I once wrote that supposed vulnerabilities in Apple Macs are just tempests in a teacup; that editors (and mainstream bloggers) should remember that when they bend over backwards to give security firms and contests free publicity in exchange for exciting headlines.
The point is, if Apple’s OS X ever became seriously vulnerable to a virus or worm in the wild, as Windows is routinely vulnerable to, it would create press headlines way, way beyond what you see now. Still, every tiny chance that a Mac might be vulnerable is seized upon by the press and bloggers and turned into a minor story (see “Safari vulnerability exposed in MacBook Pro hacking contest” in Jason D. O’Grady’s Apple blog, “MacBook hacked in contest at security event” in CNET News.com, or “A Mac gets whacked, a second survives” in The Register).
Can’t blame them — an OS X virus, worm, or zero-day exploit in the wild would be a major scoop. But it’s just not going to happen, as it would have happened already. This story (in particular the version in Infoworld, “Myth crushed as hacker shows Mac break-in“) is itself a Crushed Myth. The MacBook was not hacked remotely; the hack required user interaction; and the hack exploited a hole in the browser’s Java, not in OS X. Besides, the hack was part of a contest, not running in the wild. It turns out that the vulnerability that enabled the MacBook hack is in Apple’s version of Java, and not specific to Safari. If you use, for example, Firefox with Java enabled, you are vulnerable to this kind of attack.
For a good summary of this tempest in a teapot, see “InfoWorld Publishes False Report on Mac Security” in RoughlyDrafted. As the article points out, Apple makes responsible efforts to design security into its products, while Microsoft hasn’t until very recently.
It’s not that it is impossible to infect or exploit a Mac, it’s that Apple hasn’t shipped millions of Macs listening wide open for commands to act upon, or shipped a web browser designed to naively run programs like Microsoft’s ActiveX did, or installed an email program designed to automatically run commands that arrive as attachments as Outlook did.
Arguments about whether browser vulnerabilities reflect badly on the operating system miss the point: OS X does not require Safari, which you can remove easily if you want; whereas Windows not only fastens parts of Internet Explorer and Outlook to its basic functionality but also doesn’t let you remove them easily. OS X is built on the time-tested Unix core system designed from the ground up to be secure as multiuser systems; Windows is, well, not.