“[Analysts] do agree on one area where Apple has an advantage: Security. Macs are targeted by viruses and hacking attacks far less often than machines running Microsoft’s Windows simply because there are fewer of them around. Computer criminals strive for maximum impact, so they pay less attention to the relatively small number of Mac users,” Arik Hesseldahl writes for BusinessWeek.
“While Microsoft struggles to build firewalls, anti-spyware, and anti-virus technology into Windows, Mac users are for the most part untroubled by these annoyances, and that’s a point it could press, says Richard Forno, a principal consultant with KRVW Associates, a computer-security firm in Alexandria, Va. ‘I’m seeing more and more people in the security business using Macs and saying they trust them and don’t have to cope with viruses and other hassles,’ he says. ‘I just wish Apple would market its security as a key feature to corporate customers.’ Of course, the more popular Apple machines become, the more likely they are to be targeted by hackers and virus writers,” Hesseldahl writes.
Full article here.
MacDailyNews Take: The idea that Windows’ morass of security woes exists because more people use Windows and that Macs have no security problems because less people use Macs, is simply not true. Mac OS X is not more secure than Windows because less people use OS X, making it less of a target. By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.
Hesseldahl is the same writer who wrote for Forbes back in June 2003, “Naysayers have been calling for Apple’s demise for years. But Apple not only has survived but thrived, it seems, at least partially by the sheer force of Jobs’ will and his ability to maintain the ferocious loyalty of Apple’s users, who still account for 10% of the world’s computer users, while its sales usually account for about 3% to 5% of the world global PC market.”
So, if Macs account for 10% or so (some say as much as 16%), then, according to Mr. Hesseldahl himself, Macs aren’t “obscure” at all. Therefore, the Apple Mac platform’s ironclad security simply cannot logically be attributed to obscurity.
There are zero-percent (0%) of viruses for the Mac OS X platform that should, logically, have some 10-16% of the world’s viruses if platforms’ install bases dictated the numbers of viruses. The fact that Mac OS X has zero (0) viruses discounts “security via obscurity.” There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to “obscurity,” it’s attributable to superior security design.
Still not convinced? Try this one on for size: according to Apple, there are “close to 16 million Mac OS X users” in the world and there are still zero (0) viruses. According to CNET, the Windows Vista Beta was released “to about 10,000 testers” at the time the first Windows Vista virus arrived. So much for the security via obscurity myth.
Arik Hesseldahl’s email address is:
Related MacDailyNews articles:
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
ZDNet: How many Mac OS X users affected by the last 100 viruses? None, zero, not one, not ever – August 18, 2005
Intel CEO Otellini: If you want security now, buy a Macintosh instead of a Wintel PC – May 25, 2005
Apple touts Mac OS X security advantages over Windows – April 13, 2005
97,467 Microsoft Windows viruses vs. zero for Apple Mac’s OS X – April 05, 2005
Apple’s Mac OS X is virus-free – March 18, 2005
Cybersecurity advisor Clarke questions why anybody would buy from Microsoft – February 18, 2005
Security test: Windows XP system easily compromised while Apple’s Mac OS X stands safe and secure – November 30, 2004
Microsoft: The safest way to run Windows is on your Mac – October 08, 2004
Information Security Investigator says switch from Windows to Mac OS X for security – September 24, 2004
Columnist tries the ‘security through obscurity’ myth to defend Windows vs. Macs on virus front – October 1, 2003
New York Times: Mac OS X ‘much more secure than Windows XP’ – September 18, 2003
Fortune columnist: ‘get a Mac’ to thwart viruses; right answer for the wrong reasons – September 02, 2003
Shattering the Mac OS X ‘security through obscurity’ myth – August 28, 2003
Virus and worm problems not just due to market share; Windows inherently insecure vs. Mac OS X – August 24, 2003
‘pete’ I may have missed it, but has anyone said “it can’t happen here”?
To paraphrase the collective “wisdom” of the enlightened posters: The chance of Mac OS X being turned into some sleezbag hacker’s bitch (like Windows PC’s do every millisecond) is remote enough for us to go skipping along singing happy songs and playing with daisies.
However, should the dark day every come when even the mighty Mac OS X is overcome, we’ll load virus/trojan detection software and fear for our lives online the way Windows PC users do now.
Rock on Steve
Ted wrote “The very reason Apple does not market OSX for it’s security benefits is because they know very well that the OS is not immune.”
Not true. Apple openly advertises their anti-viral abilities. Their official training to its Apple Store employees (based on a friend, an Apple employee) states they may clearly mention Mac’s inherent virus protection. If you visit any Apple store, and ask any employee, they have no hesitation and quite proudly and openly mention Mac’s anti-viral natural abilities (unlike their obvious silence about rumors). But, they are also quite polite to mention that Apple doesn’t pride itself on the weaknesses of its competition, but on their own strengths; Apple employees do not gloat (which they easily could) over Microsoft’s troubles, but quickly turn to the Mac’s other two dozen obvious advantages.
