Is a Mac really more secure?

[Swad]

Good reading from Infoworld's Tom Yager regarding what has to be the nastiest piece of Window's malware I've seen. I think it's safe to say that most Windows users - even conscientious ones - have had a least one or two "Thank God for that backup image." moments due to malicious code... I know I have.

 

At the end of the article, Tom dissects what allowed the exploit to occur on his Windows box and (you saw this part coming, didn't you?) then explains why something similar couldn't happen under OS X.

 

I'm no server guru, so I'll take Tom at his word. I do know, however, that pride always comes before a fall, and while OS X is indeed more secure, I'm of the opinion that any dominant OS is going to be exploited.

 

What do you think? Is Windows more vulnerable by its very nature or does OS X have similar but unique security questions?

[A Nonny Moose]

Windows has this little problem of allowing things to come in (install itself) through the background and I've yet to see something like that happen in OS X. For that one reason alone, OS X is more secure.

 

Now it isn't 100% secure, and neither is Windows or Linux. ANYONE who thinks their OS is 100% secure, IMHO, deserves to be hacked to death.

[ayyash]

100% secure OS is a myth.

[embries]

Interesting read. Sounds like some of his frustration is the overall design of the windows administrative systems. I don't think that anyone would argue that, given enough training and experience, a UNIX/POSIX/etc system admin will have more control over the nuts and bolts of the operation of the system versus a similarly trained Windows admin. Does that make it "more secure?"

 

Not particularly. According to his article the flaw in the Windows OS is the ability to "hide" things (in the registry, NTFS streams, using the SYSTEM user account). We know from experience, however, where to look for these things when we have a problem as a Windows Admin. Coming to Mac OSX server, I'd be similarly baffled at where a malicious person might "hide" things, even though I could see their processes running in launchd. How was it started, where did it come from, how did it get on the system could all be daunting challenges to someone who is not familiar with the OS

 

These are what we call the tricks of the trade if you will for Windows admins. Here's an example of what I do with a new server install (like the recent Server2003/Exchange2003 dbstore I installed). I keep an image of my server installs. I image after OS installation, then again after software installation and configuration. I generally do not maintain an image beyond this point, unless significant changes to the system are made (new software added, major patches that require some kind of reconfiguration are released, new hardware is added). I maintain backups of the data directories for the software that is in use on the servers. If disaster strikes, rebuilding from this image should be a simple matter of running windows updates, any other minor software patches, and then import the data from the backup. The reason for this is to address his concern of hidden malware. If I have a clean image just after software configuration, I don't want to replace that image with anything that may have been corrupted down the line by some hidden file or process and it is tough to say what caused a server to go down when you walk in and it's "just dead". With a properly patched system, and with proper firewall protections in place, it is the simplest way (least time consuming from an administrative standpoint, slightly more time consuming from a recovery standpoint).

 

Also with this post-install image, I'm able to look at the number of processes that the computer and all its attendant software will be using. I can see (and document) the active processes which can help to identify any rogue processes at any point in the future. I have some software that I use which will record this information for me and I can quickly compare the process tree from previous time points to the current process tree looking for differences. This is why I call it the tricks of the trade because nobody told me when I started that I need to know exactly which processes were running on the server directly after install and configuration, but we learn through experience that this is valuable information in time of crisis. You also collect that wealth of IT resources for your field where you can go to find information about these processes - what does this process do and what software package does it belong to? Still more tricks of the trade.

 

I'm in the process of getting myself some type of OSX server to begin this type of learning process for OSX. Why? Because I'm sure there are little tidbits like this that are equally important to the OSX administrator that could be written in an `expose` driven by frustration when one of us Windows Admins has a catastrophic event occur on his OSX server. I'm interested in testing the Active Directory compatibility of OSX Server, and I'm very intrigued by the "teams" concept they've announced for Leopard server (could it be the sharepoint/exchange/SBS killer that I've been dreaming of?).

