Apple security under attack: The view from Windows

Apple has much to learn about securing an operating system -- and it could learn it from Microsoft

The blogosphere is abuzz over the latest Black Hat presentation exposing the security holes of Apple's Mac OS X. The upshot is that Microsoft Windows, in comparison, does a better job of protecting its users, especially against network protocol attacks. A proof-of-concept hack shown at the Black Hat security conference involved plugging one rogue Mac computer into an enterprise network, where it was soon able to gather the authentication credentials of all the other Macs in the environment.

In my world (I'm a principal security architect for Microsoft), this is no big surprise. Macs have always been far more vulnerable to hacker assaults than Windows computers, by almost every metric that means anything. Yes, Macs do have far more software vulnerabilities than Windows computers. If you don't believe me, go to any vulnerability database (I like Secunia's advisory database) and compare any operating system or application from Apple and Microsoft, head to head, over the same time period during the last five years. Most people are absolutely shocked to see that Microsoft software in general, and Windows in particular, has suffered far fewer vulnerabilities than Apple software and Mac OS X.

But even pure vulnerability numbers don't paint the whole picture. Among the leading OS vendors, Apple has been the last to implement nearly every important security protection. Apple was last to implement anti-buffer-overflow memory protections. Apple was the last to implement address space layout randomization (ASLR). Apple was the last leading operating system vendor to offer full disk encryption (in the recently released Mac OS X Lion). Apple is also typically the last among these vendors to patch software bugs, sometimes months after they become publicly known.

And it came as no surprise when Dmitry Sumin, president of Password Inc., told me last week that Apple's Mac OS X Lion was the only popular operating system to store login passwords in plain text in memory.

As astounding as these facts might be to Mac users, they aren't surprising to security experts who work with both platforms. It's been this way for a long time. At Black Hat a few years ago, I asked hacking expert Charlie Miller why he concentrated on the Mac when most hackers focused on Windows. He replied, "Because it's easier." Apple is an innovator in device design, UI, and many other important things that the world is properly grateful for. But in the computer security world, Apple is a follower.

Does all this mean that Mac users would be safer running Windows? No, it doesn't. Macs are attacked far less frequently today than Windows PCs, and this factor is hugely important when considering overall security. Although I said Macs are more vulnerable than Windows PCs, notice that I didn't say they are more insecure. Although vulnerability is easy to measure, insecurity is a function of security risk. Right now, Macs have far less security risk than Windows PCs. Microsoft Windows is the primary target of hackers because it runs on 80 to 90 percent of the world's computers. Simply because Macs are in the minority, owning a Mac means you might be "safer" than if you owned a Windows computer.