The best myths are those that contain a whisper of truth. Likewise, the theory that everyone can prevent malware infections with nothing more than Internet “common sense” and an adblocker is unfortunately misguided because it takes a piece or two of good advice and bends it beyond reason. These safety tips certainly don’t suffice in the Windows world, nor do they work 100% in Mac-land.
Malicious ads are undeniably a problem. And common sense, while seldom common, can certainly help keep you safe from low-hanging fruit threats. That said, I think we’ve all had a “click-whoops” that’s caused us to do something we didn’t intend to do. It may have been a mistimed “Reply All” or accidentally closing a file you didn’t mean to, but accidents happen on computers just like in real life.
But even then, you still have not closed all the windows of opportunity for malware to get through. Just ask Twitter, Facebook, Apple, and Microsoft. The malware that hit them was not a malvertisement, nor was it a case of double-clicking something they shouldn’t have. The forums their developers visited were compromised and malicious code was added. This is a very common scenario, and it’s part of why Flashback was so successful.
The problem may have been prevented if the developers didn’t have Java installed, but they may need to use Java for work purposes – not everyone is able to disable it, for a variety of possible reasons. Using Java when you know about all its vulnerabilities doesn’t mean you lack common sense. Like it or lump it, Java is a very popular technology, and most developers (and many other jobs) can’t reasonably ignore it.
Right now, plugins like Java and Flash and 3rd party software like Microsoft Office are a very low-hanging fruit for malware writers; much of what’s hitting Macs involves exploiting them. Because they know many people have a vulnerable version of one of these products, that’s where they’re focusing their efforts. If the products cease to be popular or vulnerable, they will shift their focus to something else. If you don’t use any of these three (how do you watch cat videos!?), you’re safer than average. If you add common sense to that, the currently popular sorts of malware might not hit you.
We don’t know what tomorrow will hold or how long this trend will persist. And, more importantly, malware is not the only security threat out there. Common sense will not protect your data against attackers that have gathered your password from an undisclosed breach. Or direct attack. Or theft of your device. Keep that in mind and understand that a mix of common sense and other precautions (like firewalls and anti-virus software) to create a layered defense is your safest bet.