Security analysts and Windows managers often point a finger at Apple's longstanding place at the top of Secunia's OS vendor vulnerabilities list. However, that chart may map only part of the insecurity picture.
Neil MacDonald, a vice president at Gartner Research recently authored a research note on whether antivirus software is needed on Mac OS X and Linux desktops. (The answer is yes.)
In a recent blog post, MacDonald says that in an number of reports, such as Secunia's 2010 vulnerability rankings, Apple comes in at Number 1 and Microsoft, Number 3. This looks very bad for Apple.
However, he says that while the number of vulnerabilities is an important measure, the severity of the vulnerabilities is also important. Comparing the "critical and high-vulnerability disclosures" in IBM's X-Force 2010 Mid-Year Trend and Risk Report, Apple appears to have improved its security over the past 5 years, while Windows has gone from 20 percent to 75 percent.
With Microsoft’s Secure Development Lifecycle in place and continuing to be refined over the past 7 years, why does the OS software being produced by Microsoft contain a significantly larger percentage of security vulnerabilities rated critical or high while other OSs are decreasing?
MacDonald offers some significant analysis on the topic. Take a look-see.
So the story isn't just about some abstract vulnerability but on how bad it all really is. And anyone who has used both Macs and PCs understands the real-world difference.
For example, working on my Mac, I've been infected with malware twice: once in the late 1980s before the word malware was invented, and another time with a Windows macro virus in the 90s. This isn't a statement of the vulnerability or invulnerability of the Mac OS. Instead, it's just how it has been.
Meanwhile, Apple appears to be making a greater effort towards security in Mac OS X Lion. It recently invited security researchers inside the fold — something that has never happened before.
Some researchers have high hopes about improvements in Lion.
Charlie Miller, author of the Mac Hackers Handbook and principal security analyst at Independent Security Evaluators was interviewed at Infosec Island after his recent win at Pwn2Own this month. He pointed out that with the release of iOS 4.3, the iPhone now incorporates ALSR (address space layout randomization) and DEP (data execution prevention) protection. Of course, here Apple is following Microsoft, which supports the schemes in Windows Phone 7.
Windows has had full ASLR in Windows since Vista, he reminded us.
Q: Does this lead you to believe that the Mac OS X Lion may also have full ASLR when released?
A: I sure hope so. If it has full ASLR, it will be a huge improvement over Snow Leopard.
Check out the full interview: Miller runs down the security situation on Mac OS X and iOS, and talks about the techniques he used to crack the iPhone at Pwn2Own.