Apple’s Mac OS X is more secure than Microsoft’s Windows Vista

“While an increasing number of bugs have been found in Apple’s Mac OS X operating system, security researchers say it isn’t a high security risk and it’s still more secure than Windows XP,” Sharon Gaudin reports for InformationWeek. “Is it more secure than Windows Vista? The jury is still out on that one.”

MacDailyNews Take: How long is this jury going to take, exactly? Mac OS X is over 6 years old, with 22 million users. No Mac OS X user in the wild has been affected by malware. Related article from just yesterday: Security flaw puts Windows, including Vista, PCs at risk; malware already observed in the wild – March 30, 2007. Some people can ignore the obvious forever, it seems.

Gaudin continues, “‘Vulnerabilities just don’t equal attacks,’ said Craig Schmugar, a threat researcher at McAfee, in an interview. ‘Some people are saying the Mac is less secure than Windows because there have been more vulnerabilities in it than in Windows, but there are far fewer attacks reported on Mac OS X than Windows.'”

MacDailyNews Take: For one thing, there have not been “more vulnerabilities” for Mac OS X vs. Windows pre-Vista. For Vista, maybe so far, but it’s only been out for a few months vs. over six years! Give it a few more weeks. Also, does the severity of vulnerabilities count for anything? It should. Fact: Vista already has at least one vulnerability being exploited against actual users in the wild. Mac OS X has none. And, don’t try “Security via Obscurity,” as Mac OS X has 22 million users vs. Windows Vista’s “20 million” claimed by Microsoft. Vista is more “obscure” than Mac OS X, but it’s already been compromised, affecting actual sufferers in the wild. Mac OS X users continue to be unaffected. To say “there are far fewer attacks reported on Mac OS X than Windows” is the height of understatement.

Gaudin continues, “Last year, McAfee reported that the discovery of vulnerabilities in the Macintosh platform increased by 228% in the past three years, from 45 found in 2003 to 143 in 2005. In the same period, Windows had a 73% increase.”

MacDailyNews Take: Lies. Damn lies. And statistics. 73% of what? McAfee never said, but it’s a helluva lot more than increasing from 45 to 143 vulnerabilities and, again, a number of the Windows vulnerabilities actually affected Windows sufferers in the wild. Related article: Analyst: McAfee’s recent Apple Mac security report is ‘sloppy scaremongering’ – May 08, 2006. A vulnerability does not equal an attack.

Gaudin continues, “While Apple’s numbers may not be what they were, it doesn’t mean the Mac suddenly has become a risky operating system, according to Johannes Ullrich, chief research officer at the SANS Institute and CTO for the Internet Storm Center. ‘It’s still safer, but not as safe as Apple pretends it is,’ Ullrich said in an interview. ‘Some features, like the firewall, aren’t all that great. But, yes, it’s still pretty safe.'”

MacDailyNews Take: Mac OS X is “still pretty safe?” Yeah, you could say that. What is this, a “Who Can Make the Biggest Understatement” contest?

Gaudin continues, “Paul Henry, VP of Secure Computing and a recent Mac convert, said it’s all a matter of scale. The cyber bad guys target the richest market, and that’s not the Mac platform.”

MacDailyNews Take: Once again, 22 million Mac OS X users unaffected vs. “20 million” Vista users, some of whom are already affected by malware. Richest market? Those who surf the Web using a Mac tend to be better educated and make more money than their PC-using counterparts, according to a 2002 report from Nielsen/NetRatings: http://news.com.com/2100-1040-943519.html

Gaudin continues, “Marius van Oers, a virus research engineer at McAfee, posted a blog last week that showed there are more than 236,000 pieces of malware ‘in the wild.’ The vast majority are aimed at the Windows environment. Only about 700 are meant for the various Unix/Linux distributions, van Oers wrote. How many are for the Mac OS X platform? Seven or less, he said, calling the threat ‘pretty much non-existent at the moment.’ For older builds of the Mac OS, there are 69 known malicious items…”

MacDailyNews Take: Mac OS is dead. Has been for many years. Do they go back to Windows 3.1 to include “malicious items,” too? Of the “seven or less” Mac OS X malware instances, how many affected users in the wild? That we know of, none. Zero.

Gaudin continues, “‘It is clear that OS X malware is not taking off yet. With an estimated OS X market share of about 5% on the desktop systems, one would expect to see more malware for OS X,’ [van Oers wrote].”

MacDailyNews Take: Finally, someone’s making sense.

Full article here.

MacDailyNews Take: Our headline is fact, whether some people like that fact or not.

