Contest winner: Vista more secure than Mac OS

Dino Dai Zovi, the New York-based security researcher who took home $10,000 in a highly-publicized MacBook Pro hijack on April 20, has been at the center of a week's worth of controversy about the security of Apple's operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and what operating system — Windows Vista or Mac OS X — is the sturdiest when it comes to security.

From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
"I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft's Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies."

Full interview at source.

News source: MacWorld

61 Comments

>_< Why do people have to be so hateful... The minority known as Apple fanboys doesn't represent the majority of Mac users. OK, this guy says Vista is more secure, so what? Most Mac users don't go around saying "Macs are more secure than Windows HAHAHA!" either.

I hate this... Every time there is an Apple-related news article on Neowin, the general response is almost always either
a) OOOH! Apple got OWNED!
or
b) Pfft, yet another piece of bull**** Apple / Apple fanboys have come up with.

Seriously, wtf? Modern computers are all secure enough in general for the sensible user, quit with the flame war.

wctaiwan

I like how nobody was able to break into the MacBook when it had no programs running.

Imagine a contest to break into a panic room; after everyone participating in the challenge fails to break in, they're given telephone access to the person inside the room so they can talk them into opening the door from the inside to let them in. Is that a security compromise of the panic room, or a social exploit?

To win the first Mac, a cracker had to break in and "follow the instructions in the home of the default user." To win the second Mac, contestants needed to "follow the instructions in the filesystem root." Had both Macs been given away, this would have been a real exploit. After not being able to directly break into even the user realm, the contest dropped the bar to allow users to send URLs to the contest manager, who put them on a server and set the two MacBook Pros to automatically visit a website and 'click on' the submitted URLs.

Reenacted by Jodie Foster, it might have gone like this:
"Hello inside the panic room! It’s safe to come out now!"
Door opens.
"Ah hah! We broke in!"

Nobody could gain root privileges on the Mac despite the $10 000 prize (and the laptop), even though there are many hundreds of known vectors for doing just that on Windows PCs. Were an attacker to use a Windows-like exploit to try installing software via a browser link, or through a malware graphic attempting to run arbitrary code simply as a user simply visited a booby-trapped website, Mac OS X would throw up an authentication dialog telling the user to sign in for the software that was being installed.

thenewbf said,
Nobody could gain root privileges on the Mac despite the $10 000 prize (and the laptop), even though there are many hundreds of known vectors for doing just that on Windows PCs. Were an attacker to use a Windows-like exploit to try installing software via a browser link, or through a malware graphic attempting to run arbitrary code simply as a user simply visited a booby-trapped website, Mac OS X would throw up an authentication dialog telling the user to sign in for the software that was being installed.

Hundreds of ways to do that on a Windows PC?

http://secunia.com/product/13223/ for Vista - currently 8 vulnerabilities (2 unpatched) with the most severe unpatched being rated "Not Critical"

http://secunia.com/product/96/ for Mac OSX - currently 101 vulnerabilities (5 unpatched) with the most severe unpatched being rated "Less Critical"

I think Vista wins this round; 3 less unpatched vulnerabilities and 93 less overall vulnerabilities.

I don't get it, is this supposed to be good news for Vista users, and bad news for Mac users? I don't think so...

Of course Vista HAS to be more secure because of the huge userbase, otherwise it would be a complete disaster.

But that doesn't take away the fact that using a mac is still far more secure than using a Windows-based computer. So as long as the mac userbase remains low, mac users will be fine.

"So as long as the mac userbase remains low, mac users will be fine."

In other words, Mac OS X isn't secure if too many people use it whereas Windows is because so many people use it? Did you even read the article?

C_Guy said,
"So as long as the mac userbase remains low, mac users will be fine."

In other words, Mac OS X isn't secure if too many people use it whereas Windows is because so many people use it? Did you even read the article?

The guy thinks that the amount of security vulnerabilities, which would include viruses and worms, is directly proportional to the market share you have. That's absurd and shows me he has nothing to back up his statement. Previous incarnations of the Mac OS were vulnerable to many viruses, with a smaller market share than OS X has now.

Oh my gosh! You mean that a company which actually put effort into security has a more secure OS than one that has simply coasted by on obscurity all this time?
Amazing.
As much as Apple has screwed the Darwin project over the years I can't imagine why they wouldn't be all gung-ho to help out with security issues.

It's about time somebody recognized...

