Mac vs. PC. (Images by Thinkstock/Apple/Microsoft, modified by Yahoo Tech)
Apple’s vaunted reputation for safety and security has taken some hits recently. Just this week came news of DYLD_PRINT_TO_FILE
— a bug in Apple’s OS X operating system that has allowed a malicious
program to take complete control of Macs. Apple has known of the flaw
for a few weeks but hasn’t gotten out a patch yet. Then there were
reports of a vulnerability in the Mac’s firmware that could allow infections to pass among Macs via Thunderbolt accessories.
This
isn’t to pick on Apple too much. Microsoft Windows has obviously
suffered from regular security flaws over the years. But Apple is the
one that’s historically claimed to have the safer, more secure platform.
Is that claim true?
Before
you compare OS X and Windows, you have to remember that security is
about more than just the operating system: The biggest threats can run
on both platforms. Just last month, for example, researchers learned of a
big flaw in Adobe Flash that would allow an infection from a website to take complete control of any computer, Windows or Mac.
So
we decided to take a look at the big picture, comparing Windows and OS X
on overall hackability. Overall, Apple OS X is still a bit more secure
than Microsoft Windows, but the gap keeps narrowing. Ultimately, the
safest operating system is the one run by an informed user who knows how
to keep it up to date, knows what to install, and knows what to remove.
Both PCs and Macs have plenty of security bugs
When
it comes to security flaws, Windows and OS X are now about tied, says
Morey Haber, VP of technology at corporate security software maker
BeyondTrust. Combing through security alerts and updates, Haber
calculated that for 2014, Windows had 142 vulnerabilities while OS X had
147.
But
operating system vulnerabilities accounted for only 13 percent of all
reported computer security issues in 2014, according to Haber; software
that runs on both systems accounted for 80 percent. “Most hackers aren’t
even targeting the operating system anymore,” says Haber. They go after
software like Adobe Flash, a platform for Web-based videos and games
(more about Flash later).
Macs make up less than 10 percent of today’s computer market. (Apple)
Macs’
biggest security asset is basic economics. “I’ll stick on my Mac over
my Windows box, and the simple reason is statistics,” said Haber.
“Hackers are targeting Windows because there are more devices out
there.”
The winner here: OS X
Macs are a scoche safer simply because they are less likely to be targeted in cyberattacks.
Macs are a scoche safer simply because they are less likely to be targeted in cyberattacks.
Web browsers and plugins are the main targets
Your
Web browser is not only the front door to all the charms of the
Internet, it’s also a backdoor for attackers. A particularly nasty
attack method is called a drive-by download: Simply visiting a website
running malicious code can infect your computer. “I’ve seen upwards of
50 different exploits in the one link,” says Chase Cunningham, threat
intelligence lead at security firm FireHost. “It just tries everything
it can.” But it gets worse. You can get infected by visiting a perfectly
legit site with booby-trapped animated ads that slip into the automated
networks that place ads on Web pages.
In
2014, Internet Explorer was found to have 220 vulnerabilities rated as
“high,” Chrome had 86, and Firefox had 57, according to Haber. He can’t
get an exact count of flaws in the Apple Safari browser, says Haber,
because Apple generally doesn’t provide detailed descriptions of
vulnerabilities and fixes, as other software makers do.
“Agree and install now” at your own risk. (BBC)
Other
major dangers are the powerful plugin programs that extend the
functions of the browser. In 2014, 65 security vulnerabilities were
discovered in Adobe Flash; Oracle’s Java plugin had 50. Many attacks are
on older versions of plugins because they generally don’t update
automatically or prod users as aggressively to install new versions.
“All
of the operating system [and] the browser vendors realize that plugins
are problematic,” said Haber. “[They] are a bad user experience, and
[companies] are turning them off.”
OS
X has been more active in choking off the “vulnerable plugin” problem.
Apple stopped installing Flash on its computers in 2010 (although Mac
owners can manually install it). You can often get by without Flash, as
many sites are replacing it with alternatives built into the HTML 5 Web
programming standard. Amazon Instant Video, Netflix, YouTube and Vimeo,
for instance, have already switched over or are switching over.
Java
can be installed both as a standalone app and as a browser plugin.
