Security and the Mac

Some have implied that Macs are safe from viruses or worms, and thus that they are secure or nearly impervious. While I like their enthusiasm, I think they are being a little too optimistic; so some cynical realism is in order.

First, we need to understand the terms. A computer virus (or worm) is a self-replicating program: something that “spreads” and makes copies of itself without permission, or even without the user knowing about it. These programs “infect” other programs, documents or the system, so that in the future accessing those files will run the virus and spread it even more. Thus a computer virus inserts itself into the user's computer or into other programs, like a real virus would invade your cells. Like other life forms, its primary purpose is propagating the species and surviving.

The difference between a worm and a virus is that a virus usually spreads itself locally, to any other files it can find. While occasionally remote drives are mounted (across the network) so it can spread directly, a virus mostly depends on you sending copies of infected files to other people (their machines), where they will be run and the pattern continues. A worm actually attacks other systems directly across the network (it’s looking for holes to worm its way in), and tends to focus on attacking the system files (making one copy of itself that is always running). So a worm is an aggressive, network-centric form of virus that looks to spread as wide as possible; whereas a virus infects the local machine as deep as possible, and casual contact (application promiscuity) spreads it to other machines.

A virus usually spreads by adding its code to the start of an application. When you run the app, it runs the virus (which infects another file; in other words, makes another copy or two), then continues to run the regular application (so that you are unaware that you ran the virus). It can infect most or all applications on the disk.
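Because a file infector of the kind described above changes the bytes of an executable (typically growing it at the front), the defender's counterpart is an integrity baseline: record a hash of every application file while the system is known to be clean, then re-hash later and report anything that changed, vanished or appeared. The following is an added example, not code from the original post; the sample "applications" and the modification applied to one of them are constructed inside a temporary directory so the script runs offline, and the file names are hypothetical.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample: two tiny files stand in for application binaries.
SAMPLE_APPS = {
    "Calculator": b"#!/bin/sh\necho 'calc'\n",
    "TextEdit": b"#!/bin/sh\necho 'edit'\n",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(app_dir):
    """Record hash and size of every file under app_dir: the 'known good' state."""
    baseline = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_dir)
            baseline[rel] = {"sha256": sha256_of(path), "size": os.path.getsize(path)}
    return baseline


def baseline_to_json(baseline):
    """Serialise the baseline so it can be kept on read-only or offline storage."""
    return json.dumps(baseline, sort_keys=True)


def baseline_from_json(text):
    return json.loads(text)


def verify(app_dir, baseline):
    """Compare the current tree with the baseline and return what differs."""
    current = build_baseline(app_dir)
    findings = {"modified": [], "missing": [], "new": []}
    for rel, entry in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel]["sha256"] != entry["sha256"]:
            findings["modified"].append(rel)
    findings["new"] = sorted(set(current) - set(baseline))
    return findings


def write_sample_apps(app_dir):
    for name, body in SAMPLE_APPS.items():
        with open(os.path.join(app_dir, name), "wb") as fh:
            fh.write(body)


def demo():
    """Baseline the sample tree, alter it, re-verify; returns (clean, tampered) findings."""
    with tempfile.TemporaryDirectory() as app_dir:
        write_sample_apps(app_dir)
        baseline = baseline_from_json(baseline_to_json(build_baseline(app_dir)))
        clean = verify(app_dir, baseline)
        # Constructed modification: extra bytes placed in front of one file with the
        # original content left intact behind them, the shape of change the post
        # describes. Nothing here replicates; it only changes one sample file.
        target = os.path.join(app_dir, "Calculator")
        with open(target, "rb") as fh:
            original = fh.read()
        with open(target, "wb") as fh:
            fh.write(b"# extra bytes added in front\n" + original)
        with open(os.path.join(app_dir, "Unexpected"), "wb") as fh:
            fh.write(b"new file\n")
        tampered = verify(app_dir, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after modification:", after)
```

The size is recorded alongside the hash only as a cheap first-pass indicator; the hash is what decides. A baseline is only as trustworthy as its storage, so keep the JSON somewhere the machine being checked cannot rewrite.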

Worms usually target a hole in the network: some flawed service that is running (an exploit), so that the worm can deliver its code across the network without having permission to make that update. It is a lot harder to write a worm, as the holes are much smaller, found quickly and easily plugged; but the targeted nature of worms, and the attack being more focused, means that worms can spread much faster.

Unix boxes are susceptible to both viruses and worms, and OS X is just a proprietary (customized) UNIX. Thus Mac OS X is susceptible to both viruses and worms. In fact, some of the first viruses found in the wild were on the first versions of MacOS, which were probably more secure than OS X. Face it: Macs have applications with code (and resources/bundles), so you can inject code into that bundle and thus create a virus. The system itself shares data across a network and has many services, each of which can have exploits in it, which can thus be attacked by a worm. So both can exist.

The good news is that while Macs can get worms and viruses, there are far fewer of them on the Mac than on the PC; for many reasons. Let’s look at a few.

One key item to vulnerability is open source. Large parts of the underlying code in OS X are open, meaning programmers can look at how they are written, and have been able to for years. This is a double-edged sword: hackers can look through the code for vulnerabilities. But in practice, many more people are looking for those vulnerabilities so they can block them, or once hackers brag about finding the hole, others can fix it. So in practice, more open tends to mean vulnerabilities are found quicker, and thus blocked quicker. Large parts of OS X are not open source, but most of the key services are — and really none of Windows is. So if you value audited code, then from best to worst, it would be Linux/BSD (pure open source UNIX), then MacOS X, then Windows.

Even though Linux and BSD flavors of UNIX are more open, they aren’t necessarily more secure. By default many of the services on those OSes are “on” or running, similar to Windows. So you have to be somewhat of an expert to go around turning off everything you don’t want on, and to know how to plug all the holes. For the most part, OS X starts the other way: all services off, and you have to actively turn them on (thus accepting the tradeoff of using the service versus the risks using that service incurs). So you can make a Mac as wide open as Windows or other UNIXes; it just doesn’t start out that way.
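Whether a box started with services off or on, the question that matters is the same one the worm paragraph above raises: what is actually bound to a network-facing port right now, and is each of those things there on purpose? The following is an added example, not code from the original post: it parses lines in the shape of `lsof -i -P -n` output and reports sockets that are bound to a non-loopback address and not on an allowlist. The sample output, the process names in it and the allowlist are all constructed for the example; on a real machine you would feed it the output of the real command and your own list of services you chose to turn on.

```python
# Constructed sample in the shape of `lsof -i -P -n` output; not captured from a host.
SAMPLE_LSOF = """\
COMMAND       PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd         1   root    8u  IPv4 0xabc      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd          90   root    5u  IPv6 0xabd      0t0  TCP [::1]:631 (LISTEN)
sshd          412   root    3u  IPv4 0xabe      0t0  TCP *:22 (LISTEN)
Safari        901  alice   21u  IPv4 0xabf      0t0  TCP 192.168.1.10:52311->93.184.216.34:443 (ESTABLISHED)
mDNSResponder 105  _mdns    7u  IPv4 0xac0      0t0  UDP *:5353
vncserver    1200   root    4u  IPv4 0xac1      0t0  TCP *:5900 (LISTEN)
"""

# Assumed policy for the example: only SSH is meant to be reachable from the network.
ASSUMED_ALLOWLIST = {("TCP", 22)}


def parse_sockets(lsof_text):
    """Return (command, proto, host, port) for every socket bound and waiting for traffic.

    Connected TCP sockets (NAME contains '->') are skipped; UDP has no LISTEN state,
    so any bound UDP socket counts.
    """
    sockets = []
    for line in lsof_text.splitlines()[1:]:  # first line is the column header
        tokens = line.split()
        if len(tokens) < 9:
            continue
        command, proto, name = tokens[0], tokens[7], tokens[8]
        state = tokens[9] if len(tokens) > 9 else ""
        if proto not in ("TCP", "UDP") or "->" in name:
            continue
        if proto == "TCP" and state != "(LISTEN)":
            continue
        host, port = name.rsplit(":", 1)  # rsplit keeps bracketed IPv6 hosts intact
        sockets.append((command, proto, host, int(port)))
    return sockets


def is_loopback(host):
    """Sockets bound only to loopback are not reachable from the network."""
    return host.startswith("127.") or host in ("[::1]", "localhost")


def exposed_services(lsof_text, allowed):
    """Sockets reachable from the network whose (proto, port) is not on the allowlist."""
    return [
        sock
        for sock in parse_sockets(lsof_text)
        if not is_loopback(sock[2]) and (sock[1], sock[3]) not in allowed
    ]


if __name__ == "__main__":
    for command, proto, host, port in exposed_services(SAMPLE_LSOF, ASSUMED_ALLOWLIST):
        print(f"exposed: {command} {proto} {host}:{port} (not on allowlist)")
```

A wildcard bind (`*`) means every interface, which is why the two flagged entries matter more than the CUPS listeners on 127.0.0.1 and [::1]. The allowlist is deliberately keyed on protocol and port rather than on process name, since the name is whatever the process reports about itself.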

Windows, and specifically ActiveX and its DLL mechanism, is a virus construction kit in disguise. Microsoft decided to make their OS, files and applications very extensible. You can add controls and chunks of code that extend behaviors, without the user having to do anything. While most of the new behaviors are benign and helpful, some are bad; i.e. a virus. And there’s no real way to know the difference until it is too late. Just visiting websites can install a special ActiveX control, which can give your machine a virus or adware/spyware. Turning on security settings means that the OS will usually ask you “are you sure?” before installing them — but so many sites require these ActiveX controls that people get used to just saying “Yes” anyway. Installing apps can replace shared/common libraries, which infects every application that uses them. Running filters (anti-virus programs) that try to protect against known viruses helps. But these measures are still like trying to stop water from coming through a screen door. You can’t create an open operating system that isn’t open to intrusion. If you have Windows, you’re open, and thus going to get viruses or other forms of malware (malicious software).

Macs, on the other hand, allow far fewer ways of running programs. You don’t run them just by visiting websites. There aren’t as many automatic installs. It requires active behaviors: a user downloading something, verifying that they want to install it, then installing. But if you do install a program with a virus, you will catch that virus. And there are shared libraries on the Mac as well. The obvious solution is, “don’t run programs from websites/people that you don’t trust”. But of course if Windows users did that, and had their security settings set high enough (so it behaved like the Mac), they wouldn’t get nearly as many viruses either.

Windows has an advanced permission system that is supposed to block unauthorized installations. But the problem is there are way too many holes or exceptions. Programs can intrude on running system resources, too many files are open to exploits, and installing any program that asks for verification can bring unwanted tag-alongs. UNIX and OS X are slightly better, mostly in implementation rather than design; but OSes are complex, and there are tens of thousands of files and routines required for the computer; it only takes one hole to create an exploit. So Macs may be far better in practice, but the risks are still there.

Most of the advantage of OS X is just that hackers want the biggest bang for their buck. They target the most people, for the least effort. So they target the platform with the largest market share; thus being the minority platform helps. On top of that, the hackers think/know how to program Windows first, then UNIX. And it is easier to program viruses for Windows. The Mac is a non-standard UNIX, with some quirks and tweaks done by NeXTies — so normal UNIX programmers aren’t completely at home, even if they get the basics. Off-the-shelf Linux or BSD exploits may not work exactly the same on OS X. Thus more specialization is required to make a Mac virus/worm.

All explanations aside, the Mac is more secure than Windows. If you want to reduce your chances of being attacked, then the Mac is the better platform. The Mac has fewer holes than Windows, and a design that doesn’t have ActiveX or as bad a DLL mechanism. Unix (OS X) programmers tend to think more about security (UNIX grew up in a multi-user world), so they thought of security before versatility… the opposite of Microsoft. The Mac uses its permission system better. It costs more effort to find exploits in OS X, and it is easier for Apple to patch/update. The bang for the buck in creating a virus/worm is less on the Mac, because far more users use Windows. People also hate Microsoft more than Apple, and thus target Windows for misplaced philosophical reasons.

For now, each time you hear of a worm, virus or malware on the PC, think of how much money you’re saving or how much more secure you are by running a Mac. But never let these truths lull you into the delusion that the Mac is safe; it is just safer. Programmers determined to find holes in a few million lines of code, are likely to find them eventually. With the Mac it is just more expensive to do so, and there are fewer returns. But like it or not, it is not a case of “if” there’s going to be a malicious and damaging virus, worm or spyware on the Mac; it is just a case of when, how fast it spreads, and how fast the market can respond to mitigate the damages. Fortunately, Windows has such a huge head-start on damages, that I don’t think the Mac will ever catch up.