What’s Safer From Hackers: A PC or a Mac?


Mac vs. PC. (Images by Thinkstock/Apple/Microsoft, modified by Yahoo Tech)

Apple’s vaunted reputation for safety and security has taken some hits recently. Just this week came news of DYLD_PRINT_TO_FILE — a bug in Apple’s OS X operating system that has allowed a malicious program to take complete control of Macs. Apple has known of the flaw for a few weeks but hasn’t gotten out a patch yet. Then there were reports of a vulnerability in the Mac’s firmware that could allow infections to pass among Macs via Thunderbolt accessories.

This isn’t to pick on Apple too much. Microsoft Windows has obviously suffered from regular security flaws over the years. But Apple is the one that’s historically claimed to have the safer, more secure platform. Is that claim true?

Before you compare OS X and Windows, you have to remember that security is about more than just the operating system: The biggest threats can run on both platforms. Just last month, for example, researchers learned of a big flaw in Adobe Flash that would allow an infection from a website to take complete control of any computer, Windows or Mac.

So we decided to take a look at the big picture, comparing Windows and OS X on overall hackability. Overall, Apple OS X is still a bit more secure than Microsoft Windows, but the gap keeps narrowing. Ultimately, the safest operating system is the one run by an informed user who knows how to keep it up to date, knows what to install, and knows what to remove.

Both PCs and Macs have plenty of security bugs

When it comes to security flaws, Windows and OS X are now about tied, says Morey Haber, VP of technology at corporate security software maker BeyondTrust. Combing through security alerts and updates, Haber calculated that for 2014, Windows had 142 vulnerabilities while OS X had 147.

But operating system vulnerabilities accounted for only 13 percent of all reported computer security issues in 2014, according to Haber; software that runs on both systems accounted for 80 percent. “Most hackers aren’t even targeting the operating system anymore,” says Haber. They go after software like Adobe Flash, a platform for Web-based videos and games (more about Flash later).

Macs make up less than 10 percent of today’s computer market. (Apple)

Macs’ biggest security asset is basic economics. “I’ll stick on my Mac over my Windows box, and the simple reason is statistics,” said Haber. “Hackers are targeting Windows because there are more devices out there.”

The winner here: OS XMacs are a scoche safer simply because they are less likely to be targeted in cyberattacks.

Web browsers and plugins are the main targets

Your Web browser is not only the front door to all the charms of the Internet, it’s also a backdoor for attackers. A particularly nasty attack method is called a drive-by download: Simply visiting a website running malicious code can infect your computer. “I’ve seen upwards of 50 different exploits in the one link,” says Chase Cunningham, threat intelligence lead at security firm FireHost. “It just tries everything it can.” But it gets worse. You can get infected by visiting a perfectly legit site with booby-trapped animated ads that slip into the automated networks that place ads on Web pages.

In 2014, Internet Explorer was found to have 220 vulnerabilities rated as “high,” Chrome had 86, and Firefox had 57, according to Haber. He can’t get an exact count of flaws in the Apple Safari browser, says Haber, because Apple generally doesn’t provide detailed descriptions of vulnerabilities and fixes, as other software makers do.

Other major dangers are the powerful plugin programs that extend the functions of the browser. In 2014, 65 security vulnerabilities were discovered in Adobe Flash; Oracle’s Java plugin had 50. Many attacks are on older versions of plugins because they generally don’t update automatically or prod users as aggressively to install new versions.

“All of the operating system [and] the browser vendors realize that plugins are problematic,” said Haber. “[They] are a bad user experience, and [companies] are turning them off.”

OS X has been more active in choking off the “vulnerable plugin” problem. Apple stopped installing Flash on its computers in 2010 (although Mac owners can manually install it). You can often get by without Flash, as many sites are replacing it with alternatives built into the HTML 5 Web programming standard. Amazon Instant Video, Netflix, YouTube and Vimeo, for instance, have already switched over or are switching over.

