Platform Popularity - Security in Obscurity?
First Published: X-Force Monthly Magazine

For several years there has been mudslinging between the various proponents of the Microsoft Windows and Linux operating systems pertaining to the security of their favorite operating system. Many professionals have joined the fray, but the final verdict for most users has been a confused draw. In the end, the security (and integrity) of both operating systems (OS) is tied directly to the skills and awareness of the end-user and the myriad of applications he may install or use on a daily basis.

Now, in a replay of these past heated debates, one of the younger contenders in the *NIX operating system world has joined in as well. Microsoft Windows now finds itself facing a new antagonist – Apple and their Mac OSX.

You may have seen the new TV and magazine advertising campaign that describes how much better Macs are than Microsoft Windows (visit to see the TV ads). A couple of these advertisements address system security, in particular out-of-the-box configuration and the proliferation of Windows viruses (referencing 114,000 viruses in 2005).

Simultaneously, several independent security vendors have published their own analysis and have advised users that they may be more secure using Apple computers running OSX.

For the most part this advice has been based upon the worldwide proliferation of viruses.  Indeed, there are literally hundreds of thousands of viruses and malware that target Microsoft Windows systems and, until February this year, there had been no viruses specifically targeting Apple’s Mac OSX – which was highly surprising to many security professionals.  But it is important to note that not having had a virus is not the same as being immune to a virus.

From a professional penetration testing perspective, the Apple Mac makes for a great pentesting platform.  You can install and configure all your favorite Linux or BSD tools, and at the same time have a lovely interface that allows you to run those important corporate applications (such as Microsoft Word) for writing up those reports for the client.  Doing all this on a single host without having to run various virtual machines adversely affecting performance is a large reason why many security professionals have adopted OSX as part of their pentesting equipment.

However, these very same pentesters are the first to point out that OSX is no more secure than any other operating system – in fact it has been subjected to much less public security scrutiny than many of the more popular operating systems, and many feel that the time is drawing near in which a great glut of new security vulnerabilities will be released. Apple’s new advertising campaign isn’t likely to help this – in fact it’s likely to have the opposite effect – and many people have drawn a comparison with Oracle’s “Unbreakable” advertising of a few years ago.

In the past, the probability of encountering a host running OSX was pretty remote unless you were penetration testing a media organization, in which case you would discover a scattering of high-end graphic-design workstations. Nowadays chic-looking Mac notebooks are popular with the younger management of many organizations and represent a soft target for both pentester and hacker alike as they search for more access credentials and jump points further into the network.

Mac OSX has proven to be an easy compromise within corporate networks due to a mix of poor user security awareness and the increasing volume of newly discovered vulnerabilities.  Since the first virus for OSX was released, there has been a jump in new vulnerabilities each month.  Many people are surprised to learn that vulnerabilities within a standard install of Mac OSX have outpaced those in Microsoft Windows XP by a considerable amount – a trend that is likely to continue for the near future as independent security researchers strive to prove the recent advertising wrong.

In the world of security research it often pays to be a small guy – security through obscurity could have worked to Apple’s advantage. Unfortunately, popularity and media visibility are key incentives for many up-and-coming security researchers to go bug hunting.
    Copyright 2001-2007 © Gunter Ollmann