Windows: More Secure Than Mac OS X?

Canada’s security conference, CanSecWest, starts this week. Word on ‘net from security expert Charlie Miller is that he’ll be exposing serious Apple Mac OS X security flaws at the conference . Should Mac fans be nervous? Well, maybe. Here’s the scoop…

Charlie Miller — if you’re wondering what makes him so smart — is the first guy to find a critical bug in the MacBook Air and was able to exploit it in merely 2 minutes. He also won $5,000 for hacking Safari in with a less-than 10 second exploit. What’s more, he unearthed  a bug in the way the iPhone handles SMS messaging, which could be exploited for full control of the iPhone (including branching onto it for DDoS attacks.) Oh yeah, and he has a Ph.D. in mathematics from the University of Notre Dame.

At CanSecWest, he plans on exposing 20 zero-day exploits in Mac OS X. That means nobody knows about it, not even Apple. H-Online.com is reporting that he plans on being a nice guy, and only showing how he found the exploits, but not all the details of the vulnerability. But H-Online also has quoted Miller speaking about why these exploits exist:

“OS X has a large attack surface consisting of open source components (i.e. webkit, libz, etc), closed source 3rd party components (Flash), and closed source Apple components (Preview, mdnsresponder, etc). Bugs in any of these types of components can lead to remote compromise…”

So does Microsoft’s dig about open-source software being a security issue ring true here? Well, not exactly.

The way Miller uncovered these issues is by “fuzzing.” Fuzzing is a form of hacking which basically tries to ‘break’ the program by shoving the program’s “input channels” with malformed data. The objective is to finally get the program to crash from the volume of unusable data. But even when you get a program to crash, that doesn’t mean you’ve found a hole it; it means that you can now comb through the wreckage to see what may or may not be exploitable.

But Miller maintains and has noted that Apple systems are typically cracked first at competitions, but conceded that Apple users are “safer, but less secure.” Part of that is the old song-and-dance that virus writers don’t bother with the small chunk of Apple users, but Miller also offered an interesting analogy:

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town….[Apple’s position on security is relaxed] They sell lots of computers and nobody doesn’t buy Apple computers because of a perceived lack of security. So in their minds, [Apple doesn’t] have a security problem until it affects their bottom line, which hasn’t been the case, yet”

Sounds kind of harsh, but is that really Apple’s position on security? Just to lay back and be relaxed ’till the bottom line says otherwise? It’s only fair to note that you can get anti-virus software for the Mac if you’re feeling super-worried, but it should also be noted that any company in any position with zero-day exploits about to be revealed can’t do anything about them, because of the simple point that they’re unknown yet. But a smart company will pay attention and fix them.

Then again, ignorance shouldn’t be an excuse for a big company like Apple. And for a company that touts their software as the end-all be-all perfect solution for all your needs, there certainly shouldn’t’ be so many  bugs…

But maybe that’s something Apple should flaunt a bit more — their security team. We know they release security updates, but we don’t really hear much about Apple in terms of how they secure their OS. With Mac OS X 10.6.3 on the horizon, it’ll be interesting to see what patches come out of Cupertino this week, if any at all.

Sign up for The VAR Guy’s Newsletter; Webcasts and Resource Center; and via RSS; Facebook; Identi.ca; Twitter and VARtweet.