If I didn’t make so much on art, I might consider sending Apple an employment application. Seems like good people. Their UK stores are seeking “Creative Specialists”. For a job, how tempting is that?!
Seahawk… Just wondering (and I really don’t know the answer) would servers be more attractive or better targets for hacking? It just seems to me to make sense that infecting a server would be more efficient in bringing down major corporations, shutting down websites and/or spreading viruses. Obviously, it would be a more difficult job since 1)Unix/Linux based systems have major shares of server markets, and 2)Servers are managed by administrators who are more likely to know what they are doing than the lay computer-user.
On that note, there were recent articles by Anandtech demonstrating that OS-X server had a number of weaknesses that would make it less likely to succeed in the corporate world.
By the way, the motives and methods of virus-writers are changing, or so suggests this BBC article:
http://news.bbc.co.uk/1/hi/technology/4205220.stm
It seems money, rather than fame or kicks, is becoming the main motive. Which is changing the methods: (quotes from the BBC article)
“Now most of the big outbreaks are professional operations… They are done in an organised manner from start to finish.”
“Few virus writers now want to hit the front pages… most prefer to have their creations sneak under the radar, rack up a few thousand unwitting victims who are then milked for money or saleable data.”
Now I’m wondering, if these assertions are true, just having a smaller market share may also mean we would more easily figure out who the culprits are. Hacking a Windows system is less likely to stand out now that it has become so “normal” to have an infected Windows system.
Microsoft Windows problem is; insecurity through inferiority!
Hey, a just got a virus!
Can I know sit down and load it up on someones mac!
HA!
That was great.
OH, by the way Bill. My OS is better than your OS!
MacMania:
The handle is “inaminit”, not Pete.
By the way, as a new Mac owner I appreciated the little tip on checking the IP addresses in the IPWF log. You’re right, it’s VERY reveling.
“It can’t happen here” is a generalized summation of the collected expressions that I’ve seen on this and other Mac boards. Far to many Mac users seem to have the attitude that viri simply can’t happen to a Mac. It’s not the hardware, but the software that hackers hack. And they have shown us over and over that any OS can be hacked, given the time and determination to do so. But I certainly agree, it would take a lot more work to do it to OS X.
A friend just forwarded me this email:
QUOTE
Please get your facts straight. The arguments above have been so thoroughly discredited that the only reason to repeat them, apart from ignorance, is because one may be a Microsoft apologist.
Read this and weep.
“Far less often” is factually wrong. There are NO VIRUSES AT ALL. Zero. Nada. Zip. Nashi. Rien. Nichts. Ling.
Nothing despite the 10 to 16 million Macs being out there, many (like mine) having found and discarded anti-virus software as useless.
You should have said:
>There are currently no viruses at all for Macs because, unlike Windows, the OS is more secure by design.
>Of course, the more popular Apple machines become, the greater the chance of some virus writer finding a way to penetrate it.
That would have spared you a few emails.
ENDQUOTE
The biggest obstacle to breaking Mac operating system security is a function Apple built into Mac OS X by design. Root is disabled by default. It does not even exist! You can enable it if you are savvy enough to locate its enabling location, but chances are unless you know what you are doing you won’t ever do it by accident. So what does this mean? Someone could tell you to delete a file in your system level files, and you won’t be able to. Now granted regular third party applications and your documents aren’t as secure, you can certainly back those up and never have to worry about them. The number one failure of all machines is users who don’t backup their data. That’s true on Macs and PCs. Eventually all hardware fails, and it is up to the user to know to backup their data. If they know that, then the security of the Mac is solid. And there is less to recover on a Mac, than there is on a PC that has been infected every which way till sunday.
Leo Laporte and Steve Gibson of grc.com have recently been talking about the possibility of privacy invading cookies being put on your machine by banner advertisers at sites you visit.
Leo goes into how to protect against this a bit at:
http://leoville.tv/radio/pmwiki.php/ShowNotes/Show171#toc12
HOWEVER, you will notice that of all the major browsers only Tiger’s Safari has the refuse 3rd party cookies option turned on by default. So once again the Mac is safer right out of the box (as long as they are using Safari on Tiger)
Even tho Leo has already mentioned it, the topic will be covered in more detail in a future podcast (look for Misfortune Cookies in the future episodes topics section):
http://grc.com/securitynow.htm
Ted: no one said ‘OS X is immune’. No OS is immune to attacks and/or virus like activity. Unices are attacked and are infected but they much less an interesting target in that they require much more expertise to be cracked than what you need on Windows (google for virus kit) where you basically only need to understand English and a very basic knowledge of anything computer. The rate of infection at peak spreading is what makes Unices way far less an interesting target: why bother for few % after very hard work when you may get enormous percentage with little to no effort?
kenh: you might be right but it becomes tiresome to repeat time after time the same things about Unix security vs Windows openness. Beware all, Windows was MADE open by design. It was a choice in order to make everything extremely easy is inter/intra communications among modules and programs. Easy for programmers, easy for users. Too bad it fired back and Windows has no way to step back: it is an open system, everything is allowed to exchange data with everything and order everything to do anything. Very easy for viruses but at the time no one thought about that.
