I'll believe Mac malware is a problem when I see it

The real-world state of security on Macs has long baffled security experts. From a simple analysis of attack surface and opportunities, the Mac is not just vulnerable to attack, but far more so than Windows. And yet attacks on Mac users are rare while Windows malware continues to thrive.

What explains this? The consensus, and it's an opinion I share, is that the people who write the important malware are unconvinced that the cost/benefit of writing a parallel code base of malware for the Mac is worthwhile to them. People argue about what the real installed bases of Windows PCs and Macs are, but it would appear that these developers don't think there are enough Macs out there to make it worth their while.

There are two very general ways for malware to get on to your system. The less common way is to exploit a software vulnerability. In the most extreme cases, like SQL Slammer, this can happen over the Internet with no actions necessary on the victim's part. Alternatively, you might view a web page that exploits a flaw in your web browser in order to run native code on the system.

The more common scenario explaining the vast majority of Windows infections is social engineering. An email or web page tries to convince the user to download and run a malicious program. A classic example (one seen even on the Mac) is a video that the user might want to see, but in order to view it they have to download a codec or install a fake Flash update.

Both methods would seem to find fertile ground among Mac users. In 2010 Apple patched about 200 vulnerabilities in Mac OS, and that's not including separate patches to Safari, QuickTime, Java, iTunes and other Apple software commonly, if not universally, found on Macs. Apple is also notorious for taking months, even years, to patch some vulnerabilities.

On the social engineering front, I prefer to think that Mac users are no more or less stupid than Windows users. Some would make the case that the absence of malware attacks on Macs might make users more cavalier than Windows users. It's all theoretical since there's no real-world data to test the proposition.

It is easy to construct scenarios for malware to target Mac users directly, which would seem to be a necessary element of any Mac malware campaign. You could spam addresses in the mac.com or me.com domains. You could target universities and the few companies dominated by Macs. You could use SEO to target searches with 'Mac' or 'Apple' in them. And it's no big trick for a web site to check whether the client is Mac or Windows and serve appropriate malware.

Mac OS X has long run users by default in a less-privileged context. But users need to do things like install software, so they can be persuaded to run as admin. And if you go over those OS X vulnerabilities you'll find that many are privilege escalation bugs. At best, OS X is now in a position similar to Windows 7 and Vista, which also run users by default as standard users. This situation implies that Windows malware is largely a phenomenon of XP, which is at least partly true.

So what's different today? Why now would the Malware Industrial Complex decide to start paying more attention to Apple users? I don't see any reason for it. Not to speak ill of those in the security industry warning of the threat, many of whom are my friends, but they all have an interest in this. I'm sure nearly all of the reports you'll see on such things come from companies trying to get Mac anti-malware products off the ground.

I would tell any Mac user to run anti-malware, but honestly the imperative is not the same as on Windows. Anyone on Windows without anti-malware is at best reckless and probably just plain stupid and irresponsible. The security industry wants that same judgement to apply to Mac users as well. A real outbreak of Mac malware, or at least the belief in one, is the best possible thing for them.

But malware authors, it would seem, are lazy, and always take the path of least resistance. One implication of that is to target the platform with about 90 percent of the market rather than the one in single digits. This basic situation is unlikely to change, so I don't see why the calculations of malware authors should change either.

Larry Seltzer

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.

© 1998-2014 BetaNews, Inc. All Rights Reserved.