I had an interesting conversation the other day with Dino Dai Zovi, the researcher who discovered the QuickTime for Java vulnerability that Shane Macaulay used to take control of a Mac at the CanSecWest conference last month. Macaulay got the MacBook Pro that the show’s organizers put up as a prize, and most of the press attention. But Dai Zovi got the $10,000 bounty from TippingPoint’s Zero Day Initiative and he’s done enough research on both Macs and Windows machines to have put some thought into the whole Mac versus Windows security debate. A lot has been made about Macs being inherently more secure than Windows-based PCs, but Dai Zovi said the question of which OS is more secure really misses the point.
“Gauging how secure something is, is difficult to establish,” he said. “If people were looking, there would be more vulnerabilities discovered [in Apple products]. In general Apple’s making good decisions related to security architecture. Do I buy into the Apple is more secure thing? Not so much. Apple’s authentication infrastructure is better-engineered than UAC. It’s less obtrusive. But there are plenty of implementation flaws to be found. Any third-party application is bound to be the weakest link.”
That may not sit well with the Mac faithful, but Dai Zovi, a former @stake researcher and co-author of a new book called “The Art of Software Security Testing”, knows whereof he speaks. The lesson, it would seem, is if you’re looking for computers to p0wn, forget the OS and go after the apps.