows clearly that Darwin, the Mac kernel, has the same sort of security vulnerabilities as any Unix system.

Apple's update policy means that many security fixes are bundled together, but we have to rely on their assessment of what counts as a critical bug.

There isn't much Mac-specific malware apart from Opener, which disables the firewall and can destroy data, but there are many programs which attack Unix installations and these should be taken more seriously than they are by the Mac community.

Obscurity versus security

While the first response to all of this will be that none of these spread in the wild and all require some degree of user intervention to be installed, surely we can all agree that if a way around that protection could be found, then these exercises would become real threats.

The Corsaire white paper, Securing Mac OS X, talks in detail about how to improve the security of a Mac system. It takes work, because there are issues to be dealt with.

I believe that security through obscurity is no security at all, and that unless we have an open debate about the threats facing the Mac-using community then we expose ourselves to danger.

We also do those who know little about computers but chose the Mac because of its ease of use and elegance a disservice by encouraging them to think that they don't need to think about security at all.

When I write for the BBC I'm writing for a general audience with an interest in technology, not for the Slashdot crowd. I try very hard to be accurate and when I explain technical matters I will simplify but endeavour not to misrepresent.

In this article, I was speaking to an audience of Mac users of all skill levels, some of whom know nothing about computers. They need to understand that security matters to them just as much as it matters to Windows users.

I hope I achieved that goal, even if I did upset a lot of people who seem to feel that anything but fawning admiration for Apple is an act of betrayal by an apostate.

