Mac OSX vs. Microsoft XP
First Published: X-Force Monthly Magazine

Not less than two years ago, Microsoft found itself fully engaged in combating accusations that Windows was less secure than Linux. After several detailed analytical studies relating to vulnerabilities, out-of-the-box configurations, default services and security patch responses, the end verdict for most observers was a confused draw. The security and integrity of both operating systems (OS) were tied directly to the skills and awareness of the end-user and the myriad applications he may install or use on a daily basis.

So, having ridden the wave at least once this decade, Microsoft Windows now finds itself facing a new antagonist — Apple and its Mac OSX.

You may have seen the new TV and magazine advertising campaign that describes how much better Macs are than Microsoft Windows (visit to see the TV ads). A couple of these advertisements address system security, in particular out-of-the-box configuration and the proliferation of Windows viruses (referencing 114,000 viruses in 2005). Simultaneously, several independent security vendors have published their own analyses and have advised users that they may be more secure using Apple computers running OSX.

For the most part, this advice has been based upon the worldwide proliferation of viruses. Indeed, there are literally hundreds of thousands of viruses and malware that target Microsoft Windows systems and, until February this year, there were no viruses specifically targeting Apple’s Mac OSX.

This fact is highly surprising to many security professionals. In the late 1980s, the situation was completely reversed; Apple Macintoshes were commonly associated with viruses, while viruses were not a problem for PCs. Although there have been a couple of hundred macro viruses that affect Microsoft Office on both OSX and Windows, OSX.Leap.A was the first virus that only affected OSX.


OSX.Leap.A was an instant messaging worm that propagated via iChat by sending a compressed file labeled as “latestpics.tgz” (which contained a hidden payload disguised as a JPEG image file) to the infected user’s buddy list. Since February there have been many more viruses targeting OSX.

With this in mind, it is important that users be reminded that not having had a virus is definitely NOT the same as being immune to viruses. From an X-Force perspective, advice from some signature antivirus vendors to switch to OS X echoes the immortal words of Homer Simpson (in the episode “Oh Brother, Where Art Thou?”), “You know that little ball you put on your antenna so you can find your car in a parking lot? That should be on every car!”

Why is Mac OSX so secure?

A question commonly asked of X-Force is, “Why is Mac OSX more secure than Windows?” The simple fact of the matter is, it is not. OSX has a long development history and has incorporated ideas for service design from several *NIX variants (such as OPENSTEP, NetBSD, FreeBSD, etc.). This history, coupled with the strong emphasis on graphical user experience, means that OSX suffers from many common *NIX application frailties in addition to less rigorous access controls.

Since its first public appearance as a server operating system in 1999, OSX has suffered from vulnerabilities common to its *NIX heritage plus those associated with Apple’s custom software additions that ship with the operating system. As is typical with *NIX-based operating systems, it is difficult to precisely track the number of security vulnerabilities that have affected OSX since its first public release. Many analysts have argued, and continue to argue, over whether the OSX vulnerability count is better or worse than that of any other popular *NIX operating system.

The question for many organizations that could contemplate a migration to OSX is, “How does it compare to Microsoft Windows?”

X-Force security analysts have investigated every disclosed vulnerability within both operating systems and have found Apple’s Mac OSX to have more vulnerabilities on a like-for-like basis than Microsoft Windows.

To create a level playing field, X-Force compared the desktop variant of Mac OSX 10.x with Microsoft’s XP desktop operating system. This analysis included vulnerabilities associated with the base operating system and software installed by default as part of a standard installation. In addition, X-Force security analysts focused upon vulnerabilities from the beginning of 2004 onwards — a period in which both operating systems can be said to have matured into “stable” products, with any low-hanging-fruit vulnerabilities already discovered and consequently fixed.

Our analysis revealed that the total numbers of vulnerabilities associated with the two desktop operating systems were very similar, with OSX actually suffering 13 percent more vulnerabilities than Windows XP. For much of the last 2½ years, the rate at which vulnerabilities were discovered for both operating systems was very similar even though there was little correlation between the individual vulnerabilities discovered on a monthly basis. It is only since February of this year that the total number of OSX vulnerabilities has overtaken the number discovered in Windows XP.

The question that then begs an answer is, “If OSX has more vulnerabilities than Windows XP, and is generally less secure, why are there so few viruses or people attacking it?” In answer, it is important to understand that while OSX is certainly one of the most popular *NIX desktop operating systems, Apple’s share of the worldwide PC market is tiny — verging on insignificant (2.2% in 2005 [1]).

When it comes to system security, there are typically two key drivers for people wanting to create viruses or malware — commercial gain and kudos. From the commercial gain perspective, it does not really matter what the operating system is; it will still take roughly the same amount of development effort (and legal risk) to create a virus or malware, and the return on investment for targeting OSX installations is simply too little when compared to a popular operating system such as Microsoft Windows. However, this may change over the next few years as OSX proliferation is expected to increase with the adoption of Intel processors within Apple’s product range.

From a kudos perspective, the emphasis is largely upon infecting the greatest number of machines in the shortest period of time. Building up a massive botnet (and retaining control of it) achieves a lot of underground kudos (as well as revenue opportunities). Again, the effort to develop technologies focused on OSX just does not provide an economical return — at the moment. The only real exceptions are kudos associated with doing something first (e.g., writing the first OSX worm) or the possibility of achieving a lot of media attention.

This latter point about media attention is likely to be a key influencer motivating attackers to target OSX throughout the remainder of this year. Much like Oracle’s “Unbreakable” marketing strategy from a couple of years ago, the new Apple advertising campaign harping on viruses and out-of-the-box configuration can be seen as a call to arms for those who wish to establish a reputation for having proven Apple wrong.

So, for those organizations considering a move to a “more secure” OSX environment, would you like to buy a little ball for your car antenna?

[1] “Low market share is badge of honor, as far as Mac faithful are concerned,” Mike Langberg,

    Copyright 2001-2007 © Gunter Ollmann