You may remember that the Pwn2Own competition was run recently, designed to reveal hidden security flaws within browsers and operating systems. Charlie Miller, who was one of the competitors in the competition, has come out with a rather controversial statement: Mac OS is theoretically safer than PCs.In an interview with Tom's Hardware, Miller stated, "I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."
He has also said that whatever you do, keep your system up to date, and be 100% sure you know what you're doing. The reason for this is because no anti-malware protection would have stopped him; "None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped."
So, to summarize, Miller says that Macs are less secure in terms of technologies, but there just aren't the threats out there to make users worried.
But Alex is right. While I still believe security is better on the Mac, most users have taken it for granted for so long. As the market share rises the majority of it's users think they are invincible so they won't think twice about clicking questionable links or installing questionable software.
Microsoft may be a lot of things but they respond quickly and are open about their mistakes.
Microsoft may be a lot of things but they respond quickly and are open about their mistakes.
+1
I have been saying exactly that for many years!
It simply is not worth attacking the Mac.
When people say the Mac is more secure it is like saying my rust bucket car is more secure because nobody is going to bother stealing it!
Well for one, his opinion isn't the only one that counts. I meant there are less people who make virus', malware, what have you for the mac. So regardless of market share. The hackers or virus makers, most of them write for windows based machines. But as market share rises more of those same people will see the benefits in going after the mac. I guess I'm going in circles here
Just to set the record straight ...The following are reported exploits in Windows XP ...
Reported 2008-12-09, Unpatched. secunia.com/advisories/32997/ - Secunia rating "Extremely Critical"
Reported 2008-09-10, Unpatched. secunia.com/advisories/31824/ - Secunia rating "Less Critical"
Reported 2008-04-18, Unpatched. secunia.com/advisories/29867/ - Secunia rating "Less Critical"
Reported 2007-09-17, Unpatched. secunia.com/advisories/26800/ - Secunia rating "Moderately Critical"
Reported 2007-02-23, Unpatched. secunia.com/advisories/24245/ - Secunia rating "Non Critical"
Reported 2006-12-26, Unpatched. secunia.com/advisories/23487/ - Secunia rating "Non Critical"
Reported 2006-10-30, Unpatched. secunia.com/advisories/22592/ - Secunia rating "Less Critical"
Reported 2006-08-07, Unpatched. secunia.com/advisories/21377/ - Secunia rating "Less Critical"
Reported 2006-05-10, Unpatched. secunia.com/advisories/20061/ - Secunia rating "Less Critical"
Reported 2005-11-17, Unpatched. secunia.com/advisories/17595/ - Secunia rating "Less Critical"
Reported 2005-10-06, Unpatched. secunia.com/advisories/17064/ - Secunia rating "Less Critical"
Reported 2005-08-24, Unpatched. secunia.com/advisories/16560/ - Secunia rating "Non Critical"
Reported 2005-07-27, Unpatched. secunia.com/advisories/16210/ - Secunia rating "Less Critical"
Reported 2005-06-06, Unpatched. secunia.com/advisories/15605/ - Secunia rating "Less Critical"
Reported 2005-04-22, Unpatched. secunia.com/advisories/15064/ - Secunia rating "Less Critical"
Reported 2005-01-31, Unpatched. secunia.com/advisories/14061/ - Secunia rating "Non Critical"
Reported 2004-10-19, Unpatched. secunia.com/advisories/12793/ - Secunia rating "Less Critical"
Reported 2004-10-01, Unpatched. secunia.com/advisories/12670/ - Secunia rating "Less Critical"
Reported 2004-07-12, Unpatched. secunia.com/advisories/12047/ - Secunia rating "Non Critical"
Reported 2004-02-25, Unpatched. secunia.com/advisories/10968/ - Secunia rating "Moderately Critical"
Reported 2004-01-26, Unpatched. secunia.com/advisories/10708/ - Secunia rating "Moderately Critical"
Reported 2003-10-27, Unpatched. secunia.com/advisories/10066/ - Secunia rating "Less Critical"
Reported 2003-10-03, Unpatched. secunia.com/advisories/9921/ - Secunia rating "Less Critical"
Reported 2003-09-22, Unpatched. secunia.com/advisories/9799/ - Secunia rating "Non Critical"
Reported 2003-04-22, Unpatched. secunia.com/advisories/8635/ - Secunia rating "Non Critical"
Reported 2003-03-18, Unpatched. secunia.com/advisories/8329/ - Secunia rating "Less Critical"
Reported 2003-01-28, Unpatched. secunia.com/advisories/7959/ - Secunia rating "Non Critical"
Reported 2003-01-27, Unpatched. secunia.com/advisories/7824/ - Secunia rating "Less Critical"
Reported 2002-12-30, Unpatched. secunia.com/advisories/7793/ - Secunia rating "Moderately Critical"
Reported 2002-12-09, Unpatched. secunia.com/advisories/7669/ - Secunia rating "Non Critical"
Reported 2002-12-02, Unpatched. secunia.com/advisories/7629/ - Secunia rating "Non Critical"
Reported 2002-09-18, Unpatched. secunia.com/advisories/7121/ - Secunia rating "Non Critical"
In other words, Macs are easier to exploit than Windows, but the only reason they *appear* safer is because they hold a nominal market share and aren't worth the trouble many hackers have to go through when at the end of the day they only inconvenience/exploit 1/12 as many people.