Here's a theory - Mac code actually isn't more secure, but there are a heck of a lot more haters out there that want to hack windows. We'll call it a brute force attack, if all the devious people hate "The Man" (Gates) and they put their collective efforts behind hacking his stuff, then of course they are going to get in.

Windows users don't have to sit around worrying about whether they can hack in to somebody's Mac, cause the fact is that there just aren't that many out there in the real world. The world where people need to do more with their computer than make cool home videos with the dorky high school dude from "Ed." I sort of like the guy's stuff, until he decided to join the blissfully ignorant. Mac fans are just like their commercials - bad politics. Talk about what your crap can do on its own - not your biased opinion of how you think you can convince the masses that your stuff can actually do something that the other guy's can't do.

Dang, I sat down at my computer last night (just a lonely streamlined XP box ) and I was determined to make a home movie. Wull, golly... i were surprised to fin out that a windows puter caint make no movies. Read dripping with sarcasm (if it wasn't obvious).

~*What U Know About That~* said,

Use both. Let Apple & Microsoft keep pushing to make their products more secure, in the end we're the ones who benefit.


Pretty much what I'm thinking.

Let's hear it from the other Mac users (of which I'm one) - 'Waaahhhhh, no, it's impossible. This guy must be a total **** and knows nothing compared to me 'n Steve!!!'

Well I suppose that's good news since I'm using Vista and some of its security settings can get annoying, still, isn't a new Mac OS supposed to be released by the end of this year?

=NickJ= said,
thankfully I don't either on my PC, it's a cunning combination of Firefox and not being a retard :rolleyes:

+ 1

=NickJ= said,
thankfully I don't either on my PC, it's a cunning combination of Firefox and not being a retard :rolleyes:

+ 2

=NickJ= said,
thankfully I don't either on my PC, it's a cunning combination of Firefox and not being a retard :rolleyes:

+3

I too don't use spyware/adware protection, just use Firefox. I do scan for it every now and then but haven't found any since Firefox (maybe 1)

and the only time I have gotten a virus, it was from downloading questionable content off of questionable sites

Wow, can you believe I've never had a virus or spyware on my PC either. I use IE and still never got any spyware, despite all the FUD that spreads about it.

Using a mac does not make you immune if the person behind the keyboard is a retard and will open obviously dangerous files.

Apple comes across to me as an expensive car dealer that tries to claim that by driving their car, you'll never have any accidents, so seatbelts and airbags don't take up room in your iCar like every other vehicle on the roads.

=NickJ= said,
thankfully I don't either on my PC, it's a cunning combination of Firefox and not being a retard :rolleyes:

+6

This...well, this should be interesting. I've always thought that us Mac folks have been marketed into a false sense of security. It's really not a big surprise. Not that I use Macs solely due to those claims. -shrug-

Software has flaws. Honestly, Microsoft has FAR more experience with security. They've actually run into thousands of problems that needed solving. It's honestly not very surprising that they would have far more mature security development.

Apple is negatively arrogant. What can I say? Marketing is marketing is marketing. Get over it! :D

It still doesn't mean what they say is false. It just could easily be made untrue by a larger market share, which everyone has talked about. Then again, a closed system makes the potential for fixes far faster and easier. If they ever grab a big enough piece, the real test is how they respond.

It's good to get a good punch in the face, every so often.

You talk a lot of sense (not just slagging off the other OS I mean) for a Mac user. I'm glad, all these children make us Mac users look bad. I use both Mac and Vista but mostly Windows

I thought copies were supposed to be worse quality than the original.
I guess Microsoft is using a magical copy machine.

Vista = Development for 5+ Years
OSX = On computers / Sale for 6+years

Vista is newer code, so it should be more secure, but on the other foot, OSX has been out in the market for longer than Vista has been in development, and still has less security holes ( Vista / XP or combined )

Hell-In-A-Handbasket said,
Vista = Development for 5+ Years
OSX = On computers / Sale for 6+years

Vista is newer code, so it should be more secure, but on the other foot, OSX has been out in the market for longer than Vista has been in development, and still has less security holes ( Vista / XP or combined )

And do you have Macboy written across your forehead too?

Point being is that Apple users need to shut their mouths as they have been put in their place. Vista is newer code so it should be more secure? That makes no sense whatsoever in the computing industry, at least not at the software level. Newer code does not equal and never has equated to "more secure". It's clear MS has stepped up their security levels and newer technology has resulted in more secure, that I will agree with.

