Home > Computer Security > Mac OS X versus Windows Security: Let’s just call it even

Mac OS X versus Windows Security: Let’s just call it even

Mac users like to say their computers are more secure than Windows-based computers. I’m not saying all Mac users say OS X is more secure than Windows, but I’m sure everyone knows somebody that does. I usually keep my mouth zipped when someone states it, because it’s pointless to argue with someone that believes their operating system is less exploitable just because another operating system is more exploitable. Apple’s Security Update 2010-005 provides all the evidence that’s needed to set the record straight once and for all.

Before we dive into the details, let me make a brief comment here about “arbitrary code execution.” Arbitrary code execution is a euphemism for a successful buffer overflow. If you’re interested in learning more about buffer overflows, there is a decent write-up on Wikipedia. The outcome of a successful buffer overflow, is that a hacker gains control of the execution thread and can perform any number of actions, which may or may not include performing actions as the system’s administrator. With administrator privileges, a hacker may be able to install a Trojan. Even without administrator privileges, arbitrary code still executes with the user’s privileges, which provides more than enough opportunity to ruin someone’s day.

Of the seven vulnerable products/components, five are at risk for arbitrary code execution, some of which can be triggered just by viewing a document or image file:

ATS [Apple Type Service for fonts] : Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

claimAV [anti-virus program]: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution.

CoreGraphics [OS X graphics component ]: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. Note here that it’s not only Adobe software that is vulnerable to PDF exploitation!

PHP [scripting language]: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. Note that many images on the Web are PNG files.

PHP [scripting language]: Multiple vulnerabilities in PHP 5.3.1. PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Samba [file and print services ]: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution.

If you run through the history of Windows vulnerabilities, you’ ll come across the same types of vulnerabilities.  Just think, all of these OS X vulnerabilities have been just sitting around waiting to be discovered and documented by the good guys. I wonder how long the bad guys have known about them?  How many more vulnerabilities do you think are still hidden in the code?

Here are the other two products/components that are included in the update:

CFNetwork [framework for network protocols]:  An attacker with a privileged network position may intercept user credentials or other sensitive information.

libsecurity [certificate host name resolution]: An attacker in a privileged network position who can obtain a domain name that differs only in the last characters from the name of a legitimate domain may impersonate hosts in that domain.

Just so that you don’t get the wrong idea, I’m not happy about these vulnerabilities, but they do prove that Apple’s OS X operating systems are not any more secure than Windows operating systems. Quantity is not a valid comparative statistic- it’s the type of vulnerabilities that people need to be concerned about. If I were a Mac user, I would be very concerned about exposure to some of these vulnerabilities.

  1. andreime
    September 1, 2010 at 7:53 am

    I am not a mac fanboy nor a windows hater and i respect your opinion. I have to say though, that your argument in very superficial. Nobody said Macs are safer than Windows and refered to the fact that they have a different, better version of Php for example. Pointing out flaws in 3rd party software and saying that it’s the same problem cross-platform doesn’t help your cause. I work on a Mac, Linux and Windows(less this days). What you should have pointed out are the exploits windows comes bundled with, security flaws that threaten an insanely big number of computers because the nt architecture is faulty. Nobody said that mac is bullet proof, but please, they are far from being equally attackable. An attacker in a privileged network position will be a threat for any os at any time. That’s just how i view it.

    • September 2, 2010 at 4:27 am

      Thank you for sharing your perspective and insights. Both Mac OS X and OS X server come “bundled” with 3rd party products, which include the ones mentioned above. Windows has built in OS X 3rd party equivalents as well as some 3rd party components, but far less than OS X. Buffer overflows are facts of life for both Windows and OS X – and that is what I am primarily focusing on, with the issue being that hackers can take control of the executing thread and read/write to disk. Equally attackable is certainly debatable and I think it really comes down to the compromise vector of each individual vulnerability and how the exploit is delivered to the target system. Not all the attacks above require a privileged network position.


  2. Marvin Nakajima
    September 28, 2010 at 11:44 am

    Hi, just wanted to chime in.. I have a lot of friends that have bought into Macs over the years partly because they believed the Mac vs. PC ads.. Especially the humorous one where the guy playing the PC has a cold (caught a virus, you know) and the Mac guy is perfectly fine.. The implied “Macs don’t get viruses” is what sold them. The majority of people buying computers for the home believed that and raised Apple’s reputation.. My friends who have Macs are now much quieter when the subject comes up but I’m sure you can still stop people on the street that still believe Macs are safer than Windows..

  1. September 1, 2010 at 7:40 am
  2. October 21, 2010 at 1:21 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: