The contest held at the CanSecWest security conference in Vancouver to see who could find and exploit a vulnerability in Mac OS X has re-ignited the debate about which is the safest operating system. Are Mac users in denial over security?
The contest was an interesting one. Two MacBook Pros, each fully patched using the latest updates, were pitted against anyone wanting to take a shot at them. The contest was won by Dino Dai Zovi, who walked away with the $10,000 prize put up by TippingPoint's Zero Day Initiative.
The exploit that Dai Zovi discovered was a bug in QuickTime and he leveraged it through Safari. It's the nature of the bug that has caused some to question the validity of the contest - after all, is a QuickTime bug an Apple exploit?
My take on it is that a bug is a bug. QuickTime is Apple's code and Apple ships QuickTime with Mac OS X. It's interesting that Dai Zovi decided to attack the system using Safari, following in the footsteps of hackers who attack Windows via Internet Explorer. No one argues that an Internet Explorer-based attack on Windows isn't a valid one, and similarly this attack shouldn't be dismissed because of the chosen attack vector.
After a post I made about Mac OS X security a while back, a number of people asked me why the operating system isn't being attacked in the same way that Windows is. My take is that there's no incentive for attackers to go after Apple. The user base is around 5% and that simply won't translate into enough dollars for those wanting to build botnets or push malware. Why bother with Mac OS X when Windows is such a big, juicy, wide-open target?
But just because we're not seeing Mac OS being attacked now doesn't mean that it'll stay that way. There has to be a critical mass of users at which it will become a viable target. My guesstimate is that this is somewhere around 15-20% market share (a way off yet, but some think that the critical point could be as low as 10%, which might only be a few years off at the rate that Apple is picking up new users), but as soon as this critical mass is attained, the worms and the viruses will follow.
Right now, though, the situation is that Mac users have digital kingdoms that are significantly safer than those that rely on Windows. But with every new Mac user, the day when Mac users have to start worrying about security is getting closer.