The Mac is a safer computing platform than Windows. It has had no serious malware problems. By design, it’s more secure than Windows thanks to its smart use of user and administrator privileges. Mac users are right to be happy about the choice they made for security reasons.
Yet sometimes pieces appear in the appear in the Mac press that just make me want to weep. For the fact is that the Mac, like every operating system, isn’t perfect. There are security holes in it, some known, some as-yet undiscovered, that could be exploited to give root privileges and thus control over a machine.
At ZDNet Austrialia, they’ve done a piece pointing this out. The piece is based on an interview with Neil Archibald, a security specialist with SureSec. Archibald points out that there are plenty of security holes in OS X, and that – because Apple does not use software auditing tools to spot bugs before releases – there will undoubtedly be plenty more.
Archibald isn’t speaking without experience. Last year, he discovered the dsidentify bug, which affected 10.4, and that allows a non-admin user to gain admin rights – potentially allowing them to create and remove root accounts and gain control over the machine.
OS X riddled with “ancient” security flaws – The Unofficial Apple Weblog (TUAW). This track record suggests that he should be someone worth listening to. In fact, he says, the main reason that the Mac hasn’t been a target is simply that it’s not worth developing malware for – the user base isn’t wide enough to make it worth it.
However, some parts of the Mac web clearly think that clapping your hands over your ears and shouting “la la la” is the right response. Take, for example, TUAW:
Of course, his opinion is
wrong. Small market share is obviously a contributing factor in OS X’s rock-solid security track record, but there are also other components, like the fact that root is disabled by default, anything that makes any global changes to your
machine requires a password, etc. Besides, even if the market share thing is monumentally important, it’s not like OS X is going to be the most-used platform overnight. So we’re still safe (for now).
Sorry, but “has security holes in it that can be exploited to gain root” does NOT equal “safe (for now)”. It means both users AND Apple have to take security way more seriously than they do at the moment.
It’s simply irresponsible for a serious publication (and TUAW is serious, most of the time) to keep parroting the “it’s safe” line. There are plenty of users out there who believe that there’s simply no way that anyone could ever make a virus, malware or exploit for the Mac. I know, because I’ve had to argue with them. These are the people who, when they get an email attachment from one of their friends won’t think twice about double clicking on it and letting it install something – because “Macs don’t get viruses”.
The main part of the problem, I think, is that so few Mac users know anything about the way viruses work in the Windows world. Take a look at the top ten list of viruses reported to Sophos in December. All are email worms. They rely on someone opening an attachment and running the contents in order to install themselves. All, therefore, rely on “social engineering” – fooling the user into thinking that an action that’s isn’t safe is perfectly OK. None – not a single one – relies on a security hole in Windows. None of them will work if you have up to date anti-virus software (and given that decent virus software can be had for nothing, there’s no reason why any user shouldn’t). And, if you’re running up to date email software, you’ll be warned about downloading and running an executable file, too.
Mac users are equally susceptable to social engineering. In fact, because there’s a rump of Mac users who believe that the Mac has no security problems, they’re arguably more susceptable. The only difference between the platforms is that the Mac requires you to input your password before running an installer, or anything that places files where they’ll run every time you run your Mac. How many Mac users would happily install something if it came (apparently) from a friend, and was called something like “cool screen saver for you to install”? Far, far too many – all because “the Mac doesn’t have security problems”.
There is, of course, a counter argument. Why, if all this is true, are there no viruses for Macs? Surely the kudos of writing the first Mac virus would be enough to tempt virus writers to do it? This answer again exposes a lack of knowledge of what virus writing is all about. Spreading an infection is more about two things: gaining control over a machine for profit; and disabling the viruses of other virus writers, in a kind of virtual war. It’s about harvesting email addresses that can be sold to spammers; creating botnets for spamming; keylogging to get credit card details; or hijacking machines via Spyware trojans. All these require hitting as many machines as possible, and that means hitting Windows, not the Mac. There is no profit in making a Mac virus, and so it doesn’t happen.