Allowing Java access across the enterprise is a bad idea, Henderson maintains, "yet I continue to access networks using these attacks. The landscape is changing, as Apple recently decided to stop supporting Java. But users can still install the Oracle version, which will still make Java-based attacks viable."
Ironically, some Mac antivirus software such as Symantec's requires the use of Java to operate, forcing enterprises to enable the risky Java to gain antivirus protection. Likewise, Flash is required by some Web-based online meeting services, for YouTube, and for many companies' marketing websites.
The Mac hardware weaknesses you should know
Apple uses much of the same core hardware as Windows PCs: Intel processors, USB ports, SATA hard drives, and so on. Its hardware risks are similar for those components, says Henderson.
"There is debate about whether CPU attacks are real, but nonetheless, CPU, BIOS, and motherboards still remain a viable target for Tempest-like attacks," he says, referring to the kind of attack that spy agencies like the NSA use. (They put monitoring radios and other spy gear inside the computer itself.)
Apple's management APIs don't provide a way to lock down USB or other ports. Monitoring external media connections through a host-based intrusion prevention system is a good first step for companies that do not want the inconvenience of disabling USB and similar ports, Henderson advises.
Apple does not support the Trusted Platform Module, which is meant to make encryption keys much harder to hack and which Microsoft will require all PC makers to support starting next year.
Also, one of the Mac's conveniences -- its ability to be booted from any attached disk with OS X installed -- could be used to bypass OS X's password requirements, giving a thief access to the Mac's contents and time to try to break any encryption. Ironically, Macs support firmware passwords, a feature that can lock a Mac to a specific startup device, but few people know about it, Henderson notes. (You can access it only by booting from the recovery partition and running the OS X utilities there.)
The more integrated "all in one" hardware Apple provides in its thin laptops -- the Retina MacBook and MacBook Air -- and in its iMacs makes tampering more difficult, Ullrich says. For example, it's not easy to remove an internal hard drive or flash drive to copy data from the drive.
Is iCloud a security risk?
OS X's reliance on iCloud to store online documents in apps such as the iWork suite or Omni Outliner could be a risk if those documents contain sensitive corporate information. If another Mac or iOS device uses the same iCloud account and isn't protected through encryption or a password, a thief could use that other device to access the files.
"If an employee has very confidential company data and is putting it on their iCloud and on their iPhone, the [need for] data management is expanded," creating a new exposure point, says James Robinson, director of information security at Accuvant, a provider of security services. (This risk is similar to the use of any cloud-storage service, such as Box, Dropbox, Google Drive, or Microsoft OneDrive.)
Exchange ActiveSync policies can enforce the use of encryption and passwords on a Mac or iOS device, and third-party management tools can use an Apple API to disable iCloud on iOS devices. But if a device is not under IT management, those protections can't be enabled or enforced.