commentary One thing ZDNet Australia managed to prove this week is any debate about OS X security will be heated.
Our inboxes were full of comments following the publication of Apple more secure than Windows NT?
Many Mac users disputed the arguments put forward in the story. In particular:
- The obscurity of OS X as an operating system explains why there has been a small number of security bugs reported in it
- The computer-maker's decision to switch to an Intel chipset will make it easier for malware writers to code exploits for OS X-based systems
This writer would like to revisit those claims.
Firstly, there is historical evidence to suggest that security through obscurity is a genuine phenomenon. According to Chris Wysopal, the co-founder and former CTO of AtStake (which was acquired by Symantec in 2004), the number of reported vulnerabilities is a horrible way to judge software security, especially for less popular software.
"NeXTStep had seven reported vulnerabilities over a seven year period from 1990 to 1997. This is a far smaller vulnerability count than OS X. Was it more secure? Hardly. No one cared," Wysopal said.
Given that modern malware is written for profit -- trojan programs designed to steal banking passwords a favourite -- an operating system with a 3.8 percent market share is hardly an attractive target.
Computer Associates' director of Content Research, Jakub Kaminski, believes the worm will turn, but he's not sure when. "Everything is about money. Someone will figure out that there are enough Macs out there that it's worth it."
Kaminski, who oversees virus research at CA's biggest virus lab, also agreed with the premise that the switch to Intel has done the bad guys a favour.
"The fact that they're using the same processor [as PCs] will definitely make things easier," he said. "The really bad guys ... they're using assembly. Someone who wrote [exploits] for Intel on PC will [find it] much easier to move to Mac."
He's not the only one who thinks so. Security expert and founder of the controversial Metasploit project, HD Moore, told ZDNet Australia that the switch to Intel did result in many type of vulnerabilities becoming easier to exploit.
"Lots of reasons for this, but the key ones are flexibility of x86 assembly and the independent i-cache/d-cache in PowerPC," Moore said via e-mail.
Moore is an authority on the subject. He has written a very comprehensive article on OS X PPC shellcode tricks. Shellcode is the assembly-coded software that allows hackers to meaningfully exploit security vulnerabilities.
Apple more secure than Windows NT also took issue with Apple's marketing strategy around security, suggesting the company is implying its products are more secure than others because of some sort of inherent superiority.
Well, it's happened again. In the wake of news that Apple shipped iPods pre-loaded with a Windows virus, the company put its spin machine into action, declaring on its Web site: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it".
It shows a lot of gall for Apple to take a poke at Microsoft, having just infected its users with a virus shipped on iPods. If history has taught us anything, using security in public relations campaigning and advertising is dangerous.
It backfired on Microsoft when the Redmond-based giant used NT 3.5's apparent NSA C2 security compliance to promote the product, and it backfired on Oracle, too. When the database-maker declared its products "unbreakable" in an advertising campaign in 2001, the deluge of security bugs that followed was nothing short of startling.
What's needed now is a rational discussion about security issues affecting Mac users. The truth is, there's a fringe element of extraordinarily loyal Mac users who refuse to acknowledge that trouble may be on the horizon, despite mounting evidence to the contrary and a significant hardware change with the switch to Intel.
Instead of getting bogged down in full-scale denial, let's start a rational debate. This isn't about Windows versus Mac, this is about keeping Macs safe from attackers by dragging the security issues affecting OS X into the open. It's time.