(Feb 2014) There is a bug in Mac OS X 10.9 (Mavericks), as well as the iPhone/iPad OS, that means that secure websites can still be impersonated. That is, even though the URL begins with https and the browser shows a "lock," a bad guy may intercept and spoof what you see on the screen. Apple released OS X 10.9.2 on 25 February 2014, fixing this security bug and several other problems. If you took my advice and did not install Mavericks yet, you are safe. I plan to wait until other people report success before I update.
(Jan 2014) Some home routers have "back doors" built into them by their manufacturers. Problems have been found in Cisco, D-Link, Netgear, and Linksys routers. These back doors allow a bad guy to take over your router and silently redirect your web browsing to fake sites. They could spoof your online banking site and steal your money, or do other bad things. If you use one of these routers, check into this.
(Jan 2014) There are "undelivered item" emails being sent that contain links that will install Mac malware without asking you for a password. The malware gives complete access to all files on your Mac to the bad guys, and lets them run any command, including installing more malware. Be vigilant, and use Firefox or Chrome instead of Safari.
(Jan 2014) Some users of the Chrome browser who installed third-party extensions are being flooded with spam, which could include ads that send the user to infection sources. This happens when spammers buy the rights to a formerly-trusted extension from the developer, and send an automatic update that adds the spamming. Be cautious about which browser add-ons you choose.
(11/29/13) Hack attempts are extra common in the year-end season. Many people are getting forged mail or text messages, ostensibly from Google, saying "your mail has been hacked." Forged messages from UPS, banks, etc with ZIP attachments containing virus droppers are also spreading: I get a few a week. Don't open ZIP attachments unless you are sure they are not forged; scan such files for virus before using.
(08/06/13) There are new phishing scam emails: one that says "your account has been suspended" and appears to come from Apple and one that appears to be a connection request on LinedIn. Don't Click Links In Email unless you are sure they are not forged.
Criminals are working hard to get you to run their programs on your Mac. If you click on a link in a malicious e-mail or view a web page that contains an attack, your computer can be infected with malware. This can cost you money and time, get you in trouble with friends and the law, steal your identity, or mess up your computer.
If Facebook, or any web page, says you should install a Flash upgrade or a Video Codec, DON'T CLICK IT. Don't Install "Mac Defender", or similar fake anti-virus scareware.
To update Apple software, start with the java.com, and find and download the update. (Some software, such as Adobe Flash, has an "automatic update" option. Turn it on.)menu item. To update non-Apple software safely, restart your browser, type in the URL of the company website, e.g.
Because I am a "security guy," I put up with some inconvenience to keep my computers more secure. Everyone's security situation is different, and these tactics may be too much, or not enough, for people with different concerns. The measures you should take depend on what you are trying to defend against, and the value to you of the information on your computer that you want to protect. (Many of these measures also work or have analogues on other systems such as Linux and Unix.) Some of these steps may be too detailed for the general reader, but perhaps they will suggest the complexity of the security problem and the need to use multiple solutions.
Apple has produced Security Feature Guides for OS versions from 10.3 (Panther) to 10.6 (Snow Leopard) with advice from the NSA. They are very thorough. There are some security measures that I have not chosen, after considering my security risks:
Here is a good set of Safety Tips from Sophos.
Almost all malware programs out there are not actually viruses but Trojan Horses. That is, the threats are programs that trick YOU into typing your admin password and installing them. For example, if you get a mail message that says "From: Microsoft" and has a link to click that will update Microsoft Word, DON'T. Similarly for mail that appears to be from PayPal, EBay, or your bank. (Mail senders can be forged. Links in mail may not go where you think.) If you're browsing a web page and you get a popup window that wants you to update your Flash player, DON'T. (There are multiple fake updaters for Flash, some spread via Facebook.) There are current attacks on Macs that do these things.
I have written elsewhere about general suggestions on home computer security. Summary:
Use common sense. To avoid malware problems, use good sense when surfing and clicking. Don't enter sensitive information, like credit card numbers, into untrusted or insecure web pages. Be suspicious. Watch out for scams and fraud. Here is a nice article: Mac security: scams and fraud.
