Security Expert: Mac Safer Because of Smaller Market Share

I’ve always argued (admittedly, without all that sound a technical understanding) that Macs are safer from malware only because Apple’s market share is so much smaller, and therefore there’s less of a market to attract malware writers. Seems like this guy agrees, in Pwn2Own contest winner: Macs are safer than Windows:

Repeating comments he made earlier, Miller noted that “Mac bugs aren’t really valuable,” pointing out that while the CanSecWest award of a new Mac notebook and the $5,000 “is a lot of money, it’s really not that much when you consider what a bad guy could make with an exploit for an unknown vulnerability in, say, IE 8 running on Vista.”

In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability “could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.” The huge difference in vulnerability valuations between the Mac and Windows reflects the fact that there is no demand for creating malware on the Mac.

It’s not, he says, because the Mac is inherently more secure:

Miller told Tom’s Hardware “the NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me.”

I might be oversimplifying things here a bit, but I still find the whole thing fascinating.
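As an added example (not from the linked article, from Miller, or from this post's author), here is a small Python check of the header flags by which a binary opts in to the two protections Miller describes: PIE for ASLR, and NX/DEP compatibility. The flag values are the documented ones from mach-o/loader.h and winnt.h; the two sample headers are constructed by hand, not real binaries, and the flags only say what the binary asks for, so the OS still has to enforce them (which is exactly Miller's point about Leopard).

```python
import struct

# Mach-O header flags (mach-o/loader.h)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                    # image may be loaded at a random base (ASLR)
MH_ALLOW_STACK_EXECUTION = 0x20000   # asks for an executable stack (weakens NX)
MH_NO_HEAP_EXECUTION = 0x1000000     # asks for non-executable heap pages

# PE optional-header DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP/NX opt-in


def macho_mitigations(data):
    """Return which mitigations a little-endian Mach-O header opts in to."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header")
    flags, = struct.unpack_from("<I", data, 24)  # flags follow six uint32 fields
    return {
        "aslr": bool(flags & MH_PIE),
        "nx_stack": not (flags & MH_ALLOW_STACK_EXECUTION),
        "nx_heap": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def pe_mitigations(data):
    """Return which mitigations a PE image opts in to via DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20                                     # after 20-byte COFF header
    dll_chars, = struct.unpack_from("<H", data, opt + 70)    # same offset for PE32/PE32+
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


# Constructed sample headers (not real binaries): a non-PIE Mach-O of the kind
# a Leopard-era build would produce, the same header with PIE set, and a PE
# image opting in to both DEP and ASLR.
SAMPLE_MACHO = struct.pack("<7I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0x85)
SAMPLE_MACHO_PIE = struct.pack("<7I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0x85 | MH_PIE)
SAMPLE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # DOS stub, e_lfanew = 0x40
             + b"PE\0\0" + b"\0" * 20                         # signature + COFF header
             + struct.pack("<H", 0x20B) + b"\0" * 68          # PE32+ magic, padding to +70
             + struct.pack("<H", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                           | IMAGE_DLLCHARACTERISTICS_NX_COMPAT))
```

Pointing the two functions at the first few hundred bytes of a real file is the quick way to see whether a given build has opted in to the protections the quote credits with stopping Vista exploitation.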

