Is Apple OS X More Secure than Windows?

By John Viega
December 1, 2008 | Comments: 12

OS X Security is a pretty fun topic for me, because I love watching the carnage when people fight.

Before I register my opinion, I need to be clear that I've been operating almost exclusively on a Mac since OS X came out. I grew up in Unix, and never liked the lack of usability in Windows, so it was a good fit. However, I don't have any particular interest in making Apple look better than it really is, particularly when it comes to security. So I don't really consider myself a "fan boy". But I do know plenty of people over in Apple, and have some insight into what their product security team looks like.

Apple and its fan boys will talk about how their platform is more secure, because there is so little malware for it. Security people will talk about how there are plenty of vulnerabilities published for OS X, and that it is certainly not more inherently secure than other operating systems.

Both sides are correct! Yes, there are plenty of vulnerabilities in OS X. I wouldn't necessarily say it's an undue number (though it's always alarming when security researchers find vulnerabilities by the dozen)... we all know secure software is difficult to write, and there are going to be problems. And in anything as large as an operating system, there are always going to be more security holes to find.

Comparing OS X to Windows directly here, Apple has not spent the massive amount of money on software security that Microsoft has. But, Microsoft spent a lot of money being pioneers and did start from WAY back (they used to have horrible security)... it's not fair to directly compare spend. Still, Microsoft has much more mature and better processes. I think they don't spend as efficiently as they could here, but they certainly spend a lot to make up for it.

And, the long-standing notion that Unix (thus OS X) is more securely designed than Windows is mostly a non-issue these days. I say this in part because the security model of Windows is a lot better (and has been ever since their consumer offering moved over to the NT kernel). But, it's also true that the differences are mostly irrelevant to attackers today. It may be harder to get administrative access on an OS X box than a Windows box. But, if there are gullible users in front of the computer, or if there are software flaws to exploit, it hardly matters. If the bad guy can run their own code on your computer through one of those two methods, then the bad guys are where they want to be. They don't really NEED administrative access. Neither OS has a strong advantage in terms of keeping away exploits, nor does either help keep gullible users from infecting themselves.

I think what's most important is that Apple seems to take things seriously and get patches out in a timely manner when things go public (the vast majority of malware that exploits security holes in software relies on publicly disclosed information).

I'd say on the whole, neither OS has an inherent technical advantage. There are pluses and minuses in each column, but no clear winner.

At the same time, it's true that, from what I've seen, there are only about half a dozen truly unique pieces of malware out there (including the Leap Worm, the RSPlug Trojan and the OSX_LAMZEV backdoor). No matter how many vulnerabilities there have been in the OS, almost none of them have been leveraged by real malware. It's clear that it's far less risky (at the moment) to be an OS X user than a Windows user, even though OS X users probably aren't running AV, and even though Microsoft has spent billions improving the security of their offerings.

What gives??!! Why don't bad guys seem to be too interested in OS X? This seems like the really interesting question. It seems like OS X should be a huge target, since the market share is now so high-- according to a recent article, over 20% of new machines sold in the US are Macs (though Gartner claims their market share is 6%... there doesn't seem to be any good consensus). No matter who is right on the market share issue, I'll hazard a guess and say that about 7-10% of computers actually in use at any given moment are Apples (at least in the US). Even if it's only 3%, that seems like a huge base of PCs that should be an appealing target to bad guys looking to build a legion of infected hosts to use in spam campaigns, delivering ads and so on. Particularly considering that most people running Macs don't run AV (and that includes me!)

If you look at reported sales figures, Apple sold about 6M laptops, and 4M desktops in 2007. Also, I'd venture to guess that most Mac owners are something like me. They have a laptop as their primary machine, but they still have a desktop or two sitting around, maybe to have the bigger drive for all their photos, music and movies, or as a dedicated media editing workstation. But they don't really install a lot of software from the net on those machines, or spend too much time browsing the web. I've got two Apple desktops that are almost exclusively media PCs (when kids are around, they occasionally end up browsing to sites like disney.com or webkinz.com while supervised). And I've got a couple that are test machines, and usually turned off. When I was working for McAfee, I had a really nice desktop, but I only used it for stuff inside the VPN.

Those desktops typically aren't doing anything too risky, because they are secondary machines for most people. It's the laptops that we use to surf the shady side of the internet. The laptops are the bulk of the Macs that get day-to-day internet use (I'd guess north of 80%).

If I were a bad guy, I'd be far less interested in "owning" a machine that changes location a lot and is frequently closed. It's a lot harder to count on those resources, contact them and leverage them. Since there are so few desktops in use, I'd posit that Apple has much smaller market share in terms of machines that are useful to attackers.

