OS X Security is a Lot Better Than You Thought

| Particle Debris

Just about every week we see articles rolled out about how a security researcher has found a scary security flaw in OS X. It makes for great headlines, but how are the every day Mac users actually affected by these headlines, and how should they react?


An interesting, almost inflammatory article this week got me thinking again about OS X security. For your inspection, I present "Apple Leaves Two Obvious Security Weaknesses In Mac OS X El Capitan." What's happening here is that there are eyeballs to be captured and money to be made by pointing out various security flaws that researchers have found in OS X. This article is typical of Forbes, a publication often long on anti-Apple perspectives and correspondingly short on technical depth.

The reality is that there is a technology race between Apple software engineers and potential exploiters. Often, these security flaws are very theoretical, hard to implement, depend on user cooperation to do something stupid, and/or require physical access to the local network or the Mac. At the very least, it's a race between a fix rolled out by Apple and widely available kits for the black hats to add to their libraries.

Apple has a reputation for being focused on user security, and so these flaws are taken seriously by the company. One reason they take so long to fix is that a sound response often requires attention to the overall architecture of OS X. Put another way, Microsoft learned the hard way, about a decade ago, that hurried patches often just result in more problems down the road and yet more frantic offshoot patches that don't address the fundamentals.

When Apple works on security flaws in OS X, the engineers have to not only take into account how OS X is structured but also have to take into account future plans for how the next generation(s) of OS X will be architected.

The best way to analyze the real world progress is to not only monitor the potential flaws but to be alert to actual users who've been victimized by such flaws. More often than not, we don't hear about that because Apple manages to get the fixes out before the exploit is widely implemented.

Plus, Apple has other tools at its disposal, such as the XProtect mechanism. Finally, if the user has antivirus software installed that can scan the browser's incoming HTTP steam for the characteristic code signatures of exploits, there's an extra layer of protection. I always recommend that.

The end result is that in a few cases, inexperienced users report getting burned but, in the vast scheme of things, OS X remains a very safe environment, provided the user is also savvy and careful. The same can be said for Microsoft Windows ever since Microsoft got really serious about security starting with Windows 7.

In summary, OS X security is multi-layered. It's about smart Apple engineers, user awareness, smart practices, attention to updates, avoidance of known offenders like Adobe Flash and the use of antivirus software. This is why I always advise customers to move along with the technology timeline and, as quickly as reasonably possible, update to the latest version of OS X, now at version 10.11 El Capitan. 

Articles like the one I linked to at Forbes should be taken as part of one's modern technology education as opposed to a quantitative assessment of Apple's presumed incompetence.

There's more on the next page about OS security.

Next page: the tech news debris for the week of September 28. An Apple Watch for Christmas?

Popular TMO Stories



Don’t think for a second that in spite of their prevalence, chrome books are the first *choice* in education. They are being imposed, the result of deals between the corporations running the charter movement, naturally, the tech companies, and educational boards hungry to line their pockets with federal moneys via the common core and its requisite testing. None of it has one iota to do with educating students, with what teachers and students want, or even with what is effective. With the decline of its advertising model, google and its ilk are finding all kinds of new ways to weasel themselves into our lives, and by extension, our data.

My wife taught at a district in California for a number of years (having resigned about six months ago, so this perspective is fairly fresh) and the students honestly preferred pen, paper, and books to the google gear that had been foisted upon them by the educational ‘consulting firms’ from the Bay (nearly always fly by night start-ups with no direct relationship to or experience in the field of education).

You don’t have to take just my word for it, either. Education is strictly a business at this point in the U.S., from pre-k to college, and the students and faculty are incidental to it all:



I don’t think you will hear the [National Security Agency] asking for a back door. … There have been different conversations with the FBI, I think, over time. … But my own view is everyone’s coming around to some core tenants. And those core tenants are that encryption is a must in today’s world.

tenet: a principle or belief, especially one of the main principles of a philosophy
tenant:  a person who occupies land or property rented from a landlord.
sic: used in brackets after a quoted word that is odd or erroneous to advise readers that the word is quoted exactly as published in the original.

C’mon, TMO. I understand that you are quoting 9to5Mac transcription of an NPR interview. Perhaps even transcribed & misspelled by speech-to-text software. But you are the publishers of the last mile of this quote, and should have entered [sic] after each instance of the misspelled tenet as ‘tenant.” Assuming, of course, that the meaning of words is important to you, and that you recognized the error.


