Why Mac users are safer

Why Mac users are safer

Summary: The evidence is overwhelming: The opportunities to attack Mac users are plentiful, but nobody bothers. It's still too easy to get at Windows users. This has been obvious for some time and well-understood in the security community.

SHARE:
TOPICS: Security, Apple
122

On October 22 of 2013 Apple released OS X 10.9, a.k.a. Mavericks. In it they patched dozens of security vulnerabilities, many quite serious, and disclosed those fixes. In contrast to their prior practice, they did not, and have not since, released fixes for those vulnerabilities for earlier versions of OS X, including 10.8, a.k.a. Mountain Lion. I think they're not going to. 

For the more than 10 weeks since, all Mountain Lion (and Lion and earlier) users have been vulnerable to attack. Have you heard any reports of attacks? I haven't. There may in fact be some, but they're certainly not widespread. (By way of analogy, the NSA may be compromising iPhones, but it's not a widespread problem.)

[CORRECTION: Since we published this story NetMarketShare has changed the numbers cited below. The changes aren't big for Mac OS X. The chart is also now modified with correct data.]

And that's the issue right there: No Mac problems can really be all that widespread because there aren't enough of them. As my colleague Ed Bott describes, the latest NetMarketShare numbers through December show that 7.53% of total users are running Macs, with 37% of those (2.79% of the total) on 10.9. The percentage of users on Macs has been fairly constant through the year. (See the chart below for this and more detail using the latest data from NetMarketShare.)

osx-usage-dec-2013-620
Source: NetMarketShare

This is, of course, not news, but the lack of fallout from Apple's change of policy for security updates demonstrates it to me more clearly than anything I've seen in the past. Even more striking is the lack of outrage, or even curiosity, from Mac users, about the change in security update policy. It seems like they don't care either.

I'll go so far as to say that many Mac users are in denial about Apple abandoning Mountain Lion users. I ran into this when I put a paragraph about the events in the Wikipedia page for Mountain Lion. The changes were quickly removed by an editor, saying "Instead of complaining about security updates, we should either wait for new ones to be released or wait until Apple declares ML unsupported." In other words, don't say anything about Apple without their clearance.

Personally, I would think that even 1% of the total users is an immense target, but I have to surrender to the empirical evidence: As one Mac security expert puts it to me:

    It all comes down to attacker economics. The return on time investment just isn't there compared to the return on attacking Windows hosts. There is a big switching cost for attackers to target a new platform. They don't just have to exploit the vulnerability, they must also have payloads and malware developed for that platform. While there are enough Windows hosts to attack and vulnerabilities to attack them through, it makes more financial sense for attackers to continue targeting them and essentially ignoring other platforms. The obvious exception to this is Java applets. The same attack can be leveraged to attack multiple platforms so that has apparently made it worthwhile for some attackers to exploit those vulnerabilities on Macs.

Even the Java exception is not what it used to be. As Kaspersky noted in their 2014 predictions, the real action in Java exploits fizzled out early in 2013.

There has been basically one exception to this state of affairs: The Mac Flashback trojan was discovered in September 2011 and, by the following April, had infected 10% of home networks with Macs on them. At that point, Apple issued a system update which removed the most common versions of the attack. Flashback was a concerted effort on the part of a Russian criminal gang to bring the PC malware ecosystem to the Mac. I'm usually leery of the phrase "the exception which proves the rule," but it's perfect here: Flashback showed that successful Mac malware was very possible; the fact that nobody has bothered since shows that it wasn't worth the effort.

So even though they are vulnerable to any talented attacker who would try, Mac users are safe. Nobody's trying. This is what we call "flying under the radar."

Speaking of exceptions and rules, and reminding you of the NSA hacking iPhones, when I say that "Mac users are safe" I don't mean that all Mac users are safe. If you believe that you are worthy of special effort by a sophisticated actor, such as a government or criminal enterprise (it's so hard to tell the difference sometimes), as a Mac user you are not only vulnerable, you are extremely vulnerable. Apple has a well-documented history of taking a long time to fix publicly-disclosed security vulnerabilities, even on the versions that they are still supporting. So if you're a political dissident in China or a guardian of valuable intellectual property, using a Mac doesn't improve your security much, if at all.

I have been arguing and still believe that Apple's strategy is, in effect, to bring their support policy in line with that of iOS: When Apple has released a new version of iOS they have always ended all support for the previous version. iOS and OS X are not completely analogous, mostly because Apple doesn't control the OS X software market the way they control the App Store for iOS, but this difference doesn't seem to matter.

