Apple more secure than Windows NT?

Summary: Apple needs to come clean on security


Commentary: With exploit code for an OS X vulnerability released recently and a compromised Australian university Mac server caught hosting malware in August, it may be time Apple admitted its platform is no more secure than any other.

While Apple users laud their systems as unbreakable pillars of security in a dangerous world, unsusceptible to the malware attacks that make life on Windows so hazardous, the headlines keep coming.

In August, the University of New South Wales was, no doubt, surprised to learn one of its Mac servers had been hijacked by baddies to host some malware disguised as a Microsoft patch. University system administrators interviewed by ZDNet Australia were puzzled -- the server was evidently running the latest version of OS X server.

It turned out the miscreants gained entry through a vulnerability in the server's TikiWiki code, a third party package that has nothing to do with Apple. Still, OS X didn't somehow, magically, prevent the attack as some users seem to think it's capable of doing.

Yes, it's true the average Mac user (like me -- shiny 20 inch G5 Rev B) doesn't have to contend with the malware that plagues Windows-based computers. Yes, it's true I'd prefer my mother use a Mac to avoid keylogging Trojans designed to capture her Internet banking passwords. But Apple's marketing these days seems to suggest its computers are immune to attack (The advert is also available on YouTube).

They're not, and it's dishonest for Apple to suggest otherwise.

There is little evidence to justify the claim that Apple computers are more secure than any other, and anyone who points to the low number of reported OS X security bugs, worms or viruses as proof to the contrary is misguided.

Macs are safer to use because of the lower number of reported bugs, but that does not make them more secure. It's an important distinction.

There's only one thing that makes Macs substantially safer than PCs, and it's called market share; a 3.8 percent market share, measured by net presence, to be precise.

If Macs were the dominant operating system with, say, 80 percent of the market, there is no doubt all the clever malware writers would devote their skills to engineering malware for Macs, not Windows-based PCs.

With all that brainpower going into compromising an operating system, there is little doubt the efforts would yield results.

In this parallel universe, switching to that boutique operating system made by the underdog with the 3-4 percent market-share, Microsoft, would seem like a great idea. Windows would develop a cult following for its inherently superior security.

The ironic part is Apple has, whether it knows it or not, ripped a leaf straight out of Microsoft's marketing playbook. You have to dig around for Microsoft's old Windows NT marketing material -- the company has removed much of it from its Web servers, perhaps out of shame -- but it reads much the same as Apple's current spiel.

"Intelligent design prevents the swarms of viruses and spyware that plague PCs these days," says Apple's Web site.

And this from Microsoft. "Windows NT Server is secure from the ground up," says a Microsoft Web site archive touting NT's apparent NSA C2 security compliance.

"Every process and feature was designed with C2 level security in mind. In fact, Windows NT Server is so secure that certain processes (identification and authentication, and the ability to separate a user from his/her functions) meet B2 security requirements, a level of security that is even more strict than C2."

In retrospect, it is kind of funny. More reading here.

Indeed, when Windows NT first rolled around in the '90s, Microsoft pushed the security angle hard. It was a new product, and there were few known vulnerabilities in the new server architecture. Of course, with increased market share came a deluge of vulnerabilities and everyone realised that it was, for the purposes of security, poorly designed and full of holes.

Users were not happy, and Microsoft was forced -- it took years -- to finally invest in security in earnest. The Redmond-based giant has learned its lesson.

Apple hasn't been through that humiliating process yet, and still thinks it's invincible. This could explain its lacklustre response to security vulnerability reports. Ask almost any security researcher what they think of Apple's response capability, and you'll usually get the same answer: "They're bad, but not as bad as Oracle."

It's hardly a glowing endorsement.

The argument being put forward here isn't that Windows is more secure than OS X, it's that currently there is no such thing as a secure operating system. OS X just hasn't been subjected to the torture test that comes with market domination. It is almost certain that there are dozens of undiscovered bugs in OS X.

Welcome to the wonderful world of operating system security.

And thanks to the computer-maker's decision to switch to an Intel CPU architecture, Mac malware has never been easier to write. Creating security vulnerability exploit code requires a fairly intimate knowledge of the CPU architecture on the target machine. The relative obscurity of the previous Mac architecture (PowerPC) meant there were few malicious coders who could be bothered writing exploits for OS X.

Now it's been switched over to the more hacker-friendly Intel architecture, it's a fair bet that more exploits for OS X will emerge. Sure, the differences between Mac and Microsoft operating systems still mean malware will have to be customised for OS X, but the initial exploitation will be that much easier.

Apple, the message is this: Yes, you make beautiful computers. They're pretty, shiny, they have a nice interface and I love my Mac. Consumers are safer online using a Mac, too. But just as the security of New Zealand is rooted in its geographic isolation, not its military might, the security of your products has more to do with your small market share than their technical superiority.

Editor's note: An update to this commentary has been published here.

  • Absolute bullsh*t.

    C'mon Zdnet, I know standards are slipping but geeez...the gimps you have "writing" for you now is beyond a joke.

    The article lost all credibility about 3 sentences in.

    The old "it's the marketshare" argument is sooooo 1995 and it has lost all credence with "proper" IT Security people, not just your CISSP clowns.

    I can't be bothered even starting in on this article except to say that's toilet paper and should be treated as such, and no, I don't even use Macs day to day (but I admire their purity).

    So lift your game Zdnet and let's get some grown-ups here writing your articles, unless of course, you don't want them ?? Who pays for all that shiny advertising anyway?

    Your author is either a fool that shouldn't be let near a typewriter, or he's pushing an agenda as NO-ONE of any note has even contemplated those sad, well worn arguments for over a decade now.

    If Mac had 80% of the market then Win NT would STILL have the vast majority of the real world, "in the wild" viruses as it's TRIVIAL TO BREAK WINDOWS!

    Do you need smaller words, less syllables ?? TRIVIAL ! Windows is the ONLY commodity OS where you can get pwned by CLICKING ON A LINK or OPENING AN EMAIL and all your huffing and puffing and lying won't change that. It's not even a proof of concept on Mac or BSD or Linux and there sure as hell is NOT 114,000 different examples of this floating around IN THE WILD infecting millions of machines every day!

    It's like car manufacturer X saying 'See, a car from manufacturer Y got stolen so their cars are as bad as ours!' when the thief needed to follow you home, knock you out, take the keys, get a thumb-print, defeat the biometrics in the garage, then the car and then only manage to crane it onto the back of a truck for removal and it was the only one stolen that year when manufacturer X's car doesn't even come with door locks or (pardon the pun) windows and they have a life expectancy until they're stolen of 15 minutes!

    Ohhh..but if man Y's cars were so popular they'd be stolen constantly too...right?..right?... rubbish!!

    Now go back to sleep.
  • I agree

    A bit long winded but yes, the author clearly has little or no grasp of the fundamental principles at play here.

    It is a shame when so called "experts" don't understand the basics. Big or Little endian code has no bearing on this matter as most hackers --- see?, he doesn't even call them crackers ! -- use toolkits that go nowhere near hitting the hardware.

    The article is a joke and the author is woefully ignorant. I would suggest anyone who is reasonably interested in these matters invest 30 minutes of their time for some quick googling and have a look at what qualified people have to say on the issue.
  • nonsense

    You forget to mention that Mac OS X is built on top of a Unix variant and shares much in common with FreeBSD. It is as secure as Linux/FreeBSD/Unix in general and many of the vulnerabilities it has are due to third party applications rather than system design, unlike Windows NT & XP. The majority, of the limited number, software engineers who have looked at the Windows codebase are shocked at the number of short sighted 'quick-fixes' and messy spaghetti code that it is made up of. Conversely the underpinnings of OS X are open and available for inspection as part of Darwin, and are well written and transparent with over 30 years of history of refining and development of some segments of the code.

    Your accusation regarding market share leading to better security is laughable and betrays a complete misunderstanding of the subject.
  • malware on Mac

    As far as I can remember, Apple has never said anything about their system be unbreakable....they just don't talk about....but they do put out patches....don't know where you got the idea that Apple has said what you write thinks you are wrong on this.....again, more FUD.....

    And, this has taken a rather long time for the report...this happened in August????....Now that is even suspect...if this is true, it would have made the news all over the fact, this is the first I have heard about it....and I get news stories from all over the world about Apple Computer, Macintosh, and iPod's...?????
  • What a crock

    The fact that you can make a statement like this:

    "It turned out the miscreants gained entry through a vulnerability in the server's TikiWiki code, a third party package that has nothing to do with Apple. Still, OS X didn't somehow, magically, prevent the attack as some users seem to think it's capable of doing."

