by JohnTHaller 4130 days ago
Now that Mac OS X has hit about 7% of internet users, it's profitable enough for adware/malware folks to target.

Most of the infections on Windows aren't due to some huge security issue on Windows that Macs are magically immune to. They are due to the users themselves installing adware or malware-infected software from sites online. Now that there are more Macs out there, the reward is greater. So, there is more revenue to be made from adware-laden software and a better return for the time investment/risk of creating malware for Macs (to send out spam, be used in DDoS attacks, sniff for and steal financial info and passwords, etc).


This is a common (and tired) response but it's really not entirely true - Windows does in fact have a lot of potentially catastrophic holes that are innately tied to higher privileges for users.

Most of what Windows has implemented since 7 with UAC, MSSE and now integrated with Defender is a layer on top that introduces some failsafes. I won't argue that it's been a massive and much-needed improvement to Windows, but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

Designing actual viruses - stuff that has the ability to read and modify the filesystem - is still harder to pull off undetected on OSX. This article intimates as much. Most of what's included here is either bundled applications you don't want - but you still have to actively find and then agree to - or browser modifications. Neither of those is within 500 sqmi of, say, CryptoLocker.

I never claimed that Windows or Mac OS X are more or less secure than the other. I very specifically said the following:

"Most of the infections on Windows aren't due to some huge security issue on Windows that Macs are magically immune to. They are due to the users themselves installing adware or malware-infected software from sites online."

This is 100% accurate and what most home users have to deal with in terms of issues on Windows. The vast majority of Windows issues that end users experience and get frustrated over have nothing to do with Java or Flash flaws or needing to compromise a system. The users themselves give the apps permission to install and do their thing.

It's also worth noting that Java and Flash don't provide much of an attack vector for the majority of Windows users you and I know anymore either. Firefox won't permit outdated versions of the Java or Flash plugins with security issues to run and will direct you to update. Chrome has its own version of Flash built in and automatically updated with the browser and disables Java by default. Even Internet Explorer blocks outdated ActiveX plugins like old and insecure versions of Flash and Java these days.

I still don't think that's true - visiting a malicious site without any action still provides far more of a risk on Windows than it does on OSX.

Are there improvements on the browser and OS side that are helping? Sure. Do those impact the vast majority of Windows users? Probably not. Look at browser & OS version usage and you'll see that the "users you and I know" are probably not indicative of the majority of users in general. At least not yet.

All major browsers on Windows block outdated Flash and Java by default. All major browsers on Windows are automatically updated to the latest version by default. So, for the vast majority of Windows users, the attack vectors you're mentioning simply don't apply anymore. That means users you and I know and most users we don't.

What I'd meant by that line was that this doesn't apply to users in other countries where the majority of users are still using hacked (and completely insecure) versions of Windows XP. Sadly, Windows XP still represents about 19% of online users. Thankfully, most of those users are using a 3rd party browser as IE 6 is down around 1%.

This is a commonly held misconception among OS X fans, but it's in no way true. It hasn't been since Windows 98. The claim doesn't even make sense - if your user, privileged or not, can read or write files, that means malware can modify the filesystem. The OS has no mechanism for making this easy to detect relative to any other OS. CryptoLocker would run with absolutely no problems on OS X if someone ported it.

Remember, you don't need administrative privileges to destroy everything belonging to the user, which is most things you care about. And even if you do, elevating is trivial on both Windows and OS X.

Java and Flash behave no differently on OS X than Windows. They are no more or less of a hole in either OS. In fact, there are more protections against Java and Flash bugs on Windows. There just also happens to be more attacker investment in those platforms as well.

> but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

...Unlike Mac which doesn't have Java or Flash?

The key word here is "viable."

>Now that Mac OS X has hit about 7% of internet users, it's profitable enough for adware/malware folks to target.

I keep hearing this stat, and it's not true that a platform is hit based on how much share it has.

Share does affect the volume of the available malware, but not whether it exists or not. And for 10+ years on Mac it was nonexistent -- all such cases touted by the media were proven to be trojan horses, not viruses and such.

Contrast with Mac OS classic that was plagued by lots of viruses, despite having 2% market share at best at the time. Or even platforms like the Amiga and Atari -- viruses were prevalent.

Most of the issues Windows users encounter aren't viruses and the like that you're thinking of in the Mac OS classic, DOS and Windows 9x days of old. Those could self-propagate, infect apps, and be carried from user to user.

Most of the issues today are about money or reputation.

Adware and spyware make money for the publisher, so they target areas where they can do that. It's actually legal and semi-legitimate. It's an annoyance for the end user, of course. A freeware publisher doesn't make any money from their app but they can make money from bundling an ad replacer, search engine replacer, browser extension, etc with their free software. So, they do.

Malware follows the same trail. You can distribute cracked software online over torrents like Photoshop and the like but sneak your remote-controllable malware into it. Then you get more installs you can use to direct a DDoS bot attack or to watch for and steal financial details from the local machine. Maybe look for the default install of a cryptocurrency client and grab the local wallet, for instance. Note that this is more difficult on both modern Windows and modern Mac than it was back in the days of Mac classic.

Most adware/malware are trojan horses... I don't think anyone is implying different... the fact of the matter is, it's annoying, and it's as effective against OSX users as it is with Windows users... or possibly more so.

I don't install too much outside a package manager in any OS... just the same, it is a pretty significant issue.

>just the same, it is a pretty significant issue.

Not sure how significant. Haven't seen anything in the wild on OS X -- and I do install lots outside of package managers...

I've seen a few nasty browser trojans on OSX installs with friends/family... it's really weird to see them actually... one I noticed/found when I asked a friend to pull something up on Amazon and saw extra ads...

A few on Windows are doing transparent proxies, which are pretty nasty (not just the Lenovo one).

We've heard for years that Macs are overpriced, that their owners overpay for style over substance. The "rich but stupid" demographic seems like an ideal target, even if they only made up 1% of Internet users. Banks make up less than 1% of businesses but people still specialize in robbing them.

I don't believe the "overpriced Mac sheeple" meme at all, but there always seemed to be an overlap between people who dismiss them as "safe because they're so rare" and "Apple tax LOL" critics. That always struck me as an interesting dichotomy.