Yay, iBuck! Give ‘em some stick!


“The end result is that in a few cases, inexperienced users report getting burned…”

The sad irony of the above quote is that it is exactly these people (the inexperienced), who most need the protections to not fail. People like us, who read TMO, tend to be aware and alert, and I doubt ever get infected or “taken” by exploits. It is the most vulnerable who suffer from these things. I doubt there is a solution, but I do make sure my parents use Macs, and I have to constnatly remind them of some things.


i hear you on the inexperienced users.  Good news is if a hacker gets a hold of my Mom’s computer, they are just going to see email updates from her pastor.

Lee Dronick

OS X security may be better, but Messages is still as clunky as it was. It too much of a programming challenge to use a Send button instead of pressing Return? If they can do it in iOS then they can do it in OS X.



This week’s selections on security should inform thoughtful assessment of not only how Apple, but any tech concern, needs to approach security - organically and not reactively or without a deeper understanding of how a threat and its correction affects users now and in the future. These also provide a reminder of responsible reporting by those who uncover vulnerabilities, and the need to channel their recommendations responsibly, without jeopardising the community before a real solution can be provided, which may take longer than a quick patch.

Nor is this surprising. As software becomes more advanced, they become more complex, which in future may resemble something almost life-like and organic. As we approach that stage, coders and engineers will increasingly need to borrow from the experience of those whose work is the restoration and preservation of organic life; namely that the superficial problem and its solution is not always the best, and may miss entirely the underlying malaise that, if not corrected, will continue to compromise that system. Indeed, we are better served with correcting the underlying problem than we are with the superficial fix, even if the latter brings a sense of immediate, albeit fleeting and false, relief.

Rather, it’s Jennifer Booton’s piece on ‘Goole unveils everything Apple…cheaper’ that, while making a salient point, obliquely underscores another that we sometimes fail to see. Namely,  having the likes of Google, MS, Samsung, Dell, and many others (whither HP?) targeting specific products that Apple have or are rumoured to make, not only creates a competitive market, to the benefit of consumers, the choice of products on which competition is based signals to consumers which of these products are potentially the most important for the future. For example, when Apple released the iPhone, if no one else emulated (okay, blatantly copied) it, but instead continued with Blackberry-like mini-buttoned micro-screened mono-chromed monstrosities, would the iPhone be the runaway success that it is today? I argue that it would not, however successful in its own right. It would have been seen as an outlier product proffered by a maverick company that would appeal to that 5% or so to whom Apple originally pitched. That everybody immediately moved to follow made it emphatically clear to even the most obtuse observer that the future was not only smartphones, but touchscreen accessible smartphones. And apps. Eight years, and multiple iterations later, and it’s a new planet, rife with new possibilities for productivity and unlocking human potential.

The same is true with competition in other product categories. These pitched battles include not only all iOS devices, but PCs and their OS, music, online and retail stores, wearables, television and soon, cars and then perhaps (my guess) robotics and prosthetics writ large (and by prosthetics, I don’t intend simply replacement of lost limbs, but physical enhancements that project human power every bit as much as our electronic devices enhance intellectual power).

As important as these theatres of contest are in identifying what is important, and potential new directions in tech, they also provide consumers with an opportunity to shape the direction, nature and scope of that change. This is Darwinian natural selection on a human, industrial scale, in which, by participating early and interactively, consumers shape those products and supportive systems just as effectively as do mating pairs within species for traits that get passed along and become dominant, simply because they are desirable and competitively advantageous. Early adopters play that role, and far from being the bleeding and geeky edge that does not represent the mainstream, these are often the vanguard of the next generation. More than that, they (or we, if you’re reading this) provide a catalyst to that next tier of inquisitive and adventurist consumer to also participate. In short, early adoption, when intelligently executed and interactively engaged both with fellow adopters and with manufacturers, is not foolish but transformative. It’s crowd-sourced leadership, and having a voice in the course of one’s own future.

This is a dialogue between companies and client-base, real or nascent, in which the company asks, ‘Is this important?’ and the client responds ‘Yes’ or ‘No’, or ‘Maybe, but only if you do this’, in turn providing opportunity to developers to address those expectations.

In sum; competition is not simply good but essential for identifying important developments and trends, as is client participation through adoption and feedback. This dynamic relationship, present today, is likely to become only more defined in future.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account