Daniel Eran Dilger
Random header image... Refresh for more!

Are Macs more Safe than Secure? No


Daniel Eran Dilger

Everyone seems to get lost in their own words when talking about security and Apple. The Daring Fireball recently cited security blogger Dennis Fisher, who insisted it was “demonstrably false” to say there were not “any virus attacks on Macs.” However, rather than pointing out what a horrible pile of trash Fisher’s article was, John Gruber praised it (apparently to be nice) and then got lost in his own semantics on the subject. Sometimes you need to say “he’s wrong, here’s why.”

Instead, Gruber wrote, “That [blogger's article] probably sounds like clueless trolling to many of you reading this but it’s not, and it highlights an important distinction. Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you’ll actually suffer from some sort of attack.”
Safety or Security?

Let’s first briefly wade through the semantics. In the dictionary that ships with Mac OS X, security is defined as “the state of being free from danger or threat” and safety is similarly defined as “the condition of being protected from or unlikely to cause danger, risk, or injury.” Security comes from the Latin securitas or securus “free from care” while safety comes from salvitas or salvus meaning “safe.”

So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning “feeling safe”, while safety could be said to imply actually “being safe.” You can have an impressive but flawed security system making you feel safe when you’re really at serious risk, and you can terrorize yourself about hypothetical security vulnerabilities when in reality there may be few actual dangers. Typically however, safety and security are interchangeable.

Given all that, it’s too bad Gruber didn’t instead describe how completely bat-nuts Fisher’s predictably ignorant screed was, and why stereotyping 25 million Mac users as being a lockstep group of same-thinking automatons who comprise a giant strawman dubious of his own mortality is a tired way to begin one’s attempt to say something interesting about security in relation to Apple. Fischer presents himself as a security expert, so this isn’t some run of the mill CNET blogger giving the predictably sensationalized, anti-Apple click bait rant.

The Difference Between Security and Safety

Real World Security on Macs and Windows

The real discrepancy that needs to be pointed out between security on the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure in the Vista version of Windows that most Windows users don’t actually use, Mac users continue to both feel safer and to actually be safer in the sense of being “free from danger or threat,” whether that threat might relate to:

  • malicious data loss
  • machine downtime
  • ID theft and related fraud
  • the stealing of sensitive data
  • the nuisance of adware
  • lost PC resources used to serve a spambot network
  • lost PC resources used to run protection software.

There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of “hacker pride” that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s. Fischer’s capacity for speculating a scenario where Macs fall prey to virus attacks is not the same as Macs actually being at any risk of being attacked by viruses.

No amount of highly publicized security contests (where one of the half dozen men on earth who track Mac security vulnerabilities arrives and shuts down the contest with a prepared exploit that has no value outside of such a contest) changes that fact.

There are currently no viral threats on the Mac to worry about; the only malware anyone has yet reported for the Mac are ham-fisted efforts to trick users into manually authorizing software installations that do bad things. This short list of “malware” is simply not a real world risk to users, and certainly is not even close to being anything like the problems that plague Windows, no matter how much sensationalistic emphasis the tech press attempts to frost over reality with.

Trying to equate things on the Mac and Windows behind words that lack much meaning is like trying to equate a hangnail with an ebola virus infection by calling both “health issues.”

InfoWorld Publishes False Report on Mac Security

Inventing a Problem for your Solution

Will the risks facing Mac users gradually change as the Mac installed base grows? Apparently that can’t happen fast enough for the anti-virus companies who want to sell Mac users unnecessary software. Their pundits love to equate low risk, self-injury actions that are unlikely but possible on a Mac (and impossible to stop with security software) with high risk, difficult to escape from events that are routine on Windows and can be addressed by their lucrative security software subscriptions. This is straight up misinformation mixed with fear, uncertainty and doubt to defraud the public.

For example, nearly everyone is claiming that:

  • Downloading iLife warez that pretend to be stolen software
  • from a non-trusted source
  • assigning it privileges to install on your system
  • and then finding that you have installed a background process that does something ugly, which that you can trivially remove

is the same as:

  • Trying to use Windows to browse the web and use email
  • finding that you’ve been automatically infected with adware and viral malware without knowing it
  • then finding that your PC is also self replicating attacks or sending spam on to other systems
  • then realizing that Microsoft’s design of the Windows Registry makes it difficult to clean malware out
  • then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
  • then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to “diagnose” that your PC is hosed.

