Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Best from Apple: Security

Chris Holland posts a rant on The Apple Blog (a blog about Apple, not by Apple) regarding the relative security merits of Mac OS X and Windows. While I generally agree with his conclusion that Mac OS X is the more secure operating system, I disagree with the way he arrives at that conclusion.
To begin with, he asserts that because Mac OS X doesn't have any services enabled by default, it is immune from network attack. This is mostly true -- if BIND isn't running on your machine, then any flaw in BIND cannot be exploited. Saying that no services are running by default isn't to say that the network stack is disabled, however. Flaws in the kernel's TCP/IP stack could still be exploitable with all services disabled. For instance, a buffer overflow in the ICMP echo service could be exploited by simply sending a specially formatted ping. This isn't to say that Mac OS X is vulnerable to this particular attack, but rather to illustrate that disabling your services gives a false sense of security.
The fact that Apple makes it very easy to enable the by-default disabled services doesn't bode well for security. Given that there have been a number of remotely exploitable vulnerabilities in the Mac OS X sharing services (Apache, Samba, OpenSSH, et al.), you will not be safe unless you never turn these on. I don't subscribe to the "turn your computer into a lead weight" school of security, so somewhere there has to be a compromise between usability and security. All that said, I do agree with Chris that the services should be disabled by default; let the user make the choice to enable them, even if it is an uninformed choice.
Chris also goes after the Windows software update mechanism because it uses Internet Explorer as its host. I'm somewhat unclear on his argument that running the software update mechanism as a separate application is somehow more secure than running it in a browser. In my experience, any code running on your machine is just as vulnerable as any other code, whether it is a web browser or not. And while you can still manually point your browser to windowsupdate.microsoft.com and update your system, if you are running any somewhat recent Windows operating system, there is a separate application that periodically checks for updates and asks for your permission to install them. This is nearly identical to the Software Update application in Mac OS X.
There seems to be this belief out there that Mac OS X, because it has suffered from very few instances of malware in recent years, is somehow invulnerable. It isn't. It's simply a much smaller target. Hackers spend their time trying to hack Windows because the rewards are so much greater. If as much effort went into exploiting Mac OS X as goes into exploiting Windows, we Mac users would be in for a world of hurt. If you plug your computer into the internet, you'd better be safe. The fact that you are using Mac OS X may make you safer from network threats, but it does not make you immune.
By Periodik Labs on January 26, 2005 11:48 AM