Apple stopped preinstalling Java with OS X Lion (10.7) back in 2011. In
2012, it issued an update that removed the Java plugin from all
installed Web browsers. (Mac owners can install Java on their own.) Java
has been falling out of favor for years. “I don’t have it enabled in
any of my browsers,” said Guillaume Ross, senior consultant at security
company Rapid7. “I’m trying to remember the last time I needed Java.”
Microsoft
has removed plugins from its successor to Internet Explorer, called
Microsoft Edge, which comes with Windows 10. (Though a future version of
Edge will bring back some kind of plugin compatibility, Microsoft has said.)
Vulnerable
software like Flash running on both operating systems provides an entry
point for an attack, but from there it still has to be crafted for the
specific operating system. So once again, Windows’s greater popularity
makes it a more appealing target.
The winner here: OS X
Both Apple and Microsoft are pulling out browser vulnerabilities, but Apple has been working on it longer.
Both Apple and Microsoft are pulling out browser vulnerabilities, but Apple has been working on it longer.
Third-party programs put you at risk
Other
programs are less likely targets for hackers, but they may have
security flaws. “Any application that you install will increase your
attack surface,” said Ross.
Apple
and Microsoft have responded by creating app stores. Not only have they
evaluated the apps to insure that they are genuine, but they also
require security measures called “sandboxing,” which limit a program’s
access to the operating system and other applications. Versions of the
same program offered as a download — from, say, the vendor’s website —
may not have sandboxing measures, however. “I would definitely pick the
app store application when there are two,” said Ross.
Apple, by default, keeps your computer safe from apps of unrecognized origins. (Screenshot by Yahoo Tech)
If
a program isn’t in an app store, the next line of defense is to check
if it’s digitally signed by the software maker. By default, OS X allows
only apps from the App Store or those that have been signed by known
software makers.
The winner here: OS X
Apple’s automated security for programs protects users better.
Apple’s automated security for programs protects users better.
How to make both operating systems safer
Apple’s
security edge is based largely on what the operating system does by
default. But you can do a lot to make either system much safer.
Apply OS updates
Install
those updates your computer keeps nagging you about, or enable auto
updates. Microsoft currently provides security updates for Windows
Vista, 7, 8/8.1 and 10 (there is no Windows 9). Apple tends to support
the latest two or three versions of OS X. Right now, that’s 10.8
Mountain Lion, 10.9 Mavericks and 10.10 Yosemite.
Remove plugins
As earlier explained, Flash has been on the wane for years. Whether you have a Mac or Windows computer, you can easily flush it from your system or keep it disabled until you need it.
Flash: Only enable it when you absolutely need to. (Screenshot by Yahoo Tech)
Java is of even less use nowadays. Oracle offers instructions for uninstalling Java from Windows computers and more-technical instructions for removing Java from a Mac.
Use app stores or check that downloads are genuine
Get
programs from the app stores in Windows and OS X whenever you can. If a
program isn’t in the app store, make sure it’s genuine by going to the
vendor’s own website instead of some generic download site (or pirate
site).
Viewing a program’s digital signature in Windows. (Screenshot by Yahoo Tech)
In
Windows, check the digital signature: Right-click the program installer
you have downloaded and click Properties to see if the name on the
signature is the same as the maker of the software. On a Mac, go to the
Security and Privacy preferences; under “Allow apps downloaded from:”
click the button labeled “Mac App Store and identified developers.”
Use security software as a safety net
If
you do download a bogus app, encounter a website that exploits a Flash
or Java vulnerability, or forget to update your OS, security software
acts as a safety net. This is a competitive product category, so most
packages do a good job, and many are free for personal use. For an
in-depth comparison, check the latest rankings on AV-Test.org.
The
overall takeaway is this: All computers can be hacked. Apple, by
shedding default plugins and blocking automatic installation of unsigned
third-party apps on Macs, has traditionally made it easier for average
folks to keep themselves safe. But on the flip side, Windows, running on
almost 90 percent of all computers operating today, has always been a
juicier target for virus and malware makers. Most attacks now work
equally well on both operating systems. So staying safe isn’t so much a
matter of what computer you buy, but rather how well you understand and
avoid the security pitfalls on it.
Sean Captain is a freelance tech and science writer based in New York City. Follow him on twitter @seancaptain or send tips to seantech@seancaptain.com.
0 comments:
Post a Comment