Are Mac's inherently safer?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

The notion that virus writers would prefer to attack Windows because of its larger isntallation doesn't hold water. MacOS is also an extremely attractive target. Facts are 1) BSD/Unix has been hardened over many, many years and 2) the exposed code makes it far easier to find vulnerabilities requiring that the code be much, much more secure.

Obviously posting an opinion like this is a neat way of attracting publicity and negative remarks. But here's my take:

1) Windows security measures are essentially pointless because the biggest issues can't be fixed easily, i.e. ActiveX (it's an open, maximum threat, issue on pretty much any security advisory -- the workaround is to disable it) and a poor basic security model (any fool can go delete stuff in c:\windows and so can any piece of code). Arguing that gaping flaws like this are equivalent to as yet undiscovered flaws in Mac OS X is simply unsupportable.

2) Many of the "security" measures taken in Windows are more marketing exercises than actual security enhancements. E.g. the feature in Outlook that prevents you from saving certain email attachments to disk no matter how sure you are they are safe is so inconvenient that it may *seem* to some users as though it's actually secure. Meanwhile, on a Mac you will be politely warned if you download or save an attachment with an executable in it, and the first time you run an executable. It's not foolproof, but unlike the equivalent measures in Windows it is neither incredibly inconvenient NOR is it totally useless.

3) The argument that no-one is hacking Mac OS because only one computer in 25 is a Mac is specious. Given the instant publicity and infamy an ill-informed blog entry on Mac security gets, imagine the props for creating a successful Mac virus or worm. There's no glory in creating a Windows virus -- ANYONE can do that.

To date, the most publicized piece of Mac malware is a shell script which requires the user to download the script, execute it (something most users wouldn't know how to do) and enter an admin password. So, hackers *are* trying to crack the Mac, they just suck at it.

"What follows is my opinion based on...some assumptions about how hackers think."

Leo, did you really think this article through before you submitted it to your blog? If you were a hacker wouldn't you desperately be trying to create the very FIRST virus for OS X? Imagine the bragging rights & "respect" you'd gain...as opposed to writing the 385,721st virus for Windows...

BUY a Mac then try to equate it to Windows. Don't just sit on the other side and lob ignorant grenades at the platform.

The only way to settle the dispute for Mac OS is to gain the same level of share like Windows has in personal computers. Yes, there had been fewer viruses for Mac, but I bet there had been fewer hackers trying to wreck Mac. That's the whole point. One can always claim that Mac OS is inherently more secure etc. Although in truth, you never know in which and how many ways hackers would discover security holes and start exploiting them, had they been serious about Mac. It is possible that it would be difficult or may not be possible at all to attack Mac OS using the same method used in Windows. However, it is also possible that Mac will turn out producing some different kind of security holes compared to Windows. This whole issue of "relatively secure" is biased since Mac just doesnt have the same level of usage compared to Windows.

Leo contends that hackers ignore the mac community because it's so small. That doesn't take into account the animus that many pc guys have for the mac. I think they would like nothing more than to bring the mac community to it's knees.

Leo,
Wouldn't "I don't know" be a perfectly valid answer here?
There are entire classes of attack that MacOS X precludes by design. For example, there is no "root" or "Administrator" account that has unfettered access to the entire OS. If you want to change the System, you are prompted for your password and permission to do so, and then only if you have an Administrator flag. But even with an Administrator flag, anything you do will be logged as you, not as some generic "Administrator" user.
In addition, the "active content" (such as ActiveX) is generally Java or JavaScript on MacOS X, which is kept in a much tighter secure box than ActiveX. ActiveX has been a major source of vulnerabilities on Windows.
Most services are disabled by default on MacOS X and only run when/if needed and explicitly requested.
Another thing the Mac has going for it, for now at least, is the PowerPC has better protection against data being treated as code, so many "buffer overflows" are vastly more difficult to exploit. Intel is said to be adding this functionality next year, so hopefully Apple will not lose anything in the transition.
Furthermore, Apple has made it very easy for the expert user to use digital signatures in the default Mail client, as well as strongly encrypted email. Add to that the advanced spam filtering (one of the best client-side ones I've seen) and not auto-running anything, and you get a system where even if someone did write an email virus or worm, there are a lot more roadblocks to its propogation.
To sum up, in MacOS X there are fewer places for malware to hide, its harder to get there, and its harder to spread anywhere else once it's there. I agree with you that all current software likely has exploitable bugs, but in addition to your point about it not being worth it, the wall is also much higher around the Mac's security. So yes, the Mac is more secure AND it's more inherently secure.
Which is probably why not one single MacOS X-specific virus exists. Anywhere. At all. The only known virus, ironically, that can reproduce on a Mac are macro viruses written for Microsoft Office, if the user has MS Office installed.