Windows is more secure, but when you have 1200% more market share, that brings with it 1200% more hackers and malware as well.
But exploit for exploit, malware for malware, Windows is better equipped to deal with attacks than OSX, as is evident by Miller's very own comment itself.
Last edited by Calum on 27 Mar 2009 - 11:37
But he still reccommends it as a choice for home users over Windows, apparently.
Agreed. The whole time I was reading this I was thinking "Well, yeah... everybody knows that!"
That is more than enough to say Macs aren't safe
Nope, not if you aren't chased as much. How big of a problem is this on a Mac, despite Windows perhaps being more secure?
You need to understand the distinction here that the hacker is trying to make.
That's the best part about this article: that he tells that security != safety. It's soo common for people to not make this distinction, unfortunately.
That is more than enough to say Macs aren't safe
That's a bit like saying someone in the congo with rifles and expert knowledge is more 'safe' from a wild animal attack than someone living in an inner city... Surely there's the chance that a wild animal could find its way into the inner city, but it's not going to happen very often...
Weird analogy I know, but still along the same lines...
a) it's still millions of users
b) if you were one of the first to really screw over those systems then you'd rise to fame over night. Windows you may but your in a much larger pool and theres more vendors dealing in security products ect there.
c) sometimes the lesser used systems are still more critical. Find a way to really exploit linuc and you could do some rather large damage to corporate servers if they haven't been locked down properly for instance.
Really theres reasons for and against picking both small or large systems as an attack point. Mac's aren't exactly a small target anyway.
85% would be better
85% would be better
85%??? are you joking? doing a quick search of how many users in the world use mac, i found a 2007 article that says 22 million. for the sake of it, lets say there's now 25 million. 85% more than 25 mil is 46 mil and there's a hell of a lot more pc users than 46million.
surely this is news because he performed extremely impressively at the Pwn2Own competition and by extension his opinion on these matters may well be something that the members of a tech forum (oh gosh, like Neowin) would be interested in?
Everybody get on the"THIS ISN'T NEWS" barge, quick, before it becomes cliche!
Many never make this distinction.
Was Linux even included in this last Pwn2Own? It wasn't compromised last go-around. Would have been interesting to let them have another go at it.
There was a saying I used to hear growing up back home quite a bit; "Don't crap where you eat", usually worded a tad different. But you get the gist. I think that would apply to hackers finding and announcing exploits for Linux.
Because the "bad guys" all use Linux? And exploits are never revealed?
Come on, flaws in Linux are found, announced and patched all the time.
It's not like Windows and OSX are immune to people "keeping exploits in their back pockets for a rainy day" or anything.
Come on, flaws in Linux are found, announced and patched all the time.
It's not like Windows and OSX are immune to people "keeping exploits in their back pockets for a rainy day" or anything.
Way to jump to conclusions, scooter. No, because the tools are more prevalent and available in an open-source environment such as what Linux provides. As that I don't consider hackers "bad guys", not sure where the condescending attitude comes from, but whatever. I do, however, think that most (not all, but most) people that work at finding exploits in *nix, tend to bring it up to the responsible parties beforehand, before bringing it out to the general public, a bit more frequently than they do with, say, Windows.
Then you applied this vague but colorful saying to
I had nothing but a bad metaphor to go off of, so perhaps my questions sounded like statements of fact to you. I checked them again, and there are indeed two question marks in my post, each punctuating a clarification that I was asking.
Sincerely,
Scooter
P.S. for one that decried a "condescending attitude", you had no problems mustering one up yourself.
Seriously though, just as OS X, Linux does not thrive in terms of usage among the general public compared to Windows. Thus, it would appear that these people (that is, computer users with malicious intent) would be less concerned with actually trying to follow through with an exploit.
With Windows at least (and perhaps OS X), there is a real market value for these exploits (according to Charlie Miller himself). If they're used, they may very well have the possibility of compromising the user's system, which can lead to many different things, including possible identity theft perhaps. Put that on a larger scale, and you've got a mess on your hands.
Not sure how accurate these numbers are, but according to this, Windows has 88.41%, Mac 9.61%, and Linux 0.88%. (with the iPhone at 0.48%) That is a big difference. How you can simply say that hackers simply won't attempt to exploit the same operating system they use seems silly.
That said, don't you watch TV? Every hacker uses a Macbook!
