Recently there has been a lot of news about the security of Mac OS X. A lot of the press would like to sell the idea that the Mac isn’t fundamentally any more secure than any other operating system (read: Windows). The reasoning is based upon popularity: surely the less popular operating system has fewer problems because it naturally has fewer attackers.

While this sounds reasonable to many journalists, it ignores the realities of software security. One of the recent attacks on the Mac was “social engineering”. This type of flaw is not an operating system flaw at all but a human flaw. One of my favorite attacks of this type was an email sent to Windows users that told them to search for a particular file which was a virus threat and delete it from their systems if they found it. Only that file was on 100% of their computers since it was a key part of the operating system. Deleting it rendered the computer useless until the operating system was reinstalled.

As an operating system, Mac OS X is essentially a BSD Unix variant. As such, it shares the strengths and weaknesses of Unix when it comes to security. In addition, it has many other Apple-specific software APIs that may contain security flaws. However, there are some key things to remember. For one thing, Mac OS X as delivered is already set up in a very secure configuration, one which the typical user has little reason to alter. To date Apple has quickly fixed any flaws found before any exploits could be created. For another thing, there still are no very credible rootkits for Mac OS X, and getting and keeping root access is an important step in taking control of a machine.

All this has sparked a debate amongst Mac users and developers, not about how secure our machines are, but about how secure we should say they are. Most Mac users don’t want to belittle Windows for its security flaws. As far as most Mac users (and Linux users) are concerned, we wouldn’t use Windows even if it had no security flaws whatsoever. And we don’t want to brag about how secure Mac OS X is and invite attacks. Well, most of us don’t. Some do. And some are willing to pay for proof. This blog, for example. And at the U of Wisconsin, Dave Schroeder has posted a contest web page inviting people to hack his Mac mini.

As for me, while I think we might one day see a real virus on the Mac, I just keep my firewall running smoothly, my root account disabled, and I sleep well at night.


