Snow Leopard Less Secure than Windows?

Despite what the Mac commercials would have you believe, the latest Mac operating system is actually less secure than either Vista or Windows 7. That’s not me saying this, mind you, it’s noted security expert, Charlie Miller. According to a recent ComputerWorld article, Miller is quoted as saying “Apple missed a golden opportunity to lock down Snow Leopard when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista.”

Specifically, Miller is referring to a security hole that has to do with ASLR (address space layout randomization) which "randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits." Apple has yet to patch this hole in their new OS.

While you may think that one unpatched hole does not make an OS less secure than others, Miller feels differently. In a follow-up email with the researcher, he explained that this hole is so important that until it’s fixed, he will consider Mac OS X less secure than Windows.

And if Mac does patch the hole? “If Mac OS X had ASLR,” he says, “I'd say Windows and Mac OS X were roughly the same as far as security goes.”

Essentially, explains Miller, OS security boils down to two things: which OS has the most vulnerabilities, something that’s hard to accurately measure, and which OS makes it the most difficult to exploit those vulnerabilities. This second item is much easier to measure – you simply list the known anti-exploit mitigations and see if the OS has them.  In Mac OS X, ASLR is missing from the list.
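The mitigation check described above can be run directly for ASLR. The following C program is an added example, not code from the article or from Miller: on a POSIX system it re-executes itself five times and reports which memory regions kept the same address in every run. The `--probe` flag, the region names and the run count are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REGIONS = 4, RUNS = 5 };  /* run count is an arbitrary choice */
static const char *region_name[REGIONS] = {"stack", "heap", "code", "libc"};

/* Bit i is set when region i had the same address in every run (predictable). */
unsigned fixed_regions(unsigned long s[][REGIONS], int runs) {
    unsigned mask = 0;
    for (int r = 0; r < REGIONS; r++) {
        int i = 1;
        while (i < runs && s[i][r] == s[0][r]) i++;
        if (i == runs) mask |= 1u << r;
    }
    return mask;
}

static int probe(void) {  /* child mode: print one address per region */
    int local = 0;
    void *heap = malloc(16);
    printf("%lx %lx %lx %lx\n", (unsigned long)&local, (unsigned long)heap,
           (unsigned long)&probe, (unsigned long)stdout); /* stdout's FILE lives in the C library */
    free(heap);
    return 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) return probe();
    unsigned long s[RUNS][REGIONS];
    for (int i = 0; i < RUNS; i++) {
        int fd[2]; char buf[128] = {0};
        if (pipe(fd) != 0) return 2;
        if (fork() == 0) {                  /* a fresh exec gets a fresh layout */
            dup2(fd[1], STDOUT_FILENO);
            execl(argv[0], argv[0], "--probe", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        ssize_t n = read(fd[0], buf, sizeof buf - 1);
        close(fd[0]); wait(NULL);
        if (n <= 0 || sscanf(buf, "%lx %lx %lx %lx", &s[i][0], &s[i][1], &s[i][2], &s[i][3]) != 4) return 2;
    }
    unsigned m = fixed_regions(s, RUNS);
    for (int r = 0; r < REGIONS; r++)
        printf("%-5s %s\n", region_name[r], ((m >> r) & 1) ? "FIXED" : "randomized");
    return m != 0;
}
```

The exit status is non-zero when any region is fixed. Run it by path (for example `./aslr_check`, a hypothetical name) so the re-exec can find the binary; a non-PIE build (`gcc -no-pie`) typically reports `code` as FIXED.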

So how does Mac OS X get away with calling itself the more secure OS when security researchers like Miller say otherwise? It’s because hackers don’t find attacking Macs worth their while. Again, that’s Miller’s opinion. “If [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%.”

Lest you think Miller is the only pundit making these sorts of claims, take a look at recent findings from analyst firm Gartner. According to a recent article, “Yes, Macs are Vulnerable Too,” the lack of publicized Mac attacks doesn’t mean there is an underlying lack of vulnerabilities. There are plenty, the article states, referring to a chart from IBM's ISS X-Force security report which shows Mac OS X vulnerabilities coming in at the top spot when compared to other operating systems like Linux, Sun Solaris, and several versions of Windows. The article also notes how Safari and IE are “neck and neck” when it comes to browser vulnerabilities, too.

According to the Gartner analyst Neil MacDonald, “it’s a matter of when, not if, large numbers of Apple users will be affected with an outbreak.”

So at the end of the day, are Macs more secure than Windows? No, it appears they are not. They’re just not attacked as much.

Follow the Discussion

  • eganist

    "Miller is referring to a security hole called ASLR (address space layout randomization)"

    ASLR is a security feature in both Windows and Leopard/Snow Leopard. The hole is in Apple's implementation.

    -Bryant Zadegan

    AeroXperience

  • Mario Albertico Magana

    I think that the more Apple prides itself in its marketing about the whole, rather aging, "macs don't get viruses" standpoint, the bigger the hole it is digging itself into gets. More mac virus ads bring more official attention to the security debate, and when big names start to test the claims, and Apple continues to fall short of them, the reality should begin to trickle down to the masses. So there you go Apple, keep at it with those so-last-year "only PC's get viruses" ads.

  • Eddie Starr

    Awesome Story Sarah!  Can not wait to share this with my "Apple Fan Buddies"

  • Shift

    Eat that apple fanboys!

  • Thanks Bryant. Poor wording on my part, I corrected.

  • Sentax

    It's always about "Kill the King".

    Apple can sit back and be more relaxed because of Microsoft taking all the focus of attackers.  Then come the commercials as we've seen, which I believe are now just defensive moves on Apple's part.

    I'd like to see Apple take 90% market share for a few days and see how well their *awesome* *virus-free* operating system handles the attention.