Too Hot: absolutely. Servers are a much more interesting target in that usually in one go you may have access to informations allowing the access to thousands of users accounts but – per se – they do not present an easier target for this. Actually, servers are in general more protected than single platforms. The Anandtech was on performance not on security. One astonishing result is that it seems the announced micro-management of threads in Tiger is still inactive, behaving as it was in Panther. Apple needs to solve this otherwise people would buy an Xserve and slam Linux into it. Not great PR.
gopher: the disabled root is an additional security wrt to vanilla Unices in that it is the main target for this family of OSes. On Unix you go after weaknesses that allows for root escalation. Once you get that you have basically the same control as if you were on Windows. Still the same trouble remains: you have to find a copy-cat configuration in another Unix platform to spread. This is fundamentally different to Windows situation and it is what limits spreading in Unix world making them a much less attractive target. I hope people realizes that the majority of servers in the WORLD run some form of Unix, not Windows. They are the largest target, not Windows and in targets that make breaking havoc into CNN a script kiddie job. Actually, all these viral attacks on Windows are from kids: have you seen anyone arrested for attacks on Windows be anything but disgruntled kids? For one, if I was a manager for a large corporation, I would chose a system that requires wisdom, skill above the latest percentile of education levels, and decades of experience, not an teenager wanting to take revenge for a failed date.
I just wanted to let you all know that I have added a Security Features section in the Macintosh Wiki at:
http://wikitosh.com/wiki/pmwiki.php/Wikitosh/SecurityFeatures
Since I am far from being an expert on this any contributions from the high powered readers here would be greatly appreciated and hopefully will benefit other members of the Macintosh Community.
What’s that? Eunice is infected. Damn! Glad I used protection.
Q. If virus writers only target Windows, why did the Mac Classic O/S – and Atari and Amiga machines – have viruses, back in the day when the only way they could be transferred was by floppy disc? (And they still spread then).
And why didn’t they exist on the Unix machines of the day (yes, they were expensive, but every comp. sci student had access to them – and they were networked and had email).
JulesLt: way back in time, viruses for Unix were existing. They were very difficult to write (need of great technical knowledge and skill), spreading minimally, being a prank activity among researchers at labs.
Unix design made them nothing more than a joke among cognoscenti.
Then Windows 3.x came out. BANG. Revelation: viruses blossomed in no time, every one was able to write one with little knowledge, were spreading without effort, the ‘crack into one crack into all’ was at the grasp of everyone.
Thanks to Windows everyone concentrated into it leaving other OSes alone. At that time Windows had the same market share as Amiga today: virtually ZERO.
So much for the ridicule protection via obscurity.
Heck, already we have the first virus available for Windows VISTA and it is not even out yet!
To concur – I don’t believe OS/X is immune, but like most here, it is because it is better designed not obscurity. There have been a number of genuine hacker exploits of ‘obscure’ systems – hackers are definitely interested in Unix systems, servers (and routers – look at the talk on possible Cisco vulnerabilities).
I’ve known people with websites on Linux boxes who’ve found their websites defaced by hackers because they didn’t close exploits in their web server software.
To me that says ‘security through obscurity’ is a myth – even if there’s only 10 people out there capable of doing it, the Internet means they can, and can be just as effective as 100000 script kiddies.
What these things have in common is that they are typically ‘cracks’ rather than viruses. I might be able to create a program to automatically crack and deface a website using a known exploit, but that is not a self-reproducing program. ‘Worm’ style attacks are feasible on any server (but less likely on Unix), but that is less of a worry to the home desktop users.
Apple’s own record on design security isn’t perfect. The original Mac OS had viruses (my view : it’s origins were similar to Windows – the original OS was designed as a single user, non-connected system). In Tiger they opened a hole (quickly fixed) with widgets – effectively reproducing the same mistake as MS did with ActiveX in letting websites automatically download programs capable of modifying your computer. What’s notable to my mind is that the Apple virus count went down to zero when they moved to a Unix foundation, and that’s where the security comes in.
Seahawk – at last, someone who understands that Anandtech article – can’t believe number of people who’ve read this and completely failed to grasp the point other than ‘performance problem found in Mac OS’ (some not even distinguishing it was Server). It’s a flaw that would certainly make me reject using an xServe to run a website supporting hundreds of users, but would be completely irrelevant if I wanted to run a grid of 100 xServes to model the Big Bang.