Why Macs are just as safe as Windows 7 PCs

Why Macs are just as safe as Windows 7 PCs

“There are no real-life viruses for Mac OS X. There never have been.”

A point of frequent disagreement between Mac and Windows evangelists is security. With the arrival of OS X, Apple and some of its customers used the threat of viruses on Windows as a key selling point for its Mac line of computers. After that came a backlash of articles and posts claiming that OS X was in fact no safer than Windows and could even be at more risk.

There are three key areas to look at when it comes to this topic: Hacking, and its security implications for OS X, Security through obscurity, and System architecture. Read on to see why I argue that Mac OS X is just as safe as Windows 7, and how it might actually be even more secure than Microsoft’s latest OS.

[Image includes elements created by Graham Colm]

Hacking, PwntoOwn and implications for OS X

Every year, Apple’s web browser Safari gets some bad press for being ‘the first browser to be hacked’ at the Pwn2own security event. The results of the contest are frequently used to dismiss Apple’s claims that its products are ‘more secure’. I’m convinced that the vast majority of people who read reports (often on mainstream news sites like The Guardian) about Mac OS being ‘hacked’ at Pwn2own have little understanding of what the term ‘hacked’ means, or the terms of the contest.

In order to win the Pwn2own contest, a hacker exploits a pre-existing security vulnerability in a web browser, and typically executes malicious code on a specially designed website in order to read the contents of a file on the local machine’s filesystem, and save a file to that same filesystem. These are important vulnerabilities which any software or security professional would take seriously. This is called ‘hacking’ in the computer security industry (note that to a less experienced user, the term ‘hack’ might well have a much more vague meaning in mind when they read the term). The person or team who manages to exploit such a vulnerability in the shortest time wins the test machine or device as a prize.

My problem with the many articles I see about this every year stems from what a typical user thinks of when she or he hears that a MacBook Pro running Safari was ‘hacked’. It is understandable that they would immediately think that a MacBook Pro is somehow a less secure computer than an equivalent Dell notebook. Because a Safari on a Mac was ‘hacked’ first, sometimes ‘in 5 seconds‘, it might be natural to assume that we’d be better off selecting another computer system.

Of course, this isn’t what being exploited first in the contest means. What losing Pwn2own really means is that the hackers had a prepared vulnerability that they could exploit within 5 seconds. These vulnerabilities are often prepared over a period of weeks or even months before the contest. So while a relatively inexperienced user might fear the ‘5 second’ warning, this is at best a pretty old fashioned way of drawing attention to the Pwn2own contest itself. At worst, it’s an overly simplistic catchphrase used by forum bores to confuse less experienced computer buyers.

Finally, it’s very rarely noted that Internet Explorer on Windows 7 was also successfully hacked during the contest. Funny, that. The truth is that Safari on OS X getting hacked fastest at Pwn2own doesn’t prove that OS X is inferior to Windows. It means that in a contest, the competitors planning to hack Safari on OS X were better prepared and were allowed to go first, in the knowledge that ‘Mac OS X hacked first’ headlines generate much publicity for the event.

Security through Obscurity

Another oft-repeated claim in the debate on Mac security is this old chestnut:

It does seem, as has been well-reported, that that are far fewer exploits hitting Macs than their Windows-based cousins. But it’s hardly because Macs are immune from attack. Indeed, according to security researcher Nitesh Dhanjani, it has much more to do with market share — there simply aren’t anywhere near as many Macs out there as there are Windows machines. [From Yahoo Australia]

Taken at face value, this argument works extremely well, and in two interesting ways. Firstly, it explains away any possible chance that Macs might have an inherently more stable or secure architecture by bringing it all down to market share: “If there were more Macs, there would be more viruses”. Secondly, it helps antivirus vendors shift units of what is arguably useless Mac antivirus software, by scaring recent Mac buyers: “When there are more Macs, there will be more viruses”.

There are no real-life viruses for Mac OS X. There never have been. There have been a small number of ‘proof of concept’ viruses developed (with notorious difficulty), and rated as very low risk by security firms. After much research, we’ve found only a handful of Trojans in the wild. One of these, ‘Macarena‘ was bundled with an illegal ‘warez’ download of iWork but required SUDO (super user) access in order to execute. Another was the ‘OSX/Koobface.A‘ Trojan, alleged to have been installed via malicious links on Facebook and MySpace. Security firm Intego, while promoting its Mac antivirus app also notes that this Trojan can’t be made to work. In other words, OSX/Koobface.A isn’t even a proof of concept. We welcome anyone who can provide us with evidence of a real-life virus in the wild which successfully infects Mac OS X 10.6.7.

As with Microsoft Windows, pretty much every report of a virus on Mac OS X originates from a company that intends to make money out of security software. Given the paucity of evidence for real life threats, it seems that some less scrupulous firms are exaggerating the level of risk to scare less experienced Mac users into purchasing antivirus software. Last week, we received a press release from anti-virus firm Kaspersky claiming that ‘over 300 viruses for Mac are detected every day’. I tried to contact the antivirus vendor via Twitter to obtain some corroborating evidence for this claim. Kaspersky has, so far, failed to respond.

The problem with the market share myth is that it’s extremely difficult to disprove. Reliable market share figures are hard to come by, though they seem to range from about 7-13% for Mac OS X. So around 10%, then. We have found no evidence that virus writers or botnet managers from around the world have agreed, colluded or otherwise decided, not to attack the Mac OS install base which we estimate to be anywhere between 80-100M machines. Indeed, given the average cost of a Mac computer, we might expect that trojan, keylogger, virus and botnet developers might be interested in accessing this relatively middle and high income set of consumers.

We cannot prove why there are no real life security threats for Mac OS X. But the absence of a single functioning attack in an install base of up to 100 million machines, coupled with evidence of the difficulty of developing code that will successfully execute malicious software in virus form leads us to believe that it is the system architecture of Mac OS X which makes it very difficult to successfully infect a Mac computer.

We built this system on BSD!

Mac OS X is a UNIX-like operating system. Its kernel, XNU, uses FreeBSD as its main codebase. This basis, similar to that used on many server and mainframe systems, is one that offers a huge developer community, stability and security. Because of the open-source nature of OS X’s foundations, security holes and similar issues are normally detected relatively quickly. FreeBSD recently underwent a massive security audit in an attempt to detect and patch as many security holes as possible. This is in contrast with the Windows kernel and system which remain closed to non-Microsoft personnel. A FreeBSD-style security audit would be impossible in Windows.

Additionally, the system architecture – the very way the OS makes system calls (requesting a service from the kernel) – in UNIX is more secure than it is in Windows. Because of the way that Windows has developed over the years, it has evolved into a system that demands for far more system calls than a UNIX system would for the same task. Essentially, UNIX is cleaner and makes fewer calls; Windows is thus inherently harder to secure.

In summary

If you’ve made it this far, you’ll have seen that much of the talk about security threats in OS X is caused by either ignorance or malice. It’s important to make one thing clear in closing: no operating system or computer is ever going to be 100% secure and immune from threat. Sensible, cautious use of your computer, whether it’s running Windows, OS X or Linux, is the best way to keep your machine clean and secure.

Loading comments