Apple's antivirus advice 'big to-do about nothing,' says researcher

The fact of the matter, continued Storms, is that security professionals urge users of all platforms to defend their systems with layers of protection -- only one of which may be antivirus software -- and make the same recommendations to everyone when it comes to current threats.

"It's the human and the human information that is at risk today," said Storms. "Criminals just want your private information, your online bank account or credit card or Social Security number."

Yet Storms understands how a short Apple support note can generate interest far above what something similar issued by, say, Microsoft, would create. "If Apple would say something about security, like 'We've said this before, this is just an update,' it wouldn't have been such a big deal. But it won't."

Storms has been critical of Apple's security procedures in the past, most recently in September when he took the company to task for its ad hoc scheduling of patches for Mac OS X and its other software.

"People have this conception that Macs can't have malware," said Charlie Miller, a researcher at Baltimore-based Independent Security Evaluators. He seconded Storms' theory about why a simple notice from Apple got so much attention. "Obviously, that's false. I've written exploits [for the Mac], and there's nothing inherent in the [Mac] OS to stop someone from writing a virus. But at this point, no one's taking the effort to go after the Mac."

But Miller, who regularly roots out Mac and iPhone vulnerabilities and is perhaps best-known for walking away with a $10,000 prize for hacking a MacBook Air laptop in under two minutes last March, pooh-poohed Apple's recommendation using the same logic as many longtime users.

"Windows has 90% of the market, but [attackers] give it 100% of their time," he said, echoing the idea that hackers target the largest pool of victims.

Criticizing security software for its cost -- both in dollars and in the processor cycles it consumes -- Miller admitted that he doesn't bother running any on his Macs. "I don't think it protects me as well as it says," he argued. "If I was worried about attacks, I would use it, but I'm not worried."

He acknowledged, however, that he isn't a typical user, and he noted that the time may come when he would have to eat his words. "When Macs make up 30% [of the computer market], maybe then there would be an explosion [of malware]."

"Macs do get attacked," Storms added. "They've died two years in a row at 'PWN to OWN'," he said, referring to the contest that Miller won this year, and that New York-based researcher Dino Dai Zovi won in 2007 when he broke into a Mac laptop using a Safari browser bug.

"It's true that the Mac is not a large target," Storms said. "It's still not. But we're not in the old world of viruses, we're in the world where [malware] grabs passwords. It doesn't matter if you have a Mac or a Windows machine; criminals don't care."

Read more about security in Computerworld's Security Knowledge Center.