/ 3 February 2010

Mac or PC: Which is safer, or more secure?

An article at CNet offers a compilation of comments from 32 people involved in the security business who were asked “Which is more secure, Mac or PC?”

I don’t think there’s much doubt about whether you’re safer using Windows or Mac OS X: the answer is Mac OS X. If you want to know which is more secure, that’s a different question. It’s also a more complex one, because there several versions of Windows. If you want to pick on Windows XP, we know that’s not secure: its failings prompted Microsoft to spend vast sums retraining its programmers in Trustworthy Computing, and to give users a more secure version free: XP SP2.

By contrast, Windows 7 has more advanced security than OS X, but whether it’s safer is another matter. The fact is, Windows is much more likely to be attacked. Chris Wysopal, chief technology officer at Veracode, puts it like this: “I think the Mac is less risky, not more secure. The difference is in the threat environment. An analogy would be an unlocked house in an urban vs rural environment. Both are insecure. One, the rural, is less risky.”

Wysopal is one of the 32 security experts quoted in a CNet article, In their words: Experts weigh in on Mac vs PC security. It’s a very interesting read, and it would be even better if more contributors had said which version of Windows they were talking about.

One running theme is that Mac OS X isn’t attacked as much because of its small market share, but that won’t last if it becomes more popular. Mikko Hypponen, chief research officer at F-Secure, says: “Mac is more secure, simply because it has less attacks targeting it. If Mac would be targeted more, it could have exactly the same problems as PC does today.”There’s two main reasons why Mac isn’t targeted as much as PC:1) Smaller user base — making it less a lucrative target 2) Lazy attackers — their existing codebase and expertise is on Windows, so they keep creating more Windows attacks. Hey, if they make a nice enough living by writing malware targeting Windows XP, why change to anywhere else?”

Another theme is that attacks are moving to target the browser and other software rather than the operating system, and this may not turn out quite as well for Apple. Frank Heidt, CEO of Leviathan Security, says: “The risk landscape for consumers [and enterprises] has changed over the last few years. Operating systems as such are no longer the primary target of consumer-targeted attacks; applications are. In light of that fact, I’d say each operating system has its benefits and liabilities. The real risks lie in the consumer’s browser choice, and security habits. From a browser standpoint, I would choose Firefox over IE, and IE over Safari.”

Nitesh Dhanjani, researcher and consultant, says: “I know Internet Explorer has had a considerable share of vulnerabilities, but the Safari Web browser also has a lousy reputation in the security community — it almost seems a child’s play to locate an exploitable condition in Safari. Apple really needs to get its act together with Safari since OS X is enjoying a healthy market share climb at the moment.”

In the end, however, a big part of the problem is the bit between the chair and the keyboard. As Graham Cluley from Sophos says: “Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that’s what most threats exploit.”

Steve Manzuik, senior manager of security research at Juniper Networks, says: “Regardless of the operating system, the easiest way for an attacker to compromise a system is by going after the application level and causing the user to click, open, or run something they should not. The trend of patches over the last couple of years from Microsoft, Adobe, and even Apple supports this. Unfortunately, you cannot ‘secure’ user behavior.”

This is, no doubt, true, but the Mac still has the advantage. A careless Windows 7 user will probably run into lots of ways to get attacked by malware, whereas even the most careless Mac user seems unlikely to run into any. Even if Windows 7 is more secure than Mac OS X, the Mac is still safer. – guardian.co.uk