Now, I'm sure Windows laptop usage is similar to Apple usage. People who own a Windows laptop are probably a lot less likely to use their desktops. But, there are lots more Windows desktops out there already, and there are plenty of people who only have a Windows desktop. Those people who aren't too computer savvy and don't have a laptop, but still heavily use the Internet are the most likely to fall prey to social engineering attacks.

Plus, it costs more to produce malware for OS X, because the tools aren't available that lower the cost. I have not yet seen something akin to the Pinch malware creation tool for OS X. Therefore, if you're a bad guy, you need to come up with Apple development skills, whereas before you didn't need to have any particular skills at all.

Eventually Apples might be the lowest hanging fruit, but there seem to be plenty of Windows PCs that are still ready to be owned. And for most people it is far less costly to own those PCs. Therefore, simple malware economics is doing a good job of protecting Mac users... no AV necessary. But, Apple has just started recommending AV, and I think for non-technical users in particular, that's always a good idea.

But when the day comes and there are lots of real threats out there for OS X coming out on a frequent basis, that's when it will be important for everybody to have some malware protection on their Macs. Until then, it's one less thing I have to buy!



12 Comments

Biggest security hole in OS X? My account has sudo access to everything by default.

What's the point in having security layers if everyone knows the password is sudo?

Your account would have sudo access because you set it up as an admin account.

Non-admin accounts don't have sudo access.

Furthermore, even if sudo does not remove your right to do something, it does slap you in the face and say, "Hey, you are about to do something important. Are you sure?"

Bob,

By default, if you set up an admin account it has sudo access. To access any root functionality using sudo it prompts you for your admin account password. What you talkin' bout, when you say "the password is sudo"?

Sure, there are plenty of laptops being sold, but most of them are cheap. I've heard it said that Apple sells 60% of the laptops costing over $1000. So, the Macs are sold to people who have money. You would think that these computers would be a juicy target, but they are not. Go figure.

Interesting point about notebooks being less interesting for the bad guys. If you are right, then the fact that Macs have always been better at sleeping and thus automatic sleep is on more often will also have an effect. I hadn't thought of that.

Add Macs sleep more often to the other things that make the Mac less attractive.

1. Smaller market share means fewer targets. (This is always overstated but is at least partially the reason for fewer attacks.)

2. OS X has always had auto update on by default. This means that things like the current botnet hole happening to Windows is much less likely because patches are delivered in a timely manner. Windows is patched but this malware is still spreading.

3. There is no history of successful Mac malware to work from. Without existing examples, a malware author has to be original. This is much less cost-effective than working with an existing model that is known to work and generate revenue.

4. The OS X community is closer knit than the sprawling Windows world. If something does happen, there is an immediate reaction and many people attempt to find and publish a fix. Witness the Month of Apple Bugs, where programmers were, independent of Apple, attempting to close the holes as they were published.

5. Unix (and thus OS X) has a better security model than Windows. It is mature and designed for shared computers with individual user accounts. While not perfect, it has fewer design issues than Windows to start with, making it harder to find exploits. The exploits are found but are usually quickly patched.

Now add that OS X based computers are more likely to be sleeping at off hours and you have a pretty good idea why the Mac is a less desirable target.

Pretty much any old rock will break a Window.

I have used Macs and been on the web since 1992. During those 16 or so years I have never had a computer infection of any sort and have not had any protective software other than OS X's built-in firewall.
Show me a Windows user who has had that sort of user experience, and then I will say YES, Windows is just as safe as my Mac.

Thanks for the comments. To James: Some good additional points in there.

For Richard, I have had at least one Windows machine since about 1992. Until 2001 when OS X came out, it was my primary desktop OS. I've never been infected. I know plenty of other people who have never been infected. To some degree, that's been luck, but I also attribute it to:

1) Making sure I keep up with MS software updates, to keep my window of vulnerability for vulnerable services low.
2) Making sure I don't install questionable software by doing my own research, which can be tough, when plenty of otherwise legitimate programs bundle adware or spyware.
3) Making sure no services on my machines are exposed to the Internet.

Plenty of geeks are equally vigilant (or more so), and have never been infected. Plenty of non-technical users can say the same thing. For instance, my mother has never been infected, even though she's not really technically savvy. But, she generally doesn't go around running software, just using the software I put on there for her. And, her computer has always been invisible to the outside world, beyond her web activities.

I've certainly seen tech savvy people that have more risky behavior and end up getting infected. Especially at universities where their vulnerable services are more likely to be visible to a bad guy (who already has a toehold on the machine). There are also plenty of people who are more risk tolerant in installing things like screen savers and utility apps that might be bundling something bad.

For Louis, I think the reality is, the more you spend, the better educated on risks you're likely to be. Partially it's because wealthier people tend to be better educated in general. There could also be some element of, "I only paid $200 for this computer, I just use it to get information, as long as I can do that, I don't care about anything else."

