Pwn2Own Winner: ‘Mac OS X is Less Secure Than Windows’

| News

Charlie Miller's Safari web browser exploit, which won him a new Mac laptop at last week's Pwn2Own competition, once again ignited the discussion about Mac OS X security. In an interview with the Baltimore Sun, Mr. Miller, who uses a MacBook on a daily basis and who used to work at the National Security Agency, said: "Any security expert knows that Mac OS X is less secure than Windows."

He continued: "The question is which is SAFER. Because Mac OS X is still relatively rare, it is actually a little safer. But it has nothing to do with it being more secure, but rather, that bad guys are entirely focused on Windows at the moment due to the overwhelming market share Windows has. At this time, I still don't recommend anti-virus for Mac OS X users, because there simply isn't much malware for that platform. However, if Mac OS X market share ever goes up, there will be a landslide of exploits and malware."

When asked if Mac users should be worried, he responded: "They should definitely be a little worried." However, there's a perception among many computer users that Mac OS X is inherently secure while Windows isn't, which Mr. Miller said is wrong: "Everything you could do on a Windows machine: turn it into a 'bot,' send spam, perform DDOS [distributed denial of service], etc. can be done from a compromised Mac.

"I have been talking about this issue for a while because I don't want it to come to some large worm or other security issue to force Apple into action,although I'm afraid that is what it will probably take. I want to see Apple become more secure. Until the bottom line is affected, I don't see major changes coming from them. Ironically, Microsoft spends a ton on security, is more secure, but is perceived as less secure!"

Mr. Miller also delved into the reasons why he thinks OS X is less secure, which he said boil down to "two technologies that Windows has that Mac OS X lacks, specifically, are Address Space Layout Randomization (ASLR) and a non-executable heap. These two things make it very hard to write exploits (the code that gains control of your computer) in Windows." He noted that the iPhone has a non-executable heap, which is part of the reason why the smartphone wasn't cracked during last week's competition, and he said that he "heard a rumor that Snow Leopard [Mac OS X version 10.6] will have ASLR."

 

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

19 Comments Leave Your Own

mblaydoe

Actually, OS X DOES have ASLR, however as it is currently implemented it is evidently rather easy to get around. Snow Leopard may well fix this.

Saying that OS X is less secure than “Windows” is quite misleading. Vista might have a better implementation of ASLR and other features, but previous versions do not. The extreme reluctance of the general populace to “upgrade” to Vista means that there are a lot of Windows machines without those Vista features to exploit.

I suspect that Snow Leopard will have a much more enthusiastic install base than Vista did, which means that Apple’s security stance would be much more proactive than reactive, adding security BEFORE it is actively exploited rather than after-the-fact, still making it the SAFER platform to use no matter how you slice it.

burrito

with OS X being such a high profile target, you’d think that if widespread viruses and malware were so easy, we’d see them by now.

the Pwn2Own results always seem a little contrived..

DanielDecker

Your headline is somewhat disingenuous and sensational.

The broader impact of the interview is that while less secure, OS X is still inherently SAFER to use. Being “The Mac Observer” why not play your headline around that angle? Exactly, not as disingenuous or sensational.

Pretty pathetic play to get hits, plus I read this somewhere else yesterday. Surprisingly, that source managed to work the bit about being safer into their headline.

I love “The Mac Observer”, but this comes across as a little yellow.

fultonkbd

Really you are going to put MacObserver out on front street about that headline?

Funny, because I almost didn’t click on the article because of the headline.

But it looks like we both click & read the article. So the headline must of worked.

DanielDecker

@fultonkbd I’m only calling them out because, really, does Mac centric tech journalism need sensational headlines?

And my source for the less sensational headline I read yesterday, Appleinsider. A rumor site being less sensational than a news site.

The use of this headline is just less than I expect from TMO. As a consumer of their product, it is my duty to call them out when the product does not meet my expectations or behaves differently than what is expect.

I clicked the link to read the TMO take on the story. I pretty well knew what it was going to say.

Lee Dronick

We have someone who worked for the NSA saying that OSX is less secure than Windows yet he uses OSX as his primary computer.

ctopher

@DanielDecker - What this says to me is that TMO has a better headline writer than does Appleinsider.

A headline should grab you and make you want to read the article. That’s exactly what it does. As a Mac based organization, TMO understands that it’s audience would be appalled to learn that our precious Macs are actually less secure than the other guy. So this headline makes us what to know more!

If the headline said “Macs are safer than Windows” then as a diehard Mac fan, I would say “sure, I know that. Nothing to read there. Moving on…”

But in fact the article is entirely interesting. Neither statement 1) “Macs are less secure” and 2) “Macs are safer” tell the entire story. If they did, then we wouldn’t need an article.

