Are Macs safer than PCs?

Last week, there was a lot focus on the security of Apple Macs after the Russian security firm, Dr Web, revealed that they had found a botnet comprising over half a million infected Mac computers.

Macs were becoming infected with Flashback malware after users were redirected to a rogue website from a compromised site. JavaScript code was used to load a Java-applet which exploited a vulnerability (since patched).

The thing that surprised many of us was the scale of the botnet.

Mikko Hypponen, Chief Research Officer at F-Secure, put it very well when he said that, proportionally, the Flashback Trojan was as widespread amongst Macs as the notorious Conficker worm had been amongst Windows-based PCs.

The attack has left a lingering question: how secure are Apple Macs?

Apple has traditionally marketed its systems as being more secure than those running Microsoft Windows, but how true is that?

Mac OS, the Apple Mac operating system, is based upon the Berkley Software Distribution (BSD) of Unix, surrounded by a nice graphical user interface.

If you began your career using Unix, as I did, one of the things you come to value is that Unix (and hence Mac OS) has always had a security model built into the operating system.

That was not always the case for Windows as it was originally based upon MS-DOS. The concept of Read, Write and Execute for various executables and data, as implemented in Unix, is simple to understand and has stood Unix systems in good stead for many years.

Unix has other simple features, such as storing executable code and data in separate folders. When you install a program in Unix, you typically predict which folders the executables and data will reside. The corollary of this is that it is easy to completely remove an installation.

Anyone who has installed software onto a Windows platform knows that the installed components can be placed in a wide variety of folders, the obscurity of which mean that if you were ever to attempt to unpick the installation manually you’d inevitably end up with some unwanted pieces of code on your machine.

For Windows, this has spawned a whole host of tools for the uninstall and clean-up process.

So, Mac OS “feels” like it should be more secure. But is it in fact just tidier?

Fundamentally, there is no reason why Macs should not be targeted using malware in the same way that viruses, Trojans and worms are built to target Windows systems.

You might run, for example, a piece of JavaScript that steals credentials, or a keylogger, without necessarily attacking the operating system. Likewise, you might exploit a vulnerability in a third party application, as happened recently when a backdoor Trojan embedded inside boobytrapped Word documents successfully ran on Macs.

Ten years ago, when Windows gained a bad reputation for security, Microsoft responded by introducing its Trustworthy Computing Initiative. A security model had previously existed but it wasn't until XP, where objects were given Security IDs and allowed actions were enabled in a way similar to Unix, that a model existed that had the same value as that in Unix. However, Microsoft took a long look at the threat and made a conscious effort to evolve their operating systems to counter it.

Initially, one of the biggest threats was considered by Microsoft to be buffer overflow. This is where regions of computer memory that should not be used for executing code are misused by rogue software.


As well as preventing developers inadvertently building this into their applications by adding safeguards to the compilers, Microsoft also introduced memory protection mechanisms within their operating systems.

For example, since Vista was introduced in 2007, Windows has had address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.

Mac OS acquired ASLR in late 2007 (Mac OS X v10.5, aka "Leopard"). Unfortunately, Apple’s implementation is not as advanced as that in Windows, and hence it does not provide the same degree of protection.

Apple said it planned to improve items such as ASLR in its next release of Mac OS, but some five years later we are still waiting.


I think what all of this exemplifies is two populations of users (Mac OS and Windows) that have developed very different attitudes to security.

Those using Windows have been aware for a long time that their systems have vulnerabilities, and so they are much more likely to use some form of protection such as anti-virus software. Windows users also typically update their software when an update is released by Microsoft; they know updates mean that vulnerabilities may have been found, and it is safer to update than be exposed.

Those using Mac OS have, perhaps, been lulled into a false sense of security. Mac OS users think their systems are somehow inherently “secure” and hence they are less likely to update as frequently as Windows users, or to use tools such as anti-virus software.

A Mac OS user is less likely to be attacked than a Windows user, but that is nothing to do with the level of vulnerability in the operating system. It has everything to do with the fact that over 80% of the personal computers in use run the Microsoft Windows operating system.

Those building malware would rather attack the vast majority of the users. They get a bigger bang for their buck, to borrow a phrase from the military.

What is now catching up with Mac OS users is that their platform of choice is now becoming popular enough to be considered worthy of hackers’ efforts. With the last three years seeing a growth in Mac OS malware in excess of 200%, Mac OS users need to start adopting a different mindset or they will be caught out.

Mac OS users may be "safer" than Windows users, simply because they have fewer attacks focussed on their systems, but they are not more "secure".

Apple has its part to play by releasing updates rapidly in response to known vulnerabilities, and users need to make sure they implement those updates as well as installing security software to protect against the coming threat.

Now is the time to prepare, rather than try to react, when the inevitable onslaught begins.

Professor Alan Woodward is a visiting professor at the University of Surrey's department of computing and a writer for the Sophos Naked Security blog. 

More from Business Spectator