 

At this moment in time, there's not a doubt in my mind that OSX is more secure. But I wouldn't go bashing on Windows because the sheer scale of the project they've undertaken is mind boggling and OSX (to this point) does not have the same scope of concerns. What do I mean? Windows has an ungodly number of legacy, 3rd party, and customized bits of hardware, middleware, firmware, and software that they are trying to keep compatible for as long as possible. Combine that with the number of platforms on which the OS runs and tries to maintain some level of inter-operability (Windows Mobile, TabletPC, EmbeddedOS, Itanium, and our 'lowly' x86's which come in their cornucopia of variants including the VIA series which are supported, not to mention the others I've forgotten about or are so obscure I don't know about). Balance that task with the huge base of already installed users in probably every country of the world and their varying requirements (you can't deliver security update CDs to the south pole via FedEx can you?).

 

Now, try to keep all of that in-line with the millions of developers on the platform who, in the course of their daily work, could be creating all manner of exploits to your system unwittingly or possibly even on purpose. Even if they're not creating the exploit, just the sheer number of developers will necessarily lead to uncovering almost every corner of the OS and thereby lead to uncovering even the most minuscule and unconventional methods for compromising a system which leaves the huge installed base vulnerable until you are 1. Notified of the problem 2. Able to verify, test, and determine the extent of the breach 3. Create some method of fixing the problem (if it can be done) 4. Notify the public of the problem 5. Distribute the fix

 

This is why I say that OSX has a security advantage "at this time." Apple has a reduced set of problems to deal with in comparison to Microsoft. First of all a major advantage is the authorized hardware. Sure Apple wants to support as many peripherals and gadgets as possible, but they offer a core set of hardware which they authorize. Keeping legacy support for hardware just got millions of times easier for Apple than their competitors. They don't have to guarantee you that your 3rd party automated toaster will work with their new OS. They might try to make it work for you, and the vendor might be in a real bind to get it working but for Apple the core set of hardware and software their customers "must have" is much smaller. Security wise, this is just easier because most often exploits use some legacy connector or compatibility mode for older software to compromise the system. Smaller number of legacy devices, smaller set of security issues.

 

The installed base is smaller. This is a "good thing" in terms of security. We all know the "lure" to hack the OS is lower because it is smaller, but unintentional discoveries of exploits are reduced. Many will argue that discovering the vulnerabilities leads to fixing them, but in reality vulnerabilities are generally dealt with in terms of which ones have the highest potential for damage, and the ones that are already being used to inflict damage. Leaving the vulnerability alone does not solve the problem, but it does create more work for the hacker who must first find the vulnerability, then create the tools to exploit that vulnerability. Furthermore, the potential for someone's application to unintentionally create a security breach is lowered because of the smaller user base, and the tighter integration of hardware.

 

Man I've been making a lot of long posts lately. I have a feeling I'm going on 'ignore' from some forum goers soon. As always, the above diatribe is my own opinion, it does not represent the views and opinions of other people (particularly those who are 'knowledgeable' or 'sane').

[Swad]

Nah, embries, we enjoy your posts. Thanks for your opinions.

[Chasmo]

While its true that the 100% secure OS is a myth, that a Mac is more secure, as it stands, is not. Many of the Mac people out there are saying you can't get virus's, you can't get broken into.....Simply not true. The truth is both of those things can happen, and in fact most in the industry are predicting that viruses will come soon to the mac. Malware is harder on the Mac, because in fact you do have to enter a password to change many of the setting that it so easy to do on a Windows box. Another myth is it just hasn't happened on a Mac, in the wild, because there are less users of Mac. With the advent of the Intel Macs, you can run the OS on most Windows boxes now. And the people that are designing these malwares and virus don't like hearing that you can't do it on a Mac so they are hard at work at it, just to say, I told you it wasn't so secure, its just a matter of time, but still it is harder to do, otherwise it would have happened already. Just my 2¢.

[milesce]

I have to say, to some extent the author clearly doesn't get it. It reminds me of a piece I read not long ago talking about how windows is better because it comes with a built-in defragmenter. As if you need such a thing on OSX.

 

What he didn't point out was the most obvious reason the exploit occured. He hadn't patched his system with security updates. Had it been up to date, the hackers wouldn't have had a chance. Buffer overflows aside, one of the most basic responsibilities of a system administrator is to patch his systems with the latest security updates.