Market share and vulnerabilities aren't particularly related - any platform that's reasonably popular will be attacked, so vulnerabilities are more a measure of the ability of the attacks to be successful. For example, look at web site defacement (from a few years ago, when data is available) - while Apache is the most popular web server, IIS is used by the majority of hacked web sites. So while Apache might make 'the best target' based on popularity, it turns out that IIS is more often run insecurely, making attacks on IIS more effective.

The reason that there aren't any Mac OS X viruses isn't due to some abstract "security", it is because Apple and Microsoft made very different design decisions. Microsoft has a fundamentally insecure software model due to its desktop OS roots, such as not having multi-user permissions enforced by default until very recently, and desire for 'features' such as COM/ActiveX in IE and Outlook that allow for sexy integration that creates security attack vectors. This is because MS has always considered convenience more important than security. Those decisions made their OS appealing to consumers, but created channels of attack that they've had to spend billions of dollars to try to secure, and which cannot, with any level of investment, be made more secure than OS's that don't have those risk features. Mac OS X and Linux never created those problems, so they haven't had to fix them.

As an example of how MS thinks about security, consider user logins in Windows 95 (it's an old story, but an illuminating one). When you boot Win95, it has a login panel asking for a username and password, which makes you feel secure. But because MS didn't want to deal with the support issues of real security, they added a nifty 'feature' to reduce customer support calls - if you fail the password entry three times, it lets you in anyway. So people got to feel secure, and nobody ever had to call MS to complain about a lost password. :-)

If you configure Windows securely (e.g. don't run as Administrator, leave UAC on, disable unneeded services, etc.) and don't use Outlook or IE, Windows is actually fairly secure. This is how Macs (and Linux) run out of the box, and is the reason that they're so much more secure than Windows by default. Unfortunately, most users won't do this, and when configured securely Vista is terribly annoying, so few users will run this way, so while MS technically made their OS nearly as secure as Mac OS X or Linux, it's almost never run that way (except when managed by corporate IT).

Apple has done a really bad job with the Mac OS and you'll know why in less than a minute.
Apple has significantly fewer hardware vendors to worry about than Windows does because they hand pick their hardware and sell their own systems bundled with their software. (This should significantly reduce the number of bugs that will creep in.)

The new Macs are Unix based and should be *secure* by default - they have some of their jobs done for them already.

With these two advantages, you would think Mac would be 2 times more secure than the average Linux distribution and 5 times more secure yet.... fill in the blanks for ya self

Laird,

I mostly disagree with you. There are far more factors than you're looking at in the economics, such as the cost to develop malware for the mac (which is higher) and the likelihood of people being socially engineered (which I'd say is lower).

Most of the differences in the MS and Apple security models are for when the attacker already has a foothold on the machine. At that point, the differences are usually irrelevant, because the attacker can do most of what he wanted with just the user's privileges.

Apple's software security also isn't any better than Microsoft's. They just weren't as much of a target because the economics kept them safe when their market share was low.

Ya, Macs are so secure, right? I know this is an old thread, but I think it's funny how far Apple has fallen. Or, I guess it has been that way for a while, but Apple's lies have made the sheep go blind.
http://blogs.computerworld.com/15605/hacker_pwn2own_organizer_windows_7_is_safer_than_snow_leopard
5 seconds to break through into OS X from Safari, and if you do a little more research, it took the guy breaking into Windows Vista a couple of minutes through IE 8. Apple's apparently great security and up to date browser got beat by IE 8, viewed as the worst browser, and I'm not gonna lie, it sucks, but IE 9 Beta is good, and Chrome takes the cake as the best browser in my opinion, and it is also more secure. Unlike OS X, it uses real sandboxing, which Apple says it does, but this seems to prove it wrong.
http://www.securemac.com/boonana-bulletin.php
Mac security is a load of bull. This trojan bypasses everything, and opens up the potential for some serious attacks. Can you say... botnets? Once hackers start working more on this, Apple will fall, as consumers will lose faith. Already starting, I know of 3 Mac users who will be switching back to PCs for their next system, and already spend more time in the Windows partition on their system. So, in other words, I will be sitting back with my free anti-virus and firewalls, and watching as Apple burns because of its lies. If it actually made its own OS to begin with, maybe it would be a little bit more secure. Take a look at the amount of updates it has to make for security? The last one was what, 600 MB according to one of my friends? Wow, I don't think that in the 2 years of owning a Vista/7 system I have had to do that many updates. I would know, as for most of it I was on dial up, which would have been hell.

I pity you blind sheep, I really do, but you guys are getting nailed to the wall. Overpriced tech, crappy security... what next? App developers installing keyloggers on your iPhones? Oh, right, they are almost there, according to the new press release that Apple knew that developers were able to track your personal iPhone by acquiring your unique device identity. Have fun with your waste of money!
