"Apple is targeting the economics of malware, which is an excellent way to prevent any widespread attacks," Mogull says. Of course, even as Apple continues to harden the operating system, OS X will still be subject to targeted attacks. "But Macs today are safer in the enterprise than Windows, assuming you can get the manageability you want," he says.
Others aren't as keen on Macs' security level when it comes to malware. Despite the Flashback incident and recent Java attacks that could affect Macs just like Windows PCs, "most OS X users are still under the illusion that they are safe. They are far from safe," says Foreground Security's Henderson. Henderson laments that OS X users typically do not install antimalware software and vendors don't aggressively market their tools.
Of course, as any Mac user will tell you, it's extremely rare for a Mac to be infected by a virus -- most users have never had an infection, even over a decade's use. The Flashback incident in 2012 was the exception to that quiet. By contrast, Windows users are routinely infected both at home and at work, and there's a major new infection several times a year.
OS X users have to worry less about viruses due to the smart way that Apple has engineered security into its operating system, says Dan Guido, CTO of Trail of Bits, a company that provides security research and services.
"Features like Gatekeeper and the availability of the App Store on the Mac desktop do far more to keep users safe than installing antivirus software," Guido says. Apple also forbids use of Java 6 and earlier due to their security holes, and discourages use of Java 7. "We explored this phenomenon in our analysis of mobile malware ... and found that Apple knows these are hard obstacles for hackers to overcome."
The OS X weaknesses you should know
To be sure, even with the security improvements Apple has made, IT needs to be aware of other issues, Ullrich says:
- OS X often does not integrate well with commonly used configuration tools. Although OS X now integrates with an increasing number of mobile management tools, due to the security and management APIs shared with iOS, that's not yet a common management approach in the enterprise.
- Apple does not furnish long-term support for its operating systems, typically providing patches only for the current and previous version, requiring relatively fast updates. Apple has extended some security updates as far back as 2009's OS X Snow Leopard, but usually after a delay.
- Apple's built-in firewall configuration graphical interface is basic, though it can be improved with command-line or third-party tools.
- OS X tends to rely on Apple-provided, cloud-based services for backups, remote management, and password storage, which can be hard to control for corporate systems.
- Apple does not provide a security configuration guide for any recent version of OS X.
- Apple has been slow to release updates for OS X's open source components.
Third-party software for the Mac has been and always will be an issue, says Foreground Security's Henderson. "The biggest flaw with any system is always third-party software," he says. "Even with sandboxing and software/hardware protection techniques, major exploit kits still heavily target browsers, and the last few big exploits have been via third-party applications."
Ironically, those vulnerabilities tend to exist in the same applications that provide a conduit for malware in Windows: Oracle Java, Adobe Flash, and Adobe Reader. Office macro vulnerabilities are not an issue in OS X only because Office for Mac doesn't support them and thus can't run them.