But unless I install an infected application, how exactly will I be owned? There are proof-of-concept viruses and worms, but right now there are only Trojans.
Malicious JavaScript via browser bug. Malicious font handling exploit in the browser. Malicious HTML rendering bug in the web content.
All of these possibilities exist to own anyone running OS X prior to 10.9 or 10.10. And no doubt unknown possibilities or unpatched holes in 10.10 and 10.11 as well.
It's only dumb luck and smaller OS X market share (why bother target OS X when you can just get 90% of people by targeting Windows?) that people haven't been owned like this yet.
True, if a virus suddenly comes to life that can silently break through any browser or OS' security, I'll be vulnerable, but so will you. The current OS X virus protection packages will be ineffectual at stopping zero-day exploits because they don't know what to look for. They're better on Windows because there is a long history of viruses and an understanding of how they work.
I'm not opposed to AV programs, but they seem more trouble than they're worth at the moment.
True, a zero day may get through. However some AV programs do heuristics (i.e., they make an intelligent guess at flagging code that looks dodgy). AV definitions are often updated multiple times per day (i.e., you will be protected before Apple patch the hole and perhaps before you read about the malware or the site operator fixes their hacked site). Malware definitions are much quicker to push out than developing, testing and distributing a security update is.
And the other benefit of AV is that you aren't passing Windows viruses on to Windows-using friends or colleagues. You can safely detect Windows malware with no risk of being owned and warn others.
An AV package can protect against a firmware hack being run in the first place if it is the type that runs on your machine via a web exploit or whatever and then infects your firmware. Being owned by a hacked Thunderbolt (or USB) device - there's not a lot you can do other than have fixed EFI firmware in your Mac.
But that doesn't mean you just throw your hands up and say "it's possible that some vectors can bypass my scanner! there's no point at all!". You just take physical security of your machine more seriously. If someone malicious has unfettered, unsupervised physical access to your hardware, you're boned. End of story.