Related articles:
Security flaw puts Windows, including Vista, PCs at risk; malware already observed in the wild – March 30, 2007
National Security Agency gives Apple’s Mac OS X 10.4 Tiger glowing security endorsement – March 22, 2007
Lack of Apple Mac malware baffles expert – March 21, 2007
Microsoft’s Live OneCare ‘security’ failureware: dead last in test of 17 Windows security apps – March 07, 2007
Bill Gates has lost his mind: calls Apple liars, copiers; slams Mac OS X security vs. Windows – February 02, 2007
Security firm: 38-percent of malware already Windows Vista-compatible – January 22, 2007
FUD Alert: CNET tries to equate Windows’ insecurity to handful of Mac OS X proof-of-concepts – December 02, 2006
Microsoft’s Windows is inherently more vulnerable to severe malware than Apple’s Mac OS X – August 23, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Gartner analyst tries to propagate discounted Mac OS X ‘security via obscurity’ myth via BBC – July 06, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005
Apple Macs are inherently safer and more secure than Microsoft Windows – November 22, 2005
BusinessWeek columnist propagates discounted ‘Apple Mac security via obscurity myth’ – September 06, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
Another columnist trots out Mac OS X ‘Security through Obscurity’ myth – April 03, 2004
Columnist tries the ‘security through obscurity’ myth to defend Windows vs. Macs on virus front – October 01, 2003
Shattering the Mac OS X ‘security through obscurity’ myth – August 28, 2003
Virus and worm problems not just due to market share; Windows inherently insecure vs. Mac OS X – August 24, 2003

96 Comments

  1. If Vista is as secure as OSX, is it made so by asking you every 10 seconds if it can do what it’s doing? That’s been my experience so far. And to tell you the truth, all those Cancel or Allows become invisible after a while, so I just hit Allow all the time. I’m sure I won’t notice when something bad is happening, and I’ll hit Allow, and then MS can say it’s all my fault. Whatever. My Macs remain virus free.
    One exploit in the last 10 years was due to a flaw in phpBB, in which the attacker hosed my bulletin board database. But that had nothing to do with OS X, and nothing else on my web server was touched. Two of my friends running phpBB on Windows also got hit the same month.
    All this, and I spend zero time maintaining it. More time for pointless arguing on MDN.

    -c

  2. I sincerely believe if Windows and Mac OS X market share were reversed that Mac OS X would be the most exploited OS and Windows would have some malware floating around anyway.

    Who cares what you believe? “Faith means not wanting to know the truth.” – Nietzsche

  3. REVERSE THINKING?

    Gee, maybe if we told people that Macs are vulnerable to viruses and other such crap, we can increase our marketshare because I think people who rely on attacking computers will promote the Mac so that they can stay in business. Then whamo! We stop the bad people.

    Wishful thinking.

  4. 1: Out of the box Mac OS X is insecure because as soon as it’s hooked up to the internet and before Software Update can be used, the Mac can be compromised. Home users tend to go months, even years before doing a SU!

    This is a bizarre conclusion. Software update is enabled on all OS X installs by default. How can someone go months without an update? Even if they do, there are no services on by default. Sure there are possible exploits to an unpatched OS X install if you browse the web but since the vast majority of OS X installations are patched, there is little chance that someone will spend any time putting up an exploit that is unlikely to succeed. There are certainly no reported cases.

    Apple needs to provide Software update disks with each new machine and disable internet access until the SU disks are run.

    You have to be kidding. Plus that makes no sense since how do you get software updates without the internet?

    Also the firewall is not enabled by default. There is no outgoing firewall whatsoever.

    There are no services on by default. So why do you need the firewall? You clearly know very little about OS X security. Why do you need an outgoing firewall? To prevent the non-existent viruses and spyware? What a complicated waste of resources for something that doesn’t exist.

    2: Apple doesn’t practice enough compartmentalized security with Mac OS X.

    Applications shouldn’t demand an admin password to install and leave hooks into Mac OS X that can be exploited via application exploits. Apple should take over the installation process to insure security and police development. Sandbox the OS better.

    You want Apple to restrict development of new software? What an awful idea. What actual problem is being solved here? A theoretical problem or an actual one?

    Few OS X applications require an installer. Most that do are just broken and written by Windows companies that don’t know any better. Installing an application into the OS X Applications folder should absolutely require an admin password. Anything else would require that the Applications folder be world writable–not a good idea. Again, you seem to have very little actual knowledge of OS X security.

    While few people would argue for less security, sandboxing is hardly called for at this time. Remember, there are no exploits in the wild for OS X.

    3: Apple tends to include a user’s real name and details in places it shouldn’t be. Like the name of the computer, emails and Apple website login cookies for instance. People should have the option to have a privacy install option.

    I have no idea what you are ranting about here. Whatever it is, given your current record of false and misleading “issues”, you are probably wrong about this too.

    4: Apple still hasn’t fixed a severely critical Metadata file exploit from a few years ago. Any file has the potential to run code on Mac OS X.

