As expected, my blog this week about Macintosh security generated a lot of comments. Some were personal in nature (author's note: I really do know the difference between a Trojan and a virus but typos happen), some were quite thought-provoking.
I did receive some interesting data from a colleague from IBM. According to the X-Force 2008 Trend & Risk Report (PDF) released early this year, Mac OS X Server and Mac OS X top the list of operating systems with the most disclosed vulnerabilities for 2008. Each accounts for 14.3 percent, and has been in the top five in each of the last three years. Rounding out the top five were: Linux Kernel at 10.9 percent, Sun Solaris at 7.3 percent, and Microsoft Windows XP at 5.5 percent.
The purpose of this data is to compare the total number of disclosed vulnerabilities with each individual operating system. Vulnerability data is submitted to the Mitre Corp. and then appears in the CVE (Common Vulnerabilities and Exposures) List.
This is not a perfect study as there are common vulnerabilities across different operating systems. Additionally, the Windows-based total vulnerability "footprint" is much larger than the Mac because of the size of the Windows installed base. Finally, this is a cumulative study but the data does not break down the vulnerabilities in terms of how critical they are. All that said, the X-Force data puts the whole "Mac is secure and Windows is not" discussion in perspective with some real numbers. I don't think IBM has an ax to grind here.
Again, I am not trying to pick a fight with Mac users or cast aspersions on Apple. My point is that OS X, Windows, Oracle, etc., are complicated pieces of software with known (and unknown) security holes. Clearly Windows is the biggest target but the Mac installed base is too juicy and exposed for the cyber bad guys to ignore. The X-Force data is yet another reason why Apple users shouldn't consider themselves immune. Apple itself has said as much, suggesting indeed that Mac users install antivirus software.
This line of reasoning seems to stir massive passion, anger, and antipathy in the Apple community, but is risk management really that bad?