    Tells me you are utterly unqualified to make a statement like this:

    "There is little evidence to justify the claim that Apple computers are more secure than any other, and anyone who points to the low number of reported OS X security bugs, worms or viruses as proof to the contrary is misguided."

    You have to have a basis to understand what makes an OS or Application secure in order to gauge if it's possible for one to be more secure than another.

    Look here:
  • Mac = Obscurity? NOT!

    Obscurity has nothing to do with market share or the installed user systems share. Apple is one of the LEAST OBSCURE computer systems, and offers one of the most tempting targets for malware creators. This is no secret to hackers.

    Temptation #1 - Taunting - Never in the history of computing devices has any other computer manufacturer been so brazen about its security as to advertise it to so many around the world. This level of taunting is like twisting a dagger into the hearts of hackers.

    Temptation #2 - Transparent - Apple utilizes far more open-source code than Microsoft. This code is not only in user systems, but is also found in Apple's servers and super-computer grid configurations. All of Mac's core operating system, BSD UNIX, is freely available for use and inspection for vulnerabilities.

    Temptation #3 - Vulnerable - Over 95% of the Mac OS X users do NOT use ANY malware protection software. In fact, corporate-owned Apple systems, from in-store demo units to the staff at Cupertino, do not use any such software. They rely upon the innate security of the OS alone.

    Temptation #4 - Fame - To be the first to create a successful, self propagating virus or to take control of a Mac for the use of being an unwitting spam generator would bring tremendous international notoriety; the Holy Grail of programming. Apple's public announcement of being virus-free makes this challenge impossible to ignore by many hackers.

    There isn't a hacker out there that isn't aware of Apple's use of open source programming, their lack of virus protection software, and their arrogant public taunting of criminals. The general population still dwells within their vast herd of false security and myths, having yet to experience a Mac for themselves and view Apple as being an obscure computer system. But, for the hackers, they clearly see it, they are very well aware of it... but can't touch it. For them, Mac OS X is far from obscure.
  • 1 to 100,000

    Let us acquiesce to a heavily disputed "fact" that there are 2 known Trojans out there for a Mac. If current trends hold true, then in 2008 the Mac OS will be 100,000 times safer than Vista with its projected 200,000 viruses/Trojans.

    I was about to make an analogy here, but it really isn't necessary. It should be blatantly obvious to even the simplest of morons that choosing between any two things where one item is 100,000 times more likely to cause security problems than the other is no real choice at all.

    But, for those of you still curious, here are a few examples of things with a 1:100,000 ratio. Which would you rather do...?

    Jog 1 mile or jog around the Earth 4 times?

    Toss a paperclip (1 gram) at your coworker's head or throw your stocky 220 pound boss the same distance?

    Wait 1 minute for your computer to boot up or wait 69.4 days?

    Last, but not least...

    Lift a gallon of milk (8 lbs) onto the kitchen counter or lift a fueled C5 Galaxy cargo plane with a full load of two M1-A1 Abrams battle tanks and 73 soldiers (400 tons total) onto the kitchen counter? [ photos at ]

    Don't allow Microsoft or any of their mindless lemming-like minions to downplay the size of this problem; 100,000 of anything is a lot!
  • True

    All Apple claims is 0 viruses. The problems this article describes are not computer viruses.
  • FUDmeisters and Facts

    Over on macCompanion, we have established a Mac Security 101 column and we have also had QuickTime videos last summer on Mac Security and Maintenance that blow this kind of FUD completely out of the water.

    Why spread blatantly obtuse and patently false stuff like this around except to garner keyclicks and try to do a "Dvorak"?
  • Ignore article and do not add more comments

    I know, I know I just did.

    If you think this article is crap, and it is, please do not give the "reporter" additional credit by generating more visits to this page. After all that's all they're trying to do with these sensationalized, untrue, and unresearched stories based on ignorance.

    Please do not start a raging debate. Let's ignore this garbage and give it the resounding silence this article deserves.

    Thank you.
  • Malware on Apple OS

    If you listen to the Apple ads you mention, you'll note that "Mac" only says that he isn't affected by the viruses that infect "PC". Which is a 100% factual statement. The latest Mac OS has never been affected by a PC virus.

    If you install Windows or Microsoft Office on an Apple computer, then these applications can be vulnerable to viruses written specifically for this software. But the Mac 10.4.7 operating system is not affected.

