MyDoom, NovaRG, Worms and Mac OS X

Friday 06 February 2004 at 18:41

The COMUG mailing list brought this article to my attention: Can Apple Keep the Worms Out? My reply to the thread got long enough that I thought I'd keep it here for posterity. I've elaborated on my comments from the last pair of rampaging worms: Sobig and Blaster rekindle the OS Wars

The article presents a fairly balanced story, but I have to take issue with the conclusion.

The standard Mac gloat ... goes something like this: I didn't get this virus because I have a Mac. In fact, I never get viruses. Never have, never will.

The standard Windows community reply: The reason you don't get viruses is because so few people have Macs. In fact, hackers think Macs are so marginal they don't even bother with figuring out ways to break into them or infect them with viruses. If 95% of the world used Macs, you can bet they would catch viruses all the time.

....

Now that Apple has Unix under the hood, ... the argument that Apple is safer because of its marginal place in computing's cosmos no longer applies. With its embrace of Unix, Apple has joined a big family -- and it keeps growing, thanks to Linux and other open-source versions of Unix.

I disagree about the "no longer applies" business.

While it is true that unix is a big family -- much bigger than OS 9 and earlier -- it is also a remarkably diverse family. The Windows operating systems are all the product of a single company. When a vulnerability is discovered in one version of Windows, it is frequently present in the other versions as well.

By contrast, UNIX has been developed separately by many different organizations: AT&T, UC Berkeley, the Free Software Foundation, Sun, HP, Novell, SCO, IBM, Silicon Graphics, NeXT, Red Hat, SUSE, Apple, and many others. HP-UX vulnerabilities are likely to be quite different from the vulnerabilities in IRIX, or Solaris, or Linux. Each will undoubtedly have vulnerabilities, but few vulnerabilities will affect the whole of that diverse family. Moreover, there's a habit in the unix culture of compiling software locally to ensure the most important tools are optimized for local needs, so even two machines running the same OS often run different binaries. That adds another layer of diversity between systems. All of that diversity makes it much harder for a cracker to create a worm that will have the same impact across the UNIX family as it can across the Windows family.

Another important distinction is that UNIX grew up connected to the Internet whereas Windows didn't. The Great Worm was unleashed in November 1988. It affected some 6000 Sun and VAX systems but left the rest of the unix family untouched. There are two points to emphasize here. First, it illustrates that it's hard to make one worm affect all of the unix family. Second, the Great Worm revealed the need for network security to unix developers fifteen years ago. For that reason there's deeper security knowledge in the unix developer community than in the Windows developer community.

But here's the more important point. It doesn't really matter if Macs would have more viruses if they were the dominant OS. Whether or not that claim is true, that world is a fantasy. The world we live in is the one where Windows is the dominant OS. And the viruses and worms in the real world breed and feed in the Windows ecosystem. That reality is unlikely to change for the foreseeable future, say the next five years or maybe ten.

There are going to continue to be many, many old Windows computers out there connected by broadband to the 'Net. Even if Microsoft is cleaning up its act and making security a priority for XP and Longhorn, there are still going to be many easy targets out there for the crackers to abuse. The crackers are predators and will prefer the easy targets, as all predators do. Windows will continue to be an easier target than UNIX.

This doesn't mean we Mac geeks (or other unix geeks) can ignore worms. But we will get to enjoy our position of relative security for a long time to come.