 

He says that "SYSTEM" can't be logged, but that's not actually true. It's easy enough (and recommended) to enable auditing on critical directories and objects.

 

He says that windows requires users to log in with admin priviledges to install software. Of course you can use "runas", the equivalent of sudo, to do the same thing. Speaking of which, how often does OSX prompt me to enter -- yes -- an administrative password -- in order to install software.

 

I love OSX, and made the full time switch (except for the occasional boot to Windows so I can run Half-Life) earlier this year. But as a 12 year Windows sysadmin, I have to suggest that the author of the article didn't really know what he was talking about. It may be that out of the box a windows server is more vulnerable (although I have my doubts) but certainly not if you have a competent sysadmin. I know that my servers (running IIS, Exchange and Coldfusion) have been sitting out there for years on the internet, happily running, and despite thousands of logged attempts hackers have made to crack them, they are still secure. The one time I had a problem -- in 1988 on an NT 4 web server, and one of my boxes was compromised by a hacker, I had it reimaged and back in production in about 2 hours after discovery.

 

And no, this isn't an invitation to try!

[Takuro]

I'm of the opinion that any dominant OS is going to be exploited.

And that's exactly why OS X is pretty safe: It isn't, by any means, a dominant OS. As long as an operating system can't run .exe files, I'm very certain that it's secure.

 

Sure, there are other exploits other than the conventional .exe execution, and I'm not trying to make it sound that simple. But that does knock at least 97% of common viruses from the list of things for Mac users to worry about. If OS X is exploited by a virus, I'm sure it's going to be in a very dramatic fashion that catches people off-guard and destroys their sense of "smugness." It never rains but it'll pour.

[bsmit007]

The only reason why Mac OS X is more "secure" is because hackers are not interested in affecting only 1% of the world. If I was a hacker, I would want maximum damage and for that I would have to use Windows as the majority of the public use that. Mac OS X is not safe due to superior product or bug free code or anything like that. If the majority of the people used Mac OS X thewn I am quite sure Apple would be facing the same problems Microsoft is facing today. If you want a more secure system you go for a Mac, if you want a more compatible system then you go with a Windows machines. There are always trade-offs.

[jgrimes80]

If I was a hacker, I'd be trying to destroy OSX's reputation...

 

Apple has proclaimed a superior OS for many years... what's the delay to prove Jobs wrong?

[RasmusseN]

everything is hackable

 

you also have to rember windows is the target apple is smaller company that microsoft they don't have to deal with as much stuff. this is generally why apple seems to have a better features.

 

Vulnerabilities

 

Myth - "The Windows Platform has more Security Vulnerabilities than the Linux/Unix Platform"

 

Reality - "Between January 2005 and December 2005 there were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities" - Source

 

Notes - Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

 

source: http://www.us-cert.gov/cas/bulletins/SB2005.html

[eLMafUDd]

Am I the only one who hasn't got a blue screen since windows 98, and hasn't had a virus crash my computer... Ever?

[A Nonny Moose]

Vulnerabilities

 

Myth - "The Windows Platform has more Security Vulnerabilities than the Linux/Unix Platform"

 

Reality - "Between January 2005 and December 2005 there were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities" - Source

 

Notes - Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

 

source: http://www.us-cert.gov/cas/bulletins/SB2005.html

 

I'm wondering what the demographics were on tis "open-source information." Just curious, because it could represent a biased sample if they were all running some kind of *nix (which is famous for open source stuffs).

[Urbz]

IMO, windows can be very secure with all the security updates and a nice virus-scanner and a competent spyware detector.

The average computer user is stupid. And the average computer user runs windows.

And i don't think Microsoft understands that.

How many average users still use dos games and windows 95 word processors?

There is no reason for microsoft to be this way. And by "this way" I mean flexible.

Microsoft is not flexible.

Apple fearlessly "transitions" whenever a change has to be made. Coapland (typo?) was dumped because it was gonna suck and they switch OSes completely. When everyone was done using OS 9 stuff (for the most part) they killed classic. before then, classic ran all you're OS 9 apps on this newer OS. And a few years ago, they were dealing with a user-base on the brink of leaving, especially if they didn't own iMacs.

