UPDATE: For a response to John Gruber check here. For more discussion on the lack of security features in OSX, check here.
The Mac community is up in arms. Bill Gates gave an interview where he fights back against some of Apple’s misleading and deceptive marketing.
As a side note, those commercials are what led me to do security research in Apple. Also, the quote that is quite often attributed to me about “cigarettes in mac users eyes” is a misquote, as I actually said “cigarettes in the eyes of the actors in the commercials”. But I digress.
"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
Oh the Mac fans are upset. *rabble*rabble*.
The limited exposure guy even went as far as to count the MoBB bugs to prove how insecure Windows is. He forgot to mention how many of them affect Windows Vista and IE7 (HINT: not 25, that’s for sure).
Take a seat, hold your hats because I am about to make a declaration: Windows Vista is more secure than OSX 10.4.8. Anybody that tells you anything different should immediately be treated with the same disdain as finding a parking ticket on your car. This hasn’t been a popular thing to say and it’s not often said, but I am here to stand my ground on this. It sure won’t win me any karma on Slashdot.
Why do I think this? New exploitation methods have to be developed to take advantage of a Vista vulnerability. Let’s look at why:
Stack overflows are gone. Don’t think this is just because of NX, or Non-eXecutable stacks. NX just means I can’t execute code on the stack, but return-to-libc attacks still work. Things like ASLR (which is implemented on Vista and not OSX) break return-to-libc attacks because the system libraries are loaded at different, random addresses every time. Count how many of the Month of Apple Bugs exploits were stack overflows. The most dangerous one, MoAB #1, was.
Heap overflows are pretty broken, if not eradicated. With heap randomization, and metadata elements and function pointers being XORed with random numbers, it would be next to impossible to exploit a heap overflow on Vista in the traditional way. OSX doesn’t have any similar protection.
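A simplified model of the metadata XOR described above, added here as an illustration and not taken from the original post or from Vista's heap code. The names `heap_cookie`, `pack`, `hdr_encode`, `hdr_decode` and `overflow_verdict`, the 24-bit size field and the one-byte XOR checksum are all assumptions, and the scenario is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16              /* user data of the first chunk */
static uint32_t heap_cookie;    /* per-process secret; 0 models no encoding */

/* Plain header: 24-bit size plus an XOR checksum of its three bytes. */
static uint32_t pack(uint32_t size) {
    size &= 0xFFFFFF;
    uint8_t sum = (uint8_t)(size ^ (size >> 8) ^ (size >> 16));
    return ((uint32_t)sum << 24) | size;
}

/* Headers are stored XORed with the cookie. */
static uint32_t hdr_encode(uint32_t size) { return pack(size) ^ heap_cookie; }

/* Returns 0 and the size if the header decodes cleanly, -1 if corrupted. */
static int hdr_decode(uint32_t stored, uint32_t *size) {
    uint32_t plain = stored ^ heap_cookie;
    if (pack(plain) != plain) return -1;
    *size = plain & 0xFFFFFF;
    return 0;
}

/* Constructed scenario: the next chunk's header sits right after a 16-byte
   buffer, and an unchecked copy overwrites it with a header that is well
   formed in plain form, because the writer does not know the cookie. */
static int overflow_verdict(uint32_t cookie, uint32_t *seen) {
    unsigned char arena[BUF_LEN + sizeof(uint32_t)];
    unsigned char input[sizeof arena];
    uint32_t hdr, forged = pack(0xFFFFFF);

    heap_cookie = cookie;
    hdr = hdr_encode(32);                       /* legitimate next chunk */
    memcpy(arena + BUF_LEN, &hdr, sizeof hdr);
    memset(input, 'A', BUF_LEN);
    memcpy(input + BUF_LEN, &forged, sizeof forged);
    memcpy(arena, input, sizeof input);         /* copy runs past BUF_LEN */
    memcpy(&hdr, arena + BUF_LEN, sizeof hdr);  /* allocator reads header */
    return hdr_decode(hdr, seen);
}

int main(void) {
    uint32_t size = 0;
    printf("no cookie: %d\n", overflow_verdict(0, &size));
    printf("cookie:    %d\n", overflow_verdict(0xA5C3F10Eu, &size));
    return 0;
}
```

With the cookie at 0 the overwritten header is accepted as a valid size; with a nonzero cookie the decode fails and an allocator could abort instead of trusting it. In this model the checksum is one byte, so the check depends on the cookie staying secret and random per process.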
Tom Ptacek even comments on the lack of advanced security features in OSX here.
What does this mean? In order for attacks to continue in the same way there will have to be some MAJOR evolutions in vulnerability and exploit technology, as almost all of the widespread flaws you have heard of take advantage of these methods. Blaster, Sasser, Slammer, Zotob, all those big worms have relied on either a stack- or heap-based overflow.
Don’t believe me? Prove me wrong. Now don’t get me wrong, you can still email executables to people and then trick them into running them…you can do that on OSX as well.
Of course this won’t do anything to calm the swell of zealots or people stuck in the belief that Microsoft hasn’t changed since 1998. It’s kinda like explaining, in depth, to a teenage girl that a black Ferrari is a better car than a red Honda Civic. The same logic that would lead the teenage girl to say “but I like this one better because it’s red and goes with my lipstick” is the same logic a Mac zealot will use when they say “I don’t care about the facts, I KNOW OSX is more secure”. Now, I can’t comment on usability or any of that jazz; that’s not my area of expertise. I’ve never had a problem setting up and running either.
The thing that really upsets me about the Mac community going off on Bill Gates is that Apple does the same exact thing. Their "we don't have security problems" commercials are the same thing as what Bill Gates said. If you want to be mad at Bill then hold Steve accountable for the same actions as well. The arrogant commercials Apple runs have done nothing but win them a lot of researchers breaking their systems who would not have otherwise given them a second look.
I’ll leave you with my favorite Mark Twain quote:
“It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.”
UPDATE: Please understand that I'm not referring to the average Mac user that just wants a safe, reliable computing experience. I'm taking exception with zealots who place those users at risk by giving them a false sense of security. OS X is pretty safe today for the average user, but the platform is definitely NOT as fundamentally secure as Vista. Microsoft only changed when users demanded better security, and it's only when the Mac community calls for similar protections that Apple will include them in products. I use my MacBook on a daily basis. I write code on it, I watch movies on it, I chat with people on it. Just because I don't think highly of the security in OSX doesn't mean I am not a Mac user.