The end result of the change is that Apple has only one version at a time to worry about. On iOS it's generally understood that users will upgrade quickly. Apple brags about how fast it happens. On Macs things move, but not quite as fast. As the chart above shows, a large majority of Mac users are still using unsupported versions. In their defense, many of them are no doubt using Macs on which Mavericks doesn't run.

Safari.logo

It's worth mentioning that the one thing Apple did for users of Lion and Mountain Lion was to release an update to Safari (to version 6.1) which addressed the vulnerabilities in that program fixed in Mavericks Safari 7.0. Apple has since released Safari updates to 6.1.1 and 7.0.1. Apple has always run Safari on a separate, if sometimes coincidental, update schedule. The browser is such a major vector for attack in on all platforms that this is a non-trivial mitigation, but I think it just underscores their lack of interest in delivering any other fixes.

I should add that Apple still appears to sell Mountain LionLion and even Snow Leopard, to those willing to shell out $19.99. I'm trying, but failing to come up with a reason why they would do this. My best guess is that it's for users who have older hardware that won't support Mavericks.

By the standards to which we hold more popular operating systems, Apple's abandonment of users who didn't immediately upgrade is irresponsible and outrageous. It seems those standards don't apply to Apple. And yet, empirically, what they did is looking reasonable.

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

122 comments
Log in or register to join the discussion
  • Just to point out:

    When has there been any major security holes in managed programming languages that were heavily exploited?

    How many in the .Net languages?

    Likewise, how many in WinRT?

    Java and third-party browser plugins (and related "Trojans") still remain the wildcard, and those only affect the legacy Win32 environment (and Mac systems just the same), which is a good reason to get them off the system. Pure WinRT doesn't have em. Windows RT doesn't get OS bloat over time either.

    Also, to say that Mac users are "safer" when only 39% of them are on the latest version of the OS, and all of the older OS versions aren't getting the security updates is just being dishonest. The truth is that most Mac users are not safe, since the majority of them are NOT on the version that Apple seems willing to patch.
    Joe_Raby
    • Mac users are safe...

      For 99 percent of the Internet malware - regardless of Kasperski, Norton and Symantec not bothering to know about the operating system. MacOS is Unix BSD, the first OS exposed to hackers. It has been tested and still lives.
      This is related to that it is impossible to go from one application and modify the other, it is impossible to access files that you are not granted access to, it is impossible to download and execute a file - like on Windows.

      Since Mac / iOS runs BSD, it also runs Unix 4.2 sockets - full tcp/ip stack, supports 4.3 but has all the vulnerabilities of the 4.2 sockets. The main is that you can leave a socket to "linger" indefinitely, and allow others to "Bind" to it and connect to the Mac through a back-door.

      The main vulnerability on Mac is the user - that the user downloads and installs malware and no "security fix" certified by Apple can warrant this.
      But nobody can get an email with a content that can be executed and read or modify things on the Mac. This is impossible, just like walking on water - requires huge effort by the USER. The same with email and browser adverts that contain code. What remains is the Flash and Java code that the WEB contains. Well, use Opera and see which pages execute code, how much is Flash and Java.
      knuthf
      • How wrong you are.

        Windows and UNIX security models are more alike than different. Please stop talking about things you haven't a clue about.
        ye
        • Please follow your own advice

          And stop rabbiting on about stuff you are so ignorant on.
          ego.sum.stig
      • Mac users are safe

        I agree with you after having used Mac and Linux for so many years as well as Windows. The biggest area wherein Windows users make their mistakes is logging in and using the internet with their administrative accounts. When they do that, they are inadvertently giving malicious malware and spyware special permissions to the Windows kernel. Without these permissions, viruses, malware, and spyware cannot just activate themselves. Most Windows users are not aware of this. Also, we all must remember to surf safely and stay off of suspicious sites and not click third party links in emails no matter what OS you use.
        tsairox
        • Whats even worse about windows

          A guest account will allow you to download and run an EXE, try that with a bin file in Linux.

          Sadly no amount of computer security can overcome an idiotic user and a crap sys admin.
          Alan Smithie
      • How would a Mac user know if they are safe?

        They don't use any security software that would notify them of a problem. For all we know, people have been quietly hacking mac users for years and the users have been blissfully ignorant as to how their credit cards, Social Security numbers etc. are being stolen or why all their friends with windows machines keep getting malware.
        mrefuman
    • Meh

      There is a complete set of security fixes for Mountain Lion.

      It's called Mavericks.

      Since Mountain Lion users can install Mavericks free of charge, that meets the requirements to make security fixes available to them.

      On the other hand, less that 50% of Windows users trust Microsoft enough to regularly apply their security fixes.

      These have cause so many problems in the past that many Windows users prefer the risk of being out of data to the risk of the Windows update mechanism trashing their system.

