The Mac Observer

Pwn2Own Winner: ‘Mac OS X is Less Secure Than Windows’

News
11:10 AM, Mar. 27th ET, 2009
TMO Talk (29)
Articles by Author Brad Cook on Twitter Contact Author
Comments (19)

Charlie Miller's Safari web browser exploit, which won him a new Mac laptop at last week's Pwn2Own competition, once again ignited the discussion about Mac OS X security. In an interview with the Baltimore Sun, Mr. Miller, who uses a MacBook on a daily basis and who used to work at the National Security Agency, said: "Any security expert knows that Mac OS X is less secure than Windows."

He continued: "The question is which is SAFER. Because Mac OS X is still relatively rare, it is actually a little safer. But it has nothing to do with it being more secure, but rather, that bad guys are entirely focused on Windows at the moment due to the overwhelming market share Windows has. At this time, I still don't recommend anti-virus for Mac OS X users, because there simply isn't much malware for that platform. However, if Mac OS X market share ever goes up, there will be a landslide of exploits and malware."

When asked if Mac users should be worried, he responded: "They should definitely be a little worried." However, there's a perception among many computer users that Mac OS X is inherently secure while Windows isn't, which Mr. Miller said is wrong: "Everything you could do on a Windows machine: turn it into a 'bot,' send spam, perform DDOS [distributed denial of service], etc. can be done from a compromised Mac.

"I have been talking about this issue for a while because I don't want it to come to some large worm or other security issue to force Apple into action,although I'm afraid that is what it will probably take. I want to see Apple become more secure. Until the bottom line is affected, I don't see major changes coming from them. Ironically, Microsoft spends a ton on security, is more secure, but is perceived as less secure!"

Mr. Miller also delved into the reasons why he thinks OS X is less secure, which he said boil down to "two technologies that Windows has that Mac OS X lacks, specifically, are Address Space Layout Randomization (ASLR) and a non-executable heap. These two things make it very hard to write exploits (the code that gains control of your computer) in Windows." He noted that the iPhone has a non-executable heap, which is part of the reason why the smartphone wasn't cracked during last week's competition, and he said that he "heard a rumor that Snow Leopard [Mac OS X version 10.6] will have ASLR."

 

Post A Comment or Log-in. Need an account? Register here.

19 Observer Comments

Actually, OS X DOES have ASLR, however as it is currently implemented it is evidently rather easy to get around. Snow Leopard may well fix this.

Saying that OS X is less secure than “Windows” is quite misleading. Vista might have a better implementation of ASLR and other features, but previous versions do not. The extreme reluctance of the general populace to “upgrade” to Vista means that there are a lot of Windows machines without those Vista features to exploit.

I suspect that Snow Leopard will have a much more enthusiastic install base than Vista did, which means that Apple’s security stance would be much more proactive than reactive, adding security BEFORE it is actively exploited rather than after-the-fact, still making it the SAFER platform to use no matter how you slice it.

with OS X being such a high profile target, you’d think that if widespread viruses and malware were so easy, we’d see them by now.

the Pwn2Own results always seem a little contrived..

   Actions DanielDecker said on March 27th, 2009 at 10:58 AM (Edited: 03/27/2009 1:30 PM):

Your headline is somewhat disingenuous and sensational.

The broader impact of the interview is that while less secure, OS X is still inherently SAFER to use. Being “The Mac Observer” why not play your headline around that angle? Exactly, not as disingenuous or sensational.

Pretty pathetic play to get hits, plus I read this somewhere else yesterday. Surprisingly, that source managed to work the bit about being safer into their headline.

I love “The Mac Observer”, but this comes across as a little yellow.

Really you are going to put MacObserver out on front street about that headline?

Funny, because I almost didn’t click on the article because of the headline.

But it looks like we both click & read the article. So the headline must of worked.

   Actions DanielDecker said on March 27th, 2009 at 11:36 AM (Edited: 03/27/2009 1:30 PM):

@fultonkbd I’m only calling them out because, really, does Mac centric tech journalism need sensational headlines?

And my source for the less sensational headline I read yesterday, Appleinsider. A rumor site being less sensational than a news site.

The use of this headline is just less than I expect from TMO. As a consumer of their product, it is my duty to call them out when the product does not meet my expectations or behaves differently than what is expect.