It’s a good headline that gets me to click. If the headline is misleading, then I might feel a little bit cheated, but it wasn’t misleading, it just wasn’t the whole story; and I learned something in the article. There was a payoff.

Don’t forget that TMO relies of me clicking so that I’ll see their Ads. I get that. So they need to market a little with their headlines. Now if they go overboard, like “Jobs an alien, proof inside” then I’ll probably not continue to read.

But of course, if you believe that “Pwn2Own Winner: Mac OS X Less Secure Than Windows” is too sensationalist for you, then by all means, stop reading TMO. In my opinion, you’re asking too much.

@Sir Harry Flashman - Excellent summation! Maybe the headline should read “Pwn2Own Winner: OS X Safer And Less Secure Than Windows But Still My Fav”

Brad Cook

Yes, ctopher, I was going for the “man bites dog” angle, in light of the fact that this is a Mac-centric readership. And, yes, it’s always amusing when people accuse online journalists of “just wanting clicks” when in fact, yes, it’s pretty clear we need clicks the same way TV news needs viewers and radio news needs listeners.

Lee Dronick

it?s pretty clear we need clicks the same way TV news needs viewers and radio news needs listeners.

We must remember that the MacObserver is a business as is Charlie Miller who needs to sell his product.

I still can’t get over that someone who worked for the NSA is using what he claims is the least secure OS. It is like a locksmith telling us that Acme deadbolts are the most secure we can buy, but on his home front door he uses Brand X that can be defeated by jiggling it.

Brad Cook

Well, Charlie’s point is that OS X is more secure because of security through obscurity.  So it’s like that locksmith saying, go ahead, use Brand X, like I do, because we both live in really remote areas that criminals don’t pay attention to. He’s telling people they can play the odds.

deasys

:“These two things make it very hard to write exploits…in Windows.”

Yes, very hard. That must explain why there’s well over 100,000 exploits for Windows, right?

Dean Lewis

I still don’t believe the security through obscurity angle considering that all the security professionals/hackers want fame and glory by breaking into MacOS and getting interviews in newspapers and TV precisely for breaking into a Mac. If it is so easy, they’d all be doing it and getting their name out there—which would in turn make it less of a reason to hack since they wouldn’t get famous.

Also, people running spambots and such on zombie machines could just as well attack Macs and get extra coverage since the zombies could broadcast to other Window machines, too, and get right back into that gigantic Windows pie. At least, they could just as well do it if it was so easy.

Will it happen? Yeah, unfortunately it will some day. But saying so as a security professional in a magazine is like me standing outside some giant building and proclaiming that it will fall. Yes, it will, some day.

fultonkbd

@DanielDecker ... Yeah I got what you are saying. You thought the headline was overly sensational.

I think the headline was rather un-sensational.

And it looks like some other readers were somewhere in between.

Ultimately, it looks like headline did its job. It got a few people to click to read more. (and make comments)

smile

DanielDecker

@ctopher I think you got my tone wrong, chief. I have been coming here everyday for YEARS, like 9. Everyday. I understand the need to make money, and I wasn’t begrudging anyone a means to make a living. I was just speaking out about a minor dissatisfaction. So, you know, chill out.

Partsmutt

Being a security professional, my opinion is Charlie is full of it and has a hidden agenda (I just don’t know what it is).  So if Macs are so insecure, why are so many seriously smart security folks, like from the NSA, FBI, and others, using Macs at conventions like Black Hat?  Walk around DefCon and see what the pros are using.  Not Windows.  Cracking windows is not hard, not at all, as is evident by all the successful attacks.

Lee Dronick

Being a security professional, my opinion is Charlie is full of it and has a hidden agenda (I just don?t know what it is).?

He told us his agenda; “it’s worth money” or words to that effect.

zewazir

Okay, if OS X is so much easier to crack than Windows, why is it people can win a computer for finding a successful OS X exploit?

AFAIK, there are no contests to see if people can crack Windows….they just do it.

Prawn

Okay, if OS X is so much easier to crack than Windows, why is it people can win a computer for finding a successful OS X exploit?

AFAIK, there are no contests to see if people can crack Windows?.they just do it.

RTFA? Pwn2Own is a competition, Mac vs Linux vs Windows. First person to break into any of the machines, gets the $10,000 and a laptop.  Why did they go for the OSX machine (and get in in 2 minutes) if the Windows machine is so much easier to crack?

Brad Cook

Why did they go for the OSX machine (and get in in 2 minutes) if the Windows machine is so much easier to crack?

To be fair, “get in in 2 minutes” is misleading.  Yes, he executed the exploit in 2 minutes.  But he spent a lot of time (how much? I don’t think he’s said) before the event digging around OS X and finding a weakness to exploit.

A lot of people are making this sound like he sat down at the computer and found an exploit in 2 minutes, which is not the case at all.

And, yes, that applies to all of the operating systems and browsers involved in the competition.

Log-in to comment