Apple - How to limit my Mac's exposure to malware?

Web browsing

The largest potential danger comes from the "Internet". My Mac is online most of its operating time and web browsers are among the most used applications on my Mac.

Therefore, the most important rules are:

• surf the web carefully
• don't just download any software you find

Browser choice

The browser choices, configurations and extensions offers various options to configure your security and privacy.

I like to use Chrome because it's known for having

• strict sandboxing
• updates itself, its extensions and flash plug-in automatically
• open extension design

Safari's extension design is more restricted, causing the JavaScriptBlocker for Safari not to be as functional as similar extensions for Chrome or Firefox: e.g. Web Bugs are not blocked.

Chrome is considered quite safe. It did not get exploited at the Pwn2Own hacking contest three years in a row (2009-2011). 2012 is the first year a team presented the use of a zero-day-exploit in Chrome.

The German Federal Office for Information Security (BSI) (similar to the NIST in the U.S.) recommends the use of Chrome because of its sandboxing technology and auto-updates.

Java

Chrome has disabled Java by default and asks you every time when it's required to run. You can disable Java for Safari as well. You won't miss it most of the time:

• Safari Preferences → Security → uncheck Enable Java
• Open /Applications/Utilities/Java Preferences.app → uncheck Enable applet plug-in and Web Start applications

Other options

• System Preferences → General → check Automatically update safe downloads list

Open Safari downloads manually:

• Safari Preferences → General → uncheck Open "safe" files after downloading

Flash and PDF viewer

Download Adobe flash only from the official website. However, you don't need to update it manually anymore. The latest Flash update for Mac adds auto-updates.

In Safari, you can use the ClickToFlash extension to manually allow flash to run in your browser.

You don't need to use Adobe's PDF viewer. Apples's preview works in Safari as well. You can remove the Adobe plug-in here:

• /Library/Internet Plug-ins/AdobePDFViewer.plugin

Passwords

For creating passwords you can use the Password Assistant provided by OS X. Go to /Applications/Utilites/Keychain Access.app → click the plus at the bottom left → click the key symbol.

Adblock lists

The Adblock and Adblock Plus extensions offer lists to improve your privacy and security.

• http://adblockplus.org/en/subscriptions

The lists are named:

• EasyPrivacy: privacy protection
• Malware Domains: malware protection
• Antisocial: blocks social integration.

Your first point ("Kept up with OS X system patches") is probably the most important. If you trace the history of exploits on OS X, most have come from:

• Java
• Flash
• PDFs
• Safari
• Giving privileges to unknown apps or clicking on unknown links

I'm not a security expert, but it seems like limiting your exposure to those things will decrease your exposure significantly.

Java

Java shouldn't be installed if you don't need it, and should only be turned on for the time you use it, if you do need it.

Flash

The same is true for Flash. If Safari is your browser of choice, then grab Chrome and Switch to open pages with Flash in Chrome (and only the pages that require Flash). Chrome has a sandbox for Flash and is considered quite safe.

PDFs

Applying Apple's patches should (eventually) save you from any PDF exploits. Using OS X's Preview to view PDFs rather than Adobe Acrobat is a good idea, too.

Safari

Keeping your browser up to date and limiting the amount of extensions you use is a good idea. Safari has an "Open safe files after downloading" option. If you're tuning for security, that's best turned off. Safari also includes malware detection. The latest Chrome and Firefox also make good browser choices.

Giving privileges to unknown apps or clicking on unknown links

Being super careful with links you click on and apps that ask for admin privileges also helps stop trojans and malware from doing bad things. If a service has sent you an email notification about something you need to take action on, you may be better visiting the site using your own bookmarks and not by clicking a link if the email, if you're suspicious of the email's origin.

Many different and long passwords

Using something like 1Password to generate and store your passwords can help, because it means you have a different password for each service, and they can be a huge string of seemingly random letters and numbers. Here's one I just generated as an example: lyLEnrFDnoDoBoS90PJZ. Doing so also means you can ensure your main computer (and 1Password) passwords are never used for websites or web services.

Long passwords take a long time to hack for brute force attacks. And using different passwords for everything means that one compromised service won't give the attacker your password for other services.

There's quite a few alternatives to 1Password, including OS X's in-built keychain (which is free with OS X).

Follow Mac tech blogs

If all else fails, and there's some kind of exploit that you're vulnerable to, you'll want to find out as soon as possible. Chances are it'll be big tech news, so following a few popular Mac tech sites should notify you within a day or so of the issue and you can take the needed action. The recent Flashback trojan has been big news. I found out about it because I follow Daring Fireball and Macworld. (It uses a Java exploit, so disabling or not installing Java would have saved you in that case.)

That is more or less it. I also like to run potentially unsafe stuff in a VM of some kind (I use Parallels, but for this the free VirtualBox works well enough); Parallels 7 can automatically install a virtual Mac image from the Lion recovery image, which is very convenient for this kind of sandboxing. (Yes, running Lion in a VM is now legal.)