You’ve probably heard the old myth that Macs don’t get viruses. Yes, macOS has fewer malware threats than Windows, but you’re sadly mistaken if you think your Mac is 100% free of any security flaws, pitfalls, and vulnerabilities. Apple works hard to keep our Macs safe from malware and other attacks with safeguards in place for software installations, but users still need to take some regular steps to keep their Macs as safe as possible. Here are a few ongoing security issues you need to know—and how you can make sure they don’t cause any trouble.
Old flaws and new chips
Intel-based Macs released between 2018 and 2020 used the T2 security chip. This chip handles encryption and decryption for things like encrypted storage and secure boot capabilities and contains the Secure Enclave for Touch ID.
Unfortunately, the T2 chip in these Macs has a security flaw that was never fixed. Researchers found a vulnerability in it that could allow someone with physical access to the computer to potentially bypass these security features. In other words, if someone gets their hands on your Mac, they might be able to bypass all of your security and read your files, install malicious software, or do other things that compromise your privacy and security. See our Complete list of Mac viruses, malware and trojans.
The T2 chip was used in Intel Macs manufactured between 2018 and 2020, just before the M1 came along.
The T2 chip was used in Intel Macs manufactured between 2018 and 2020, just before the M1 came along.
IDG
The T2 chip was used in Intel Macs manufactured between 2018 and 2020, just before the M1 came along.
IDG
IDG
To reduce the impact of this risk, you should keep regular backups and be sure to enable FileVault to encrypt your data. The T2 vulnerability can potentially bypass FileVault, but it’s one more layer of protection the attacker has to go through. If you lose data either through hardware failure or someone compromising your Mac, having a solid backup is crucial for recovery.
Newer Macs aren’t immune from vulnerabilities either. While Apple Silicon Macs may not suffer the T2 vulnerability, they’re not flawless. The so-called “Augury” and “GoFetch” flaws in M-series chips are hardware issues that cannot be patched without serious performance hits. The problem here is that when the Data-Memory Dependent Prefectcher (DMP) in the chips is idle, it can sometimes leak data, including encryption keys. At the time of this writing, nobody has actively exploited the vulnerability, but it’s still something to be aware of.
The key thing to remember is that an attacker needs physical access to your Mac. You can protect yourself by being vigilant about keeping your Mac physically secure. Don’t leave your Mac unattended in public places, and make sure it’s physically secure in your home or office.
For our recommendations of Mac Antivirus Software that we have tested see: Best Antivirus for Mac 2024: Top Security Software Compared.
Stop the steal
People sometimes think about their online security but don’t always pay attention to the physical security of their Macs. I’ve seen MacBooks just left lying on couches at libraries, coffee shops, and even busy airport waiting areas. These computers are just waiting to be stolen and taken away so the hacker can brute force their way in.
Even in the home or office, physical security is a must. If someone breaks in and steals your Mac, they could take advantage of the previously mentioned chip vulnerabilities and get to your data. Even if your Mac isn’t at risk for that, hackers have ways of guessing your login password.
The M-Series MacBooks don’t have a Kensington lock latch, but the MacBook M1 lock has a slim-profile adapter that will keep your MacBook tied down
The M-Series MacBooks don’t have a Kensington lock latch, but the MacBook M1 lock has a slim-profile adapter that will keep your MacBook tied down
Maclocks
The M-Series MacBooks don’t have a Kensington lock latch, but the MacBook M1 lock has a slim-profile adapter that will keep your MacBook tied down
Maclocks
Maclocks
Unfortunately, Apple doesn’t include a Kensington lock on newer MacBook models. You can, however, use the clever MacBook M1 lock, which installs in minutes and offers the physical security your MacBook lacks.
This physical security applies to your Time Machine backups, too, if they aren’t encrypted. By default, Time Machine backups typically are not encrypted, which means anybody gaining physical access to your backup drive could gain access to all of your files. Make sure that when you set up Time Machine, you turn on encryption. If you forget, you’ll need to delete the drive from Time Machine and set it up again, this time being sure to choose to encrypt the backup.
Update always and often
Some macOS apps (particularly third-party ones) do not follow best practices for security. They might use weak encryption, store passwords insecurely, or expose sensitive data to other apps. This can create vulnerabilities within the operating system itself.
For example, researchers recently outlined security vulnerabilities in Microsoft Office that could compromise your Mac’s security. Microsoft has indicated it won’t be patching this vulnerability, calling it “low risk.”
Nonetheless, it’s important to install updates for all your apps regularly. Developers do fix security issues via updates when they are considered important enough. If you learn that a third-party app you use i security issues the developers aren’t addressing, you need to decide whether to keep using that app.
The Mac App Store usually does a good job of keeping apps updated automatically, but we still recommend checking at least once a month for any updates that might not have been installed. To check, go to the Updates section in the left column of the App Store. You’ll see the latest app updates that were installed, as well as any apps that still need to be updated.
When updating an app, you’ll need to close that app for the update to install.
When updating an app, you’ll need to close that app for the update to install.
Foundry
When updating an app, you’ll need to close that app for the update to install.
Foundry
Foundry
For apps you’ve downloaded from outside the App Store, you will usually find an option to check for updates in that app’s menu bar option. Open the app, click the app’s name in the menu bar, and look for an option similar to Check for Updates.
The same goes for installing updates to macOS itself. When Apple learns of a security vulnerability, Software Update is the only way to fix it. These flaws can be in system extensions, launch daemons, agents, or other components of the operating system.
Apple also regularly patches security holes that threaten to bypass File Quarantine or Gatekeeper. There are also vulnerabilities in the sandboxing implementation macOS uses to keep apps from doing things they shouldn’t. Apple plays an ongoing game of whack-a-mole to fix these, but it’s up to you to make sure those fixes are installed. If you don’t install updates to macOS, attackers can exploit these flaws to bypass your Mac’s security and steal your data.
System Integrity Protection
Let’s talk about System Integrity Protection (SIP). This is a feature first introduced in OS X 10.11 El Capitan that helps prevent any user from modifying certain operating system directories and files. This keeps even the administrator user from changing those files, and some apps just can’t install or run if it’s enabled.
There are times when you may need to disable SIP, so Apple provided a way with Recovery Mode. However, since we all forget things sometimes, you may forget that you have disabled SIP. This can open your Mac to a ton of trouble, so make sure you turn SIP back on once you’re done installing the software.
Your Mac is only as secure as you make it
I don’t mean to scare you with these security concerns, but it’s worth being aware they exist. Apple does its best to keep us safe from malware, but it’s up to us to install updates when the tech giant patches a hole. The same goes for making sure we don’t run apps that bypass the built-in protection macOS offers.
For more advice on Mac security read:
