Macs Really May Be More Secure Than PCs

Certainly, we can all agree that Mac users hate Windows.

On the other hand, most Windows users hate the Macintosh and, moreover, Mac users. And those Mac ads.

One thing that really pushes the buttons of Windows users is how Mac users describe the relative security for each platform. What PC users hear in the exchange is that the Mac is invulnerable to attacks.

Of course, this idea is false, and any right-thinking Mac user would admit that any computer can be attacked. Or almost any computer.

• Click here to visit FOXNews.com's Cybersecurity Center.

"My CPM computer hasn't been attacked once — because it's not connected to the Net," joked Ron Hipschman, senior media specialist at San Francisco's Exploratorium science museum.

He manages a number of clients and servers of different platforms, including Sun Solaris, Windows and Macintosh.

"It's hard to write a system that can't be exploited, he said. "Leaving it disconnected from the Internet will do it, and sealing the CD drive, floppy and thumb drive [ports] will keep you virus-free."

In one of the hated Apple ads, the sneezing PC guy (the hilarious John Hodgman) comes over to the Mac guy and tells him that he has a virus that's going around. "Don't be a hero," Hodgman warns.

The Mac guy isn't worried. He doesn't get viruses. Well, really he says that he's not going to get one of the Windows viruses, which is perfectly correct.

Still, no matter how much you might consider this comparison an unfair shot, it is real. The Mac is a better platform when it comes to security and malware attacks.

I've used Macs since 1984, and I've been infected by some malware twice. Two times.

One was in 1989 on a diskette distributed at a Macworld Expo with a HyperCard stack of naughty drawings (it was infected at the company).

The other was an infection by a cross-platform Office macro virus perhaps 10 years ago. The person sending me the file was a Windows user.

Take a look at the exploits actually seen in the wild on the Wild List. In March, the group recorded 766 different viruses, with a supplemental group bringing the total to 1,709 titles. None are on the Mac.

A search through security vendor F-Secure's Virus Description Database for the word "Macintosh" brings up 24 total hits. Most of them are MS Word macro viruses, and five were hoax reports.

So based on these figures, it would take a lot of attacks to make a dent in the Mac's good name and challenge the current record on the PC side.

However, by my reckoning of the installed bases for each platform, there should be many more exploits for the Mac.

Depending on how you calculate the number — 2, 3, 5 or whatever percent — shouldn't there be that corresponding percentage of viruses on the Mac in these lists?

A side note: Some folks estimate the number of Mac users — ones who actually buy things or read content on the Web — is a greater figure than we would find by looking at pure sales or when looking at the entire PC installed base. Mostly, this means that there's evidence that Mac users are undercounted.

For example, in a previous column I pointed to a chart on Scripting News that listed the site's readers by browser.

Firefox was the largest (49.76 percent), and Internet Explorer came in second (23.43 percent).

However, Mac-only browsers Safari and Camino were next in line (21.31 and a guesstimate of 2 percent, respectively). And some part of the Firefox figures must have been Mac users as well.

Whatever the number, bigger or smaller, the sum of Mac attacks is statistically nil when compared with the PC market. There just aren't many attacks, now or in the past.

Also, it's not as if Mac users are hiding off the Web. They are exposed in the same way Windows users are.

Worse, Mac users are very naive when it comes to security. Most don't run any anti-virus software, except for the firewall that comes built into Mac OS X. Most users rely on Apple to update their security, something that happens very often nowadays.

So, what's the reason for this difference in exploits? Why aren't there more Mac attacks? And why have researchers been finding more Mac holes?

Perhaps the reason for the discovery of more exploits for Mac OS X isn't as much a reflection of Apple's quality of programming engineering (or its lack), but rather the fact that automated security tools have improved.

Security blogger Ryan Naraine told me that instead of poring over code into the early hours, security researchers now can let tools run overnight and check in the morning for a new crop of likely holes.

He also suggested that security researchers are turning toward investigating Apple more now that the company has popular Windows programs such as iTunes and QuickTime for Java.

However, credit must go to Apple, according to wireless security blogger Glenn Fleishman, based in Seattle. He pointed to the company's reaction to January's Month of Apple Bugs Project as an example of how serious the company is about patching the exploits promptly.

"The prediction beforehand was that Apple would be all pissy about it and it would take a long time to fix the bugs and that they would ignore it. Instead, [Apple] kept coming out with patch after patch and in a nice touch credited [the Project]."

Both Fleishman and Hipschman said that while bugs are constantly being uncovered, Mac OS X appears harder to exploit than Windows.

Hipschman said Apple has turned off a lot of services in OS X that make Windows vulnerable, especially in Windows XP. One example he noted was that Apple offers users an opportunity during installation to enter an administrator password, rather than defaulting to admin user status without a password.

Fleishman said that while there have been exploits demonstrated on the Mac, many are very difficult to accomplish out in the wild.

"No one has come up with a good vector to spread infection on the Mac; that's what stymies people," he said. "Even if you came up with the world's best Wi-Fi exploit drive around the city, and actually take ownership of 100 Macs, even then, with root-level access on a Mac, you can't just deploy [an exploit] exponentially or even arithmetically. You can't even add one more," he said.

Also, Fleishman noted that Apple Mail has proved difficult for malware authors to exploit for payloads.

Most of the concern in the Mac community is over data in transit and wireless security, he said. "It's all really marginal stuff."

In addition, Fleishman wondered about reports of successful Mac zombie attacks in the past year.

"I believe [the zombie attacks] have happened, and I wouldn't be surprised if some Macs were owned and turned into zombies. But how many worldwide? Was it 100 [machines]? Compare that to the numbers for PCs," he said.

Finally, I believe there's another reason for the Mac's amazing security record, beyond the technical and beyond any protection afforded by its supposed market "obscurity."

The protection is cultural. It's that legendary "strong" installed base of loyal users.

As I said before, Mac users love the Mac. Most don't want to do something that will harm the platform. That loyalty includes programmers. So they avoid attacking other Mac users and stick to Windows. That's an easier and more successful target anyway.

Will there be unfortunate attacks? Of course — it's the world we live in.

Consider this: The Mac is the most homogeneous computing platform in the world. That should make it the most vulnerable. Instead, it has the strongest real-world record when it comes to exploits.

Surely, that record will continue.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.