Apple Yanks Antivirus Advice from Web Site

Apple Inc. late Tuesday yanked a controversial support document from its Web site that had urged Mac users to run antivirus software because the recommendation was “old and inaccurate,” a company spokesman said today.

The document, which had become the focus of considerable discussion among Mac users and security experts this week, is no longer available on Apple’s support site. Instead, browsers directed to its location display a generic message: “We’re sorry. We can’t find the article you’re looking for.”

“We have removed the KnowledgeBase article because it was old and inaccurate,” Apple spokesman Bill Evans said in an e-mail Wednesday.

“The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box,” he went on. “However, since no system can be 100% immune from every threat, running antivirus software may offer additional protection.”

The now-missing document was brief — just 81 words — but it was enough to stir debate. “Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus-writing process more difficult,” the document said. It also listed three antivirus programs from McAfee Inc., Symantec Corp. and Intego, a small Mac-only security vendor.

Some users, bloggers and security professionals had viewed the document — which was actually a revision of one first posted last year — as a change of heart on the part of Apple, which has poked fun at its biggest rival, Microsoft Corp.’s Windows, for being susceptible to attacks in several television ads over the years.

Several security researchers applauded the move, and agreed that it was time for Mac users to start buying antivirus software. Others, however, called it a tempest in a teapot — though not necessarily because they agreed with Evans’ contention that the Mac’s operating system provides adequate protection against threats.

“There’s nothing inherent in the [Mac] OS to stop someone from writing a virus,” Charlie Miller, a researcher at Independent Security Evaluators and a noted Mac and iPhone vulnerability hunter, said in an interview Tuesday. “But at this point, no one’s taking the effort to go after the Mac.”

Andrew Storms, director of security operations at nCircle Network Security Inc., called the fracas “a big to-do about nothing,” but blamed Apple’s attitude as much as anything. “If it wasn’t for the fact that Apple has been so smug around malware and viruses and such, this would not have been such a big deal,” he said.

Today, Storms used the disappearance of the antivirus recommendation to chide Apple over its reputation for secrecy about security. “Finally, an Apple spokesperson discusses security,” he said. “Hey, Apple actually responded, so that’s certainly a good move.”

But he also argued that the whole incident — the quiet posting of the document then its disappearance — was a perfect example of Apple’s lack of transparency regarding security, something he’s criticized before. “The original document was posted in 2007, then updated in November 2008, but all it needed was one line that said ‘Posted 2007, revised 2008,’ to have avoided all this,” said Storms. “Instead, it became a big brouhaha because we didn’t have any information. Look at the message you get when you try to reach the document now. It doesn’t say anything about why it was pulled.”

Transparency, Storms continued, may not be of much importance to consumers — admittedly Apple’s biggest customers — but it does matter to businesses that use Macs. “The average consumer hasn’t a clue what it means when I say ‘transparency’ related to security,” said Storms. “They just want their iMac to work and not be full of viruses.

“But in the enterprise, [patching] takes resource planning,” he said.

In late September, Storms, Miller and Swa Frantzen of the SANS Institute’s Internet Storm Center debated Apple’s patching process; Storms and Miller took Apple to task for its laissez faire scheduling, or more accurately, the company’s lack of warning before it issues patches.

“I’m not saying Apple should hold back patches for some artificial schedule,” Storms elaborated today. “But there’s a difference between that and back-to-back days with patches, with no notice and no mitigation steps.

“Enterprises need intelligence and tools and information” to adequately handle security, none of which Apple provides in sufficient quantities for businesses, Storms said.

“Imagine if you got in your car and it said you had to take it into the shop today, or something bad was going to happen,” he said. “But you have kids to get to the soccer game and you have to go to work. You can’t just drop everything.”

From Storms’ perspective, Apple is that car. “You can’t treat enterprises like that,” he said.