Why is Apple’s Mac OS X so much more secure than Microsoft’s Windows?

BBC News “ClickBack” program’s online column answers questions and comments from viewers on technology matters:

Henry Winckelmann from Oxford said:
I’m disappointed, but not particularly surprised, to see you reporting on potential security issues on the yet to be released Windows Vista. Isn’t it true to say that any such piece which does not refer to secure operating systems with a proven track record (such as Mac OS X) is simply encouraging ignorance in the computer-using population? Shouldn’t you at least state the obvious, namely that there are wildly better, well proven alternatives to the feature-poor, insecure code which finds its way out of Microsoft?

BBC’s ClickBack:
Welcome to the age-old argument about which is more secure – Windows, Linux or OSX.

Henry, if you are saying that Mac OSX has had less security attacks than Windows, then you are absolutely right. No-one has ever denied that.

The question has always been: Why? Is it because it is more secure? Or is it because fewer people try to hack Apple?

All the security experts we have spoken to say the same thing – whilst OSX is a beautiful piece of software, it is still a highly sophisticated operating system, and it still receives regular security patches, just like Windows.

Apple only has a small percentage of the market, tiny compared to Microsoft, and the logic is that if you are going to write a piece of malware that goes after the most people, do you write it for OSX, which, according to Apple, has around 15 million users, or do you go for Windows, which, depending on whose numbers you use, has anything up to a billion users?

I think it is a fair argument.

Full article here.

[Thanks to MacDailyNews Reader “Mr Skills” for the heads up.]

MacDailyNews Take: Note first that ClickBack did not answer Mr. Winckelmann’s central question, to paraphrase, why did their report on personal computer security fail to mention the most secure PCs, Apple Macs?

Now, in their response, ClickBack asks whether Mac OS X is inherently more secure OR is Mac OS X more secure because fewer people try to hack it. The response is flawed. The real answer is quite simple: Mac OS X is inherently more secure AND Mac OS X is secure because fewer people try to hack it.

There are 19 million Mac OS X users according to Apple (Steve Jobs, WWDC 2006), not 15 million as ClickBack states. Regardless, this is certainly a smaller number than Windows users, but it is not a small number by any stretch of the imagination. The only small number is the number of Mac OS X viruses in the wild that have affected Mac OS X users: zero (0). The absence of a single virus, for over five years of Mac OS X’s existence, proves the platform’s inherent security. It is not without flaws, however: flaws that Apple routinely fixes before they affect users. Since fewer hackers are looking to exploit Mac OS X (and because Mac OS X’s Unix foundation is time-tested by decades of use), Mac OS X users are even safer.

Windows suffers such massive and ongoing security woes for the inverse reasons that Mac OS X avoids such issues: Windows is inherently insecure and Windows is insecure because many people try to hack it.

By design, Mac OS X is simply more secure than Windows. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.

Related articles:
Apple Macs are far more secure than Windows PCs – September 26, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Oxymoron: Microsoft security – August 12, 2006
With exploits in wild, Microsoft Windows braces for yet another critical worm attack – August 11, 2006
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Ballmer analyzes Microsoft’s One Big Mistake, Vista… er, ‘One Big’ Vista Mistake – August 02, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
What Microsoft has chopped from Windows Vista, and when – June 27, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005

Apple: ‘Get a Mac. Say ‘Buh-Bye’ to viruses’ – June 01, 2006
Apple Macs and viruses: Fact vs. FUD – May 26, 2006
‘Mac security’ garbage reports continue to proliferate – May 10, 2006
ZDNet: Reduce OS X security threats – ignore security software – May 05, 2006
Unix expert: Mac OS X much more secure than Windows; recent Mac OS X security stories are media hype – May 03, 2006
Macs and viruses: the true story – May 02, 2006
Anti-Mac FUD machine shifts into overdrive – May 01, 2006
FUD Alert: Viruses don’t catch up to the Mac – May 01, 2006
BusinessWeek: Apple should hire security czar to combat uninformed media FUD – March 09, 2006
Spate of recent Mac security stories signal that Microsoft, others getting nervous – March 06, 2006
Mafiasoft: Microsoft to charge $50 per year for security service to protect Windows – February 07, 2006
Computer columnist: anti-virus software purely optional for Apple Macs, not so for Windows – November 01, 2005
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005