They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you’re paying attention, you’ll notice that those who keep suggesting this almost always work for an anti-virus company working to make money off of Mac users. This shouldn’t require any help in dot connection.

Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller

Fischer Price

How exactly Fischer benefits from regurgitating a bunch of tired misinformation about Mac security I don’t know, so I’ll assume there was more incompetence than malice involved. From his first paragraph, he insists that the idea of there not being virus attacks on the Mac is “demonstrably false” by linking to his site’s own paraphrasing of a ZDNet report, which left out the original article’s statement that the discovery in question “is not currently spreading in the wild.” Fischer also saw no reason to cite the article’s hype deflating paragraph, which stated:

Excluding such notable OS X pieces of malware such as last year’s ARDAgent-based trojan exploiting a local root escalation vulnerability in Mac OS X 10.4 and 10.5, the rest of the newly discovered OS X malware continues relying on social engineering tactics (fake codecs such as CodecUpdate.v1.18.dmg; License.v.3.411.dmg etc.) in order to spread.

Fischer’s conclusion that Macs are somehow now under virus attacks (just not in the wild, and only if they install prototype trojans and activate Apple Remote Desktop first) is just plan irresponsible.

Fischer then suggests that the plague of Windows Powered spambot networks was some ancient problem related to Outlook, which he only seems to concede may have inconvenienced someone in a former life in another universe. “But the game now is about owning the machine itself,” Fischer claims, entirely without bothering to explain why, or without recognizing the difference between different types of attack and different targets.

One might as well say that car break-ins used to be a problem, but now everyone steals money by setting up a Ponzi Scheme, because that’s what you hear around in the newspapers lately. In other words, don’t worry about your car being stolen, but be terrified about investing money, because that’s far more dangerous apparently, at least when pundits are making up harebrained logical fallacies.

Ask Enderle!

Oh but it gets worse. “This has led to the inevitable debate over which new OS will be more secure, Snow Leopard or Windows 7,” Fischer insists. He then hauls out “analyst Rob Enderle” who according to Fischer, unsurprisingly, “puts his money on Windows 7.”

I wonder if that’s because Enderle a paid shill who will put his money anywhere you pay him to put it? Enderle is the same guy who read my article explaining why Windows 7 was headed toward the same fate as the Zune for similarly copying Apple’s strategy despite lacking Apple’s circumstances and position, and cited it to mean that Apple was helping to make Windows 7 better.

Enderle has been triumphantly discovering and lauding golden kernels of corn in Microsoft’s poop for years. And while he can spin anything in Microsoft’s favor in his frequent blog postings, he can’t actually manage to do anything to affect reality. His incessant demonizing of the iPhone ended up flaccid and impotent, and his efforts to advise Dell on how to deliver a killer new Windows Mobile smartphone in reaction were so ineffectual that the carriers ultimately told Dell to come back when they had a product that wasn’t boring.

For Windows Enthusiasts who can’t fathom Apple being successful and Microsoft failing, the only way to interpret the last decade is to insist that up is the new down and that success isn’t owning the future, but having monopolized the past. Let it go, folks.

Why Windows 7 is Microsoft’s next Zune

The Big Lie

Fischer then claimed that the reason why the dramatic expansion of Mac adoption over the last few years hasn’t had any impact on new Mac malware was only because “Windows dominates in the enterprise, which is where the most valuable data is. Ergo, that’s where the attackers go.” Oh really? Then why are “attackers” causing such a mess for home Windows users?

I’ve done a lot of antivirus and malware cleanup for a lot of computer users, and I’ve never encountered a PC that wasn’t chuck full of adware junk, but have never seen a Mac that had any significant infection from malware. It’s a pretty big lie to suggest that the plague of consumer malware which caused Microsoft to spend the first half of the decade working on patches to XP and spending much of its resources to develop a security infrastructure in Vista… simply didn’t happen.

The other reality is that, of the billion people who currently use Windows, only a minority actually use the patched and fixed editions Microsoft has recently released (which themselves are still not immune to viruses in the way these pundits like to suggest). The next article will look at what Microsoft is doing about that in its attempts to get people to adopt Vista under its new name: Windows 7.

Security is a complex topic

There are few useful generalizations to be made on the topic of security. Pundits, please stop saying that Mac users are all self-assured that their platform is “invulnerable” to viruses. Everyone I’ve talked to is aware that the Mac is a safer platform because there’s simply fewer existing problems and fewer reasons for anyone to want to introduce them.

