Expert: McAfee Mac Security Report Is 'Scaremongering'

May 8, 2006

By Walaika K. Haskins

http://www.newsfactor.com/story.xhtml?story_id=43170



Andrew Jaquith, an analyst at the Yankee Group, called the McAfee report "sloppily written and sloppy in its use of statistics." It is, he said, "a speculative house of cards resting on a foundation of shaky statistics and questionable assumptions."

The prevailing belief among Mac users that their systems are more or less impervious to hack attacks might be incorrect, according to a report released late last week by security firm McAfee. The company found that the number of vulnerabilities in the Mac platform has increased exponentially over the past few years.

"Many believe that using an Apple operating system is a form of security in itself," said Stuart McClure, senior vice president in the Global Threats division at McAfee. But, he said, "Apple's Mac OS platform is just as vulnerable to targeted malware attacks as other operating systems."

McAfee's report follows on the heels of a study by the SANS Institute that placed Mac OS X at the top of its list of potential security vulnerabilities. Both reports join a litany of statements from security experts who have begun to rethink their assumptions about Mac users having little to worry about when it comes to malware attacks.

However, while many in the security industry have jumped on the "Mac is not secure" bandwagon, several experts have taken issue with the way the Mac is being positioned as a potentially insecure system.

Not Bulletproof

Andrew Jaquith, an analyst at the Yankee Group, is one such expert. He called the McAfee report "sloppily written and sloppy in its use of statistics." It is, he said, "a speculative house of cards resting on a foundation of shaky statistics and questionable assumptions."

As one example, said Jaquith, McAfee has confused software flaws with attacks. In the report, Jaquith said, the company cites vulnerability figures from Secunia, a security software firm, as "attacks," even though Secunia itself identifies them as "vulnerabilities."

Software flaws are not the same as attacks against the end user, Jaquith pointed out. "Saying otherwise is scaremongering, pure and simple," Jaquith said. "And, in fact, they don't document a single confirmed attack."

Jaquith did say that the Mac, like any other system, is not impenetrable. He also pointed out that Apple, for its part, has never claimed that Mac OS X is bulletproof. "No Mac users that I know think that way either."

Antivirus Capital

Rob Ayoub, an analyst at Frost & Sullivan, said that there is some truth to the claim that Mac OS X has a growing list of vulnerabilities. But, like Jaquith, Ayoub took issue with some of the report's statistics.

He pointed to the numbers in the report that indicated known Mac vulnerabilities increased by 228 percent, from 28 to 143, while Windows flaws increased only 73 percent. McAfee's failure to provide a specific number for Windows was significant, Ayoub said.

"I'm sure the Windows numbers are there, but my question is, '73 percent of what?'" Ayoub said. "We are seeing a marked increase in the number of flaws and attacks on Macs, but it's not anywhere close to Microsoft."

Ayoub did agree with the report's conclusion that Mac users should install security software on their systems. "I can't blame McAfee for wanting to capitalize on that," he said.

Unfortunately, he went on to say, "it's going to take something big like the major attacks and major loss of service" for Mac users to purchase antivirus software.

