I’m about to tread, yet again, on religious ground.
John Gruber, attacking an eWeek article, incited a response by Tom Ptacek over at Matasano. I suggest you read those articles, especially the Matasano response, because they highlight very clearly some of the technical differences between OS X and Windows Vista.
I’ve been spending a lot of time, we’re talking a year or two, trying to decide if OS X is inherently more secure. I’m not a vulnerability researcher or OS developer, so I can’t dig in like Ptacek, but as an analyst I’m pretty good at weeding through the BS and I’m geeky enough to know what I’m talking about.
OS X is more secure than my XP PC, but Vista changes everything. This is not your usual Windows.
Tom’s response to Gruber focuses on Windows Vista, but Tom could have explained that more clearly. Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS so his arguments are tailored towards Vista. I think all the pundits need to be clear about which OS versions they are talking about. To a very real degree they are debating around each other- Tom focusing on Vista, and John on XP. This was something I was planning to write about after I got my hands on a non-beta copy to play with, but Tom beat me to the punch.
OS X is more secure than XP for a variety of reasons, including the user account model, lack of SYSTEM, quiet network profile, some core code signing, and so on. That said, OS X was not designed with a secure development lifecycle, and does not include the advanced security features shipping in Vista. Not that Vista is perfect, but there are clear indications that the game may have changed. (And yes, I’ve simplified a lot)
- The Secure Development Lifecycle is far more than some marketing campaign. MS hammers their code harder than anyone… ANYONE else in development today. Independent review, multiple security code scanning engines, mandatory training, and dropping beta versions to hackers like free candy. I talk with a lot of vendors; many have good processes, but I haven’t found any major vendor that makes such an effort. Ignore XP- it never went through this process, but look at SQL Server 2005, one of the first major applications to go through this process. No vulnerabilities to date- just one shared-code flaw (XML Core Services). Vista is the first consumer OS to go through this process. Bugs will still be found, but I suspect far fewer than XP.
- Memory randomization- key code hops around in memory. This makes it incredibly hard for an attacker to point to system code, since the code always moves. No hardcoding addresses. This may be the most significant change in the OS security.
- C#, which will probably be the most common application language used on the Windows platform, uses memory virtualization, just like Java. Again, nothing’s perfect, but this means C# apps are much less likely to suffer some of the common families of flaws that have crippled Windows so far.
- The user privilege model is stronger, but not perfect. MS cut back a little here to keep some enterprise customers happy, but the improvements are still very real. Old code demanding admin access runs off virtual registries rather than corrupting the main system registry.
- Browser isolation- most major malware today on XP comes in email or over the browser (and half the email stuff uses the browser). IE 7 itself is stronger, and the browser runs in a more isolated and less privileged mode.
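The memory randomization point above is easy to check empirically. The following script is an added example (not from the original post, and unrelated to any vendor's code): it spawns itself several times and records, in each fresh process, the address of libc's printf (shared-library code) and of a freshly allocated heap object. With address-space randomization on, the values change between runs; if they repeat, an attacker could hardcode them. It assumes CPython on a Unix-like host where ctypes can resolve printf.

```python
"""Observe whether code and heap addresses move between fresh processes."""
import ctypes
import ctypes.util
import json
import subprocess
import sys


def sample_layout():
    """Return (code_addr, heap_addr) as seen by the current process.

    code_addr is the address of libc's printf, a mapped shared-library
    function; heap_addr is a fresh CPython heap object (assumed layout).
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
    code_addr = ctypes.cast(libc.printf, ctypes.c_void_p).value
    heap_addr = id(bytearray(64))
    return code_addr, heap_addr


def observe_layout(runs=3):
    """Spawn this script `runs` times in child mode; collect each layout."""
    samples = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, __file__, "--child"],
                             capture_output=True, text=True, check=True).stdout
        samples.append(tuple(json.loads(out)))
    return samples


def is_randomized(samples):
    """True if any address differs between runs (a coarse ASLR check)."""
    return len(set(samples)) > 1


if __name__ == "__main__":
    if "--child" in sys.argv:
        # Child mode: report this process's layout as JSON on stdout.
        print(json.dumps(sample_layout()))
    else:
        obs = observe_layout()
        for code_addr, heap_addr in obs:
            print(f"printf @ {code_addr:#x}   heap @ {heap_addr:#x}")
        print("layout randomized" if is_randomized(obs) else "layout NOT randomized")
```

Three identical lines of output mean randomization is off or ineffective for that mapping; note the check is coarse and says nothing about how many bits of entropy the layout has.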
I’m just running off others’ evaluations, so take it or leave it, but the hard-core researchers I know all tell me Vista is not the MS software we’re used to. Everything from the browser, to the kernel, to the programming languages used to build applications is significantly improved. And I haven’t even mentioned all the new security features, like a real 2-way firewall, PatchGuard, and so on. Will it all work? I don’t know, but I do know those who have hacked away at Vista come away impressed.
So is Vista more secure than OS X? I think so, but we’ll still see more malware for Windows for a long time to come. And Apple has plenty of time to take some of the same security steps. Heck, with fewer ties to legacy applications Apple could probably jump ahead if they put their minds to it. Vista might see life on my Mac, but only replacing my XP virtual machine.
But with Vista now released we all need to be clear about which operating systems we’re discussing. On paper Vista has more security built in at a more fundamental level than OS X. But Vista is brand new, and we’ll have to watch the world kick the tires for a while. Apple needs to respond with similar features, where needed, if they are to compete in the security game. If they want to.
The truth is, security is still not a major factor in most people’s OS choice. I’m sitting here saying I think Vista is more secure, but I don’t plan on switching off my Mac. Security is about being “good enough”. As the major target for attacks, “good enough” for Windows is significantly higher than “good enough” for Macs. Until Apple sees the same kinds of exploits on the same scale there will be little motivation for them to invest so deeply in security.
The game isn’t over, but it’s definitely a different game than just a few weeks ago.
5 Replies to “Mac vs. Windows Security- It’s a Whole New Game, and Doesn’t Matter”
I believe there’s a small typo in the original article:
“Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS so his arguments are tailored towards Vista.”
The follow-on text implies that Mr. Gruber’s arguments are tailored towards XP.
FWIW.
Thanks Tom, I’ll reply here but let me know if you want this moved to your site. Remember, I don’t have nearly your level of OS skills but think I know enough to respond intelligently.
1) Fundamentally, probably, but realistically, no. There are so many more exploits for XP, especially if you use IE6, that OS X doesn’t _need_ to be more secure to be more secure. If you know what I mean. I often deploy SP2 without any additional security software, and out of the box, with current security updates, I can’t hack it remotely very easily. Same as OS X. But give it a month or two of “average user” activity and the odds are higher it will get exploited. On the other hand, give it to a smart user who stays away from weird websites and it’s probably fine. In the end it just means if you want to browse porn or gamble, OS X is still a safer choice.
2) Do you mean the OS X model isn’t more secure than the XP model? Agree it’s just a slight barrier to entry. I used to think it offered more security than it does. One big difference is you at least have the option on OS X of running without admin. Technically you can do this under XP, but not realistically. But you are right- it’s not nearly as secure as most people think it is, especially with some of the buffer overflows.
3) Yes, but not totally. Far more Windows applications and services seem to run under SYSTEM or other privileged user accounts. I know MS really worked hard to restrict this in Vista. Far fewer OS X applications seem to run with that privilege level.
And yeah, this is a silly fight that will just incent black hats to smash OS X just to piss people off. We also haven’t even talked about other issues, like the less-robust access controls for the file system.
I used to think OS X was a lot more secure, but after spending a lot more time digging in I realized that this probably isn’t true, and definitely isn’t true for Vista. All that said, it doesn’t matter. Seriously. I love my Mac, as do most of the security researchers I know, like yourself, that run on Mac.
As long as I can work safely I’m happy.
Here we go again with another debate about Windows vs. Mac security. Gruber drew first blog blood (here), Tom takes him to task (here), Mogull tosses in some thoughts (here), and of course I could not sit idly by without tossing in a couple of my own coins. Mogull’s right about one thing – it doesn’t matter. I wish it did, I wish you could buy a secure OS and not have to spend on deploying security technologies or managing the infrastructure, but the reality is that you do and you will for the foreseeable future – you see users are stupid and will figure out a way to bypass your dream secure OS, and of course an auditor is coming to a network environment near you soon and would like to know how you provide visibility and control over all those end-points under your dominion.
Thanks for the link. Let me bat some things back at you.
(1) I’m not just talking about Vista. I think sane people could argue that XPSP2 and OSX are neck-and-neck. I think XPSP2 users shouldn’t be afraid to take the Pepsi Challenge on this one.
(2) The user account model on XP is not substantially more secure than OSX’s, unless you’ve revoked “Administrator” privileges from your local account, which nobody does. The cute Finder/Keychain password prompts are nice until you hit the Unix shell and look at file ownership. Not to mention, anybody with your creds can intercept all of your I/O and capture your password.
(3) This SYSTEM stuff is a red herring. Machine administrator on OS X can get to root, and root is game-over on OS X.
(4) I don’t think Gruber has “banged on” any operating system, including OS X.
I agree with you though; I’m in no rush to switch to Windows from OS X. I just think the Mac people really need to stop picking this fight.