The news story brings out a good point: fishing. This proves once again that because Windows has a substantially larger market share, of course more vulnerabilities will be found and exploited compared to OSX. If there's 10,000 fish in the lake and MS owns 9900 of them, the chances someone will catch one of those fish is substantially greater than catching one of the 100 other.

Enough said.

It's really more about the here and now. Having to patch hundreds of vulnerabilities, Microsoft has learned a thing or two about how to write secure code. So right here, right now, Vista is more prepared than OSX to handle vulnerabilities according to this article, regardless of development time.

lol, Put in our Place, lol (I'm writing this on a Windows Box btw, not a Mac)

How have we been put in our place? Apparently you didn't read how this "Hack" came about or how the contest had to be altered due to nobody at the competition being able to hack the OS, and the hack came from somebody not at the competition, it was emailed to him

Primetime2006 said,
And do you have Macboy written across your forehead too?

Point being is that Apple users need to shut their mouths as they have been put in their place. Vista is newer code so it should be more secure? That makes no sense whatsoever in the computing industry, at least not at the software level. Newer code does not equal and never has equated to "more secure". It's clear MS has stepped up their security levels and newer technology has resulted in more secure, that I will agree with.

The news story brings out a good point: fishing. This proves once again that because Windows has a substantially larger market share, of course more vulnerabilities will be found and exploited compared to OSX. If there's 10,000 fish in the lake and MS owns 9900 of them, the chances someone will catch one of those fish is substantially greater than catching one of the 100 other.

Enough said.

Hell-In-A-Handbasket said,
OSX has been out in the market for longer than Vista has been in development, and still has less security holes

Not true. Secunia lists 101 OSX vulnerabilities in 53 months, or an average around ~2 per month.

http://secunia.com/product/96/?task=statistics

On the other hand, Vista has just 8 vulnerabilities in the last 6 months (Vista was released in November), which works out to around ~1.3 per month.

http://secunia.com/product/13223/?task=statistics

So Vista's doing pretty good as far as I can tell.

Hell-In-A-Handbasket said,
OSX = On computers / Sale for 6+years

Actually a lot of code has changed since 10.0, 10.4 came out 2 years ago as one of the largest releases up to that point.

Somewhere I read that number was higher on the Vista side, but forget where so can't quote,

but agreed Vista is doing pretty good so far, can't wait to see what number Vista will be kicking in 53 months, but OSX is still more secure (IMO), mainly due to underlying structure, same as Linux compared to Windows

OSX>Windows
Linux>Windows


aaaaa0 said,

Not true. Secunia lists 101 OSX vulnerabilities in 53 months, or an average around ~2 per month.

http://secunia.com/product/96/?task=statistics

On the other hand, Vista has just 8 vulnerabilities in the last 6 months (Vista was released in November), which works out to around ~1.3 per month.

http://secunia.com/product/13223/?task=statistics

So Vista's doing pretty good as far as I can tell.

I'm pretty sure that whole "Mac uses Unix so it must be more secure" argument is being chipped away at by Windows as we speak.

Hell-In-A-Handbasket said,
Somewhere I read that number was higher on the Vista side, but forget where so can't quote,

You can't quote it, because it's wrong. There have been a surprisingly small number of security vulnerabilities discovered in Vista, only one or two of note, and even then, one of them only worked if UAC was off.

No WAYYYY! :eek: There is no way that the MAC OS is less secure than Windows, Steve Jobs would never allow this because he said his OS was better.

Sounds like Mr PC needs to just tape over Mac's mouth in the next ad. :cheeky:

oh yes.. because Steve Jobs is god and he is never wrong... come on, the only thing that Apple has that sells is the iPod and we all know that pretty much everything beats it

Just because QuickTime contains several flaws doesn't mean the whole OS is flawed... QuickTime has always been bad and if it still goes in the same direction, it'll remain a bad application. Believe it or not, some Mac zealots like me also hate QuickTime.

1. No one claimed the OS in its entirety was flawed.
2. If the OS is compromised by vulnerabilities in software such as Quicktime then the OS is still lacking in security because despite whatever flaws the software contains it should still not compromise the system.

Nice to hear it finally from someone who knows what he's doing ;)

With the resources Microsoft has and the emphasis they put on security this time around, that they have the superior product with better code. Apple just doesn't have the userbase that would shed light on the many vulnerabilities it has.

Do you have evidence to support your counter-argument? How many security vulnerabilities have you found in Vista's new code?