FRAMINGHAM, MA, USA, JUNE 6, 2011—Although Mac users are more likely to experience virus-free computing than Windows PC owners, there is nothing inherently more secure about Apple's operating system, and in certain respects Mac OS X is more vulnerable than Windows, according to a leading security expert.
Chris Clymer, a consultant at SecureState, says the Mac's low market share still keeps it cleaner than Windows. But the recent "Mac Defender" attack illustrates the vulnerabilities in the platform, which is designed first and foremost for usability, rather than security.
Mac vulnerabilities could be exposed more over time because of the growing popularity of iOS, Apple's OS for iPhones and iPads. Mac OS X and iOS are based on similar code and are expected to converge over the next few years, if not merge completely.
"I'm a Mac user and a big fan of the platform, but there's nothing inherent about the platform that makes it more difficult to attack," says Clymer, who advises businesses on security risk. "There's actually a lot of things that have not necessarily been developed as well as on the Microsoft platform. It's probably more vulnerable in many ways."
Market share trackers typically show Windows powering 80% to 90% of desktops and laptops, with Mac OS in the 6% to 8% range.
There has long been debate over whether Macs are inherently more secure than Windows, or simply not attacked as often because of lower market share. Many Mac users don't even run antivirus software, even though free antivirus tools can be installed from the likes of Sophos.
Macs give an impression of greater security by requiring users to type in a password before almost any changes are made to the system. But that's not foolproof, and attacks generally occur through social engineering methods designed to convince users to give up personal information, as well as browser-based exploits that may not even compromise the operating system itself.
Google Chrome, at least, has sandboxing that makes it difficult for attacks to move from the browser to the host operating system, Clymer says. But Safari, the default browser on Macs, is traditionally "not the greatest" in terms of security, he says.
For businesses using an intranet, or Web apps specifically built for one browser, Clymer recommends using two browsers: one for the corporate tasks and another for everything else. That way, an exploit targeting a user's personal Web surfing won't spill over to the corporate data and applications.
But Mac OS itself has some troubling attributes. For example, the firewall in Snow Leopard, the current version, is not turned on by default.
"The platform is all about sharing," Clymer says. Apple creates a fairly "noisy" network, with wireless communication among iTunes, AirPlay, Apple TV and the like.
"That stuff is very noisy and is blasted across the network," Clymer says. "When I see 'Bonjour' stuff flying across the network, I get pretty happy as an attacker because there is a lot of information there."
Mac OS X is a Unix-based operating system, with some open source components. One way attackers can exploit Macs, Clymer says, is to identify open source projects that run on Mac (such as Perl), look up the security fixes made in the last year, and then see if the same fixes have been made to the Mac versions.
While open source developers churn out quick changes to improve functionality and minimize security threats, Apple's updates are fewer and farther between, Clymer says. That's not entirely a bad thing. As the producer of a commercial product, Apple must thoroughly test updates before rolling them out to millions of users. But this can leave security holes exposed.
Apple is learning that lesson. New malware called the Mac Defender forced Apple to roll out a security update, but malware authors developed a new version to bypass the security update within hours.
The Mac Defender Trojan, luckily, is pretty easy to remove. The question is whether things will get worse. Observers have been predicting for years that the Mac was on the verge of a giant security problem, but it's never gotten nearly as bad as the constant threats targeted at Windows users.
What's different now? Clymer says proliferation of iOS will lead to more attacks, even though so far Android is being harder hit. Although Apple's app store is more locked down than the Android one, that does not mean Apple performs an in-depth code review of phone and tablet applications, Clymer says.
Macs may also become more frequent targets of financially motivated malware, he said, simply because expensive Mac computers are often purchased by people with higher incomes. "If there's a Mac in a company, it's a graphics guy, an executive, or both," Clymer says. "It makes it a tempting target."
Windows, obviously, has been a tempting target for years. Windows also lacks a simple backup feature like the Mac's Time Machine, which makes it easy for Mac users to roll back to a previous, clean state of the operating system in the event of attack.
But Microsoft improved the security model between Windows XP and Windows 7, requiring more explicit permission from users before allowing applications to install. Windows 7 automatically keeps track of whether you have antivirus software installed or the firewall enabled, and has made other changes under the hood to make the OS more secure, Clymer says.
Another huge difference between Windows and Mac is the frequency of security updates. Every month on Patch Tuesday, and sometimes even more often, Microsoft fixes the latest security flaws in the platform. For users and IT administrators who have to apply patches, it is a cumbersome, yet necessary process.
The Unix core of Mac OS X is a great starting point to build a secure system, but "in many ways Apple is five or 10 years behind Microsoft," Clymer says. "They have the ability to move a lot more rapidly, but they are learning the same lessons other vendors have had to learn, and in some cases they are setting priorities differently. Microsoft had no choice but to make security a priority."
Apple calls Mac OS X "the world's most advanced operating system," and says it remains secure "with virtually no effort on your part."
"Mac OS X doesn't get PC viruses," Apple says. "And its built-in defenses help keep you safe from other malware without the hassle of constant alerts and sweeps."
Apple CEO Steve Jobs is previewing new versions of both Mac OS X and iOS this week at the Worldwide Developers Conference. Will the platforms be able to stand up to increasingly sophisticated attacks? Only time will tell.
Sign up for CIO Asia eNewsletters.