This story appeared on Network World at http://www.networkworld.com/columnists/2006/050106bradner.html
Mac OS X gets wrong kind of attention
'Net Insider
By Scott Bradner, Network World, 05/01/06
Recently there has been a growth
industry in pundits whining about the security of the Apple Mac OS X operating
system. To read some of the coverage, you would think someone deciding to use OS
X instead of Windows would have to be dumber than a fence post. Methinks the
security worries are rather misplaced and may be the result of
hyperventilating, nontechnical reporters and some gloating on the part of
Windows users.
One would have to be dumber than a
fence post to assert any set of software as complex as a computer operating
system and all of its application programs could ever be totally secure.
Programs are created by programmers, most of whom are human and therefore
unlikely to generate perfect, bug-free code. Bugs in software design or implementation
are what lead to security vulnerabilities.
Security researcher and Columbia
professor Steve Bellovin has said most security problems are caused by buggy
software. Anyone who has ever said Mac OS X is bug-free and because of that
will not have any security vulnerabilities was smoking some strong herbs.
But that said, there is no reason
to think most of OS X should be as subject to vulnerabilities as is most of
Windows. Most of OS X, including most of its more than 1,000 Unix applications,
is from open source BSD Unix and the GNU Project, both of which have been
beaten on by researchers and hackers for years (and fixed when problems have
been found). This process is more likely to result in secure code than any
private, corporate process such as Microsoft uses, where the code has had
nowhere near as many eyes reviewing it.
Sometimes public access to source
code means a hacker finds something to exploit. It also means exploits can be
quickly fixed. The nonpublic parts of OS X, including Apple's own applications,
generally should have the same level of buggy code as most of Windows - Apple
programmers are not intrinsically better than programmers working elsewhere.
Then why the increased buzz about
OS X security? (Note that even though the buzz has increased, it is still a
whisper compared with discussions about Windows security: A search on Google
News, for example, returns 64 hits for OSX + security and 7,300 hits for
Windows + security.)
I expect a major reason is there
is a lot of buzz about OS X and Apple these days; too many reporters feel just
writing about good news is not good for their careers, so they feel they have
to come up with something to complain about.
The buzz also has excited the
hacker community to try to tarnish the Apple image. There have been a few
actual OS X attacks found in the wild (that is, the software is being used, not
just a security-expert exercise) but not many. Last I read, there were fewer
than five, compared with many thousands for Windows (even if many were
exploiting the same underlying vulnerabilities).
OS X is not going to be
vulnerability-free, but I do expect it to show significantly fewer
vulnerabilities than Windows has. That does not mean OS X users can ignore
security - at the very least, enable the built-in personal firewall - but it
does mean you should not stay with Windows because you think it will be safer.
Disclaimer: Harvard is not
twit-free, but you should not draw any conclusions about the quality of the
school's education from that factoid. In any case, the above Apple review is
mine, not the university's.
All contents copyright 1995-2006
Network World, Inc. http://www.networkworld.com