Is OSX safer than Windows?
by Jago Maniscalchi // July 29, 2009 // Risk Management
Following last month’s article on the relationship between Vulnerability, Threat and Risk, I’d like to examine how each of these concepts maps onto Apple’s OSX operating system. Often thought to be more secure than Windows, OSX is increasingly the target of malicious coders. This article examines the OSX risk profile and looks at whether it is changing.
A threat comprises three components – an actor, their motivation and a vulnerability. Risk requires the presence of a threat and is based on the probability of a particular impact on the business as a result of that threat. If we wish to compare the risk profile of OSX to that of Vista or Linux, we should start by comparing each of the components of risk.

The topic of OSX security is the subject of fierce debate. Die-hard fans will swear that OSX is infallible, and opinion is certainly skewed by prejudice from advocates on both sides of the argument and the media. This article is therefore an attempt to analyse the argument quantitatively – as far as that is possible – and produce an objective statement of risk.
Threat
All risk profiles start with threat – without this, one cannot be exposed to risk. We know that threats exist against the OSX target; the key questions are:
- How many threat actors are there?
- How motivated are they? – i.e. how likely are they to act?
- How many specific vulnerabilities have been discovered and disclosed?
Answers to these questions will assist with generating a risk profile.
Motivated Actors
Market share is a key determining factor for the number of motivated actors. A low market share immediately reduces the number of actors with the skills required to attack a system. More importantly, it also reduces the size of the target set – and this could reduce the motivation of our actor.
Historical operating system market share figures from W3Counter show OSX rising from 4 to 6% from 2007 until now.

With a market share of less than 10%, OSX represents a significantly smaller target pool than the leading Microsoft Windows family, at 91%. A small pool of attackers, though, doesn’t provide any real protection for a small target set – not without knowing how vulnerable the operating system is to attack.
Vulnerability
The graph below shows the number of vulnerability disclosures from 2005 – 2009 (figures from Secunia). It illustrates that OSX suffers from a number of vulnerability discoveries each month – though clearly fewer than both XP and Vista.

It is perhaps more effective to track the cumulative total from 2007 (the launch of Vista). This graph clearly indicates that OSX suffers from fewer vulnerabilities than the two Microsoft Operating Systems, though it was ahead of Vista in 2007. These figures are perhaps the evidence behind the early argument that Vista was safer than OSX.

Risk Profile
So OSX suffers from fewer vulnerabilities than XP or Vista. Does this make it safer?
Not according to Dino Dai Zovi, speaking to Macworld. A respected security researcher, Dino broke into an Apple Powerbook at the CanSecWest security conference in 2007. He commented later that he thought OSX was behind Vista as a result of Microsoft’s Security Development Lifecycle (SDL). SDL was developed out of Microsoft’s Trustworthy Computing initiative in 2002. It sets out a development lifecycle focussed entirely on security – from requirements gathering, through design, implementation, verification and release – and includes activities such as mapping the attack surface during the design process and fuzzing files and services during verification.
In the end, though, the Microsoft SDL is designed to reduce the number of vulnerabilities in their operating system and, despite early success, the number of vulnerabilities in Vista crept up during 2008, rapidly overtaking those found in OSX during the same period. Though OSX has suffered from marginally fewer vulnerabilities, there is no longer a vast difference between vendors.
We’ve determined that OSX has a small target pool, probably a smaller number of skilled threat actors and a number of vulnerabilities. We also know that the business impact of a security breach is platform agnostic – lost data or downtime is equally serious regardless of operating system.
The risk profile calculation appears to boil down to motivation of the actor. This is difficult to gauge – we’ve hypothesised that motivation may drop as a result of the smaller target pool. It could also be argued that because fewer business critical applications are hosted on Apple machines, the reduced benefit for any potential attacker may also reduce their motivation. That doesn’t necessarily apply to mass-propagation worms or website-deployed trojans, though.
Can the history of past attacks help to shed some light on the motivation of an attacker?
Attack History
The first ever OSX virus was discovered by Sophos in February 2006. OSX/Leap-A propagated through the iChat program, transferring itself by masquerading as a JPEG image. It is significant that this first OSX virus was discovered over four years after the initial launch of the operating system.
In 2007, Sophos announced that criminals were specifically targeting OSX users with a specially designed OSX/RSPlug trojan. Since then, a number of trojans have been reported, leading to some controversial advice from Apple in 2008 for users of OSX to install anti-virus utilities. The company quickly u-turned, however, retracting the statement and putting out a new one:
The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box.
This flies somewhat in the face of the evidence, ignoring the results of projects such as The Month of Apple Bugs, which turned up 30 vulnerabilities in as many days. It would appear that relying on the mantra that OSX is immune to attack, or that its underlying Unix kernel with fine-grained permissions makes it secure, is leaving Apple users open to compromise.
Conclusion
On the one hand, OSX suffers from fewer vulnerabilities than Windows and has a much smaller market share. On the other, that market share is increasing and new vulnerabilities are regularly announced. The motivation of attackers is increasing – perhaps because of the increased market share of the OS, perhaps a result of the new financial interest of criminal gangs.
It is clear from the evidence that while using OSX reduces the likelihood of an attack, specific threats do exist. This article has, of course, also ignored the most important vulnerability of all – the user. Users are trusted not to run malicious code. Malware for the Microsoft platform is now less likely to rely on the increasingly savvy Windows user – recent mass worm outbreaks have relied on multi-mode propagation, usually exploiting a vulnerable network service and autoplay. Attackers looking to target Apple users could do worse than looking at the tactics of the ILOVEYOU generation – relying on a user to run the worm themselves.
For the home user the risk profile of OSX is reduced through lack of attacker motivation, but is nevertheless rising. For a business user, with specific motivated adversaries, the risk of using OSX should be evaluated as equal to or greater than that of Windows – vulnerabilities exist and it is unlikely that any detection or prevention mechanisms have been deployed.


