CLEAN
Communities

When I am asked the question "Which is more secure, Mac or PC?" I find myself stumbling around for a response because I don't have a clear-cut answer. I use both. And I use antivirus software with both.

So I decided to conduct an informal survey of a bunch of security experts and see what they had to say in the hopes that people can use the information to help them come to their own conclusions.

Before I provide quotes from the 32 experts who participated in the survey, along with edited comments from an interview with a Microsoft representative and a link that Apple provided, I'd like to share some relevant research from antivirus vendor ESET.

More than half of Americans believe that PCs are "very" or "extremely" vulnerable to cybercrime attacks, while only 20 percent say the same about Macs, according to this ESET survey.

(Credit: ESET)

ESET released the results of a survey in November related to awareness of cybercrime in the U.S. The survey of more than 1,000 people found that while both PC and Mac users perceive the Mac as being safer, Mac users are victims of cybercrime just as frequently as PC users.

Meanwhile, Mac users are just as vulnerable to Web-based attacks like phishing as PC users are, and Mac users who fall prey to phishing tend to lose more money on average than PC users do, the survey found. "Viruses are a diminishing percentage of what we're seeing," said Randy Adams, director of technical education at ESET. "A lot of attacks have to do with social engineering and that kind of attack is platform agnostic."

For my survey I asked security experts: Which is more secure for consumers--Mac or PC, and why? Here are their (mostly) unedited responses, in alphabetical order by last name.

Ross Anderson, professor of security engineering at the Computer Laboratory at University of Cambridge: "Computer criminals differ from ordinary criminals in that they're more rational. The bulk of normal crime--burglaries, muggings, car thefts--is done by disadvantaged young men, often illiterate and with drug and alcohol problems. The bulk of e-crime is done by technically sophisticated people living in poor countries like Russia, India, or Brazil. So while preventing normal crime is about sociology, preventing online crime is about economics. Malware writers are rational, as are botnet herders. They would far rather attack Windows PCs as there are lots more of them. So you are much less likely to be bothered by malware if you use a Mac, or run Linux on your PC."

Jacob Appelbaum, hacker and researcher: "It's possible to have a well-secured machine regardless of operating system. Users generally aren't able to secure machines and so this responsibility often falls to the vendor...Mac OS X and Windows both encourage users to download programs from the Internet without any thought for security. Both of those operating systems run many services by default and offer them to anyone who cares to look. While Windows offers digital signatures for some programs, it's still very common for users to run buggy, untested software they download from random places on the Internet. The same is true for Mac OS X. Both suggest that a vendor should offer source code for applications so that users may make their own assessments."

Mike Bailey, senior researcher at Foreground Security: "I'm a hardcore Unix guy, but I am happy to say that I have about as much faith in Windows 7 as I do in OS X. Both have a solid design, a great SDL (software development lifecycle), security-minded developers, and a responsive support team. OS X does still have a small edge due to its smaller install base, but it is quickly losing that.

"I still prefer OS X, but due to ease-of-use and customization, not security reasons. In my mind, the OS question is quickly becoming moot, and will soon be replaced by the already-intense Web browser holy wars--especially with Google jumping into the fray there."

Graham Cluley, senior technology consultant at Sophos: "They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.

"So, the next question is--when people ask me what kind of computer should they buy for home, which one do I recommend? Well, I recommend Apple Macs to my friends. Compared to Windows (where we see 50,000 new malware samples every day) malware for Mac is still a novelty. Mac malware is becoming more common, is in the wild, and is financially motivated...You can still get hit--but there are a lot less arrows being thrown at Mac users...I do tell my friends that they should run antivirus on their Macs, just like I do on the Macs my wife and I use at home."

Dino Dai Zovi, independent researcher: "Neither. Consumers should see if Apple's iPad or the forthcoming devices based on Google's Chrome OS suit their needs because both are significantly more secure than any general-purpose desktop system, Linux, Mac, or PC."

Nitesh Dhanjani, researcher and consultant: "I realize the market share argument is a cliche, but I feel it is true--OS X wins from a security perspective because it has a lower market share. Windows Vista and Windows 7 have some impressive security controls that are not present in OS X. If we were to flip the market share, we would see a lot more exploitation in the wild. More specifically, browser security is one of the more important items to consider today from a risk perspective. I know Internet Explorer has had a considerable share of vulnerabilities, but the Safari Web browser also has a lousy reputation in the security community--it almost seems a child's play to locate an exploitable condition in Safari. Apple really needs to get its act together with Safari since OS X is enjoying a healthy market share climb at the moment."

