Macs are More Secure

By David Morgenstern  |  Posted 2007-06-01 Print this article Print

Perhaps the reason for the discovery of more exploits for Mac OS X isnt as much a reflection of Apples quality of programming engineering (or its lack), but rather the fact that automated security tools have improved. Security blogger Ryan Naraine told me that instead of poring over code into the early hours, security researchers now can let tools run overnight and check in the morning for a new crop of likely holes. He also suggested that security researchers are turning toward investigating Apple more now that the company has popular Windows programs such as iTunes and QuickTime for Java.
However, credit must go to Apple, according to wireless security blogger Glenn Fleishman, based in Seattle. He pointed to the companys reaction to Januarys Month of Apple Bugs Project as an example of how serious the company is about patching the exploits promptly.
"The prediction beforehand was that Apple would be all pissy about it and it would take a long time to fix the bugs and that they would ignore it. Instead, [Apple] kept coming out with patch after patch and in a nice touch credited [the Project]." Both Fleishman and Hipschman said that while bugs are constantly being uncovered, Mac OS X appears harder to exploit than Windows. Hipschman said Apple has turned off a lot of services in OS X that make Windows vulnerable, especially in Windows XP. One example he noted was that Apple offers users an opportunity during installation to enter an administrator password, rather than defaulting to admin user status without a password. Fleishman said that while there have been exploits demonstrated on the Mac, many are very difficult to accomplish out in the wild. "No one has come up with a good vector to spread infection on the Mac; thats what stymies people," he said. "Even if you came up with the worlds best Wi-Fi exploit drive around the city, and actually take ownership of 100 Macs, even then, with root-level access on a Mac, you cant just deploy [an exploit] exponentially or even arithmetically. You cant even add one more," he said. Also, Fleishman noted that Apple Mail has proved difficult for malware authors to exploit for payloads. Most of the concern in the Mac community is over data in transit and wireless security, he said. "Its all really marginal stuff." In addition, Fleishman wondered about reports of successful Mac zombie attacks in the past year. "I believe [the zombie attacks] have happened, and I wouldnt be surprised if some Macs were owned and turned into zombies. But how many worldwide? Was it 100 [machines]? Compare that to the numbers for PCs," he said. Finally, I believe theres another reason for the Macs amazing security record, beyond the technical and beyond any protection afforded by its supposed market "obscurity." The protection is cultural. Its that legendary "strong" installed base of loyal users. As I said before, Mac users love the Mac. Most dont want to do something that will harm the platform. That loyalty includes programmers. So they avoid attacking other Mac users and stick to Windows. Thats an easier and more successful target anyway. Will there be unfortunate attacks? Of course—its the world we live in. Consider this: The Mac is the most homogeneous computing platform in the world. That should make it the most vulnerable. Instead, it has the strongest real-world record when it comes to exploits. Surely, that record will continue. What do you think? Does the Mac record impress, or is it all a distortion? Let us know here. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

David Morgenstern is Executive Editor/Special Projects of eWEEK. Previously, he served as the news editor of Ziff Davis Internet and editor for Ziff Davis' Storage Supersite.

In 'the days,' he was an award-winning editor with the heralded MacWEEK newsweekly as well as eMediaweekly, a trade publication for managers of professional digital content creation.

David has also worked on the vendor side of the industry, including companies offering professional displays and color-calibration technology, and Internet video.

He can be reached here.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel