In their words: Experts weigh in on Mac vs. PC security

When I am asked the question "Which is more secure, Mac or PC?" I find myself stumbling around for a response because I don't have a clear-cut answer. I use both. And I use antivirus software with both.

So I decided to conduct an informal survey of a bunch of security experts and see what they had to say in the hopes that people can use the information to help them come to their own conclusions.

Before I provide quotes from the 32 experts who participated in the survey, along with edited comments from an interview with a Microsoft representative and a link that Apple provided, I'd like to share some relevant research from antivirus vendor ESET.

ESET released the results of a survey in November related to awareness of cybercrime in the U.S. The survey of more than 1,000 people found that while both PC and Mac users perceive the Mac as being safer, Mac users are victims of cybercrime just as frequently as PC users.

Meanwhile, Mac users are just as vulnerable to Web-based attacks like phishing as PC users are, and Mac users who fall prey to phishing tend to lose more money on average than PC users do, the survey found. "Viruses are a diminishing percentage of what we're seeing," said Randy Adams, director of technical education at ESET. "A lot of attacks have to do with social engineering and that kind of attack is platform agnostic."

For my survey I asked security experts: Which is more secure for consumers--Mac or PC, and why? Here are their (mostly) unedited responses, in alphabetical order by last name.

Ross Anderson, professor of security engineering at the Computer Laboratory at University of Cambridge: "Computer criminals differ from ordinary criminals in that they're more rational. The bulk of normal crime--burglaries, muggings, car thefts--is done by disadvantaged young men, often illiterate and with drug and alcohol problems. The bulk of e-crime is done by technically sophisticated people living in poor countries like Russia, India, or Brazil. So while preventing normal crime is about sociology, preventing online crime is about economics. Malware writers are rational, as are botnet herders. They would far rather attack Windows PCs as there are lots more of them. So you are much less likely to be bothered by malware if you use a Mac, or run Linux on your PC."

Jacob Appelbaum, hacker and researcher: "It's possible to have a well-secured machine regardless of operating system. Users generally aren't able to secure machines and so this responsibility often falls to the vendor...Mac OS X and Windows both encourage users to download programs from the Internet without any thought for security. Both of those operating systems run many services by default and offer them to anyone who cares to look. While Windows offers digital signatures for some programs, it's still very common for users to run buggy, untested software they download from random places on the Internet. The same is true for Mac OS X. Both suggest that a vendor should offer source code for applications so that users may make their own assessments."

Mike Bailey, senior researcher at Foreground Security: "I'm a hardcore Unix guy, but I am happy to say that I have about as much faith in Windows 7 as I do in OS X. Both have a solid design, a great SDL (software development lifecycle), security-minded developers, and a responsive support team. OS X does still have a small edge due to its smaller install base, but it is quickly losing that.

"I still prefer OS X, but due to ease-of-use and customization, not security reasons. In my mind, the OS question is quickly becoming moot, and will soon be replaced by the already-intense Web browser holy wars--especially with Google jumping into the fray there."

Graham Cluley, senior technology consultant at Sophos: "They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.

"So, the next question is--when people ask me what kind of computer should they buy for home, which one do I recommend? Well, I recommend Apple Macs to my friends. Compared to Windows (where we see 50,000 new malware samples every day) malware for Mac is still a novelty. Mac malware is becoming more common, is in the wild, and is financially motivated...You can still get hit--but there are a lot less arrows being thrown at Mac users...I do tell my friends that they should run antivirus on their Macs, just like I do on the Macs my wife and I use at home."

Dino Dai Zovi, independent researcher: "Neither. Consumers should see if Apple's iPad or the forthcoming devices based on Google's Chrome OS suit their needs because both are significantly more secure than any general-purpose desktop system, Linux, Mac, or PC."

Nitesh Dhanjani, researcher and consultant: "I realize the market share argument is a cliche, but I feel it is true--OS X wins from a security perspective because it has a lower market share. Windows Vista and Windows 7 have some impressive security controls that are not present in OS X. If we were to flip the market share, we would see a lot more exploitation in the wild. More specifically, browser security is one of the more important items to consider today from a risk perspective. I know Internet Explorer has had a considerable share of vulnerabilities, but the Safari Web browser also has a lousy reputation in the security community--it almost seems a child's play to locate an exploitable condition in Safari. Apple really needs to get its act together with Safari since OS X is enjoying a healthy market share climb at the moment."

Carole Fennelly, director of content and documentation at Tenable Network Security: "I will give you a frustrating answer: the most secure system is the one that you know how to secure :) Meaning if you're pretty knowledgeable in Windows, or even just disciplined enough to keep up with Windows updates and keep your antivirus up to date, there's no reason you can't run a Windows box relatively securely. My mother-in-law has a Windows machine and does very well with it. HOWEVER if you are the type to not let Windows do its updates, tend to click on anything, etc., I'd say get a Mac. I had my parents get a Mac for this reason.

"In short, Mac is probably more secure in that more people write Windows exploits. This would probably change if the majority of people had Macs. Windows requires effort to be secure. Then again, so do most OSes."

Paul Ferguson, network architect at Trend Micro: "Well, that's a difficult (and tricky!) question to answer--I think that cybercriminals will always prefer to target the platform with the largest user footprint, so it's really not a question of whether a 'PC or Mac' is more secure than the other one, in my opinion."

Robert G. Ferrell, information systems security specialist at the U.S. Dept. of Defense: "Is it more dangerous to take off from a terrorist-infested airport, or land at one? Flippancy aside, I just don't think this question (Mac or PC) has any real meaning today. Far more relevant to me are the browser and e-mail clients a consumer is using, irrespective of the operating system or hardware platform. Even more critical from a safety standpoint is the level of security awareness exhibited by that consumer. If you haphazardly visit every link and download every file sent to you in e-mail or posted to your social-networking pages, sooner or later you're going to get nailed. Period. Platforms are passe. Apps are where it's at."

Halvar Flake, head of research and CEO of Zynamics: "General state of affairs: Vista/Win7 has more extensive countermeasures against attacks and a codebase with presumably fewer security issues. But it's the operating system of the majority of users, hence making it profitable to attack. Attackers will therefore spend lots of time bypassing the countermeasures. Mac OS has fewer countermeasures and lots of easily exploitable bugs, but the market share is low, making it a less likely target.

"In the end, for the consumer, if he doesn't think he'll ever be deliberately targeted, using a low market share operating system is safer as attackers pool their resources for the largest target (even though the largest target might be significantly more secure, technically)."

Joe Grand, president of Grand Idea Studio, hardware hacker, inventor: "Not taking into account the human factor of falling for social engineering, phishing scams, etc., which could affect any operating environment, I would say right now the safer route is Mac OS X, primarily because there just isn't a huge amount of directed attacks against the operating system compared to a Windows environment (yet).

"I hear way more about zero days coming up on Windows environments compared to Mac. Maybe Apple is better at keeping their security issues under the rug. On a PC, if you drop your guard for one moment and forget to keep your products up-to-date, it could be game over. People [attackers] are still focused on targeting Windows (and other associated Microsoft and Adobe products), but that may change at some point. For an everyday consumer that just wants to use a computer and not worry about getting owned with every click of the mouse, I'd go for a Mac."

Jeremiah Grossman, founder and chief technology officer at WhiteHat Security: "To ask that question from a consumer's perspective you probably should be using the word 'safe' rather than 'secure'; two completely different things. 'Secure' is a supermax prison. 'Safe' is a playground in suburbia. Follow?

"Macs may or may not be technically more secure than PCs, but that is irrelevant if NOT getting hacked is most important to you. In the current threat climate, Macs do not get attacked nearly as often as PCs. So in that context, Macs are safer for consumers."

Frank Heidt, CEO of Leviathan Security: "I'm tempted to go with the safe answer that the size of the installed Microsoft base makes Apple 'more secure' because it is targeted less often. The risk landscape for consumers (and enterprises) has changed over the last few years. Operating systems as such are no longer the primary target of consumer-targeted attacks; applications are. In light of that fact, I'd say each operating system has its benefits and liabilities. The real risks lie in the consumer's browser choice, and security habits. From a browser standpoint, I would choose Firefox over IE, and IE over Safari."

Mikko Hypponen, chief research officer at F-Secure: "Mac is more secure, simply because it has less attacks targeting it. If Mac would be targeted more, it could have exactly the same problems as PC does today.

"There's two main reasons why Mac isn't targeted as much as PC:

1) Smaller user base--making it less a lucrative target 2) Lazy attackers--their existing codebase and expertise is on Windows, so they keep creating more Windows attacks. Hey, if they make a nice enough living by writing malware targeting Windows XP, why change to anywhere else?"

3ric Johanson, security researcher: "If you look at the number of published vulnerabilities in software and the number of users and compare Windows versus Mac OS you will discover that Mac OS has far more published vulnerabilities per user than Windows does so I think the data pretty much speaks for itself."

Paul Kocher, president and chief scientist at Cryptography Research: "The fair answer is that with the latest versions of each operating system there isn't a compelling security reason to pick one or the other. It used to be that Apple was doing a better job, but with Windows 7 Microsoft has caught up. There are some differences; Windows has a better security ecosystem. On the other hand, Apple tends to have more expensive hardware and has a smaller market share, so it attracts fewer malware writers. Both have security bugs. Both need patches. Both can be broken if someone finds a zero-day exploit."

R. Adrian Lamo, threat analyst: "I'm not sure this question is really as relevant as it would have been just a few years ago. The security posture of the average Internet user depends less on their computing platform and more on their browser choice and configuration. My loved ones use Macs, with some gentle encouragement from me, but that's mostly to save me time playing Geek Squad for them.

"Personally, I never had a significant malware issue when I used a PC running Windows full-time--choices and practices define security more than an operating system does. It's worth remembering that, in locating security vulnerabilities, I've often not had to trouble myself with the target operating system.

"There's no one-size-fits-all answer to this question. A PC, common sense, and NoScript http://noscript.net/ [Firefox plug-in] will help a user reduce their exposure profile more than a Mac and no common sense + clicking on anything that flashes. But the former isn't because it's a PC, and the latter isn't because it's a Mac."

Steve Manzuik, senior manager of security research at Juniper Networks: "I think for consumers it really comes down to what operating system they are the most comfortable configuring and using. Windows is by far the biggest target, but this is not necessarily because they are the most insecure but more a result of their dominant position in the market. Regardless of the operating system, the easiest way for an attacker to compromise a system is by going after the application level and causing the user to click, open, or run something they should not. "The trend of patches over the last couple of years from Microsoft, Adobe, and even Apple supports this. Unfortunately, you cannot 'secure' user behavior. But both Apple and Microsoft operating systems, as well as third-party application vendors, can still make a lot of improvements on protecting users. However, those types of changes do not happen quickly as the vendors are forced to consider usability and compatibility."

Gary McGraw, chief technology officer at Cigital: "I have a Mac. Having a Mac is more secure because not that many people have Macs. I think their market share is still less than 15 percent. For every point of market share, the risk goes up. Mostly I have a Mac because it is a better machine, not because it is more secure."

Charlie Miller, a principal analyst at consultancy Independent Security Evaluators: "Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]. This means Macs have more vulnerabilities and it's easier to turn a vulnerability into an exploit on the platform. Despite the fact it is less secure, paradoxically, Macs are actually safer to use for most people. This is because there simply isn't much risk of being exploited or installing malware.

"This safeness is purely a function of market share. Since Macs are only around 10 percent of computers out there, and it takes just as much effort for bad guys to write malware or exploits, they tend to spend all of their time targeting PCs. In other words, despite the fact that Macs are less secure than PCs, if you give one teenager a Mac and another a PC and come back in a month, the odds are the Mac will have no problems and the PC will be infected with malware. At some point the market share of Macs will reach a threshold to interest attackers, and then things will quickly turn bad for Mac users."

Rich Mogull, CEO at Securosis: "It depends on which version of Windows we're talking about. Clearly there are major differences between Windows XP and Windows 7. Second is, are we talking about safety versus security? Microsoft has done more in terms of its inherent security features than Apple has in the operating system. All of that said, Microsoft gets attacked a lot more than Apple does. Right now your odds of being infected as a Mac user by malicious software are quite a bit lower than a Windows user, unless you do stupid things, such as download free versions of commercial software. And some of the pornography sites on the Internet, the dark corners of the Internet have stuff that will hurt a Mac.

"But I want to give Microsoft credit because the more advanced features they put into their operating system are superior to what Apple has done. It's really a balance because there's little motivation for Apple to do more at this time. The Mac OS has got some holes in there that Microsoft has closed down. But since it's attacked less there is less motivation for Apple to close the gap."

Jose Nazario, security research manager at Arbor Networks: "While I use Macs, time and time again we've seen they're no more secure than Windows systems. But, at present, you're less likely to be exploited on a Mac because there are just fewer viruses and attackers targeting them. Sadly, there are more tools for Windows like AV [antivirus], personal security suites, etc. The Mac desktop is lagging behind. Also, Apple has often shown less aggressiveness than Microsoft in addressing security issues."

Tyler Reguly, senior security research engineer at nCircle: "If you believe the hype and the flashy commercials the answer would be Mac. But if you take a look at the two platforms, and the mindsets of the companies behind them then the PC wins hands down. If you compare Windows 7 to Snow Leopard, then the simple winner is Windows 7. Microsoft brought in teams of security professionals to look at their code and find problems leading to a more secure product while Apple is often criticized for ignoring issues.

"The idea of the consumer being protected due to lack of market share is fairly obtuse, as more people buy into the product and market share grows, targeted attacks will grow as well. You also have to consider that Microsoft has a patch program in place that provides patches and updates on a more regular basis than Apple, this is something that the consumer should care about, as should they care about the plethora of PC security products that exist.

"The big risk is client side attacks and most of that could be prevented by using adequate software on the desktop, along with common sense while surfing. Until consumers can learn to do this on a regular basis it won't matter if they are running a Mac or a PC...they'll be at risk."

Avi Rubin, computer science professor at Johns Hopkins University: "Right now the Mac is more secure than the PC, but only because the PC still has almost 90 percent of the market. The Mac is no more difficult to hack than the PC, but hackers get much more bang for their hacking buck attacking Windows. So, you're safer on a Mac...for now."

Patrik Runald, senior manager of security research at Websense: "My opinion on this is that if you look at the raw numbers of threats then there's no doubt a Mac is safer. However, I've seen Mac users run/click on anything because of this and that is bound to get them into problem at some point. I'm using a Mac myself."

Bruce Schneier, chief security technology officer of BT: "Mac, because there's much, much less malware out there that targets a Mac."

Joe Stewart, director of malware research at SecureWorks: "The answer is 'for the average user, at this moment in time it is less risky to use Mac OS than Windows.' The paradox is, by promoting that idea we've just made Macs a little less safe, since we are potentially increasing Apple's market share by a tiny fraction, making it more of a viable target over time. Fundamentally Mac and Windows suffer from the same weakness--human programmers make mistakes and users are easily social-engineered. Whichever platform has the most users is ultimately the riskiest to use."

Johannes Ullrich, chief research officer for the SANS Institute: "I recommend Macs. The main advantage for Mac users is the lack of interest from malware writers. Macs don't really have an advantage over Windows systems when it comes to malware. A lot of malware (for example, the recent fake-antivirus examples) is installed willingly by users. Mac users would do the same thing if asked to install software under the right pretense. Right now, there is no well tested anti-malware solution for Macs due to a lack of samples."

Paul Vixie, founder of the Internet Systems Consortium: "Mac is more secure for consumers, for three reasons. First, the code base is smaller and more easily audited. Second, the code base came from the old minicomputer world of UNIX rather than from the old microcomputer world of MSDOS, and things like multiuser and multiprocessor and protected virtual memory have been around longer in the UNIX world than in the MSDOS world. Third and finally, because the Mac market size is smaller, there are fewer users and fewer ISV's [independent software vendors] and fewer device driver writers and it's just not as interesting a target for bad guys."

Vincent Weafer, vice president of Symantec Security Response: "If you look at the security landscape as a whole, PCs tend to be targeted by more attacks then the Mac platform. So, from that perspective, the Mac would appear to have the edge. However, in reality, all technologies are subject to security vulnerabilities, including the Web browsers, common Web browser plug-ins and common applications that run on top of the operating systems. So in reality, consumers can fall victim to online threats regardless of the operating system they're using. Also consider that we're seeing today's cybercriminals almost exclusively going after personal and financial information, and often times, they do this by employing social-engineering tactics, like phishing attacks, that are platform agnostic.

It's also important to keep in mind that as any platform gains popularity, its likelihood of becoming targets for cybercriminals increases. Ultimately, what it comes down to is computer users deciding which platform best fits their computing likes and dislikes and then doing everything they can to make sure that they have protected themselves. This includes keeping up-to-date with security patches, having full-featured security software protection, setting sensible policy and controls on how they use their computer--especially in open environments such as free Wi-Fi hot spots--and being aware of how to spot threats and how not to fall victim to them."

Chris Wysopal, chief technology officer at Veracode: "My wife, kids, and parents all use Macs on my recommendation. I think the Mac is less risky, not more secure. The difference is in the threat environment. An analogy would be an unlocked house in an urban vs. rural environment. Both are insecure. One, the rural, is less risky.

Bugs similar to the flaw in Microsoft Internet Explorer 6 that was exploited at Google in China certainly exist in Mac applications, but attackers don't spend the time required to find them and build attacks using them. This is because it is much more often a PC than a Mac between the attacker and the attacker's target."

Peiter "Mudge" Zatko, technical director of National Intelligence Research and Applications for BBN/Raytheon: "Both [OS X and Windows] are particularly vulnerable to client side application exploitation, both still have vulnerabilities at lower levels within file system, network, and directory services, and the content that most people want to view or process is often from unknown sources and requires a fair amount of control of the system for 'proper' execution--e.g. flash etc. But I suppose that 'neither' is not an acceptable answer...If a nonsecurity-paranoid user next door were asking which OS is more secure and was attempting to use that as their sole purchasing decision. I would have to advise them that bad news lies in either direction and they should instead make their purchasing choice based on other criteria such as what tasks they need to perform and what software/support they are looking to utilize.

"Of course, I'd still tell them (either way) to disable all of the JavaScript, Active-X, and plug-ins on their browsers (and other applications...such as PDF viewers and various office applications) and to fight the urge to re-enable all of these hairy areas of risk to watch the latest viral video or view noisy Web sites."

Microsoft

Paul Cooke, director of Windows client and enterprise security: "One of our major goals [for] Windows 7 was to keep malware off the box...When we look at the Smart Screen Filter in IE 8, it was built to help users understand if the sites they go to are safe or are known phishing sites...On top of that there is integration with Windows Live Mail and other features...If you try to download a piece of known unwanted software we will warn the user and tell them this piece of software is known to be bad...Windows running with IE 8 is the only combination of browser and operating system technology that has anything like an XSS (Cross-Site Scripting) filter. It is aimed at helping ensure that when you go to your banking or other trusted sites that you are actually interacting with that site.

"Windows 7 has investments that extend the security enhancements from Vista (like) Data Execution Prevention technology, Address Space Randomization technology, kernel patch protection, User Account Control ... [and new technologies like] Structured Exception Handling Overwrite Protection and Fault Tolerant Heap.

"The Mac and OS X is not a panacea against security methodologies and attacks. You can go on the Internet and see the patches that Apple puts out. Like all operating system platforms they have vulnerabilities. This is something that as an ecosystem, we all have to deal with. I've been a security guy over 20 years and never seen an organization with a commitment to security like Microsoft has. It's why I came here."

Microsoft also directed me to this site and this site for more information about Windows 7 security features.

Apple

Apple did not provide a representative for comment but referred me to this page that says: "Mac OS X doesn't get PC viruses. And its built-in defenses help keep you safe from other malware without the hassle of constant alerts and sweeps."

"The 64-bit applications in Snow Leopard are even more secure from hackers and malware than the 32-bit versions. That's because 64-bit applications can use more advanced security techniques to fend off malicious code," the Apple page says.

The site also says Mac OS X "prevents hackers from harming your programs through a technique called "sandboxing"--restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch. Other automatic security features include Library Randomization, which prevents malicious commands from finding their targets, and Execute Disable, which protects the memory in your Mac from attacks."