Apple has always boasted that "Mac OS X isn't plagued by constant attacks from viruses and malware" because its operating system was "designed with security in mind."
But about two weeks ago, Apple updated an old note on its support Web site advising its customers to use more than one antivirus application to make their computers more secure, affirming a longstanding divergence between its marketing and its technical concerns.
"Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult," the note explained.
Apple suggested three possible options: Intego VirusBarrier X5, McAfee VirusScan for Mac, and Symantec Norton Anti-Virus 11 for Macintosh.
Mac OS X has long been more secure than Windows by virtue of its obscurity, not to mention the arguable merits of its BSD Unix foundation. Because more than nine out of 10 computers ran Windows, malware authors had very little incentive to look for or exploit holes in Apple's operating system.
But the market share of Microsoft Windows among online computers has been falling, according to Net Applications. In 2004, Windows had 96.36% market share and the Mac had 3.25%. Windows has declined steadily since then, while Mac OS has gained. As of November 2008, Windows had 89.62% market share while Mac OS X had 8.87%, plus an additional 0.37% if you include the iPhone, for a total of 9.24%.
What's more, Apple's products, such as its iTunes software, its QuickTime media player, and its Safari Web browser, have become increasingly popular among Windows users.
As Apple's products have become more widely used, malware authors have also been moving up the stack, toward the application layer. Both Apple and Microsoft have made strides securing their operating system software, and that has encouraged malware authors to look for holes in higher-level applications like Adobe Flash, Apple QuickTime, Microsoft Windows Media Player, and various Web browsers.
Furthermore, some of the most profitable attacks these days rely on social engineering rather than a technical exploit. There's no need for a Trojan keylogger if an attacker can dupe the target into divulging his or her login name and password with a simple phishing message. There's no patch for gullibility.
Apple's advice to use multiple antivirus products may signal the end of an era of carefree computing for Mac users, many of whom have never bothered to install antivirus software. Consider that last week, CA identified two new Mac OS X Trojans.
"Mac OS X threats are still incomparable to Windows threats, but with the growing popularity of Mac systems we are unfortunately seeing attackers taking more interest," the CA blog post said.
This article was edited on 12/2 to clarify the release date of a brief posted by Apple's security support staff.
