Windows will never be as secure as Mac / Linux

August 26, 2009

Over and over again I read the mis-informed or simple minded mainstream press writing about Mac security based on tech industry myths (mostly created by “Security firms” that make their living on people being afraid and need a robust threat level of viruses, malware and trojans to build their biz on.

Their line goes something like this: The bad guys don’t target Mac’s because their market share is to small. for example here is a quote from a cnet story – Mac security not so much about the Mac:

“Even if Apple moved to 10 percent market share, why spend the time on the 10 percent when you can just nail 90 percent with one bug?” Miller points out. It’s far easier, and far more lucrative, for those shadowy figures in the hacking business to spend their time going after the other 90-plus percent of computers in the world than it is to try to exploit flaws in the Mac–even if there’s a shiny new computer involved.

There is truth in the fact that Windows is a larger target than the Mac. But in the last year or so the Mac has become a much bigger target with significant market share for some time now (6-8% overall and as much as 30 to 50% of the high end – above $1k – consumer laptop business).  Yet the Mac is still totally free of any known virus in the wild. And only a very few (in the single digits) trojans are out there (note these can not be spread from computer to computer and require the user to go to a “questionable” website and then explicitly “ok” the installation of software) .

The same article above clearly states:

No security researcher I spoke with could think of an instance of a Mac running Mac OS X that had been exploited in the wild. Not as part of a contest, or as part of a show-stopping demonstration, but through a malicious attack aimed at pwning a Mac. Few were even sure that any viruses or worms existed for the Mac; there was a Trojan horse type of exploit in the wild last year, but it was delivered through a porn site, and it required users to take several steps to infect themselves.

The reason Mac’s are safer than Windows machines is clearly more about basic multi-user aware underpinning, design philosophy, backwards code compatibility and plain old code quality.

Here is one of  the best ways I have seen it explained it: from the stroy FUD: On Snow Leopard Anti-Malware — Learning Curve.

A few salient facts before continuing.

  • Unix was developed as a research project at Bell Laboratories in Murray Hill New Jersey. The key researchers were Ken Thompson and Dennis Ritchie. Thompson and Ritchie won the 1999 Technology Award and Bill Clinton was present at the award ceremony in Washington.
  • MS-DOS was developed by Tim Paterson and his Seattle Computer Products. It’s won no awards.
  • Unix is a true multiuser system. MS-DOS is a hardware interface. The acronym itself stands for ‘disk operating system’. It’s not an operating system – it’s a disk operating system. It doesn’t deal in access control or ownership. It’s a hardware interface.
  • The Unix we use today is based on the original Unix from Bell Labs.
  • The Windows lusers use today is based on MS-DOS. Not the internal architecture to be sure – that architecture is based on the ‘VMS’ work of David Cutler – but the system’s security is based on (crippled by) good old MS-DOS.
  • Web servers everywhere run Linux and Apache Stronghold and practically speaking they’re impenetrable – this because Unix was built the right way from the start.
  • Windows will never be secure because it wasn’t built with security in mind (or much else for that matter). And that’s just a fact.

The quote above deals with the fact that OSX is built on Unix and as such has a strong, well tested, security system built in from the lowest levels protecting the system from actions by user accounts.  Windows on the other hand (as was Mac OS9) is built on a single user foundation – the assumption in the days of DOS through Win 32 was that the user had complete control of the computer and there is no separation between user accounts and the administrator account. Microsoft has spent the last 10 years trying to graft this type of structure into Windows without breaking too much backwards compatibility. It is a losing battle and is a fundamental difference that is why it will always be less secure than Unix and Mac OSX.

The size and age of the Windows code base makes it virtually impossible to eradicate the bugs and vulnerabilities, and it would appear that Microsoft’s design philosophy of feature bloat that continues to graft new networking and frameworks deep into each release of windows without removing the older ones will only make it worse as time goes on. Dating back to the early days of DOS and Windows Microsoft has let developers directly access the hardware bypassing the operating system, and while they have moved away from this for a long time bits of the old code are still lurking in the depths of their code base.

Apple on the other hand tends to build additional functionality by adding new core  functions to their operating system with a much more deliberate long term architecture perspective and well defined API’s (this dates back to the original Mac operating system which abstracted the actual hardware and made developers use the toolbox). Examples of this is coreaudio, coreanimation etc.

Lastly the way Apple historically  maintains backwards compatibility is much cleaner as they have done it through complete emulation as in the “OS9 Classic Mode” that was a fully sand-boxed environment. They do this on a transitional bases phasing it out completely over time so that they phase out legacy code with a smooth transition from the user perspective.

Microsoft as is typical is adopting some not all of the same concepts in their new Windows 7 but as usual they are still years behind OSX and they have not addressed much of their core issues.

All of this is simply security at the OS level, Microsoft also has many security related issues at the application level, and they build much of the application support for everything from Office apps to IE into the operating system which opens up many many more vulnerabilities.

In summary it is true that no complex software is bug free, and no operating system / application suite  is totally secure, but OSX is much more fundamentally secure than windows.  Everyday thousands (maybe more) of Windows users with or without added security software lose hours of productivity to dealing with infected computers, there are virtually no Mac users suffering the same fate. Millions of Windows machines the world over are acting as bots:

  • spreading viruses,
  • clogging the internet sending spam emails
  • Participating in denial of service attacks

Meanwhile Mac continue to secure and productive network citizens.

Advertisements