There’s also far fewer old Macs sitting around which are connected to the network but without Software Update turned on, while the Windows platform is full of such dead wood fueling the viral forrest fires: all the old legacy Windows PC systems sitting around running cash registers or browsing the web in a cafe where nobody knows how to properly secure it.

I’ve earlier pointed out how Microsoft has itself participated and encouraged the adware/spyware business because it thought it could make money at it. The company also willingly attracts the kind of cheapskate consumers who are most likely to respond to the sorts of pandering adware offers that fuel viral malware. None of these problems are shared by Apple, meaning it’s not a safe assumption that the Mac’s success is fated to inherit Windows’ security crisis.

The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown

News media, please do your jobs.

In view of all of this, the most shocking and disappointing thing that can be observed about this mess is how the media is lapping up the near denial that Microsoft bears any guilt in regard to today’s multi billion dollar PC security crisis, that it should only be commended for taking some recent stabs at polishing up its tarnished security record, and yet how much attention goes into covering the wagging finger of “security experts” who chastise Apple for not doing enough to keep the Mac free from imagined threats that could theoretically exploit known vulnerabilities.

This seems creepily too much like the media’s approach to torture, where Dick Cheney is given a free pass for approving it, and yet somehow Nancy Pelosi as a legislator is vilified for not doing more than the executive branch to stop it, after being informed via classified reports she could not legally have taken public.

  • enzos

    I recently had a scare with that monumental slug, MS Office 2008. ‘Upgraded’ from 2004 because of some problems I’ve been having with .docx files.. but then discovered that I couldn’t copy-paste-edit Chemdraw graphics embedded in PP and Word files opened in 2008 documents. Turned out the graphics were still editable (even after saving in 2008) but only by opening them in Pages / Keynote or newly reinstalled 2004.

    Should have known MS would be advancing steadily backwards. Pre OLE, in Word 95, the graphics double-click-opened in a little Chemdraw (or whatever) window and got updated in place upon closing the little window.. EGO for Word worked great. Even Endnote was good then, small, snappy and nice to use actually (now it’s slow and buggy, does a hundred things I don’t need in referencing software, and looks as butt-ugly as most other peecee progams).

  • GwMac

    Arguing over the semantics of safety vs. security really doesn’t enlighten the discussion. I would be far more interested in comparing specific key technologies that are used in Leopard/SL vs Vista/Win7. The latest Java flaw that is over six months old and Apple has still not issued a patch for does not reassure me. Apple always seems to be way behind on Java updates, sometimes over a year behind in releasing updates.

    Two important technologies that I believe Windows offers that OS X still lacks is GS Stack Protection for buffer overflow protection. The other is Vista has new defenses for a broad variety of memory manipulation attacks ranging from memory corruption errors to heap overflows. Named Address Space Layout Randomization (ASLR), the goal is to “shuffle” the address space deck so that common footholds are nearly impossible for attackers to find.

    As far as I know Snow Leopard will still not give us any better defense for buffer overflows or randomizing memory space. One thing is for sure though, Apple cannot rest on it’s laurels. A few well publicized attacks of fortress Apple would seriously tarnish the brand considerably. I hope that Snow Leopard will ensure that Macs continue to be both safe and secure.

  • http://www.geoffrobinson.net geoffrobinson

    The Bush administration kept Congress within the loop about a whole host of matters.

    Now, when it is politically advantageous, Pelosi & co. claim to be shocked that gambling is going on at Rick’s cafe.

    It’s sad. Plus, Eric Holder, Obama’s own attorney general, undermined the case that waterboarding is legally torture. Haven’t heard that about Holder? Probably not.

  • Joe Sa

    The Bush administration kept Congress within the loop about a whole host of matters.

    no on really knows for sure, yet but you & Fox news do!

    “Now, when it is politically advantageous, Pelosi & co. claim to be shocked that gambling is going on at Rick’s cafe.”

    If they did…how does that take away from the fact that the Bush administration broke the law? People like you seem to deal in trying to blow smoke. “Pelosi & company” did not make policy under the Bush administration.

    “It’s sad. Plus, Eric Holder, Obama’s own attorney general, undermined the case that waterboarding is legally torture. Haven’t heard that about Holder? Probably not.”

    Could you elaborate, please? Maybe you should get your news from more than one source that seems to have a problem with fact checking.




  • snookie

    I really didn’t get Grubers comment just based on the quoted parts of the article on Daring Fireball and I got it even less after reading the article. If this guy is a security expert I’m the Queen of England. His blog posting was sophomoric at best. He got slammed in the comments by me and others especially for quoting that clown Enderle. His attempts to defend himself in the comments section made him sound even more desperate, uninformed and anti-apple. I’ll never understand this insecurity and hatred of Apple. If you are willing to settle for Microsoft and cheap plasticky garbage computers with the cheapest components out of china this week then be happy with what you have. Great article as always Dan.

  • enzos

    snookie.. re. Apple bashing, a term from down my way –

    Tall Poppy Syndrome (TPS) is a pejorative term used in Australia, New Zealand and Canada to describe what is seen as a populist, levelling social attitude. Someone is said to be a target of tall poppy syndrome when his or her assumption of a higher economic, social, or political position is criticised as being presumptuous, attention seeking, or without merit. Alternatively, it is seen as a societal phenomenon in which people of genuine merit are criticised or resented because their talents or achievements elevate them above or distinguish them from their peers.

  • http://caixaalta72pt.wordpress.com João Gomes

    @GwMac: “The other is Vista has new defenses for a broad variety of memory manipulation attacks ranging from memory corruption errors to heap overflows. Named Address Space Layout Randomization (ASLR), the goal is to “shuffle” the address space deck so that common footholds are nearly impossible for attackers to find.”

    I remember reading an article on AppleInsider about Snow Leopard which focused precisely on the addition of ASLR to OS X:


    Also, a quick google search reveals that OS X 10.5 already has some form of protection in that front, too.


  • http://macsmarticles.blogspot.com Derek Currie

    Part of the general idea of propaganda, of which anti-Mac security FUD is an example, is to repeat one’s double-speak nonsense over and over and over such that, having heard it often enough, people begin to believe it is true. And sadly, we humans are capable of believing just about anything to be true.

    The anti-Mac security FUD also bolsters the WinDroids (robotic followers of Big Brother Bill who drink the kool-aid without question) into believing their bad OS decision is a good OS decision, their bad hardware decision is a good OS decision, that a cheap Windows PC is more valuable than a more expensive Mac. Drink up me hearties, yo ho! The poison does its job and the nifty rhetorical lies make it all seem just fine.

    Meanwhile in reality: There are no viruses for Mac OS X, no worms, no illegal spyware. There are only the 11 Trojan horses, which by definition require user error in order to infect a Mac. There is also no such thing as ‘security by obscurity’ on the Mac. You don’t compare 11 Trojans to over 200,000 malware for Windows and conclude this is because the Mac is obscure, at over 5% of the market, not unless you are deranged.

    And no, I’ve never read or heard Mac users going around saying that Mac OS X is invulnerable, being snotty or arrogant about anything, or picking on Windows PC users unless they’ve been picked on first. It’s amusing how anyone can say anything with whole hearted conviction and yet it is utter rubbish.

    If you’d like to keep track of actual, factual, real Mac OS X security, I attempt to do so over at my Mac-Security blog on Blogger:


  • javierbds

    First message, been reading you for a couple of years: you should collect your essays in a book!

    I can’t help but feel that finding that your OS is a pain to secure is like finding your partner is cheating you … People deny it, devote time to self-healing, they may even tell friends their partners will do the same. Some will say things like “all [gender] are bitches” …

    I had to leave my old OS many years ago when I found it bugged me by requiring constant attention … Life goes on, and OS X suits my needs (and taste).

  • http://www.geoffrobinson.net geoffrobinson

    “Could you elaborate, please? Maybe you should get your news from more than one source that seems to have a problem with fact checking.”

    I’m glad you are trying to be cute. Now, because you are trying to be snide I’m going to make you look foolish by elaborating:


  • http://macsmarticles.blogspot.com Derek Currie

    Off Topic. <–This is how one designates comments that have nothing to do with the subject, which in this case is Macs.

    Why is water-boarding being defended here? Why is the linked National Review article being used in defense of water-boarding. This is ridiculous in all respects:

    “The CIA interrogators who questioned top al-Qaeda captives like Khalid Sheikh Mohammed and Abu Zubaydah intended no more harm to them than Navy instructors intended to their SEAL trainees.”


    Can we please keep inane subjects and comments for elsewhere on the net?

  • http://www.geoffrobinson.net geoffrobinson

    Water-boarding isn’t being defended. Liberal legal arguments were shown to be so much fluff.

    Maybe this is why putting random political comments in a tech article should be kept to a minimum.