Apple's Mac computers and its OS X operating system have enjoyed a reputation for being relatively secure over the years. But in fact, experts say, the Apple OS has had security issues that might have been downplayed only because the vulnerabilities were not exploited.
As more enterprises deploy Macs, the state of OS X security is more likely to be a topic of discussion in IT strategy meetings. Indications are that Macs will continue to find their way into the workplace, as Gartner has noted. Apple's iPhones and iPads are already well accepted by enterprise IT. While Mac laptops and desktops remain "not commonly accepted by IT," that will change as Apple continues to benefit from consumerization and adapt iOS technology into OS X, Gartner says.
Apple security issues made headlines in late February when the company confirmed a major security flaw in the iPhone's and iPad's iOS and in the Mac's OS X. The flaw causes iOS's browser engine and many of Apple's Mac applications to skip a critical verification check that is supposed to occur when many Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections are being negotiated over unsecured Wi-Fi networks, which could allow man-in-the-middle attacks in public hotspots. The company quickly released a fix for mobile devices running iOS, but took several days to patch OS X.
Whether OS X is more or less secure than other operating systems today is difficult to say -- it's hard to compare the number of vulnerabilities in different operating systems.
For example, many vulnerabilities currently used to attack Windows aren't vulnerabilities in the core Windows OS, says Johannes Ullrich, chief research officer at the SANS Institute, a research and education organization for security professionals. Instead, many "Windows" vulnerabilities are actually in third-party software like Oracle Java, Microsoft Office macros, Adobe Reader, and Adobe Flash.
"At the same time, most malware seen for OS X does not use any [inherent OS] vulnerability at all, but instead tricks the user into installing the malicious application," Ullrich says.
As with Windows, building user awareness and training Mac users not to click on certain things is a necessary but difficult task, says Henry Henderson, senior penetration tester at Foreground Security, a security consulting firm. "Defense-in-depth only helps if you train your users and have the proper tools in place to detect the basic things," he says.
"I don't think either operating system today has a significant advantage when it comes to security, and the market share is still the most important issue when it comes to the prevalence of malware for either operating system," Ullrich says.