I clicked the link to read the TMO take on the story. I pretty well knew what it was going to say.

   Actions Lee Dronick said on March 27th, 2009 at 11:36 AM (Edited: 10/18/2011 6:20 PM):

We have someone who worked for the NSA saying that OSX is less secure than Windows yet he uses OSX as his primary computer.

@DanielDecker - What this says to me is that TMO has a better headline writer than does Appleinsider.

A headline should grab you and make you want to read the article. That’s exactly what it does. As a Mac based organization, TMO understands that it’s audience would be appalled to learn that our precious Macs are actually less secure than the other guy. So this headline makes us what to know more!

If the headline said “Macs are safer than Windows” then as a diehard Mac fan, I would say “sure, I know that. Nothing to read there. Moving on…”

But in fact the article is entirely interesting. Neither statement 1) “Macs are less secure” and 2) “Macs are safer” tell the entire story. If they did, then we wouldn’t need an article.

It’s a good headline that gets me to click. If the headline is misleading, then I might feel a little bit cheated, but it wasn’t misleading, it just wasn’t the whole story; and I learned something in the article. There was a payoff.

Don’t forget that TMO relies of me clicking so that I’ll see their Ads. I get that. So they need to market a little with their headlines. Now if they go overboard, like “Jobs an alien, proof inside” then I’ll probably not continue to read.

But of course, if you believe that “Pwn2Own Winner: Mac OS X Less Secure Than Windows” is too sensationalist for you, then by all means, stop reading TMO. In my opinion, you’re asking too much.

@Sir Harry Flashman - Excellent summation! Maybe the headline should read “Pwn2Own Winner: OS X Safer And Less Secure Than Windows But Still My Fav”

Yes, ctopher, I was going for the “man bites dog” angle, in light of the fact that this is a Mac-centric readership. And, yes, it’s always amusing when people accuse online journalists of “just wanting clicks” when in fact, yes, it’s pretty clear we need clicks the same way TV news needs viewers and radio news needs listeners.

   Actions Lee Dronick said on March 27th, 2009 at 12:47 PM (Edited: 10/18/2011 6:20 PM):

it’s pretty clear we need clicks the same way TV news needs viewers and radio news needs listeners.

We must remember that the MacObserver is a business as is Charlie Miller who needs to sell his product.

I still can’t get over that someone who worked for the NSA is using what he claims is the least secure OS. It is like a locksmith telling us that Acme deadbolts are the most secure we can buy, but on his home front door he uses Brand X that can be defeated by jiggling it.

Well, Charlie’s point is that OS X is more secure because of security through obscurity.  So it’s like that locksmith saying, go ahead, use Brand X, like I do, because we both live in really remote areas that criminals don’t pay attention to. He’s telling people they can play the odds.

:“These two things make it very hard to write exploits…in Windows.”

Yes, very hard. That must explain why there’s well over 100,000 exploits for Windows, right?

I still don’t believe the security through obscurity angle considering that all the security professionals/hackers want fame and glory by breaking into MacOS and getting interviews in newspapers and TV precisely for breaking into a Mac. If it is so easy, they’d all be doing it and getting their name out there—which would in turn make it less of a reason to hack since they wouldn’t get famous.

Also, people running spambots and such on zombie machines could just as well attack Macs and get extra coverage since the zombies could broadcast to other Window machines, too, and get right back into that gigantic Windows pie. At least, they could just as well do it if it was so easy.

Will it happen? Yeah, unfortunately it will some day. But saying so as a security professional in a magazine is like me standing outside some giant building and proclaiming that it will fall. Yes, it will, some day.

@DanielDecker ... Yeah I got what you are saying. You thought the headline was overly sensational.

I think the headline was rather un-sensational.

And it looks like some other readers were somewhere in between.

Ultimately, it looks like headline did its job. It got a few people to click to read more. (and make comments)

smile

   Actions DanielDecker said on March 27th, 2009 at 2:51 PM (Edited: 03/27/2009 6:34 PM):

@ctopher I think you got my tone wrong, chief. I have been coming here everyday for YEARS, like 9. Everyday. I understand the need to make money, and I wasn’t begrudging anyone a means to make a living. I was just speaking out about a minor dissatisfaction. So, you know, chill out.

