Conventional wisdom has it that Apple's Mac OS X system is more secure than Windows. And though partisans on either side of the OS fence have differing reasons for believing that to be so—Mac users believe it's because of the inherent superiority of OS X's UNIX underpinnings, and Windows users claim that OS X's tiny 5 percent usage share isn't a sufficient target for hackers—this is perhaps the one area where they do agree.
But security expert Alex Stamos of iSec Partners says the conventional wisdom is wrong. And this week at the Black Hat Conference, he claimed that Mac OS X is "significantly more vulnerable" than Windows 7 when it comes to network-based attacks—you know, the kind that actually occur in the real world.
Catch your breath a moment so the dust can settle: As you read this, a thousand tiny-minded technology enthusiasts are busy exercising their bile gene in profanity-laced email messages, on Twitter, and in anonymous comment-section posts. They'll calm down. Just give it some time.
And in the interest of full disclosure, various versions of Mac OS X did suffer from fewer overall vulnerabilities over the past three years than did various versions of Windows: There were 1,151 major OS X vulnerabilities in this time period, compared with 1,325 for Windows. (But even those figures should temper any talk of OS X's "inherent" superiority. Just a thought.)
But when you look at the most recent versions of OS X and Windows, and examine network-based attacks specifically, the tables are turned: Modern Windows versions are more secure overall than the latest OS X versions, and with network-based vulnerabilities in particular, OS X comes out way behind.
"OS X networks are significantly more vulnerable to network privilege escalation," Stamos said at the show. "Almost every OS X server service offers weak or broken authentication mechanisms."
Stamos also threw cold water on the notion that OS X is too small of a target for hackers to bother with, and he notes the small difference between overall OS X and Windows vulnerabilities over the past three years as proof. If hackers were ignoring OS X as predicted, those vulnerabilities would never have been found.
He also points out that a false sense of security leads Mac users to think they are invulnerable to hacking, and Apple's "deceptive" advertising doesn't help. Mac users are more prone to social-engineering attacks than Windows users simply because they don't have the security religion.
Of course, Apple has just shipped its latest OS X release, Lion, and that version of OS X will eventually require new applications to enforce a security sandboxing model that should help prevent new applications from spreading malicious code. And on the iOS side—Apple's iPhone and iPad are based on an OS X-like OS themselves—the company has always provided a more secure sandboxing model, which raises hopes that these devices will be more secure going forward, too.
(Modern OS X and Windows systems include many similar security features, by the way, including such things as ASLR, which randomizes the memory location of startup applications, and NX/DEP/ED, another set of memory-based protections.)
What Microsoft has going in its favor, of course, is a fanatical devotion to security: After shutting down OS development in 2002 to address rampant security vulnerabilities in Windows XP, the company initiated its Trustworthy Computing program and now develops all products under an ever-improving Security Development Lifecycle (SDL) process that none of its competitors have come even close to adopting. The SDL has been so successful, in fact, that hackers have turned from OSs to popular applications in recent years because Windows has become so secure. Just ask Adobe how that change has affected its business.
The point is that things change. In my experience, it's not at all hard to properly secure a Windows PC, and common sense goes a long way when it comes to online activities. I'm not sure I'd personally promote the notion that Windows is "more secure" than OS X, but I am arguing that they're within shouting distance of each other and are certainly comparable from a security standpoint. Of course, for Mac users, that's probably an affront to every notion they hold dear. Hopefully, their comeuppance won't be as painful as the one PC users faced almost a decade ago.