Apple users: Try these five tips for better Mac security

Security for Macs is often a hotly-debated topic, perhaps because Apple has a reputation for security that is based more on a brand promise than reality.

Unfortunately, Apple doesn’t have a good reputation for transparency about security updates.

Unlike Microsoft, which has a long-standing and regular process for providing security updates, Apple simply provides updates when it feels like it.

This can leave many users unaware of the updates and even unconcerned with their own security.

Microsoft also has a long view about product retirement that appears to be totally lacking in Apple’s case.

Windows XP users have known for a long time (or should know by now) that Microsoft is ending support for XP in April.

But what about Mac users?

Does anyone really know when Apple will end support for previous releases of OS X, or even what its current commitment is to support those versions?

When Apple released OS X 10.9, better known as Mavericks, it included a raft of security fixes that didn’t come out for OS X 10.7 (Lion) or 10.8 (Mountain Lion).

Similarly, the OS X 10.9.1 point release was not accompanied by corresponding updates for 10.7 and 10.8 users.

But in Apple’s latest Mac security update, when Mavericks 10.9.2 was released, the company published security fixes for Lion and Mountain Lion at the same time.

Poor Snow Leopard (OS X 10.6) is left out in the cold.

It’s time to get Mavericks

In order to get Mac users to upgrade to OS X 10.9 Mavericks, Apple is giving away the upgrade for free: a good move by Apple, but not everyone is up to date.

Since Apple released Mavericks in October 2013, a lot of people have upgraded, but the majority of Mac users are still running something older.

For business users, companies have been even slower to upgrade than home users.

Our own survey of Macs running Sophos Anti-Virus, conducted at the start of 2014, showed that only about 18% of enterprise Mac users are running Mavericks, with 19% still running the out-of-support Snow Leopard.

Mavericks came out of the gate with numerous security improvements, and we recommend that the first thing you should do to stay secure on your Mac is to upgrade.

Just click on Software Update.. in the Apple menu to download Mavericks, or visit the Mac App Store.

Be warned: it’s a big update, totalling about 6GB for the Mavericks download and the update to the latest point release, OS X 10.9.2.

But you will be moving forward to the latest, fully-supported-and-patched OS X version.

Once you’ve upgraded to Mavericks, which you can consider our Tip Zero if you like, here are five steps you can take to give yourself an edge against cybercrime:

1. Stay current with security updates

It’s easy to keep your Mac up to date with security fixes.

You can use Software Update.. from the Apple menu to check for updates manually, or go to Apple Menu|System Preferences|App Store to set up your Mac to check for updates automatically:

OS X malware is much less common than malware attacking Windows, with the result that many Mac users seem to have adopted a rather casual attitude to security patches.

But cybercriminals are definitely trying to exploit Mac users who fall behind.

For example, we recently reported on digitally signed Mac malware that arrived as an undelivered courier item.

These phony package delivery messages actually contained malware designed to dig around in your Mac for interesting files, which the crooks then uploaded to a server under their control.

2. Turn off Java in your browser

One of the cybercriminals’ favorite targets is Java.

Although Java is disabled by default on Mavericks, it should be turned off if you’re not on Mavericks yet.

So, if you’re on a pre-Mavericks version of OS X, make sure you turn it off in your web browser.

Apple’s own employees had their Macs compromised by malware in February 2013 via a vulnerability in Java that criminals also exploited to compromise Mac users at Microsoft and Facebook around the same time.

In 2012, an attack on another vulnerability in Java infected 600,000 Macs with the Flashback malware (including some in Apple’s Cupertino headquarters).

The truth is, you probably don’t need Java to use the web, so having the Java plugin enabled just puts you at needless risk.

If you find that you do need Java after all, you can always turn it back on again.

3. Don’t forget security updates for non-Apple software such as Java and Flash

If you use Oracle Java and Adobe Flash, remember that they have their own security patches to apply.

→ Unfortunately, Oracle and Adobe use different update calendars. Oracle issues regular security patches on the Tuesday closest to the 17th of April, July, October and January. Adobe’s red-letter days are the second Tuesday in March, June, September and December.

In addition to scheduled updates, both Adobe and Oracle sometimes issue emergency fixes, often called out-of-band updates.

On Mavericks, Flash and Java have their own configuration items in the System Preferences window:

Both products can be set up to check for updates automatically:

4. Use Mac FileVault for full-disk encryption.

With so many ways for your files to fall into the wrong hands, full disk encryption (FDE) is an important defense.

If your whole disk is encrypted, no one without the encryption key can access any data on it at all.

Documents, downloads, applications, configuration settings, temporary files, everything – even the operating system itself – gets encrypted with FDE.

So if your Mac gets lost or stolen, you don’t have to worry about any of your data falling into the wrong hands.

Macs have the benefit of easy full-disk encryption with Mac FileVault.

You can turn on FileVault by going to System Preferences|Security & Privacy|FileVault:

When you turn on FileVault, you’ll get a back-up code, called the “recovery key,” in case you forget your password.

Write this code down and store it in a safe place.

5. Use a Mac anti-virus

There are still OS X threat deniers out there who tell us that they consider malware in its traditional sense to be impossible on OS X, “because you have to click on and run a program by yourself and then type your admin password into the warning popup.”

But at the recent PWN2OWN competition in Vancouver, Canada, Google’s security team was able to break out of Safari and run a program as the OS X administrator, just by browsing to a website.

So attackers can sidestep both of those giveaways when launching malware.

A good Mac anti-virus program will prevent malware from loading, whether you make a bad choice of software to install, or visit a booby trapped website by mistake.

The free home version of Sophos Anti-Virus for Mac gives you the same protection that Sophos provides for our business customers, but it’s completely, totally free.

Sophos Anti-Virus for Mac won’t slow your computer down, and it automatically updates to protect you from all the latest threats, based on intelligence from our SophosLabs.

Get it now – you’ll be glad you did when the next Mac malware threat rolls around.

(By the way, Sophos Anti-Virus for Mac also detects all the Windows malware that your Windows-using friends might email to you or pass to you via USB key.)