Style vs. Security for Macs

“I’m a total Apple fanboy,” said security consultant Dino Dai Zovi during his talk yesterday afternoon at the SOURCE Boston computer-security conference. “If Apple made clothes, I’d probably dress in them.”

But part of being an Apple fanboy for Dai Zovi means hacking Macs, and he says that OS X is often easier to hack than Vista or Linux.

Apple enthusiasts often extol the security of the Mac operating system, and they rarely run antivirus software. Dai Zovi agrees that Macs generally face less attack from malware authors, but he said that’s not due to the impenetrability of OS X. The Mac may be safer, but it’s not necessarily secure, he said, comparing the situation to leaving your front door unlocked because there aren’t many thieves in the neighborhood.

Today, about 10 percent of browsers run on OS X, so it’s just not profitable for malware authors to go after Macs, Dai Zovi said. However, the situation could change if Apple continues to gain market share.

In his talk, Dai Zovi demonstrated an OS X attack that allowed him to take control of the built-in camera on a MacBook. He also outlined several ways that attackers could exploit flaws in OS X. For example, he said that many exploits require attackers to locate data stored in a computer’s memory. Vista and Linux use randomization to make this hard to do, and, while OS X does randomize some data, other things are relatively easy for an attacker to find.

Dai Zovi said that Apple has a chance to improve security with its forthcoming Snow Leopard update to OS X. Without improved security, he worries that people may start worming in to Apple’s computers. “Writing exploits for Vista is hard work,” he said. “But writing exploits for Mac is fun.”