The bad guys have invested in tool chains for creating Windows malware. This creates inertia and may delay the point at which macs are becoming mass-exploited.
Windows Vista and 7 are significantly harder to exploit (much harder than macs). This may push the exploitable population closer to a point where macs are becoming the juicy target. This will move up the point at which mac will see mass-exploits.
While Windows XP is harder to secure than the later Windows versions, it is entirely possible to lock down a Windows XP. Enterprises have been doing this successfully for a long time now. If the XP population that is left are all deployed locked-down in enterprises, the "XP share" is not a good index. Many/most of the exploitable XPs are pirated copies which may even have been infected before installation. Remember how our resident Linux advocate/peddler insisted that Windows had open ports even with the firewall on? Only to find out that he used a pirated (and infected) copy downloaded from the internet because he was too cheap tp pay for it (or rather his "friend" was. This always happens to someones "friend").
Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.
Oh, the rationalizations people come up with to explain away what they don’t want to hear.
Last week, when I wrote Coming soon to a Mac near you: serious malware, I expected to get an earful from Mac partisans telling me how wrong I was. They didn’t disappoint.
In this post, I want to respond, in detail, to the arguments that I heard in response to that post. They’re the same ones that come up over and over again when the topic turns to Macs and malware.
First, there’s the contention that OS X is architecturally superior to other operating systems, that its very design confers immunity from infection. Second, there’s the perfectly reasonable question of numbers: if Macs and Windows PCs are equally vulnerable to attack, how come there are hundreds of thousands of Windows viruses and only a handful of specimens of Mac malware?
Those are reasonable arguments, and I want to address them fully, with enough evidence to help you make your own conclusions. This isn’t about Mac-versus-Windows religion. It’s about engineering and economics.
I’ve got my flak jacket fastened, so let’s dive in.
Is OS X architecturally superior to Windows?
That’s the argument several commenters made in response to my post. Here’s one example, complete with obligatory homage to Steve Jobs:
The architecture and methodology is different at Apple, which is why so many developers (and hackers) hate Macs and iPhones, they can’t get in to do anything really serious. Not to deny anything is possible, but I still feel left out when I use PCs that get infected regularly. And thank Steve for that feeling!
Sorry, but that’s not true. Sensible third parties have acknowledged this for years. In a 2008 post at the Mac-centric Tidbits.com, Security Editor Rich Mogull wrote:
It’s not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it’s far more profitable to target the dominant platform. […] At some point, assuming Apple continues to make appealing products, we Mac users will become bigger targets and face a higher level of risk. [emphasis added]
As I’ve documented in a series of recent posts, social engineering has become the dominant technique that malware authors use to spread their poison. If you can convince someone that your hostile program is useful or necessary, they will happily (or fearfully) click through all necessary prompts and enter their administrative credentials where required.
This is true in Windows, where User Account Control has been a default since 2006. It is equally true in OS X.
But, the argument goes, Windows users are victimized by drive-by downloads, and Macs are immune from those!
Sorry, but that’s not true either. Like any modern operating system, OS X contains flaws that can be attacked fairly easily. That is why Apple updates it so regularly. Let’s take just one recent example…
In Apple’s security bulletin for the April 22, 2011 release of OS X 10.6.7, I counted 23 separate fixes for vulnerabilities that allow “arbitrary code execution” in the current shipping version of OS X. At least three of those vulnerabilities are new in Snow Leopard and did not exist in previous versions of OS X.
For those who aren’t familiar with security terminology, “arbitrary code execution” means “no user interaction required.” It is the nightmare scenario of online security: The attacker sets up a web page containing hostile code or creates an ordinary looking document, image, or movie file. When you visit that web page or open that document or look at that picture or play that video clip—or even if you just download a file—the attacker’s code runs, potentially giving him complete control over your machine.
No permission dialog boxes pop up, and no password prompts are required.
But don’t just take my word for it. I’ve gone through that April document, line by line, and pulled out the details.