    If someone installs buggy software on any server, including an Apple Xserve, they shouldn't be surprised to find it vulnerable to attack. However I'm sure the Mac OS running on that server was not infected by the malware you mention.

    Your article was not very well informed and is more of the type "flame baiting" than the factual and neutral description of the security issues I would have expected from serious journalism.
  • Macs ARE more secure than Windows XP

    Windows NT is not intended for consumers, so for starters let's compare apples to apples: OS X to XP. While OS X surely has vulnerabilities, that does not automatically make it as insecure as XP. XP runs all processes with the same level of privileges as the account in which it is run, and since most users run as admin, most processes are automatically granted admin privs. This is not the case with OS X. Therefore, malware trying to gain access through normal channels will prompt the user to authenticate.

    Apple cannot be blamed for the actions of admins placing third party software on their servers and then not keeping up with patching the security holes in that third party software. And please show me the people who think that OS X should have "magically, prevent[ed] the attack". Please don't paint us all with that brush.
  • Apple more secure than Windows NT?

    Is this a joke? This "article" has so many incorrect statements, it's ridiculous and not even worth my time to correct. Get someone who knows something about technology to write these "articles!"
  • How Come I Can't Run 3.8% Of The Viruses?

    If Apple's marketshare is indeed 3.8%, why aren't 3.8% of the world's malware/viruses written for the Mac. Symantec indicates that there are over 100,000 viruses yet there are a disproportionate number for Windows? Statistically shouldn't there be something written for the Mac?
  • Are you serious?

    Are you serious? Serious journalism from ZDnet? HAHAHAHA!
  • Security: OS vs. 3rd Party Apps

    Apple can't "magically" prevent poorly written 3rd party apps from becoming security holes. All they can do is make their own code the best it can be.

    How many actual security breaches have been the result of Microsoft's own code?

    How many actual security breaches have been the result of Apple's own code?

    3rd party developers can write buggy code equally well for both operating systems, for which the OS manufacturer can't be held accountable.

    So, which OS is the better bet for safe computing? The answers to these questions will prove which is the least secure OS and its manufacturer's applications.

    I think the answer is clear.

    I don't think anyone has claimed OS X is impervious, but rather that it is far more secure than Windows and that, so far, nobody has breached security through an OS bug -- unlike Windows.

    So, let's be rational.
  • Security

    It has never been the issue that Microsoft is the only one with security issues. The issue has been the sieve-like nature of MS OSs and apps, and the misguided notion that competing products must have "no defects" to be better than what MS is offering. That notion is a logical fallacy, referred to as the Requirement for Perfection. In other words, it is not the case that Product X must be perfect in order to be "better than" Product W.
  • Come Hack Me Then You Moron!

    Hey I don't run any 3rd party security software on my Mac. I'll even give you my static IP address. Come on, big mouth, hurt me! G*D this article is lame 10 times over! You say yourself it should be easy now that I'm on an Intel based Mac. Of course, it doesn't occur to you that vulnerabilities are found in the OS, not the CPU.
  • Statements about technology should be supported by fact

    If you're making a statement about alleged technological superiority, then you should give some facts about the technology instead of just assuming your conclusion from the start. Is Mac technology more or less secure than Windows technology? How would you know? How about a comparison between Apple's Unix implementation and Windows? How about an investigation into specific kinds of vulnerabilities such as Office macros and e-mail attachments? Without such a discussion, you've given us an opinion without any reason to listen to it.
  • Absurd, Pathetic, Weak Attack

    The only successful Mac attack was a fake. Two security professionals at a conference installed special (PC) cards with special drivers to PROVE that the Mac was vulnerable!!! Pathetic. It turned out that one of the guys had seen the Mac PC commercials, and said that he'd like to "stick a burning cigarette in the eye" of "smug" Mac users. The only real attacks on the Mac are from journalist-wanna-be's like yourself.

    Apple has done a superb job. Give them credit. Never once - NOT ONCE - have I ever been attacked, nor has any Mac user I have ever heard about, aside from the jealous, grandstanding hoaxers mentioned above. Rather than say "that can't be, they're liars" perhaps you should write an article on just how Mac resists all attempts (to date) of attack. Is it the tried and true UNIX underpinnings? The way the mac won't allow installs without authorization as Windows does? Obviously what Mac has done is working... so why don't you write about that?