Why Mac users are safer

The evidence is overwhelming: The opportunities to attack Mac users are plentiful, but nobody bothers. It's still too easy to get at Windows users. This has been obvious for some time and well-understood in the security community.
Written by Larry Seltzer, Contributor

On October 22 of 2013 Apple released OS X 10.9, a.k.a. Mavericks. In it they patched dozens of security vulnerabilities, many quite serious, and disclosed those fixes. In contrast to their prior practice, they did not, and have not since, released fixes for those vulnerabilities for earlier versions of OS X, including 10.8, a.k.a. Mountain Lion. I think they're not going to. 

For the more than 10 weeks since, all Mountain Lion (and Lion and earlier) users have been vulnerable to attack. Have you heard any reports of attacks? I haven't. There may in fact be some, but they're certainly not widespread. (By way of analogy, the NSA may be compromising iPhones, but it's not a widespread problem.)

[CORRECTION: Since we published this story NetMarketShare has changed the numbers cited below. The changes aren't big for Mac OS X. The chart is also now modified with correct data.]

And that's the issue right there: No Mac problem can really be all that widespread because there aren't enough Macs. As my colleague Ed Bott describes, the latest NetMarketShare numbers through December show that 7.53% of total users are running Macs, with 37% of those (2.79% of all users) on 10.9. The percentage of users on Macs has been fairly constant through the year. (See the chart below for this and more detail using the latest data from NetMarketShare.)

[Chart: share of all users on each OS X version, NetMarketShare data through December. Source: NetMarketShare]

This is, of course, not news, but the lack of fallout from Apple's change of policy for security updates demonstrates it to me more clearly than anything I've seen in the past. Even more striking is the lack of outrage, or even curiosity, from Mac users, about the change in security update policy. It seems like they don't care either.

I'll go so far as to say that many Mac users are in denial about Apple abandoning Mountain Lion users. I ran into this when I put a paragraph about the events in the Wikipedia page for Mountain Lion. The changes were quickly removed by an editor, saying "Instead of complaining about security updates, we should either wait for new ones to be released or wait until Apple declares ML unsupported." In other words, don't say anything about Apple without their clearance.

Personally, I would think that even 1% of the total users is an immense target, but I have to surrender to the empirical evidence: As one Mac security expert puts it to me:

    It all comes down to attacker economics. The return on time investment just isn't there compared to the return on attacking Windows hosts. There is a big switching cost for attackers to target a new platform. They don't just have to exploit the vulnerability, they must also have payloads and malware developed for that platform. While there are enough Windows hosts to attack and vulnerabilities to attack them through, it makes more financial sense for attackers to continue targeting them and essentially ignoring other platforms. The obvious exception to this is Java applets. The same attack can be leveraged to attack multiple platforms so that has apparently made it worthwhile for some attackers to exploit those vulnerabilities on Macs.

Even the Java exception is not what it used to be. As Kaspersky noted in their 2014 predictions, the real action in Java exploits fizzled out early in 2013.

There has been basically one exception to this state of affairs: The Mac Flashback trojan was discovered in September 2011 and, by the following April, had infected 10% of home networks with Macs on them. At that point, Apple issued a system update which removed the most common versions of the malware. Flashback was a concerted effort on the part of a Russian criminal gang to bring the PC malware ecosystem to the Mac. I'm usually leery of the phrase "the exception which proves the rule," but it's perfect here: Flashback showed that successful Mac malware was very possible; the fact that nobody has bothered since shows that it wasn't worth the effort.

So even though they are vulnerable to any talented attacker who would try, Mac users are safe. Nobody's trying. This is what we call "flying under the radar."

Speaking of exceptions and rules, and reminding you of the NSA hacking iPhones, when I say that "Mac users are safe" I don't mean that all Mac users are safe. If you believe that you are worthy of special effort by a sophisticated actor, such as a government or criminal enterprise (it's so hard to tell the difference sometimes), as a Mac user you are not only vulnerable, you are extremely vulnerable. Apple has a well-documented history of taking a long time to fix publicly-disclosed security vulnerabilities, even on the versions that they are still supporting. So if you're a political dissident in China or a guardian of valuable intellectual property, using a Mac doesn't improve your security much, if at all.

I have been arguing and still believe that Apple's strategy is, in effect, to bring their support policy in line with that of iOS: When Apple has released a new version of iOS they have always ended all support for the previous version. iOS and OS X are not completely analogous, mostly because Apple doesn't control the OS X software market the way they control the App Store for iOS, but this difference doesn't seem to matter.

The end result of the change is that Apple has only one version at a time to worry about. On iOS it's generally understood that users will upgrade quickly. Apple brags about how fast it happens. On Macs things move, but not quite as fast. As the chart above shows, a clear majority of Mac users (roughly two thirds) are still using versions that no longer receive security updates. In their defense, many of them are no doubt using Macs on which Mavericks doesn't run.

It's worth mentioning that the one thing Apple did for users of Lion and Mountain Lion was to release an update to Safari (to version 6.1) which addressed the vulnerabilities in that program fixed in Mavericks Safari 7.0. Apple has since released Safari updates to 6.1.1 and 7.0.1. Apple has always run Safari on a separate, if sometimes coinciding, update schedule. The browser is such a major vector for attack on all platforms that this is a non-trivial mitigation, but I think it just underscores their lack of interest in delivering any other fixes.

I should add that Apple still appears to sell Mountain Lion, Lion and even Snow Leopard, to those willing to shell out $19.99. I'm trying, but failing, to come up with a reason why they would do this. My best guess is that it's for users who have older hardware that won't support Mavericks.

By the standards to which we hold more popular operating systems, Apple's abandonment of users who didn't immediately upgrade is irresponsible and outrageous. It seems those standards don't apply to Apple. And yet, empirically, what they did is looking reasonable.
