Apple more secure than Windows NT?

Apple needs to come clean on security
Written by Patrick Gray, Contributor

commentary With exploit code for an OS X vulnerability released recently and a compromised Australian university Mac server caught hosting malware in August, it may be time Apple admitted its platform is no more secure than any other.

While Apple users laud their systems as unbreakable pillars of security in a dangerous world, unsusceptible to the malware attacks that make life on Windows so hazardous, the headlines keep coming.

In August, the University of New South Wales was, no doubt, surprised to learn one of its Mac servers had been hijacked by baddies to host some malware disguised as a Microsoft patch. University system administrators interviewed by ZDNet Australia were puzzled -- the server was evidently running the latest version of OS X server.

It turned out the miscreants gained entry through a vulnerability in the server's TikiWiki code, a third party package that has nothing to do with Apple. Still, OS X didn't somehow, magically, prevent the attack as some users seem to think it's capable of doing.

Yes, it's true the average Mac user (like me -- shiny 20 inch G5 Rev B) doesn't have to contend with the malware that plagues Windows-based computers. Yes, it's true I'd prefer my mother use a Mac to avoid keylogging Trojans designed to capture her Internet banking passwords. But Apple's marketing these days seems to suggest its computers are immune to attack (The advert is also available on YouTube).

They're not, and it's dishonest for Apple to suggest otherwise.

There is little evidence to justify the claim that Apple computers are more secure than any other, and anyone who points to the low number of reported OS X security bugs, worms or viruses as proof to the contrary is misguided.

Macs are safer to use because of the lower number of reported bugs, but that does not make them more secure. It's an important distinction.

There's only one thing that makes Macs substantially safer than PCs, and it's called market share; a 3.8 percent market share, measured by net presence, to be precise.

If Macs were the dominant operating system with, say, 80 percent of the market, there is no doubt all the clever malware writers would devote their skills to engineering malware for Macs, not Windows-based PCs.

With all that brainpower going into compromising an operating system, there is little doubt the efforts would yield results.

In this parallel universe, switching to that boutique operating system made by the underdog with the 3-4 percent market-share, Microsoft, would seem like a great idea. Windows would develop a cult following for its inherently superior security.

The ironic part is Apple has, whether it knows it or not, ripped a leaf straight out of Microsoft's marketing playbook. You have to dig around for Microsoft's old Windows NT marketing material -- the company has removed much of it from its Web servers, perhaps out of shame -- but it reads much the same as Apple's current spiel.

"Intelligent design prevents the swarms of viruses and spyware that plague PCs these days," says Apple's Web site.

And this from Microsoft. "Windows NT Server is secure from the ground up," says a Microsoft Web site archive touting NT's apparent NSA C2 security compliance.

"Every process and feature was designed with C2 level security in mind. In fact, Windows NT Server is so secure that certain processes (identification and authentication, and the ability to separate a user from his/her functions) meet B2 security requirements, a level of security that is even more strict than C2."

In retrospect, it is kind of funny. More reading here.

Indeed, when Windows NT first rolled around in the '90s, Microsoft pushed the security angle hard. It was a new product, and there were few known vulnerabilities in the new server architecture. Of course, with increased market share came a deluge of vulnerabilities and everyone realised that it was, for the purposes of security, poorly designed and full of holes.

Users were not happy, and Microsoft was forced -- it took years -- to finally invest in security in earnest. The Redmond-based giant has learned its lesson.

Apple hasn't been through that humiliating process yet, and still thinks it's invincible. This could explain its lacklustre response to security vulnerability reports. Ask almost any security researcher what they think of Apple's response capability, and you'll usually get the same answer: "They're bad, but not as bad as Oracle."

It's hardly a glowing endorsement.

The argument being put forward here isn't that Windows is more secure than OS X, it's that currently there is no such thing as a secure operating system. OS X just hasn't been subjected to the torture test that comes with market domination. It is almost certain that there are dozens of undiscovered bugs in OS X.

Welcome to the wonderful world of operating system security.

And thanks to the computer-maker's decision to switch to an Intel CPU architecture, Mac malware has never been easier to write. Creating security vulnerability exploit code requires a fairly intimate knowledge of the CPU architecture on the target machine. The relative obscurity of the previous Mac architecture (Power PC) meant there were few malicious coders who could be bothered writing exploits for OS X.

Now it's been switched over to the more hacker-friendly Intel architecture, it's a fair bet that more exploits for OS X will emerge. Sure, the differences between Mac and Microsoft operating systems still mean malware will have to be customised for OS X, but the initial exploitation will be that much easier.

Apple, the message is this: Yes, you make beautiful computers. They're pretty, shiny, they have a nice interface and I love my Mac. Consumers are safer online using a Mac, too. But just as the security of New Zealand is rooted in its geographic isolation, not its military might, the security of your products has more to do with your small market share than their technical superiority.

Editor's note: An update to this commentary has been published here.

Editorial standards