Java can be installed both as a standalone app and as a browser plugin. Apple stopped preinstalling Java with OS X Lion (10.7) back in 2011. In 2012, it issued an update that removed the Java plugin from all installed Web browsers. (Mac owners can install Java on their own.) Java has been falling out of favor for years. “I don’t have it enabled in any of my browsers,” said Guillaume Ross, senior consultant at security company Rapid7. “I’m trying to remember the last time I needed Java.”

Microsoft has removed plugins from its successor to Internet Explorer, called Microsoft Edge, which comes with Windows 10. (Though a future version of Edge will bring back some kind of plugin compatibility, Microsoft has said.)

Vulnerable software like Flash running on both operating systems provides an entry point for an attack, but from there it still has to be crafted for the specific operating system. So once again, Windows’s greater popularity makes it a more appealing target.

The winner here: OS XBoth Apple and Microsoft are pulling out browser vulnerabilities, but Apple has been working on it longer.

Third-party programs put you at risk

Other programs are less likely targets for hackers, but they may have security flaws. “Any application that you install will increase your attack surface,” said Ross.

Apple and Microsoft have responded by creating app stores. Not only have they evaluated the apps to insure that they are genuine, but they also require security measures called “sandboxing,” which limit a program’s access to the operating system and other applications. Versions of the same program offered as a download — from, say, the vendor’s website — may not have sandboxing measures, however. “I would definitely pick the app store application when there are two,” said Ross.

Apple, by default, keeps your computer safe from apps of unrecognized origins. (Screenshot by Yahoo Tech)

If a program isn’t in an app store, the next line of defense is to check if it’s digitally signed by the software maker. By default, OS X allows only apps from the App Store or those that have been signed by known software makers.

The winner here: OS XApple’s automated security for programs protects users better.

How to make both operating systems safer

Apple’s security edge is based largely on what the operating system does by default. But you can do a lot to make either system much safer.

Install those updates your computer keeps nagging you about, or enable auto updates. Microsoft currently provides security updates for Windows Vista, 7, 8/8.1 and 10 (there is no Windows 9). Apple tends to support the latest two or three versions of OS X. Right now, that’s 10.8 Mountain Lion, 10.9 Mavericks and 10.10 Yosemite.

As earlier explained, Flash has been on the wane for years. Whether you have a Mac or Windows computer, you can easily flush it from your system or keep it disabled until you need it.

Flash: Only enable it when you absolutely need to. (Screenshot by Yahoo Tech)

Java is of even less use nowadays. Oracle offers instructions for uninstalling Java from Windows computers and more-technical instructions for removing Java from a Mac.

Get programs from the app stores in Windows and OS X whenever you can. If a program isn’t in the app store, make sure it’s genuine by going to the vendor’s own website instead of some generic download site (or pirate site).

Viewing a program’s digital signature in Windows. (Screenshot by Yahoo Tech)

In Windows, check the digital signature: Right-click the program installer you have downloaded and click Properties to see if the name on the signature is the same as the maker of the software. On a Mac, go to the Security and Privacy preferences; under “Allow apps downloaded from:” click the button labeled “Mac App Store and identified developers.”

If you do download a bogus app, encounter a website that exploits a Flash or Java vulnerability, or forget to update your OS, security software acts as a safety net. This is a competitive product category, so most packages do a good job, and many are free for personal use. For an in-depth comparison, check the latest rankings on AV-Test.org.

The overall takeaway is this: All computers can be hacked. Apple, by shedding default plugins and blocking automatic installation of unsigned third-party apps on Macs, has traditionally made it easier for average folks to keep themselves safe. But on the flip side, Windows, running on almost 90 percent of all computers operating today, has always been a juicier target for virus and malware makers. Most attacks now work equally well on both operating systems. So staying safe isn’t so much a matter of what computer you buy, but rather how well you understand and avoid the security pitfalls on it.

Sean Captain is a freelance tech and science writer based in New York City. Follow him on twitter @seancaptain or send tips to [email protected].