Macs are NOT hack-proof. They are not inherently more secure than Windows PCs. In real-world use, however, OS X is more secure. Why is that so?
Myth #1: The average Mac OS user may be more tech savvy than the average Windows user and less likely to succumb to social engineering.
This may actually be true. Before you fire off that email to complain, keep in mind that the Tom’s Hardware audience isn’t the average Windows user. You’re at the upper echelon of the group that builds PCs, keeps up with the latest technology trends, and does its own research before making a tech purchase. I’m not saying that Mac users are smarter than Windows users; I’m only talking about the averages. If you think about the ubiquity of computers in North America, Europe, and Asia, then the average Windows user should in fact be close to the 50th percentile for the global population. If you think you’re better than the 50th percentile, then you, too, are better than the average.
If you look at the market, it makes sense. US Census data has long shown the association between level of education and household income. Since Macs are inherently more expensive, it would follow that the average income of a Mac owner should be higher than the average income of a Windows owner, and along those lines, the average education of a Mac owner should be higher than that of a Windows user. That is borne out in large surveys. About 70% of Mac users have a college education, whereas only 54% of Windows users have a college education, according to a 2002 Nielsen study.
Ultimately, it’s not the “average” that matters--it’s the least tech savvy in any group that ruins it for the rest of us. Take spam for example. Recent work from UC Berkeley and UCSD determined that out of 350 million pharmaceutical spam messages sent via the Storm botnet, 10,522 users visited the site and 28 people tried to actually make a purchase. It’s those users that make spam profitable and make it a problem for the rest of us.
At another level, there is some truth to this claim because Mac owners have to consciously make the switch to the Mac. Either they’re technically savvy users who are comfortable dealing with cross-platform issues or they’re technical neophytes who are still smart enough to know that they don’t know anything and therefore choose the Mac as their one method of trying to stay safe. It’s the Windows users who don’t even know that they’re vulnerable who drive the statistics up.
This myth is true if you consider the statistics, but it is unimportant.
Myth #2: Mac OS X has a superior design
In theory, Vista should be the better-designed operating system. Microsoft actively invests in extensive security capabilities, such as Address Space Layout Randomization in Windows Vista, and recent security analyses comparing the number of risks and “days at risk” show that Windows Vista users actually fare better than Mac OS X users.
The problem is that these analyses are limited to “security holes we know about” that get patched. Suppose two operating systems have 1000 holes in them. If one manufacturer patches 400 of them, and the other only patches 40, which is the more secure system?
The answer is neither. It only takes one hole to compromise the entire system.
Myth #3: Macs are targeted less frequently.
Malware is profit-driven. Since there are fewer Macs on the market, the hypothesis is that commercial malware operators will not target the Mac until the platform reaches a critical threshold of market share. At some point, Macs will reach critical mass and the Mac will be as big a target as Windows.
An analysis performed by the Director of Emerging Technologies at Cloudmark and published in IEEE Security and Privacy has an interesting hypothesis. Using game theory, he predicts that Macs will become an economically feasible target once the platform breaks 16% market share. Even with the success of the Mac, we don’t see Apple reaching that level for a few years (if that). Then, once the Mac reaches that level of market share, the assumption has to be that developing malware for the Mac costs the same as developing malware for the PC, and this may not be the case.
In 2008, there were 1.5 million different pieces of malware targeting Windows machines. There are fewer than 200 pieces of malware targeting the Mac.
Myth #4: Pwn2Own
This one comes from the comments section of our State of the Personal Computer piece from late last year.
The story about the Pwn2Own contest is that a hacking contest was held to see whether Windows Vista, Ubuntu, or Mac OS X was more secure. Hack the machine, and you win the computer. The MacBook Air fell 2 minutes after the start of the contest. Windows Vista fell the next day. Ubuntu remained unhacked for the entire 3-day competition. Therefore, Macs are the least secure, followed by Windows Vista, followed by Ubuntu Linux.
That’s how the story goes.
The details are where things get interesting. It’s easy to imagine Pwn2Own as a free-for-all death match with hundreds of hackers going at it for glory and fame. In fact, Pwn2Own was a contest with very rigid rules. You had to wait in line to attack a target. Only one team had an opportunity to hack a machine at any time. Each opportunity was 30 minutes, and if you were unsuccessful, you had to go back to the end of the line and wait your turn. You could only wait in one line at a time, and you could only win the contest once. First come, first served.
Only four teams participated.
Day 1: Win the notebook if you can do a true remote execution attack. No attempt was made.
Day 2: Web browsers and mail applications are now allowed. The organizers of the competition will visit a Web site or receive an email. The winner of the MacBook Air knew that he had a previously undescribed flaw in Safari that would win the competition. He was the first in line that day. Hacked in 2 minutes.
The two-minute hack makes for a great story and lots of publicity for both the conference and the security researcher, but no one really talks about the time spent BEFORE the contest to discover the exploit.
Day 3: Common plug-ins are now installed. The Vista notebook is hacked via an Adobe Flash exploit.
The two-man team that took down Vista did so with their personal MacBook Pro notebooks. Although the Vista notebook wasn’t the first to go that morning, the Flash exploit that affected Windows Vista also affected the Ubuntu Linux machine that had Adobe Flash installed. The contestants just weren’t interested in trying to win the Ubuntu machine. According to the organizers, no one signed up to try to hack the Ubuntu Linux notebook.
So, when you read an article talking about Pwn2Own, the fact still remains that OS X has not been the target of active remote execution exploits or browser holes in real life. Current OS X malware exists only in the form of Trojans in which the user is willingly installing software and willingly entering the administrator password.