Regardless Mac or PC but is a "typical" user 100% sure about system updates?
I think my mom is a typical user - but when it comes to her preference to browsers and latest malware patches.................
Don't fall for the market share argument. If you have a computer and it's connected to the internet, control over it is valuable. Never forget that.
For example, i use Firefox on OSX and sometimes i use Opera in Windows.
It's interesting because that isn't what Miller said. He mentioned that Mac OS X has fewer anti-exploitation technologies available than Windows. That's true, and in many ways it means that the current Mac OS X user base can be "ambushed" very easily - and it may be a while before anyone realizes it.
One needs to consider why such technologies exist, though. Windows' greatest security failure was arguably that the base user ran with full administrative privelages by default and that they could modify anything and everything without prompting. This made exploits terribly simple to carry out - it reached the point where a user simply had to be tricked into clicking on a false web advertisement or applet and their computer was fully compromised. The entire design of the operating system was much too free, both to users and programs that resided on it. Windows Vista has finally made some steps in the right direction to correcting this.
On the other hand, the UNIX system was designed a bit differently, and it turned out to be advantageous to security. A standard user account would be unable to modify core system files or even carry out some modifications (such as installing a program, or running a program that would modify certain files). That in itself is a security feature that Windows lacked for the longest time, and it critically limits the capabilities of most malware.
However, Mac OS X users shouldn't feel smug about that. Despite having that setup available to them, Apple has gone and followed in Microsoft's failings: the first user account created is an administrator account, by default. It's very possible to operate with a "standard" (non-administrative) account (unlike in Windows XP, where programs would have problems running), but the average user is very unlikely to go through the "trouble" of setting up a second account unless prompted. While the OS will still prompt you for a password when modifying critical system files on an administrator account, everything else is game. Additionally, the password prompts are only as good as the user behind them. Blindly entering a password when prompted makes you no more secure - the user needs to be aware of what is going on and why they are being prompted. If you don't know, don't enter the password. It's the same principle as not clicking on links that come from unknown sources.
And to anyone wishing more malware for Macs, grow up. We suffer as a collective every time another computer is taken over. I'm glad to see that Microsoft is finally taking security seriously, and I hope that Apple and the Linux communities also maintain a focus on security.
Hah i like that line!
+1
Shouldn't that be Macs are safer than windows or whatever OS you are referring to? PC's incorporates many operating systems and hundreds more versions of those. Hell you can run OSX on a "PC" and technically macs are PC's anyway now in many peoples books.
When you put that next to the Neowin article titled "MacBook Hacked in Seconds... Again" you have to wonder if money was exchanged for that "expert" opinion.
I'd still recommend Macs for typical users as the odds of something targeting them are so low
Does the guy WORK for Apple? If you're going to recommend a computer how about factoring in things like cost, performance, available applications, options, style, hardware specifications??? For me, there is more than the single consideration of "OMFG How many viruses are there for that operating system?"
As mentioned in another discussion, all the software and hardware safeguards in the world won't protect someone from a malware attack if they don't know the basics of computer security. Despite what Stevie wants you to believe, Mac OS X won't make up for a lack of user knowledge. Neither will Windows, Linux, or any other operating system.
If you read a little more, he pointed out that once you have an exploit on OSX, it's easier to take it and craft it into something malicious because the antiexploit technology in OSX is severely lacking.
He's just saying that OSX is 'safer' because there isn't much stuff for it. The OS itself, however, is more insecure.
'nuff said
Every man and his dog has an "informed opinion" on this matter, but with everything in the IT world, security depends on how careful you are, and what you do with your computer.
His reasoning isn't the standard, canned 'UNIX foundation' BS that most people spout. It's actually nothing even remotely like that. He says they're safer due to the lack of 'stuff' for them, but easier to exploit due to a lack of properly implemented safeguards to stop it.
I'm more concerned with what the people who would never show up to any "hacking" event are up to.
Last edited by GreyWolfSC on 27 Mar 2009 - 18:36
Yeah, I've always hated the incorrect use of terminology. PCs are not an Operating System--much less a Microsoft Operating System--and Macs are PCs.
There's a very simple reason for this: marketing. By painting it as Mac vs. PC, Apple maintains their image of being something different and apart from the rest of the market. If they advertised instead as Mac OS running on a PC, Apple hardware stops appearing unique, and they risk looking like just another software developer. This might have the unwanted result of creating more demand for MacOS on 3rd party systems.
Remember, it's not about actually being different. Just 'thinking' different. The slogan is telling the truth: it's all in your head.
Using Vista and noticing how that pop-up looks an awful lot like XP's Luna.
Though it's not surprising that your typical user doesn't catch that bit.
Easy excuse, I'm sure the malware developers would like to wipe the smugness of the mac community right? Why haven't they?
Easy excuse, I'm sure the malware developers would like to wipe the smugness of the mac community right? Why haven't they?
Economics.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.