      And even if they install all of the Windows fixes, and their system survives, they are still far more exposed to security problems than Mac users.
      Henry 3 Dogg
      • So...

        Mavericks runs on all previous Mac hardware? In looking over the system requirements, many systems require hardware purchased post 2009. That's only 4 years old. So, if I have a 4 year old beautiful, artistically crafted, still functioning perfectly because of all the high-end parts, Mac I can't get security upgrades?
        tdogg219
        • Huh?

          4 years old is an eternity in the computer world regardless of whether you talking about mobile or desktop.

          You have a 4 year old computer it's time for an upgrade.
          Seabiscuit88
          • You are crazy

            I have a 12 year old ThinkPad running Windows XP that will works *perfectly*. MS has been offering me support this whole time.
            x I'm tc
      • Upgrading the entire OS to fix bugs is stupid.

        Only Apple apologists think otherwise.
        ye
        • Of course it is

          That's why Microsoft does it. That and the revenue to be gained.
          ego.sum.stig
          • No, Microsoft does not

            Microsoft provides security updates for products for 10 years (12 in the case of Windows XP). They actually have a published and consistent policy about these things. Apple has never published a policy about end of life for any of their products. Not only do they stop supporting products when they feel like doing it, they don't even announce that they have done so.
            Larry Seltzer
      • You pulled the 50% number out of your rectum...

        Windows users don't skip updates because of trust issues with Microsoft. They skip updates because they are lazy and / or don't understand why they should update. It's seen as a needless inconvenience.

        If / when these people do switch to Macs or Linux like you people so desperately hope they will, you will sadly find that they won't update their Macs or Linux boxes either.

        I work in IT and I still have to update my girlfriends ipods, ipads and blackberries even though she knows exactly what the updates are for because she "Doesn't have time for that sh%%%... updates are annoying...".
        mrefuman
        • As opposed to where you pull your data from?

          Your posts make it quite clear you make up data on the spot.
          "They don't use any security software that would notify them of a problem. "
          You know this how, exactly?
          .DeusExMachina.
        • updates much easier and more complete in non-Windows

          Hi :)
          While Windows kinda forces people to run automatic updates it does it in a way that takes control away from the user and often forces reboots at what might be inconvenient moments.

          Even after updates all the drivers, codecs, libraries and 3rd party programs haven't been touched = often leaving ancient legacy attack vectors wide open. Also visiting Microsoft.Com often reveals other security patches that need to be applied.

          So even after sitting through MS's forced updates and forced reboots users still find that opening a Pdf forces them to sit through yet another set of updates and maybe even reboots.

          Even after trying to go through everything that might need upgrading you can never be sure that the system really is fully patched. It's highly likely to still be unpatched in some way or other.

          Of course people get sick of it, and that's assuming the updates fix rather than break things!


          A complete contrast with Gnu&Linux!

          With Gnu&Linux a discrete message pops-up to let the user know that some updates are available. Unliek with Windows the pop-up doesn't force the user to stop what they are doing to deal with the pop-up. Users can continue to type or watch a movie or whatever they were doing without having to respond to the reminder at all.

          When users do run updates then EVERYTHING that has an update gets updated. All libraries, codecs, drivers, everything. It takes less time because programs share such things so you don't need 20 programs to receive the same update for the same vulnerability. Just 1 library update would cover them all.


          Also nearly all updates for nearly all programs in Windows are "security updates" so they are not meant to increase functionality or usefulness and indeed have sometimes blocked certain usages. Again Gnu&Linux and other systems tend to already have rock-solid security so updates are almost always adding functionality.

          No wonder Windows users get so sick of updates and keep running legacy systems with known vulnerabilities!! It's all in the design.

          Regards from
          Tom :)
          Tom6
      • Meh?

        Problems in the past? The Windows update mechanism trashing their system? Huh? I recall only two issues with patches in 2013, and these weren't widely reported problems. Nevertheless, Microsoft caught the reports very quickly and pulled the patches. In my experience, most of the other problems I've seen with updates is due to the condition of the OS in the first place. I remember one patch for Windows XP that was causing failures and the cause turned out to be malware on the box. Microsoft had changed some of the code in the kernel which caused the malware to not be able to connect to it, causing a kernel panic.
        darthmongo
    • You miss the point

      They are safer in that they aren't being targeted - "security through obscurity".

      Why steal a Nexus when the illegal phone market buyers are only looking for iPhones?

      Same applies here - why target a tiny minority of computer users, when the same amount of work can get you the vast majority of computer users?
      William.Farrel
      • The security through obscurity myth has been disproved so many times

        including directly to you, that it defies reason why you still bring it up.
        .DeusExMachina.