title:

OSX, beginning to attract the wrong kind of attention

By Scott Bradner

Recently there has been a growth industry in pundits whining about the security of the Apple Macintosh OSX operating system. To read some of the coverage OSX one would think that someone deciding to use OSX instead of Windows would have to be dumber than a fence post. Methinks that the security worries are rather misplaced and may be the result of hyperventilating non-technical reporters and some gloating on the part of Windows users.

One would have to be dumber than a fence post to assert that any set of software as complex as a computer operating system and all of its application programs could ever be totally secure. Programs are created by programmers, most of whom are human, and therefore unlikely to generate perfect bug-free code. Bugs in software design or implementation are what lead to security vulnerabilities. For example, security researcher and Columbia professor Steve Bellovin has said that most security problems are caused by buggy software. (http://www.cs.columbia.edu/~smb/papers/acm-predict.pdf) Thus anyone who has ever said that Mac OSX is bug free and, because of that, will not have any security vulnerabilities was smoking some strong herbs.

But, that said, there is no reason to think that most of OSX should be as subject to vulnerabilities as is most of Windows. Most of OSX, including most of the more than 1,000 Unix applications that are included, are from open source BSD Unix and gnu (http://www.gnu.org/), both of which have been beat up on by researchers and hackers for many years (and fixed when problems have been found). This process is more likely to secure code than any private corporate process, such as Microsoft uses, where the code has had nowhere near as many eyes reviewing it. Sometimes public access to source code means that a hacker finds something to exploit but it also means that exploits can be quickly fixed. The non-public parts of OSX, including Apple's own applications, should generally have the same level of buggy code as most of Windows does -- Apple programmers are not intrinsically better than programmers working elsewhere.

Why the increased buzz about OSX security? (Note that even though the buzz has increased it is still a whisper compared to discussions about Windows security -- Google News gets 64 hits for OSX + security and 7,300 hits for Windows + security.) I expect a major reason is that there is a lot of buzz about OSX and Apple these days and that too many reporters feel that just writing about good news is not good for their careers so they feel they have to come up with something to complain about. The buzz has also excited the hacker community to try to tarnish the Apple image. There have been a few actual OSX attacks found 'in the wild' (actually being used rather than just a security expert exercise) but not many - last I read there were less than 5, compared to many thousands for Windows (even if many were exploiting the same underlying vulnerabilities.

OSX is not going to be vulnerability free but I do expect it to have significantly fewer vulnerabilities than Windows shown. That does not mean that OSX users can ignore security -- at the very least enable the built-in personal firewall -- but it does mean that one should not stay with Windows because you think you will be safer.

disclaimer: Harvard is not twit free but you should draw any conclusions about the quality of Harvard's education from that factoid, in any case the above Apple review is mine not the university's.