Windows versus MacOS Security
While I am still on the topic of the relative security of one operating system versus another, it is a good time to mention the results of a fascinating study recently conducted by Stefan Frei, Bernhard Tellenbach and Plattner of the Computer and Engineering Networks Laboratory at the Swiss Federal Institute of Technology. The results of this study show that from 2002 through 2007 678 vulnerabilities (including 658 high- and medium-risk vulnerabilities) in Windows operating systems were discovered. Over the same period 810 vulnerabilities (including 738 high- and medium-risk vulnerabilities) in MacOS were identified. Not only did MacOS have more vulnerabilities, but Apple was on the average slower in developing and releasing patches for the vulnerabilities. Furthermore, over the six year time period covered in the study, there were more unfixed vulnerabilities in MacOS as well as a higher number of attacks in which these vulnerabilities were exploited (including by using zero-day exploits) than in Windows systems.
I’m not a betting person, but if I were, I’d bet that Steve Jobs was extremely surprised and displeased when he learned of the results of Frei and his associates’ study. Somehow, I am not at all surprised. But I do not think that the results of this study in any way prove that Apple is somehow bad in its product security, nor do the results suggest that Microsoft is doing exceptionally in its product security. Instead, it is apparent that when it comes to security, Apple is being surpassed by Microsoft. I’d like to think that a huge change in Microsoft’s attitude about and approach to security in its products started with its Trusted Computing Initiative (TCI), which Bill Gates first announced six years ago in response to the many massive worm infections and other security problems that plagued Windows systems at that time. TCI’s provisions included mandatory security engineering training for developers as well as other employees and monetary compensation and promotions given to developers according to how bug-free their code was. Critics initially scoffed, saying that the TCI was nothing more than a big publicity stunt, but they were dead wrong. Slowly but surely, Microsoft products have improved in their out-of-the-box security, and Microsoft has showed itself to be increasingly responsive in dealing with security-related vulnerabilities found in its products. By all appearances, the TCI thus stimulated changes within Microsoft that have resulted in substantially improved (or perhaps better said, substantially improving) product security. There appears to not currently be nor never have been such an impetus within Apple.
The Frei et al. study also provides further corroboration that all is not as well in the Mac security arena as the Mac user community believes, and, accordingly, that this community should not relax, thinking that their machines are as safe as can be. Vulnerabilities for which there are exploits, but for which a vendor has not produced a patch raise the level of security-related risk substantially. A little healthy paranoia, a paranoia that we all really should have anyway, would go a long way within the Mac user community right now. And at the same time, the results of the Frei et al. study should not in any way make the Windows user community smug, either. Windows systems are still a major target of attacks, and a generous supply of free tools designed to breach the security of Windows systems is freely available to the public on the Internet. Let’s face it; the world of computing is not a very pretty place right now when it comes to security. It is thus quite noteworthy that at this point in time, Microsoft seems to be realizing this and is doing something about it better than is Apple.