(I guess indentation doesn't work on your comments area...)

Wouldn't "I don't know" be a perfectly valid answer here?

There are entire classes of attack that MacOS X precludes by design. For example, there is no "root" or "Administrator" account that has unfettered access to the entire OS. If you want to change the System, you are prompted for your password and permission to do so, and then only if you have an Administrator flag. But even with an Administrator flag, anything you do will be logged as you, not as some generic "Administrator" user.
In addition, the "active content" (such as ActiveX) is generally Java or JavaScript on MacOS X, which is kept in a much tighter secure box than ActiveX. ActiveX has been a major source of vulnerabilities on Windows.

Most services are disabled by default on MacOS X and only run when/if needed and explicitly requested.

Another thing the Mac has going for it, for now at least, is the PowerPC has better protection against data being treated as code, so many "buffer overflows" are vastly more difficult to exploit. Intel is said to be adding this functionality next year, so hopefully Apple will not lose anything in the transition.

Furthermore, Apple has made it very easy for the expert user to use digital signatures in the default Mail client, as well as strongly encrypted email. Add to that the advanced spam filtering (one of the best client-side ones I've seen) and not auto-running anything, and you get a system where even if someone did write an email virus or worm, there are a lot more roadblocks to its propogation.

To sum up, in MacOS X there are fewer places for malware to hide, its harder to get there, and its harder to spread anywhere else once it's there. I agree with you that all current software likely has exploitable bugs, but in addition to your point about it not being worth it, the wall is also much higher around the Mac's security. So yes, the Mac is more secure AND it's more inherently secure.

Which is probably why not one single MacOS X-specific virus exists. Anywhere. At all. The only known virus, ironically, that can reproduce on a Mac are macro viruses written for Microsoft Office, if the user has MS Office installed.

Hey I'm Leo, I've never driven a Ferrari before but I've driven a Skoda and I can tell you that they are as fast as Ferraris. How did I know this? Well, they both have 4 wheels and an engine...

Come on Leo, get real. You simply cannot compare two OS's when you only use one. There is something called RESEARCH that typical journalists conduct before they start typing. Five years of OS X and no viruses. Vista has not even been released to the general public and there have already been exploits.

One more thing - going by your rationale, McDonalds MUST be simpy the best restaurant in the world, since they have the most outlets. Right? Wrong. It's QUALITY not quantity that matters, and OS X has been built from the ground up focused on security. Micro$oft's half assed SP2 is nothing more than a placebo.

"I put "counter-argument" in quotes, only because we arrive at the same conclusion - Mac's are safer - we just get there through very different means.

I encourage you to read the many comments below. The furor is that I've come to the right conclusion - Mac's are safer - for the wrong reasons."

The same conclusion? Your conclusion is that Macs are less vulnerable because they have a lower installed base and hackers only want to hit the big target. Just about everyone else's conclusion is that Macs are less vulnerable (or NOT vulnerable at this point) because of superior design and security. How are those the same conclusions?

By the way, if I'm a hacker there is nothing I would like more than the notariety of being the first person in the world to write a virus that breaks the Mac OS X cherry.

Yes, you got flamed by Mac users, but justifiably so. You obviously don't know what you're talking about.

After reading your article, I conclude that nobody should ever "ask-leo" anything and expect a logical answer. Too many assumptions in a situation where there are easily verified facts. You do get credit for at least stating your assumptions (e.g. with regard to how you think a hacker might behave, how you think software in general behaves). That you wandered around and guessed the right answer is neither here nor there. So, several points for frank disclosure. However, serveral million points off for failing to grasp the fundamental importance of things like total number of software defects overall, ability of a process to alter the kernal, and other basic issues of operating system architecture, not to mention failing to understand why open source is safer. You know what they say -- when you asssume... Please go back to your high school and surrender your diploma at your earliest convenience.

To post a comment on "Are Mac's inherently safer?", please return to that article's main page.