90 Comments

  1. I sent this.

    Your recent article on operating system security dances around the obvious point of the article. You are trying to advise users on how to maintain security when Vista is released. When challenged that the obvious answer is “Get a Mac.” you readily concede that Macs have few security issues, but then get sidetracked on why that is. I actually disagree with your arguments, but the key point is that to achieve computing security, the easiest solution is to “Get a Mac.” Macs have had no viruses, trojans or worms in five years of use of their OS X operating system, though there have been a few well publicized “proof of concept” “attacks”.
    Your “security through obscurity” argument misses a key point. Very few Macs are protected by anti viral software or anti malware software, whereas any PC that is connected to the internet and is still functional will certainly be as protected as possible. Where I work, PCs that run Windows 98 are not allowed to connect to the internet and those running XP must be fully protected by anti viral and anti malware software. It has been two years since they promised to similarly protect the Macs, though they have not yet gotten to the task. In a University environment with computer labs that are 100% mac and internet usage that is very heavy, the lack of concern is telling.
    One other point that you may wish to consider is demographics. Mac users tend to be higher income than PC users and Macs tend to be disproportionately used by small businesses without IT departments. PCs, in contrast are ubiquitous in large businesses with large IT departments. When you consider points such as the ones that I have raised, unprotected Macs would seem to be a ripe, juicy peach, just waiting to be picked. In contrast, the few remaining unsecured PC users who are connected to the internet would be the equivalent of a dried up prune, still clinging to the tree. Obscure?, or ripe for the picking but still no attacks? The obvious answer to your security problem remains “Get a Mac.”.

  2. Stop spreading lies MacDailyNews.

    You say, “The only small number is the number of Mac OS X viruses in the wild that have affected Mac OS X users: zero (0). The absence of a single virus, for over five years of Mac OS X’s existence, proves the platform’s inherent security.”

    On the Get a Mac:Viruses page Apple says, “By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, there were 850 new threats detected against Windows. Zero for Mac.”

    As a footnote Apple says, “Numbers from Sophos, a world leader in integrated threat management solutions, developing protection against viruses, spyware, spam and policy abuse for business, education and government.”

    Oddly, a Sophos article, says, “it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.” See link subsection: Is Leap-A a virus or a Trojan?

    MDN needs to listen to Apple’s security source and realize there has been a virus for OSX. All Apple claims is, “In March 2006 alone, there were 850 new threats detected against Windows. Zero for Mac.” In other words, in March 2006, there were zero new viruses detected for Mac. This is still great compared to Windows, but MDN is wrong.

  3. “the logic is that if you are going to write a piece of malware that goes after the most people, do you write it for OSX,”

    That IS the question. Does the writer even KNOW the answer? No.

    People write Malware to make a statement, for ego. The smug-ass Mac users and their so called secure OS should be a much bigger target for that very reason, but they aren’t.

  4. The reasons there are hacks and viruses for Vista already:

    A) It has a ton of the same old code as XP, and probably all the way back to NT 3.51.

    B) No matter what we believe here in Macland (RDF Land), Vista will be wildly successful. The day Vista ships it will have a larger market share than OSX.

    The reasons for OSX not having any are because it is designed more secure AND it has a small market share. Too much work for so little pay-off. The companies that professional (criminal) hackers want into don’t use Macs, and script kiddies aren’t smart enough, no matter how notorious they would become.

    I do think that we will be hit in a big way sometime in the future. And that WILL be tied to market share.