Being a security professional, my opinion is Charlie is full of it and has a hidden agenda (I just don’t know what it is).  So if Macs are so insecure, why are so many seriously smart security folks, like from the NSA, FBI, and others, using Macs at conventions like Black Hat?  Walk around DefCon and see what the pros are using.  Not Windows.  Cracking windows is not hard, not at all, as is evident by all the successful attacks.

   Actions Lee Dronick said on March 27th, 2009 at 7:56 PM (Edited: 10/18/2011 6:20 PM):

Being a security professional, my opinion is Charlie is full of it and has a hidden agenda (I just don’t know what it is). 

He told us his agenda; “it’s worth money” or words to that effect.

   Actions zewazir said on March 30th, 2009 at 10:28 AM (Edited: 11/20/2009 6:02 PM):

Okay, if OS X is so much easier to crack than Windows, why is it people can win a computer for finding a successful OS X exploit?

AFAIK, there are no contests to see if people can crack Windows….they just do it.

Okay, if OS X is so much easier to crack than Windows, why is it people can win a computer for finding a successful OS X exploit?

AFAIK, there are no contests to see if people can crack Windows….they just do it.

RTFA? Pwn2Own is a competition, Mac vs Linux vs Windows. First person to break into any of the machines, gets the $10,000 and a laptop.  Why did they go for the OSX machine (and get in in 2 minutes) if the Windows machine is so much easier to crack?

Why did they go for the OSX machine (and get in in 2 minutes) if the Windows machine is so much easier to crack?

To be fair, “get in in 2 minutes” is misleading.  Yes, he executed the exploit in 2 minutes.  But he spent a lot of time (how much? I don’t think he’s said) before the event digging around OS X and finding a weakness to exploit.

A lot of people are making this sound like he sat down at the computer and found an exploit in 2 minutes, which is not the case at all.

And, yes, that applies to all of the operating systems and browsers involved in the competition.

Post A Comment or Log-in. Need an account? Register here.
 

Recent Headlines - Updated February 4th

Fri, 7:27 PM
Product News - Apple Addresses iBooks Textbook Issues with App Update
7:08 PM
News - Apple Rolls Out Updated Snow Leopard Security Fix
5:39 PM
Particle Debris - If Only Selling High Tech Were Easy
5:30 PM
Free on iTunes - 3 Free Panorama Apps for iPhone
5:23 PM
News - Tim Cook Touts Apple Charity in Employee Meeting
4:26 PM
News - Apple Clarifies iBooks Author EULA, Excludes Claim on Content
3:43 PM
Apple Stock Watch - Analyst: Apple Comfy With High End Smartphones & Other Notes
2:10 PM
Quick Look Review - AirPort Utility 6 for Lion is for Beginners
1:32 PM
Deal Brothers - 15” MacBook Pro 2.2GHz Quad-Core Intel i7:  $1,699
10:55 AM
News - Germany Overturns Injunction, Apple Resumes iPhone Sales
10:25 AM
Hot Forum Topic - Reader Discussion: Apple, iPhones & NFC
9:47 AM
News - German Court Gives Motorola iCloud Injunction
 

The Mac Observer Reader Specials

  • TypeStyler 11 is now in the Mac App Store!! -- Special Introductory Price of $59.95!! -- To Buy From The Mac App Store Click Here Now!! Or buy direct from Strider Software.
  • Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
  • Poker Mac If you're using a Mac, then you've gotta check out Online Poker Mac. This mac poker and online casino mac site actually does the unthinkable, it actually rewards!

Apple Stock Quote (AAPL)

Loading...

Hot Topics

What's the buzz? These articles have TMO readers talking.

TMO Express

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday. Find out more!

Top Deals From DealBrothers.com

Recent Features

Get the latest installments of TMO Columns, Podcasts, & Blogs.

Support The Mac Observer

We noticed you may be running AdBlock on your computer. It takes real money to run this site and to deliver the news, tips, and opinions you love to read.

If you wish to block the ads that pay for the creation of our content, we ask that you instead support TMO Directly, either with a $5 monthly recurring contribution, or a one-time donation of any amount of your choice. Thanks!

Subscribe with Paypal Donate with Paypal