Mac OS X more vulnerable than Windows in some ways, security expert says

Most malware still targets Microsoft platform, but Mac OS X has some security deficiencies, according to one expert

By , Network World
June 06, 2011 01:57 PM ET

Network World - Although Mac users are more likely to experience virus-free computing than Windows PC owners, there is nothing inherently more secure about Apple's operating system, and in certain respects Mac OS X is more vulnerable than Windows, a security expert tells Network World.

Chris Clymer, a consultant at SecureState, says the Mac's low market share still keeps it cleaner than Windows. But the recent "Mac Defender" attack illustrates the vulnerabilities in the platform, which is designed first and foremost for usability, rather than security.

Mac vulnerabilities could be exposed more over time because of the growing popularity of iOS, Apple's OS for iPhones and iPads. Mac OS X and iOS are based on similar code and are expected to converge over the next few years, if not merge completely.

"I'm a Mac user and a big fan of the platform, but there's nothing inherent about the platform that makes it more difficult to attack," says Clymer, who advises businesses on security risk. "There's actually a lot of things that have not necessarily been developed as well as on the Microsoft platform. It's probably more vulnerable in many ways."

Market share trackers typically show Windows powering 80% to 90% of desktops and laptops, with Mac OS in the 6% to 8% range.

There has long been debate over whether Macs are inherently more secure than Windows, or simply not attacked as often because of lower market share. Many Mac users don't even run antivirus software, even though free antivirus tools can be installed from the likes of Sophos.

Macs give an impression of greater security by requiring users to type in a password before almost any changes are made to the system. But that's not foolproof, and attacks generally occur through social engineering methods designed to convince users to give up personal information, as well as browser-based exploits that may not even compromise the operating system itself.

A JavaScript keylogger running in the browser could steal your banking credentials without targeting the OS, for example, Clymer says.

Google Chrome, at least, has sandboxing that makes it difficult for attacks to move from the browser to the host operating system, Clymer says. But Safari, the default browser on Macs, is traditionally "not the greatest" in terms of security, he says.

For businesses using an intranet, or Web apps specifically built for one browser, Clymer recommends using two browsers: one for the corporate tasks and another for everything else. That way, an exploit targeting a user's personal Web surfing won't spill over to the corporate data and applications.

But Mac OS itself has some troubling attributes. For example, the firewall in Snow Leopard, the current version, is not turned on by default.

"The platform is all about sharing," Clymer says. Apple creates a fairly "noisy" network, with wireless communication among iTunes, AirPlay, Apple TV and the like.

"That stuff is very noisy and is blasted across the network," Clymer says. "When I see 'Bonjour' stuff flying across the network, I get pretty happy as an attacker because there is a lot of information there."