  5. Hmmm…

    Also from Sophos: “Leap-A will leave them [Mac users] shellshocked”. I don’t know about you, but shellshocked is not what came to mind for me. They also describe a second virus which they acknowledge will have a difficult time surviving in the wild because Apple solved the problem ~8 months earlier. It sounds like they have found something that can technically be described as a virus, but which could also be more simply described as a non-event. In both cases, the viruses seemed to require a significant amount of hand-holding to spread, or even survive. MDN has in the past discussed these issues as “proof of concept” viruses. It is not so much telling lies as getting fatigued with splitting hairs.

    I am speaking on behalf of someone else, so this may not be true, but it does seem plausible.

    Sophos is in the business of selling protection, so it is in their self-interest to split hairs over a definition if it allows them to justify a sensationalist headline. Then again, MDN can be just a tad sensationalist at times . . .

  6. One element that no one pointed out is that mac users love their machines and don’t want to harm them. This is less incentive for hackers.

    Regardless macs are more secure. They run on a flavor of UNIX which runs many mission critical apps. I wonder if there are any stats on mission critical apps in Winblows vs UNIX.

  7. JEG,

    The bloody Australian Tax Office online tax submission forms are Windows only. I would guess that Australia is not the only country to leave the collection of tax receipts in the secure hands of Microsoft.

  8. Microsoft Windows 2000 has been security certified to EAL4 by the NSA. See . It doesn’t have to be insecure – it can be very secure if properly configured. I don’t believe MacOS has even got the lowest level of certification.

  9. Quote Reality Check: ..”Microsoft Windows 2000 has been security certified to EAL4 by the NSA…”

    Yeah, I can just see Mom and Pop achieving that level of security with a standard install…

  10. Coming from a 25 year computer and network tech. Any system that is based on UNIX has always been more secured. Nothing is completely secure unless you never go online/internet and download or use your browser. So in this day and age, nothing is 100% secured. After saying that. I have used and still use all three OS and manage all three as networks too. The one that takes most of my time is WINDOWS products. Even LINUX does not have as much problem. I have found over the years is it's not the brand it is how the OS is designed and controlled from the very start that matters. If you keep the guts of the OS under wraps and have total control then it will be harder to have viruses that do a lot of damage. Yes every OS has its viruses, but with the wild design and lack of control that WINDOWS and the reputation they have, I am not surprised of the problems that windows has. I am surprised that over the years that LINUX has been around that it has not had more issues than any other OS since it is much more open source type of OS. Strange…… Anyway. As I sit here and start my nightly windows security check procedure, I have already found three unapproved possible viruses or attacks on our network, but all the other OS networks are all GREEN.. So it's simple math.. If you open the doors then the masses will come, if you keep the doors slightly open and control who can and can't come in, it is easier to watch.

    Good Night

  11. One of the responders has stated that there have not been one virus or attacks on APPLE OS X well that is completely false.. There have been numerous attacks, and a few viruses. But it's how the OS is designed that prevents the viruses and attacks from getting to do much damage. You see it is hard to get in the door when there is so many OS system checks and re checks and user pop up windows that keep the user informed of what is going on second by second with the OS. Not to mention that most of the high security functions of OS X and LINUX come out of the box with them turned on. WINDOWS does not. Most of them that I have dealt with have to be turned on. If you are not aware of this then you use your computer right out of the box and BAM you get a virus. There have been both attacks and viruses with all of Apple's OS products over the years, it is how APPLE handles and controls their OS that makes a huge difference. If Apple slips up in this area once, then OS X will be like WINDOWS. CONTROL is the key…..

  12. MacPilot

    “One of the responders has stated that there have not been one virus or attacks on APPLE OS X well that is completely false.”

    You may have been referring to my comments. I have no special knowledge, other than what I read online. There have been a number of incidents that have been seemingly trumped up stunts as well as viruses that are pretty lame. I would be grateful for information that is devoid of agendas if you have something to share. I tried the DOE link above, but the information was pretty stale.

    Thanks

  13. This is the government-funded Microsoft-loving liberal-literati BBC we are talking about, so no surprises about the attitude here.

    It’s a surety that hackers will home in on easy meat like Windows, but this is not because of numbers per se, just that it’s more open.