If Microsoft did this, there would be minimal damage. Where are these average (stupid) users going to go? I'm sure they'll all switch to linux, yes. Or maybe they're all gonna throw their budget 500$ dell and get 1500$ iMacs. They wont go anywhere.

This is why i think Microsoft is stupid. They need to rid themselves of all things that suck "under-the-hood" like the registry and all those freakin annoying cryptic services. All they need to keep is the ui, because to the end-user, it is what makes windows, well, windows.

Doing so would make their OS much more secure. If it's broke, fix it. But when you're fixing it for more than 10 years, replace the damn thing.

 

Sorry for being off topic. I just wanted to point out why i think Microsoft's Windows is less secure. Obviously, i'm speaking about the end user experience. Not folks like us who know how to install operating systems and stuff.

 

-Urby

[jgrimes80]

Sorry for being off topic. I just wanted to point out why i think Microsoft's Windows is less secure. Obviously, i'm speaking about the end user experience. Not folks like us who know how to install operating systems and stuff.

 

-Urby

 

I'm greatly inclined to agree with you... I've had 98/2000/XP and OS9/OSX running side by side for years. No virus on niether. Then again, I'm not downloading random applications, opening random e-mail attachments, nor surfing pornography. My worst crime is cruising forums of interest; but it's yet to be a problem.

 

I have my complaints/smiley faces with both, time has proven OSX to be my favorite though...

[gwprod12]

I agree about dropping legacy {censored} like a hot potato. Who really needs a parallel printer port these days?

 

MSN Premium has a utility called spysweeper. It's actually the best malware scanners I've ever used. And honestly, it should be included with windows. Windows should also require a password to make any changes to the registry or system folders.

[bofors]

The only reason why Mac OS X is more "secure" is because hackers are not interested in affecting only 1% of the world.

 

Really? Can you prove that? By your logic if there are 1000 viruses for Windows, we should see about 10 for OS X. Clearly, you are wrong, there are none. Furthermore, you presumption is inconsistent with the history of computer malware and specifically the fact that Apple OS's prior to OS X have been affected: http://www.claws-and-paws.com/virus/papers...er-viruses.html

 

Moreover, on a regular basis would-be security "experts" roll out their latest attempts to destroy OS X's clean record, the lastest of course being the bogus MacBook "Wifi Attack": http://forum.insanelymac.com/index.php?showtopic=23315 These attempts have systematically failed for some reasons other than lack of interest.

 

These reasons are why the NSA uses OS X for security, try looking at Chapter 2 and note that they do not mention this "minority platform excuse": http://www.nsa.gov/snac/os/applemac/I331-009R-2004.pdf

[lord_muad_dib]

problems usually are between the chair and the keyboard.

 

that said.... crackers always play with SOFTWARE flaws.

every system is crackable due faulty software

[sev7en]

I guess it's more safe than Windows places but only because it's less populated... just that.

[A Nonny Moose]

IMO, windows can be very secure with all the security updates and a nice virus-scanner and a competent spyware detector.

The average computer user is stupid. And the average computer user runs windows.

And i don't think Microsoft understands that.

 

I think MS has to understand that. I mean, these stupid users will call the company with any complaint they have (including "My coffee holder {CD tray} is busted")

 

How many average users still use dos games and windows 95 word processors?

There is no reason for microsoft to be this way. And by "this way" I mean flexible.

Microsoft is not flexible.

Apple fearlessly "transitions" whenever a change has to be made. Coapland (typo?) was dumped because it was gonna suck and they switch OSes completely. When everyone was done using OS 9 stuff (for the most part) they killed classic. before then, classic ran all you're OS 9 apps on this newer OS. And a few years ago, they were dealing with a user-base on the brink of leaving, especially if they didn't own iMacs.

If Microsoft did this, there would be minimal damage. Where are these average (stupid) users going to go? I'm sure they'll all switch to linux, yes. Or maybe they're all gonna throw their budget 500$ dell and get 1500$ iMacs. They wont go anywhere.

This is why i think Microsoft is stupid. They need to rid themselves of all things that suck "under-the-hood" like the registry and all those freakin annoying cryptic services. All they need to keep is the ui, because to the end-user, it is what makes windows, well, windows.

Doing so would make their OS much more secure. If it's broke, fix it. But when you're fixing it for more than 10 years, replace the damn thing.

 

Sorry for being off topic. I just wanted to point out why i think Microsoft's Windows is less secure. Obviously, i'm speaking about the end user experience. Not folks like us who know how to install operating systems and stuff.

 

-Urby

 

I do agree with you that MS needs to kill the legacy {censored} and it's something I've said for years. However, you'd be surprised at how many people are still using Office 97. This was one of the main things for Vista--break all legacy support so you are forced to buy the new version of Office. Obviously, that one piece of security didn't make it to Windows Vista, and instead we have a "sandbox" Windows that I'm sure some 15 year old kid will figure out a way around in ten minutes. Microsoft (and savvy users) can make Windows secure and do it fast. The problem is that Microsoft is unwilling or unable to do it and savvy users are few and far between on any platform.

[JustInSane]

Choosing Windows over Mac is like choosing to live in a bad neighborhood over a gated community.

 

Suppose you have two houses with equal security systems (alarms, locks, surveillance, etc). One is in a gang territory in Queens, and the other is in a remote rural gated community. The security system of the house in Queens will be tested on a regular basis (and not by you). The Flanders house in Mr. Rogers friendly gated community may never get tested. I would much more readily trust the house in the gated community - so much that I may leave the front door unlocked, and the alarm unarmed, and still (rightly) feel more secure.

 

Folks will often claim that Mac is no more secure than Windows - and that the lack of problems is an illusion because of the lack of attacks. That's almost true, but it's foolish to completely neglect the benefit of not being under constant attack. These people are focused on the vulnerabilities, but failing to assess the threats.

Edited December 29, 2006 by JustInSane

[poplars]

it is definately possible to hack OSX. I know someone who used to be friends with Steve Jobs (no joke) he said he has some of the original passwords for the operating system and still knows of some back doors that still exist to this day (or so he says.) Windows is the controller of the market, therefore (and nobody likes to hear this) all the hackers drift towards destroying the one that is the most popular. If Mac OS X were the most popular . . . guess what? It'd be hacked regularly.

[bwhsh8r]

Good reading from Infoworld's Tom Yager regarding what has to be the nastiest piece of Window's malware I've seen. I think it's safe to say that most Windows users - even conscientious ones - have had a least one or two "Thank God for that backup image." moments due to malicious code... I know I have.

 

lmao, backup images? i just wipe the harddrive and start from scratch and osx = security through obscurity, that and microsoft has a disadvantage because of the "hybrid kernel" (aka a monolithic kernel that is structured somewhat like a microkernel) that cannot be updated unlike osx, so that instead of trying to patch out the hole, osx can completely remove it.

 

you can keep windows safe, but you really have to try hard, osx is secure because no one wants to write viri for it (not enough market share) windows is easier to hack and write viruses for (and has a huge market share, so why work harder to infect a fiew computers when you can work less and infect alot more?) thats my theory and im sticking to it but poplars said, it can be hacked and its only a matter of time until it is, but i highly doubt it will be very serious and also i highly doubt it will take long for it to be fixed into uselessness.

[JustInSane]

If Mac OS X were the most popular . . . guess what? It'd be hacked regularly.

Sure, but it's not the case that OS X is more popular. So intelligent users can take advantage of the situation, and run Mac OS free from threats.

 

I'm grateful that Windows exists, so attackers have something to do while I get my work done on non-Windows machines.

Edited December 29, 2006 by JustInSane

[bwhsh8r]

Sure, but that's not the case. So intelligent users can take advantage of the situation, and run Mac OS free from threats.

 

I'm grateful that Windows exists, so attackers have something to do while I get my work done on non-Windows machines.

 

read my above post, i totally agree, but sadly, im stuck on windows oh well, will give osx86 a shot in time.