That's what I used to think about my Macs, until a couple of months ago I got some malware on my Mini. If you use a firewall and don't do general internet browsing on Mini you might not need malware protection, but at this point I'd have to recommend it. I don't know if the McAfee software is lying or exaggerating, but it says it finds and fixes a substantial number of threats. (Yes, I'm a skeptic, but a careful skeptic.)
Excerpt from sans.org email concerning recent Apple software vulnerability issues:
"Top of the News
Apple Releases Updates to Fix Three Zero-Days
(May 24, 2021)
Apple released updates to macOS 11.4, 10.15, 10.14; iOS and iPadOS 14.6; watchOS 7.5 and tvOS 14.6 to address three zero day vulnerabilities hackers exploited in the wild. The XCSSET malware exploited the weakness in CVE-2021-30713 to bypass macOS privacy protections while CVE-2021-30663 and CVE-2021-30665 impact WebKit on Apple TV 4K and Apple TV HD devices. Zero-day vulnerabilities have been showing up more in Apple’s security advisories, often tagged as exploited prior to fixes being released.
Editor's Note
[
Ullrich]
This is the second time this month that Apple has patched actively exploited vulnerabilities. Either Apple's ecosystem is seeing more attention from attackers, or Apple is being more open in announcing if vulnerabilities are already exploited. Note that this round of updates provides patches for older versions of OS X, like Catalina and Mojave. The most important vulnerability is targeting developers via malicious XCode projects. Prioritize these patches if you are using XCode.
[
Neely]
Apple is releasing updates as rapidly as they can to thwart exploits actively being exploited. Unfortunately, this is shortening the update cycle. Even though you likely haven’t finished applying the last OS updates from the beginning of May, you need to keep rolling forward to get these deployed. CVE-2021-30713 is a flaw in the Transparency, Consent and Control (TCC) framework, while the others are focused on webkit, which impacts both mobile and desktop operating systems. Push the updates to your ADE devices to have users install immediately so you can focus on desktop devices running the other operating systems.
Read more in:
- support.apple.com: Apple security updates
- support.apple.com: About the security content of macOS Big Sur 11.4
- support.apple.com: About the security content of tvOS 14.6
- www.jamf.com: Zero-Day TCC bypass discovered in XCSSET malware
- www.bleepingcomputer.com: Apple fixes three zero-days, one abused by XCSSET macOS malware
- www.theregister.com: Apple patches macOS flaw exploited by malware to secretly snap screenshots
- arstechnica.com: Actively exploited macOS 0day let hackers take screenshots of infected Macs
Top of the News
Apple Releases Updates to Fix Three Zero-Days
(May 24, 2021)
Apple released updates to macOS 11.4, 10.15, 10.14; iOS and iPadOS 14.6; watchOS 7.5 and tvOS 14.6 to address three zero day vulnerabilities hackers exploited in the wild. The XCSSET malware exploited the weakness in CVE-2021-30713 to bypass macOS privacy protections while CVE-2021-30663 and CVE-2021-30665 impact WebKit on Apple TV 4K and Apple TV HD devices. Zero-day vulnerabilities have been showing up more in Apple’s security advisories, often tagged as exploited prior to fixes being released.
Editor's Note
[
Ullrich]
This is the second time this month that Apple has patched actively exploited vulnerabilities. Either Apple's ecosystem is seeing more attention from attackers, or Apple is being more open in announcing if vulnerabilities are already exploited. Note that this round of updates provides patches for older versions of OS X, like Catalina and Mojave. The most important vulnerability is targeting developers via malicious XCode projects. Prioritize these patches if you are using XCode.
[
Neely]
Apple is releasing updates as rapidly as they can to thwart exploits actively being exploited. Unfortunately, this is shortening the update cycle. Even though you likely haven’t finished applying the last OS updates from the beginning of May, you need to keep rolling forward to get these deployed. CVE-2021-30713 is a flaw in the Transparency, Consent and Control (TCC) framework, while the others are focused on webkit, which impacts both mobile and desktop operating systems. Push the updates to your ADE devices to have users install immediately so you can focus on desktop devices running the other operating systems.
Read more in:
- support.apple.com: Apple security updates
- support.apple.com: About the security content of macOS Big Sur 11.4
- support.apple.com: About the security content of tvOS 14.6
- www.jamf.com: Zero-Day TCC bypass discovered in XCSSET malware
- www.bleepingcomputer.com: Apple fixes three zero-days, one abused by XCSSET macOS malware
- www.theregister.com: Apple patches macOS flaw exploited by malware to secretly snap screenshots
- arstechnica.com: Actively exploited macOS 0day let hackers take screenshots of infected Macs
"