The Myth of the Insecure Mac

I once wrote that supposed vulnerabilities in Apple Macs are just tempests in a teacup; that editors (and mainstream bloggers) should remember that when they bend over backwards to give security firms and contests free publicity in exchange for exciting headlines.

The point is, if Apple’s OS X ever became seriously vulnerable to a virus or worm in the wild, as Windows is routinely vulnerable to, it would create press headlines way, way beyond what you see now. Still, every tiny chance that a Mac might be vulnerable is seized upon by the press and bloggers and turned into a minor story (see “Safari vulnerability exposed in MacBook Pro hacking contest” in Jason D. O’Grady’s Apple blog, “MacBook hacked in contest at security event” in CNET, or “A Mac gets whacked, a second survives” in The Register).

Can’t blame them — an OS X virus, worm, or zero-day exploit in the wild would be a major scoop. But it’s just not going to happen, as it would have happened already. This story (in particular the version in Infoworld, “Myth crushed as hacker shows Mac break-in“) is itself a Crushed Myth. The MacBook was not hacked remotely; the hack required user interaction; and the hack exploited a hole in the browser’s Java, not in OS X. Besides, the hack was part of a contest, not running in the wild. It turns out that the vulnerability that enabled the MacBook hack is in Apple’s version of Java, and not specific to Safari. If you use, for example, Firefox with Java enabled, you are vulnerable to this kind of attack.

For a good summary of this tempest in a teapot, see “InfoWorld Publishes False Report on Mac Security” in RoughlyDrafted. As the article points out, Apple makes responsible efforts to design security into its products, while Microsoft hasn’t until very recently.

It’s not that it is impossible to infect or exploit a Mac, it’s that Apple hasn’t shipped millions of Macs listening wide open for commands to act upon, or shipped a web browser designed to naively run programs like Microsoft’s ActiveX did, or installed an email program designed to automatically run commands that arrive as attachments as Outlook did.

Arguments about whether browser vulnerabilities reflect badly on the operating system miss the point: OS X does not require Safari, which you can remove easily if you want; whereas Windows not only fastens parts of Internet Explorer and Outlook to its basic functionality but also doesn’t let you remove them easily. OS X is built on the time-tested Unix core system designed from the ground up to be secure as multiuser systems; Windows is, well, not.

.Mac (Apple Computer, Inc.)



The Myth of the Insecure Mac — 5 Comments

  1. Pingback: Tacit Telegraph » Grapevine Telegraph 2.0

  2. Pingback: iTimes with Tony Bove » Blog Archive » Grapevine Telegraph 2.0

  3. Pingback: Get Off Microsoft » Blog Archive » Grapevine Telegraph 2.0

  4. Are you freaking kidding me. There are hundreds of exploits for OSX. Look at the exploit database I just was hacked through DMPRodxy, WindowServer and ShareD. Look at Vault 7 you have no clue what you are talking about.

Leave a Reply

Your email address will not be published. Required fields are marked *