    Reference? I have no idea what you are talking about. There are 7 reported vulnerabilities on secunia open for OS X and one of those is actually closed. All the rest are local privilege escalation problems. One open one actually requires the cooperation of someone with Admin rights. I’m not making this up, a supposed privilege escalation problem requires someone with root privileges to exploit.

    5: There have been over 100 exploits of Mac OS X since its arrival. Some very severe, like the URL handler exploits.

    No, not exploits, vulnerabilities. No exploits besides proof of concepts at all that I’m aware of.

    6: Businesses have the money for IT staff to keep Windows secure. Windows services are open “out of the box” which is bad for the home user

    Mac OS X services are closed “out of the box” which is good, until the novice home user enables the services, then it’s bad.

    Bad is good, Black is white and you are an idiot.

    There is more, but I said enough.

    I would say that sums it up.

    I sincerely believe the reason Mac OS X is mostly ignored is because Windows is easier and more common to exploit. The reason Windows is less secure is because out of the box it takes more for it to be secure.

    I can’t believe it, you said something intelligent and factually correct. Impressive.

    I sincerely believe if Windows and Mac OS X market share were reversed that Mac OS X would be the most exploited OS and Windows would have some malware floating around anyway.

    You do see how this is a direct contradiction of your previous statement? No probably not, sad.

  5. @ WiseGuy, aka Troll

    The MTBA (mean time before attack) of a Windows machine hooked to the net is less than 20 minutes.

    The MTBA of a Mac is, well, since there are no attacks in the wild, it’s a rather large positive number that assumes there will be an attack eventually. And it’s several orders of magnitude larger than 20 minutes.

    That answers the question of which OS is more secure, Vista or OS X, rather nicely irrespective of all the posturing with cooked data like comparisons of fixes, market share v ‘malware share’, etc.

    Time for you to go back to school…

  6. Sorry to inform you it already has been done.

    http://blog.washingtonpost.com/securityfix/2006/03/when_macs_attack.html

    Did you actually read the article by the esteemed Brian Krebs /sarcasm? I’m thinking you didn’t since it more or less contradicts your statement. The supposed OS X vulnerability was actually a flaw in PHP. PHP is not a service provided by OS X client by default. It can’t be turned on without expert guidance. There are no checkboxes in a control panel to enable it.

    If you are running OS X server and don’t know how to lock down the system, you are incompetent but that has nothing to do with OS X client installs to the average user.

    Have you actually ever used OS X? Go troll somewhere else.

  7. I’ve been using Macs for ten years, almost daily online, and have never suffered from any malware issues.

    The fudmeisters will also fail on the security issue. The number of Mac users is growing and they’re spreading the word. You can’t fool all the people all the time.

  8. “All things being equal, Windows should have 9500 exploits over the last 5 years in order for it to be equal to Mac OS X in market share.”

    and in theory, there is no difference between theory and practice.

    …sadly, in practice, there is.

  9. by the way wiseguy, great washington post link to that blog. you should read it. in order for a hacker to take a Mac and bot it, the blog says, it requires php.

    ….which is not running by default.

    …and in fact requires some terminal work to get running.

    “In some situations — depending on how the Web site operator has set up his system — flaws in those third-party applications can be leveraged to install malicious code on the victim’s system that could allow bad guys to access files or run programs.”

    in other words, someone took a secure system, and opened it up.

    if you buy the most secure house money can grab, and leave the door open, do you blame the people who made the door locks?

    magic word, “probably.” write your own joke…..

  10. @Wiseguy

    “Also the firewall is not enabled by default. There is no outgoing firewall whatsoever.”

    This is total bunk. OSX is using IPFW from FreeBSD. Unlike FreeBSD, this firewall is ALWAYS on in OSX. If you go to your terminal and type ipfw, you will see that the firewall is enabled, but it isn’t blocking any incoming traffic. Unlike Windows, it is very easy to create powerful rules with IPFW, unfortunately the GUI in OSX doesn’t make it easy to do advanced rules. With regard to the outgoing firewall, again, you are wrong. IPFW not only can block incoming traffic, but it can also very easily block outgoing traffic too. My advice to you is to stop spreading fud, and whenever you have a chance, try doing a man ipfw at your terminal, try actually learning Unix a little bit before you start to spout out meaningless crap…

  11. Wise Guy,

    Exploits are not the same as vulnerabilities. There have been no exploits of Mac vulnerabilities in the wild. All Macs have software update set to weekly in the factory. You would know that if you used one. The only Macs on record as exploited are those Macs that belong to Anti-Virus firms. Anyone can hack their own computer.

    That example of a botnet with Macs on it that you love to point out regularly has been debunked. The hacker that turned those computers in question into a botnet had physical access to the computers, network and passwords.
    Apple’s Mac OS X can’t guard against rogue employees or break ins.

