Third-party software for the Mac has been and always will be an issue, says Foreground Security's Henderson. "The biggest flaw with any system is always third-party software," he says. "Even with sandboxing and software/hardware protection techniques, major exploit kits still heavily target browsers, and the last few big exploits have been via third-party applications."
Ironically, those vulnerabilities tend to exist in the same applications that provide a conduit for malware in Windows: Oracle Java, Adobe Flash, and Adobe Reader. Office macro vulnerabilities are not an issue in OS X only because Office for Mac doesn't support them and thus can't run them.
Allowing Java access across the enterprise is a bad idea, Henderson maintains, "yet I continue to access networks using these attacks. The landscape is changing, as Apple recently decided to stop supporting Java. But users can still install the Oracle version, which will still make Java-based attacks viable."
Ironically, some Mac antivirus software such as Symantec's requires the use of Java to operate, forcing enterprises to enable the risky Java to gain antivirus protection. Likewise, Flash is required by some Web-based online meeting services, for YouTube, and for many companies' marketing websites.
The Mac hardware weaknesses you should know
Apple uses much of the same core hardware as Windows PCs: Intel processors, USB ports, SATA hard drives, and so on. Its hardware risks are similar for those components, says Henderson.
"There is debate about whether CPU attacks are real, but nonetheless, CPU, BIOS, and motherboards still remain a viable target for Tempest-like attacks," he says. Spy agencies like the NSA use such attacks. (They put monitoring radios and other spy gear inside the computer itself.)
Apple's management APIs don't provide a way to lock down USB or other ports. Monitoring external media connections through a host-based intrusion prevention system is a good first step for companies that do not want the inconvenience of disabling USB and similar ports, Henderson advises.
Apple does not support the Trusted Platform Module that Microsoft will require all PC makers to support starting next year, to make encryption keys much harder to hack.
Also, one of the Mac's conveniences — its ability to be booted from any attached disk with OS X installed — could be used to bypass OS X's password requirements, giving a thief access to the Mac's contents and time to try to break any encryption. Ironically, Macs support firmware passwords, a feature that can lock a Mac to a specific startup device, but few people know about it, Henderson notes. (You can access it only by booting from the recovery partition and running the OS X utilities there.)
The more integrated "all in one" hardware Apple provides in its thin laptops — the Retina MacBook and MacBook Air — and in its iMacs makes tampering more difficult, Ullrich says. For example, it's not easy to remove an internal hard drive or flash drive to copy data from the drive.