I installed the free version of the ClamXAV anti-malware scanner on my Mac. This program does not splice into Mail or the file system to watch for new files: it only scans directories you point it at. So far it has not found any problems on my computer, when I use it to check attachments sent me by others.
Malware scanners can check your whole hard drive, or selected files, when you tell them to. Malware checkers attach themselves into programs on your computer, such as Mail, and check files when they enter your computer; to do this they have to hook into applications and system facilities in ways that the malware cannot bypass. Such hookups are sometimes broken by OS updates, or lead to problems using your computer, or consume excessive resources.
Anti-malware programs' definition files must be updated very often in order to be useful. Anti-malware companies constantly capture and analyze new malware that is designed to evade existing detectors. Then they update their malware definitions and detection methods, and make updates available to you. Your computer can be attacked before you get protection installed. Recently, there have been multiple malware variants released in a single day, faster than the anti-malware software can be updated to catch it. See Rich Mogull's article "Do You Need Mac Antivirus Software in 2013?" for his view.
Mac anti-malware packages are available from Sophos, Intego, F-Secure, PC Tools, BitDefender, McAfee, ClamXav, Norton, SecureMac, and Avast!. They all claim to the the best.
Beware: the bad guys are sending out spam email offering you fake anti-virus software. I get a couple of these a day. If you install it, it may pretend to work, while taking over your system.
(January 2013) Two vulnerabilities in Ruby on Rails made over 200,000 websites exploitable. Clicking on an infected website could lead to multiple attacks: some might try to spoof popup windows that ask for your password, and others might find a hole that can be exploited without asking. Hacking toolkits are expected to exploit both holes soon. Click cautiously and apply security patches when available.
(August 2012) More malware that can infect Macs has been discovered. Click cautiously and apply security patches when available.
The FBI is investigating cases where malware was installed on travelers' laptops through application software updates on hotel internet connections.
Several Trojan Horse attacks are also being distributed via infected Microsoft Word files.
Make sure you apply the latest update to Word 2011. (Only Snow Leopard and below are vulnerable to this attack.)
There is also a serious security threat that attacks Macs that just visit an infected web page:
the malware tries to steal financial passwords from your computer.
It has been estimated that over 500,000 Macs have been infected.
Protect your computer by installing the Apple update for Java from .
See the page on The Flashback Malware for detailed instructions.
(Jan 2014) There are still 22,000 Macs infected by Flashback.
(April 2012) There are recent attacks on Macs that send infected Word documents in e-mail attachments. These exploit a hole that Microsoft patched years ago. Make sure your Microsoft products are up-to-date, by using the built-in Microsoft updater.
(March 2012) The various incarnations of the Flashback Trojan use ever changing tricks to get you to install it. Vist a hacked website, and you may see dialog boxes requesting your admin password with various excuses (such as a fake password dialog box from "Software Update"), or you may see a request to accept a certificate that claims to be from Apple but is not. If you get fooled, you are in big trouble: the Trojan will install code into your browser so it can steal your banking passwords and watch your traffic. Many blogs have been hacked recently, to send malware to your browser or redirect it to a malicious page that does so. Using Firefox with FlashBlock and NoScript or Chrome with ScriptNo will help catch these attacks. OpenDNS will also prevent access to some malicious URLs. Make sure you have Java up to date, and do not accept fake (self signed) Apple certificates.
Macs used to have fewer security problems than Windows because hackers concentrated on the flaws in Windows, but those days have passed. Over time, Windows has improved, and Apple should be working hard to improve also. Mac OS, Windows, Linux, and other Unix descendants are all written in the C language using informal processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying.
It is your responsibility to keep informed about your computer's security. Attackers will continue to try new ways to break into your computer and your online accounts. Even if you were fully protected yesterday, some new attack might be discovered tomorrow.
I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them. There's nothing inherent with Apple themselves and their development.
-- Marc Maiffret, former hacker