Is OS X more secure than Windows?

As an information security consultancy, a PCI QSAC and a Cyber Essentials certification body, we often hear clients say “We use Apple Macs and we don’t need to be worried about malware because Macs are inherently more secure than Windows.”

The question for the day, then, is: “In today’s cyber landscape, is Mac OS X still more secure than Windows?”

Malware these days has been commoditised by attackers; the days of malware being a way of the authors to gain kudos has been replaced with commercial attackers trying to monetise the results of malware.

As part of this commercialisation of malware, authors look at the rewards to be gained and, with the increasing popularity of operating systems other than Windows, it has meant there are great rewards for developing malware that attacks these other operating systems. This has been seen with the rapid growth of malware for smartphone operating systems and the Internet of Things.

Increase in vulnerabilities

The Hacker News reported in Feb 2015  that an analysis of vulnerabilities in 2014 showed Apple OS X to have more reported vulnerabilities than Microsoft. This is not quite matched by a simple analysis that we conducted for vulnerabilities by vendor since 1999.

Analysis from the CVE Details online database.

Vulnerabilities are not the same as malware, of course, but the number of vulnerabilities does indicate the attack surface of an operating system. Vulnerabilities still need to be exploited by an attack agent, and there are many factors that affect the ability of the attack agent to do so successfully. Malware are exploits that use a vulnerability to create an incident that can result in a breach.

Mac OS X may be harder to exploit than Microsoft, but it is not immune. Mac users simply tend to think it is more immune than it really is. This can result in a Pollyanna culture where Mac users think they are more secure and less at risk than they are in reality; this is obviously bad for information security.

A lot of Mac users assert that there is less malware for their machines in the wild. In reality, the volume of malware for Linux is catching Windows up; Mac users are still less likely to be exposed to malware than a windows user, but it is not as low as Mac users like to think.

As a result of the belief that Mac is more secure, some Mac users don’t use anti-malware software as much. This actually means that, when there is an outbreak of malware, the impact is often higher than a malware campaign for Windows as the infection spreads more quickly and is often detected later than a Windows malware campaign.

In conclusion, while it is still very likely that a Mac user is at less risk than a Microsoft Windows user, they are being targeted in the current threat environment. Attackers are investing time and resources in finding vulnerabilities and developing malware to exploit those vulnerabilities. A Mac user needs to protect their machines by using the operating system’s security features and third-party software such as AV – if they don’t, there is an increasing chance they will be affected, and could suffer an incident that causes tangible losses.