Despite what the Mac commercials would have you believe, the latest Mac operating system is actually less secure than either Vista or Windows 7. That’s not me saying this, mind you, it’s noted security expert, Charlie Miller. According to a recent ComputerWorld article, Miller is quoted as saying “Apple missed a golden opportunity to lock down Snow Leopard when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista.”
Specifically, Miller is referring to a security hole that has to do with ASLR (address space layout randomization) which "randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits." Apple has yet to patch this hole in their new OS.
While you may think that one unpatched hole does not make an OS less secure than others, Miller feels differently. In a follow up email with the researcher, he explained that this hole is so important that until it’s fixed, he will consider Mac OS X less secure than Windows.
And if Mac does patch the hole? “ If Mac OS X had ASLR, he says, “I'd say Windows and Mac OS X were roughly the same as far as security goes.”
Essentially, explains Miller, OS security boils down to two things: which OS has the most vulnerabilities, something that’s hard to accurately measure, and which OS makes it the most difficult to exploit those vulnerabilities. This second item is much easier to measure – you simply list the known anti-exploit mitigations and see if the OS has them. In Mac OS X, ASLR is missing from the list.
So how does the Mac OS X get away with calling themselves the more secure OS when security researchers like Miller say otherwise? It’s because hackers don’t find attacking hacks worth their while. Again, that’s Miller’s opinion. “If [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%.”
Lest you think Miller is the only pundit making these sorts of claims, take a look at recent findings from analyst firm Gartner. According to a recent article, “Yes, Macs are Vulnerable Too,” the lack of publicized Mac attacks doesn’t mean there are an underlying lack of vulnerabilities. There are plenty, the article states, referring to a chart from IBM's ISS X-Force security report which shows Mac OS X vulnerabilities coming in at the top spot when compared to other operating systems like Linux, Sun Solaris, and several versions of Windows. The article also notes how Safari and IE are “neck and neck” when it comes to browser vulnerabilities, too.
According to the Gartner analyst Neil MacDonald, “it’s a matter of when, not if, large numbers of Apple users will be affected with an outbreak.”
So at the end of the day, are Macs more secure than Windows? No, it appears they are not. They’re just not attacked as much.