Carole Fennelly, director of content and documentation at Tenable Network Security: "I will give you a frustrating answer: the most secure system is the one that you know how to secure :) Meaning if you're pretty knowledgeable in Windows, or even just disciplined enough to keep up with Windows updates and keep your antivirus up to date, there's no reason you can't run a Windows box relatively securely. My mother-in-law has a Windows machine and does very well with it. HOWEVER if you are the type to not let Windows do its updates, tend to click on anything, etc., I'd say get a Mac. I had my parents get a Mac for this reason.

"In short, Mac is probably more secure in that more people write Windows exploits. This would probably change if the majority of people had Macs. Windows requires effort to be secure. Then again, so do most OSes."

Paul Ferguson, network architect at Trend Micro: "Well, that's a difficult (and tricky!) question to answer--I think that cybercriminals will always prefer to target the platform with the largest user footprint, so it's really not a question of whether a 'PC or Mac' is more secure than the other one, in my opinion."

Robert G. Ferrell, information systems security specialist at the U.S. Dept. of Defense: "Is it more dangerous to take off from a terrorist-infested airport, or land at one? Flippancy aside, I just don't think this question (Mac or PC) has any real meaning today. Far more relevant to me are the browser and e-mail clients a consumer is using, irrespective of the operating system or hardware platform. Even more critical from a safety standpoint is the level of security awareness exhibited by that consumer. If you haphazardly visit every link and download every file sent to you in e-mail or posted to your social-networking pages, sooner or later you're going to get nailed. Period. Platforms are passe. Apps are where it's at."

Halvar Flake, head of research and CEO of Zynamics: "General state of affairs: Vista/Win7 has more extensive countermeasures against attacks and a codebase with presumably fewer security issues. But it's the operating system of the majority of users, hence making it profitable to attack. Attackers will therefore spend lots of time bypassing the countermeasures. Mac OS has fewer countermeasures and lots of easily exploitable bugs, but the market share is low, making it a less likely target.

"In the end, for the consumer, if he doesn't think he'll ever be deliberately targeted, using a low market share operating system is safer as attackers pool their resources for the largest target (even though the largest target might be significantly more secure, technically)."

Joe Grand, president of Grand Idea Studio, hardware hacker, inventor: "Not taking into account the human factor of falling for social engineering, phishing scams, etc., which could affect any operating environment, I would say right now the safer route is Mac OS X, primarily because there just isn't a huge amount of directed attacks against the operating system compared to a Windows environment (yet).

"I hear way more about zero days coming up on Windows environments compared to Mac. Maybe Apple is better at keeping their security issues under the rug. On a PC, if you drop your guard for one moment and forget to keep your products up-to-date, it could be game over. People [attackers] are still focused on targeting Windows (and other associated Microsoft and Adobe products), but that may change at some point. For an everyday consumer that just wants to use a computer and not worry about getting owned with every click of the mouse, I'd go for a Mac."

Jeremiah Grossman, founder and chief technology officer at WhiteHat Security: "To ask that question from a consumer's perspective you probably should be using the word 'safe' rather than 'secure'; two completely different things. 'Secure' is a supermax prison. 'Safe' is a playground in suburbia. Follow?

"Macs may or may not be technically more secure than PCs, but that is irrelevant if NOT getting hacked is most important to you. In the current threat climate, Macs do not get attacked nearly as often as PCs. So in that context, Macs are safer for consumers."

Frank Heidt, CEO of Leviathan Security: "I'm tempted to go with the safe answer that the size of the installed Microsoft base makes Apple 'more secure' because it is targeted less often. The risk landscape for consumers (and enterprises) has changed over the last few years. Operating systems as such are no longer the primary target of consumer-targeted attacks; applications are. In light of that fact, I'd say each operating system has its benefits and liabilities. The real risks lie in the consumer's browser choice, and security habits. From a browser standpoint, I would choose Firefox over IE, and IE over Safari."

Mikko Hypponen, chief research officer at F-Secure: "Mac is more secure, simply because it has less attacks targeting it. If Mac would be targeted more, it could have exactly the same problems as PC does today.

"There's two main reasons why Mac isn't targeted as much as PC:

1) Smaller user base--making it less a lucrative target 2) Lazy attackers--their existing codebase and expertise is on Windows, so they keep creating more Windows attacks. Hey, if they make a nice enough living by writing malware targeting Windows XP, why change to anywhere else?"

3ric Johanson, security researcher: "If you look at the number of published vulnerabilities in software and the number of users and compare Windows versus Mac OS you will discover that Mac OS has far more published vulnerabilities per user than Windows does so I think the data pretty much speaks for itself."