    Go peddle your Microsoft talking points somewhere else.

  12. I believe, if you live near an Apple store, you can pop in with blank CDs and get the updates downloaded there. Or, if it’s a laptop, then you get it right there. Maybe even some resellers do the same but I’m not certain.

  13. I never bother to download security updates. Never had a problem. I could load up 10.2 on my G4 and it would be as good and secure as 10.2 first was when it first came out in 2001/2? Still wouldn’t have a problem. Try loading Win95/98/2000 on a modern PC and see how far you get. Not that you would of course…

  14. There have been more than zero cases of malware of OS X, you can’t say it’s really zero. There was an incident where some malicious unix codes disguised as a photo icon tricked people into opening it. That affected at least a small group of people in the wild.

  15. Re: I AM Awesome

    Every potential leader needs to be like a leader who came in the past because?

    And I should care about someone’s prognostications after feeling the entrails of a chicken because?

    I’m sick to death of analysts, experts, commentators and opinion makers. I’ll make my own opinion and search out the truth myself thanks very much.

    Oh, and I missed your point about OS X vs Windows security. What was it?

  16. This is a lot of hot air from one of Microsoft’s security “partners.” When your bread and butter is this sort of cooperation, exactly what do you expect people to say– that is, people whose primary concern is money, not doing the right thing.

    In time, it’s going to be interesting to see how all this plays out. M$ needs to make their OSes more secure to maintain sales/upgrades, but that will block out the security firms. Theoretically, at least. Or, is it more likely that the threat will change?

    M$ often squashes competitors, but it’s also greased the palms of a lot of businesses. They will not go willingly into the great beyond…

  17. no, no, no …..a threat researcher? …… named Schmugar? I had to say those words faster and faster and faster …until I figured it out.
    A threat researcher named Schmugar? …..he’s in the closet. Come out of the closet Craig Schmugar you threat researcher you.
    I mean he is an OSX user. He may work for McAfee but he’s an OSX addict …a real hard-core OSX addict …but there’s no way he’d say anything to his PC peers …they would ostracize him ..right after they taunted, tormented and humiliated him. fuckers.
    So, he hides himself behind vacuous babble and OSX name calling. sissy.

  18. As a former McAfee Sales Representative, I can assure you that this is nothing more than an attempt by McAfee to increase their sales among Mac users. I’ve also sold Symantec, Sophos, and Trend Micro and it is widely known that the OS X platform is far more secure than the Windows platform, the lack of threats = a lack of software sold.

    Totally biased story. How frustrating.

    Andrew Hamilton
    Video Production Las Vegas
    http://www.hiproductions.com

  19. I think everyone’s beating around the wrong bush. We live in a commercial world. OSX is secure as it currently needs to be. Apple would put more resources into security if there was a commercial need. But…wait for it…THERE ISN’T!!

    @ Wiseguy

    I respect you are entitled to your opinions. However, your “maths” (as we say in Australia, not math) is a big worry. If Apple has 100 exploits with 5% share, you say, Windows with 95% should have 9500. This is so bogus!

    100/5 = 20 = 1%
    95 x 20 = 1900

    The logic however is flawed, based on the simple application of basic economic principles like the Law of Diminishing Marginal Returns and the Law of Diminishing Marginal Utility. One would not expect to see a straight line relationship like you (and every other analyst under the sun uses). Each time a new virus is released, it should become harder for the next person to come up with a new one that is just as effective. So there is a technical impediment that should produce a curved-flattening line (LDMR) and less enjoyment and more time costs for the person to produce it (LDMU).

    Therefore, analysts are being faaaaaaaar too kind to M$, because they know nothing about economics and nothing about statistical analysis. The fact that historically (I will not comment on Vista) the line actually has curved the other way – just got steeper and steeper – is a huge comment on just how much MASSIVELY easier it is to write malware for XP than OSX.

    What worries me more though is your logic about exploits. I am not convinced that this has any logical significance. Surely the only thing with undisputed meaning is the numbers of actual malware in the wild? Anything else is just philosophy, and I don’t see the point of arguing about philosophy.

    IMHO

  20. C1-
    You got a 2 footer??? That’s 4′ bigger than mine….I’m jealous.

    On this virus stuff. It has been 1 year and 10 days since I went Mac. Unless I read these articles, I never even think about viruses. Like a bad relationship that is finally over, every now and then you remember something shitty about it and you think ‘I should have ended that sooner’.

  21. I’d like to take issue with the claim, “No Mac OS X user in the wild has been affected by malware.”

    Sure MDN even changed the way this site worked to stop some OSX Malware from affecting people, but not before they admitted it had crashed their own systems.

    Short memories.
