MacShrine

Well, its out. Mac OS X is no longer malware-proof. The two recent issues found in Apple’s latest operating system - the trojan found last week and the Safari exploit found today have come as quite a shock to the Mac community.

Of course, the forums and countless blogs around the world are alight with the ‘I told you so’ crowd taking their cheap-shot at the Mac fanatics who had been preaching of their Nirvana-like virus-free operating system. This will bring them down a peg or two, granted, but the real question that will come to light when the dust settles and the slur campaigns have run their course is whether or not Mac OS X is actually any more secure than Windows.

Of the three main desktop operating systems, Windows, Mac OS X and Linux (in all its flavours), Linux must arguably come out as the most secure. It hasn’t had the greatest amount of exposure in the desktop domain (it’s mainly used in the computer server arena to run web sites, email servers, and other IT services businesses need to function), but has always had a good track record. Its the most mature operating system of the three (its been around the longest, has had the most revisions, and has more eyes looking over every part of it than any other) and already has a heritage of a secure computing platform.

Windows is Windows. It seems that every day there is another new security flaw or critical exploit announced, and we must all keep a twenty-four hour vigil on our Windows Update program to make sure we’re running the absolute most up-to-date version available. Not to mention the endless headaches of virus scanners and firewalls that must be routinely used. Its a sad fact, but most computer users today see virus scanners and firewalls and software patching as just another part of the computing experience - the price they must pay to be able to type up their documents, send their email and buy stuff on eBay.

The really odd case here is Mac OS X…

You see, the thing is, Mac OS X is this kind of weird cousin hybrid operating system: a Frankenstein’s monster of a platform constructed from the ripped-out bits of other OSs and bolted together to make something that works. The truth of the matter is that Apple’s solution is actually quite an elegantly blended mix of Unix (think really old Linux) back end for all the hard-core hairy tasks a computer must be able to do (talking to hard drives, printers, monitors, managing memory, multitasking, etc…) and Apple’s own concoction of a user interface layered over the top.

So, there are some plain facts that need to be considered when we wonder how secure OS X really is. First of all, it is highly unlikely that there is going to be a problem with any of the Unix underpinnings of OS X. This code is so old that it has been looked over by so many eyes in the past and all the security flaws have been seen years ago and fixed. Sure, the very odd one gets through, but Apple is in a perfect position to quickly pick up the fix the open-source community make to the broken bit of Unix, and mix it up into a Software Update for us to download.

The most dangerous part of Mac OS X is the software that Apple themselves write, and this is where the two security vulnerabilities highlighted recently have come about. The latest, and greatest, is a flaw in Apple’s own web browser that could effectively run dangerous code if a user were to click a link in a web page using Safari.

Both issues that have manifest on OS X require the user to do something - in the first case, the user had to actually double-click and open a file that was downloaded (and agree to a safety warning). In the second case, the trigger was as simple as a link on a web page. It will always be possible for malware writers to create code that does bad things when the user is the one who runs the bad code. I could send you code right now that could wipe your hard drive in one go, but you would have to double-click to run it and maybe even type your admin password before the bad stuff will happen. There very little Apple can do to prevent this either, as you’re telling OS X to run the code yourself. The only way to prevent this type of malware is user education and being careful what you run.

However, the most dangerous malware on any platform is code that can run either by itself (by the user’s computer simply being on the Internet) or executed very easily when a user does a common task, like click a web link or open an email attachment. In in this area that Apple score highly. Firstly, they have the accumulated experience of the open source community who write the core Unix-based components and have already found these holes. For the rest of the code, it is up to Apple to discover them, fix them quickly, and then have a very effective way of patching and updating a computer. Microsoft, in this regard, are already way ahead of Apple, as they have had to develop a comprehensive answer to the deluge of issues. But Apple have the benefit of watching Microsoft from the sidelines - when it comes to Apple’s turn to ratchet up the level of patching and security hole plugging, they can give Microsoft a taste of their own medicine and steal (lovingly recreate?) the best patching model Microsoft have and implement it right in OS X. Let Windows beta-test the best way of doing it, and then steal all their best ideas.

Mac users are living in a world of security by obscurity - our small market share means that we’re small fish compared to the millions of unsecured Windows boxes out there on the Internet. However, if the tide continues to rise and market share continues to increase, we’ll become a tastier target. What we have - and what we share with the Linux crowd - is a lot of eyes looking at a lot of the code that makes up our operating systems. And for the rest of the code, it is entirely down to Apple.

At the end of the day, the security of Mac OS X compared to Windows comes down to how good the software vendors are at creating well-written software, and how much of a target the average computer presents. There is a huge chunk of already solid and secure code in Mac OS X and for the rest that Apple take care of - we have to put our computers’ fates in their hands. Compare the kind of software you see Microsoft creating on the average Windows box (the bloat that is Office, the crumbling ‘Outlook Excuse’, Internet Explorer), to the software Apple create for the average OS X box (iPhoto, iTunes, Mail, iChat AV, Pages) and now tell me who you think creates the best code?

Who would you rather have looking after the code that runs your computer?

I think I’ll stick to OS X for now, thanks.

© Copyright Craig Pugsley 2006
Published by MacShrine with permission

Craig Pugsley is a new addition to the team. He will be providing a new article every Wednesday for you folks!