Security Bytes

Nov 16 2007   11:43AM GMT

Diving back into the Mac Vs. Windows debate

Leigha Cardwell

Bill Brenner

After writing about the massive security update Apple released for Mac OS X this week, I’ve decided to dive back into the never-ending blog debate over whether the Mac is really more secure than Microsoft Windows, even though I get hate mail whenever I do so.

Critical feedback almost always comes from faithful Mac users clinically unable to acknowledge that their machines are not bulletproof. At the same time, I’ve gotten plenty of emails over time from those who skewer Mac Nation for shouting names at the Windows universe from atop the security high horse.

This week, most of the blog postings I’ve come across tilt toward the latter viewpoint.

Gareth Heyes, a Web application developer who tries to hack his own handiwork in his spare time, writes in the Spanner blog about how he decided to “hack the hell” out of the Safari browser that comes with Mac machines after Apple brushed aside one of his bug warnings. Of course, he writes about finding problems.

“Apple seems to have some sort of security related breakdown because they allow the telnet protocol,” he says. “On top of that they allow it to automatically connect and to any address. Yeah crazy eh?”

To make Safari secure, he says, simply select the Safari icon in applications and drag it to the waste bin.

My view is that as long as Mac Nation lives in a state of security denial, more vulnerability researchers are going to shift from their Windows work in favor of the Apple-oriented hacking Heyes is doing.

That’s not to say Apple doesn’t deserve credit for getting some things right.

One thing I’ve noticed is that the company puts out security updates pretty frequently — more so than Microsoft’s once-a-month patch rollout. The last update fixed some 41 flaws, and that tells me that someone at Apple is taking security seriously. It’s also worth noting that Apple’s security bulletins describe not only the flaw but how it has been fixed. Microsoft only recently started doing so in its security bulletins.

And statistically speaking, no one can argue against the fact that Windows has been attacked a gazillion times while the Mac up to this point has only been targeted with limited malware that hasn’t spread very far.

But those attacks have taught Microsoft to take security more seriously and the software giant has made huge security strides in the last five years.

At the end of the day, it’s futile to debate which operating system is more secure, because no operating system is 100% immune to attack. Apple may have suffered fewer attacks to date, but that will probably change, especially as hackers set their sights on the iPhone.

Since no operating system is bulletproof, we’re better off keeping the discussion on how users can practice better computing habits and avoid falling for social engineering tricks that so often lead to malware infections and online thievery. We’re also better off assuming that any of us could be hacked someday and that every company needs to hammer out a data breach response plan to mitigate the potential damage.

Two bloggers touch upon these points:

Jim Becker, lead systems engineer at the Urban Institute and a volunteer/director at Encompass U.S., writes in the Encompass U.S. blog that he keeps hearing from people or reading postings where the operating belief seems to be, “I don’t use Windows! I’m invincible!” To that, he says, “Sorry, gang, I don’t buy it.”

No matter which operating system you use, he says, having a securable operating system or application isn’t enough. Careless configuration, poor practices (especially poor change control), indifferent users, and slow incident response can undo any security measures you’ve taken — even if that measure is a switch from Windows to Macs, he says.

“The best way to guarantee you’re not invincible is to think you are,” he concludes.

Phoenix-based security consultant Marcin Wielgoszewski blogs that operating systems are no more secure than “the idiots using it,” writing, “I’m tired of arguing about the security of Windows vs. Linux vs. OS X. They’re pretty much all the same, and they’re all insecure.”

He says a competent user or sysadmin managing it will limit the number of services running and ports open, install only signed/verified applications, and practice safe browsing. But, he says, this won’t protect you or them from a zero-day.

“Whether your grandma is more secure using one OS over another, again… it’ll only be as secure as she can be,” he concludes. “With more and more vulnerabilities exploiting the browser and targeting the user, no OS is secure.”

They both make sound arguments. Mac Nation would do well to listen.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

2  Comments on this Post

 
  • Paul Schmehl
    When I read this - “The best way to guarantee you’re not invincible is to think you are,” he concludes. - I immediately thought of Larry Ellison's idiotic "Oracle is unbreakable" declaration. Boy has that been proven wrong.
  • Bfedorko
    Setting up Mac users with the "We think we're invincible" strawman is quite unfair by Jim. Most Mac users are simply confident in the inherent security of the Mac OSX and underlying BSD OS. It is like moving into a house, complete with a normal complement of locks. A handy owner can increase security, or welcome a burglar in, if they are too trusting. Using Windows XP is like moving into a house without doors. Or a roof. That catches on fire every now and then, and often needs rebuilding from the ground up. A 'handyman's special', if you will. Many security buffs can poke theoretical security holes in the Mac OS, but oddly, I can count all the viruses I've found on every Mac I know of on 0 fingers. Same with Malware, Spyware, Adware, and bots. Amazing! I have yet to watch anyone with a PC run Adaware and have it come up empty. EVERY TIME. Theoretically, I'm sure the Mac OS has bushels of hypothetical security problems. Some day, maybe I will actually see one. In short, Macs are not invincible... In theory. In practice, it sure seems that way. Maybe Jim should consider buying it?
