C|Net: Mac Security Not About the OS Anymore
2:10 PM EDT, April 9th, 2008
Security researchers have never identified any instance in the wild in which a Mac has been exploited from the Internet, according to C|Net on Wednesday. That's despite a recent incident in which a well-crafted Website was used to exploit a flaw in Safari. As a result, exploitation techniques have moved from attacking the OS directly to tricking the user.
Tom Krazit, at the RSA conference, took some time to characterize the state of PC security and surmised that it's no longer about which OS is more secure. It's more about economics and social engineering. Because the PC still has vastly dominant market share, the business case for attacking PCs remains favorable.
"Even if Apple moved to 10 percent market share, why spend the time on the 10 percent when you can just nail 90 percent with one bug?" Charlie Miller pointed out.
Mr. Miller took control of a MacBook Air at the CanSecWest conference's "Pwn to Own" contest, but it required a specialized exploit that a user would normally never come across. In the earlier part of the contest, when attacks were restricted to network attacks from the outside, the MacBook was immune.
As a result of this increase in OS security by all vendors, thieves are turning to more devious techniques that depend on tricking uninformed or naive users, especially those who have become accustomed to entering credit card numbers online.
The fastest way to make money on the Internet remains the infamous Nigerian 419 e-mail, Mr. Krazit reported. Given that, it isn't surprising that many PC users thought that the iTunes update in Windows offering them Safari was mandatory.
In the end, the OS battle to see who has the best security pales in comparison to the educational challenge for ordinary computer users who are spending more and more time on the Internet.