After writing about the massive security update Apple released for Mac OS X this week, I’ve decided to dive back into the never-ending blog debate over whether the Mac is really more secure than Microsoft Windows, even though I get hate mail whenever I do so.
Critical feedback almost always comes from faithful Mac users clinically unable to acknowledge that their machines are not bulletproof. At the same time, I’ve gotten plenty of emails over time from those who skewer Mac Nation for shouting names at the Windows universe from atop the security high horse.
This week, most of the blog postings I’ve come across tilt toward the latter viewpoint.
Gareth Heyes, a Web application developer who tries to hack his own handiwork in his spare time, writes in the Spanner blog about how he decided to “hack the hell” out of the Safari browser that comes with Mac machines after Apple brushed aside one of his bug warnings. Of course, he writes about finding problems.
“Apple seems to have some sort of security related breakdown because they allow the telnet protocol,” he says. “On top of that they allow it to automatically connect and to any address. Yeah crazy eh?”
To make Safari secure, he says, simply select the Safari icon in applications and drag it to the waste bin.
My view is that as long as Mac Nation lives in a state of security denial, more vulnerability researchers are going to shift from their Windows work in favor of the Apple-oriented hacking Heyes is doing.
That’s not to say Apple doesn’t deserve credit for getting some things right.
One thing I’ve noticed is that the company puts out security updates pretty frequently — more so than Microsoft’s once-a-month patch rollout. The last update fixed some 41 flaws, and that tells me that someone at Apple is taking security seriously. It’s also worth noting that Apple’s security bulletins describe not only the flaw but how it has been fixed. Microsoft only recently started doing so in its security bulletins.
And statistically speaking, no one can argue against the fact that Windows has been attacked a gazillion times while the Mac up to this point has only been targeted with limited malware that hasn’t spread very far.
But those attacks have taught Microsoft to take security more seriously and the software giant has made huge security strides in the last five years.
At the end of the day, it’s futile to debate which operating system is more secure, because no operating system is 100% immune to attack. Apple may have suffered fewer attacks to date, but that will probably change, especially as hackers set their sights on the iPhone.
Since no operating system is bulletproof, we’re better off keeping the discussion on how users can practice better computing habits and avoid falling for social engineering tricks that so often lead to malware infections and online thievery. We’re also better off assuming that any of us could be hacked someday and that every company needs to hammer out a data breach response plan to mitigate the potential damage.
Two bloggers touch upon these points:
Jim Becker, lead systems engineer at the Urban Institute and a volunteer/director at Encompass U.S., writes in the Encompass U.S. blog that he keeps hearing from people or reading postings where the operating belief seems to be, “I don’t use Windows! I’m invincible!” To that, he says, “Sorry, gang, I don’t buy it.”
No matter which operating system you use, he says, having a securable operating system or application isn’t enough. Careless configuration, poor practices (especially poor change control), indifferent users, and slow incident response can undo any security measures you’ve taken — even if that measure is a switch from Windows to Macs, he says.
“The best way to guarantee you’re not invincible is to think you are,” he concludes.
Phoenix-based security consultant Marcin Wielgoszewski blogs that operating systems are no more secure than “the idiots using it,” writing, “I’m tired of arguing about the security of Windows vs. Linux vs. OS X. They’re pretty much all the same, and they’re all insecure.”
He says a competent user or sysadmin managing a system will limit the number of services running and ports open, install only signed/verified applications, and practice safe browsing. But, he says, this won’t protect you or them from a zero-day.
“Whether your grandma is more secure using one OS over another, again… it’ll only be as secure as she can be,” he concludes. “With more and more vulnerabilities exploiting the browser and targeting the user, no OS is secure.”
They both make sound arguments. Mac Nation would do well to listen.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.