Gartner Blog Network

Yes, Macs are Vulnerable Too.

by Neil MacDonald  |  September 25, 2009  |  6 Comments

Do Macintosh machines need AV?

My answer: Forget the OS. Do users download and install arbitrary code or applications? (Don’t forget, this includes browser plug-ins as well.) If so, I don’t care whether you are running Macintosh, Linux, or Windows: the answer is that you need protection from malware, including signature-based mechanisms (historically referred to as AV…). Just as on Windows PCs, signature-based detection mechanisms are not enough, and we need to augment them with firewalling, application control and other styles of endpoint protection within an endpoint protection platform.

Don’t misinterpret a lack of publicized Mac attacks to mean that there is an underlying lack of vulnerabilities. There are plenty. See this chart from the latest IBM ISS X-Force security report:


This table shows the Operating Systems with the most security vulnerabilities in 2008. Compared to any single version of any other OS, Apple OS X takes the top spot.

Safari? It’s running neck and neck with IE in terms of the sheer number of vulnerabilities. Here’s similar data from the latest Symantec Internet Threat report:


And Safari had the highest window of exposure among the major browsers in the last reporting period. The vulnerability data should be a wake-up call to Macintosh users.


To me, the data shows Apple needs to put more focus on security in its development (and response) process.

The vulnerabilities are there, including users who can be tricked into doing things they shouldn’t. Mac attacks happen and will become more prevalent as the OS continues to gain adoption. Most Mac users run with de-elevated privileges, which helps to mitigate some risk, but even if the attack runs in the context of the user, today’s financially motivated attacks are happy to quietly harvest end-user data, send it out over standard ports and not try to infect system files.

Macs are not immune to today’s threats, nor does Apple’s code contain significantly fewer vulnerabilities than other OSs.

To me, it’s a matter of when, not if, large numbers of Apple users will be affected by an outbreak.

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Yes, Macs are Vulnerable Too.

  1. Scott Olson says:

    Good article Neil. This is actually one of my main concerns with my Macs. The big problem is that there isn’t really a viable security solution for Macs yet.

    Given the lack of a viable business market for the anti-virus vendors with Macs and their already diminishing effectiveness at protecting against new attacks, I am left with hoping for the best and patching every time Apple has a new update.

    Until there is a viable Mac security solution I still get nervous every time I click on a shortened URL or my machine runs slow.

  5. BS says:

    –Sigh– Yet another security “expert” who uses flawed logic to defend his pet OS — Windows — for its inherent shortcomings in the security department.

    First of all, how many of these vulnerabilities listed are rated Critical by SANS? I will guarantee M$ has more critical vulns every year than OS X and Linux.

    Secondly, how many of these vulns are a result of third party applications that come bundled with OS X and Linux? I would bet a significant portion of them. As we all know Windows doesn’t come bundled with much of anything.

    Thirdly, I wonder how many vulnerabilities in Windows we never hear about? That is, vulnerabilities that M$ does not release to the public that are found in house? I would bet many.

    Fourthly, I wonder how quickly M$ patches their vulns on average compared to Linux? I KNOW the answer to this question — Linux smokes M$ in this department. (I can’t speak for Apple).

    Fifthly, and most importantly, if OS X and Linux are just as prone to viruses, then the salient question we must ask is “Where are they?” Linux has been around 17 years and OS X, for what, a decade? Why do we not even see a few viruses out in the wild spreading around? Just one? Where are they? OS X is 10% of the desktop market and Linux DOMINATES the server market, yet we still don’t see any viruses in the wild.

  6. Neil MacDonald says:


    Take a look at the posts again. This is not a Windows versus Apple discussion. The question any Mac user should ask is “Is Apple doing all it can to produce secure code?”. The data shows that the number of vulnerabilities is real.

    It doesn’t matter whether it’s Windows, Linux, Mac or any other OS. If it’s written by human beings and is operated by end-users that download and install arbitrary code, are tricked into clicking on links they shouldn’t and so on, the system is vulnerable and will be attacked.

    The fact that most users run as standard user on a Mac helps, but as I pointed out, this doesn’t protect from financially motivated and targeted attacks that go after user data.

    Take a look at this interesting article:
