Despite Vulnerabilities, Apple's Mac OS X Weathers The Security Storm

Security pros say the Mac platform isn't a high-risk operating system and is more secure than Microsoft's Windows XP.
While an increasing number of bugs have been found in Apple's Mac OS X operating system, security researchers say it isn't a high security risk and it's still more secure than Windows XP.

Is it more secure than Windows Vista? The jury is still out on that one.

"Vulnerabilities just don't equal attacks," said Craig Schmugar, a threat researcher at McAfee, in an interview. "Some people are saying the Mac is less secure than Windows because there have been more vulnerabilities in it than in Windows, but there are far fewer attacks reported on Mac OS X than Windows."

The Mac has long been thought of as a bastion of security in an insecure Windows world. Apple has taken full advantage of that image over the years, doing a lot of fist waving and joke making at Microsoft's expense. Some of that security bravado might have turned on them, though, noted Schmugar.

"Apple enthusiasts are always touting their security, challenging researchers to look for bugs there," he said. "Recently, the Mac ads may be playing a role in making people go looking for flaws. They seem to be bragging a little more than they should."

Last summer's Month of Apple Bugs project also shined the spotlight on the Mac's code and brought new bugs to light. The increase in the number of Mac bugs found, along with a lag in getting some of them patched, started to give the Mac a bad rep.

Last year, McAfee reported that the discovery of vulnerabilities in the Macintosh platform increased by 228% in the past three years, from 45 found in 2003 to 143 in 2005. In the same period, Windows had a 73% increase.

And more recently, Symantec's Internet Security Threat Report, which was released in March and covers the six months from July to January, showed that Mac OS X actually was lagging behind Windows XP when it came to issuing fixes. According to the report, Apple took an average of 66 days to patch vulnerabilities, while operating system rival Microsoft took an average of three weeks. Apple's patch response had slowed down from the previous six months when it took the company an average of 37 days.

While Apple's numbers may not be what they were, it doesn't mean the Mac suddenly has become a risky operating system, according to Johannes Ullrich, chief research officer at the SANS Institute and CTO for the Internet Storm Center.

"It's still safer, but not as safe as Apple pretends it is," Ullrich said in an interview. "Some features, like the firewall, aren't all that great. But, yes, it's still pretty safe."

Paul Henry, VP of Secure Computing and a recent Mac convert, said it's all a matter of scale. The cyber bad guys target the richest market, and that's not the Mac platform. So even though there have been Mac bugs out there, very few malware writers are targeting them.

"People who write malware tend to write malware to infect the greatest number of people they can," Henry said in an interview. "Are you going to write something that gets the majority of the installed base or something that will hit less than 10% of the user base? I still think the Mac is safer than Windows. It has a reduced threat environment. If over the next year, the Mac gains 50% market share, it would become a much more attractive target, but it's not going to happen. It just won't grow that quickly."

Marius van Oers, a virus research engineer at McAfee, posted a blog last week that showed there are more than 236,000 pieces of malware "in the wild." The vast majority are aimed at the Windows environment. Only about 700 are meant for the various Unix/Linux distributions, van Oers wrote. How many are for the Mac OS X platform? Seven or less, he said, calling the threat "pretty much non-existent at the moment."

For older builds of the Mac OS, there are 69 known malicious items, with an additional eight items for Mac HC that used hypercard script extensions, which had to be manually installed as an add-on package, said van Oers.

"Nowadays, malware writers do not go for massive attacks but tend to focus on targeted attacks," he wrote. "It is clear that OS X malware is not taking off yet. With an estimated OS X market share of about 5 % on the desktop systems, one would expect to see more malware for OS X."

The threat landscape could change if the Mac picks up substantial market share, Schmugar said, but for the foreseeable future he thinks the malware writers will continue to pound Windows. "Attackers seek a large installed base and there are so many vulnerabilities to be exploited [on Windows], they haven't had to turn to the Mac for extra victims," he said.

Schmugar, Henry, and Ullrich all say it's too early to compare the Mac's security to Vista. Enough simply isn't know about Microsoft's new operating system at this point, but that won't last long.

"From an attacker's perspective, there's a greater interest in Vista," said Schmugar. "More attackers will try to poke holes in Vista than in Mac OS X just because it's Windows."