A security expert revisits an earlier examination he made of the relative security of Mac Tiger and Windows XP.
Back in February 2007, I wrote
that, Im more secure on a Mac than I was on Windows XP. Much has changed since thenin particular, Vista and Leopard were released. Yet much hasnt changedIm still more secure on a Mac. Again, Ill explain my reasoning.
Again, however, Ill caveat my statements by saying that I didnt say that Leopard (that is, version 10.5 of Apples OS X) is more secure than Microsofts Vista. What I said was that Im more secure on a Mac, and I truly believe it.
Before I go and re-visit the list of issues that I believe are at the heart of my rationale, lets take a moment to explore some of the underlying major changes in the two systems versus their predecessors, Windows XP and OS X Tiger.
Probably the biggest single change in both systems is a fundamental shift in how they protect users and their data. Previously, the operating systems largely focused their security controls on the data/file entitiesfor example, a file might be readable to a group, but only read/writable to its owner. In Vista and Leopard, on the other hand, there are now security controls over user and application actionsfor example, one application might be allowed to open an outbound network data session, while another is additionally allowed to accept inbound network data sessions.
Whats more, even though both operating systems have relatively rich sets of user account controls for permissions and such, these new controls on user actions happen largely at a user level. In fact, both operating systems seem to me to be moving away from the old school model of having an administrator account for system administrative purposes and user account(s) for day-to-day system usage.
Indeed, ordinary users can, in most cases, install software on the system once they have confirmed to the system that they want to and that they know the administrative password to do so.
This really is a fundamental shift in the usability of both operating systems, and I suspect they did it to make things easier and still (hopefully) adequately secure.
Perhaps its just me, but Im not so convinced this is a step forward. Now, Ill be the first to admit that the old admin/user model wasnt functioning well in either operating system previously. But, Im also convinced that the general end-users have demonstrated historically that they arent very good at making this type of security decision.
Im reminded frequently of the old adage, give a user the choice between security and dancing pigs, and theyll go with dancing pigs every single time. Obviously, this adage is tongue in cheek, but the point hits pretty close to home.
Giving the end users the equivalent of discretionary administrative control is a recipe that is more likely to fail than succeed.
With that out of the way, lets revisit the list of issues from my XP vs. Tiger comparison.
Familiarity with security mechanisms. Previously, I said, One of the things that lured me over to OS X from Windows XP and Linux (but thats another topic for discussion) is that under OS Xs pretty GUI lies BSD UNIX, for all intents and purposes. Ive been using UNIX systems since the early 1980s and Im very comfortable there, right down to understanding the underlying security mechanisms quite thoroughly.
This statement remains true today in the Leopard vs. Vista realm, without a doubt.
The waters have gotten somewhat muddied, however, with the advent of the more user-oriented security model I describe above. The line between administrative and non-privileged has certainly blurred.
Qualitative score: OS X gets a B- while Windows gets a C-.
Separation of data and executables. Previously, Id said, In my familiar UNIX land, all programs are stored in areas of the file system that were outside of the control of users. Specifically, directories including /bin, /usr/bin, /usr/sbin, /usr/local/bin, and so on are where programs go. Users, on the other hand, login to their own directories, such as /home. Among other things, this has made various administrative tasks like backing up user data, system data, etc., well organized and easy to manage on UNIX systems.
Here too, the comparison hasnt substantially changed with Vista and Leopard.
Qualitative score: OS X gets a B+ while Windows gets a D-.
Privilege management. Now things start to get murkierand for both operating systems. In comparing Tiger and XP, I wrote, Pretty much from the start, UNIX has been a multi user system, whereas multi user functionality has been a retrofitted feature in the Windows family. OS X has a root user while modern Windows versions have an Administrator user for doing administrative tasks.
Now, Im confident Microsoft and Apple will both claim that their newer privilege models are improvements in usability over previous versions, but I remain unconvinced. I find them to be pretty sloppy and no substitute for proper system administrationwhich, some will argue, died some 10+ years ago.
I give Leopard an only slightly less bad score than Vista because its application firewalling doesnt annoy me as much.
Qualitative score: OS X gets a D+ while Windows gets a D-.
Program management. Previously, I wrote, Heres where OS X really shines. Apple has improved on UNIX in this area. Although the standard UNIX utilities are still in /bin, /usr/bin, and such, Apple apps and most third party apps install in /Applications.
This hasnt changed much with Leopard and Vista. I still dont feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didnt clean up.
Qualitative score: OS X gets an A while Windows gets a C.
Access controls. On the topic of access controls and, in particular, default configurations, I previously said, OS X installs the default desktop user with administrative privileges. This bothered me to my kernel when I first set up my Mac, so I went out of my way to turn that off. Regarding Windows, I said, Windows, once again, shows its security-retrofitted roots here. Normal desktop users generally have far too much write-enabled access to a Windows installation, even if they do not have administrative privileges.
Unfortunately, I dont see any improvements being made here. If anything, by my score, weve stepped backwards due to the new action-focused security desktop mechanisms I described above.
Still, though, I was able to tweak my Leopard installation so that my desktop user is unprivileged and my administrative user has read/write control over applications. But I still find myself sweeping through the system periodically to clean up the default access controls left behind by various application installers that leave /Applications and /Library/Application Support open to world read/write.
This is sloppy at best, and it enables malware to infect and spread with relative impunity. So, Im downgrading my score for both operating systems.
Qualitative score: OS X gets a C- while Windows gets a D-.
So, all this doesnt paint a very pretty picture for either operating system, does it?
The only thing that kept Leopard from failing me in several areas is that Im still able to invoke the UNIX-like attributes of the underlying operating system to enable security the way I want it to be. Ive not been so fortunate on the Windows systems Ive used over the years, as I find the privilege and access control mechanisms to be far murkier.
As a result, I remain steadfast in saying that Im more secure on Apples Leopard than I would be on Microsofts Vista. But it does seem to me that, with each subsequent release of OS X, I have to spend more and more time tweaking the operating systems features before I really feel at $HOME.