For the student, the cubicle-bound desk worker, and the grocery store clerk alike, computers have become an integral part of everyday life. We live in an age where being connected to the internet is no longer a luxury, but a necessity for most people; and an age in which the danger of the internet has never loomed so large. It is all too easy to click on an enticing link and find yourself the victim of a ransomware attack. At least for Windows users. Mac users are safe, right?
“Macs can’t get viruses”
Almost every known cyber-exploit gets an entry in the MITRE CVE Database. CVE stands for “Common Vulnerabilities and Exposures,” and the details on these common vulnerabilities are kept in public registers like the MITRE database to help security professionals across the world know how to protect themselves against exploits out in the wild. On July 7, 2019, CVE-2019-13449 was added to the MITRE database¹. Hundreds of exploits are added to this database every week, but this one was particularly egregious. It was an easily exploitable way to cause a “denial of service” attack on macOS computers through manipulating the cloud-conferencing software “Zoom.”
A denial of service attack causes the machine that is being attacked to become unusable, and in the case of this vulnerability, attackers could continually cause a remote computer to focus on a particular browser window, preventing the user from doing anything else with their computer. This vulnerability was first discovered by security researcher Jonathan Leitschuh on March 8, 2019. He immediately tweeted Zoom asking to talk to their security team and received no response. He emailed Zoom. No response. A full month later a security engineer finally responded. Then in June, they contacted the researcher again to discuss a patch for the vulnerability. Finally, on July 8 (a day after the CVE was released), the fix was rolled out².
The frightening part about this attack vector was not that it existed, but that Zoom handled the situation so poorly and dragged their feet for months before even responding to the researcher who discovered the vulnerability. Often, as was the case with this Zoom vulnerability, there isn’t a patch available at the time that the CVE is released; and this is just one of the thousands of CVEs that apply to macOS users.
The MacBook is ubiquitous on college campuses across the United States. Its desktop cousin, the iMac, is in the offices of professionals and creators everywhere. Apple has, by default, been taking over the personal computing market for the past 10 years³. This is no surprise, given that the younger generation gravitates toward Apple products. According to a study done by Jamf, an Apple product management company, students see the Mac platform “as more intuitive, longer-lasting, more secure and more encouraging of productivity” as opposed to a Windows alternative. The “more secure” statistic is particularly interesting: 43% of Mac users agree that Apple’s platform is more secure than Windows⁴. This raises the obvious question: if there are thousands of known exploits on the macOS platform, why do almost half of the MacBook-wielding students who took part in this survey think it is a more secure platform?
“Windows is more targeted, right?”
The reasons for this myth are largely historical. In January of 2009, 93% of the desktop and laptop computers in the United States ran on Windows³. From a hacker’s perspective in the year 2009, it would have only made sense to target a platform that the vast majority of the world ran on rather than a niche platform designed for content creators. The medical industry ran on Windows, the banks ran on Windows, the government ran on Windows. Most importantly, regular people ran Windows on their personal computers. It would have been foolish from a return-on-investment perspective to target a platform other than Windows⁵.
Windows was so large a target for malware and viruses a decade ago that security was one of the main focuses of Apple’s famous “Get a Mac” ad campaign⁶. There were ads about how Macs didn’t get viruses and Windows did, ads about how Windows had annoying security policies because of the prevalence of viruses and malware, and ads about how Windows Vista was just generally insecure.
Between 2006 and 2009 when Apple ran this campaign, macOS was not a target and Windows was, and there are remnants of the horrible security policies Microsoft implemented to prevent certain severe attacks to this day. But a lot has changed since the year 2009. Today in the US, 25% of desktop and laptop computers now run on macOS, and only 65% run on Windows³. Not only is there a difference in market share, the types of people who are running macOS are very different than they were back in 2009. A large part of the “Get a Mac” campaign was focused on getting the attention of creators, but Apple has shifted away from that platform. Mac is no longer a “creative” tool that only musicians and artists gravitate toward. The Apple logo is a status symbol.
In 2018, researchers Marianne Bertrand and Emir Kamenica set out to discover if they could determine economic and cultural differences between people based on their consumer habits. They found that in the year 2016, the defining purchase that separated someone on the top of the economic ladder from someone on the bottom was an Apple iPhone and/or iPad⁷. Owning Apple products has become a sign of (relative) wealth, and consequently, a reason to be targeted by cybercriminals. Everything in the insane everyday war that happens over wires between hackers and cybersecurity experts boils down to either national security or money. By becoming a product owned by well-off people, the MacBook has declared itself a target of this war.
“Don’t worry. My antivirus will protect me.”
Anyone who has ever used a Windows PC has probably installed (or been told to install) some sort of antivirus or antimalware software. Although Windows Defender has existed on Windows since 2006, it wasn’t a truly complete security suite until Windows 8, and even now its main purpose is to be antivirus software, not antimalware software. A virus is intended to replicate itself and be chaotically malicious (like adware that jumps from machine to machine), while malware is often more of a targeted attack (like ransomware). Even now that Windows Defender is a relatively good security package, security experts still recommend using Windows Defender in conjunction with a third-party antimalware package to fill in gaps⁸.
On the other side of the aisle, macOS has long had a leg up on Windows in this realm. macOS has had a more fully featured anti-malware for a much longer time, and Apple has been purposeful about making security one of its main selling points. Moreover, macOS is built out of the Unix operating system. Unix has an inherently secure design because it was designed for multiple people to work on the same system at the same time. Everything in Unix is a file or a directory (a folder), and every file and directory has a set of permissions attached to it to tell the operating system who is and is not allowed to interact with it in certain ways. Windows was not designed like this, and thus it is (in theory) a lot easier for malicious programs to interact with the computer in ways that the user might not intend.
This is not to say that Unix systems are completely secure. In fact, searching any common CVE database will reveal that there are only a few hundred fewer known exploits for the Unix operating system than there are for Windows 10. This is because most security vulnerabilities aren’t often found in the operating system itself (and when they are, it’s a huge deal). More often, vulnerabilities are found in software that runs above the operating system, like the Zoom vulnerability discussed earlier. The Zoom exploit was only possible on macOS, but only because the software was implemented differently on macOS than on other operating systems, not because of macOS itself.
“Is anything safe?”
Windows may have a bad track record when it comes to security, but as we’ve seen, macOS is vulnerable to attacks too. So, which is safer? According to a study released by a popular antimalware company Malwarebytes, in 2019, the average MacBook was attacked by viruses or malware 11 times. In stark contrast, the average Windows machine was attacked 5.8 times⁹. This is an unprecedented number given that in every preceding year these statistics have been flipped on their heads. Attacks on macOS saw a massive 400% increase from 2018, and as more and more of the market is given to Apple, it is only to be expected that the number of attacks per endpoint will rise even higher.
From a purely numbers-oriented perspective, Windows surprisingly seems to be the safer option in the present day. That is, until the types of attacks (the kinds of malicious software) are examined. The report from Malwarebytes states that “Macs differ drastically from Windows in terms of the types of threats seen.” The top ten types of malware consist largely of PUPs (Potentially Unwanted Programs) and Adware. These, while annoying, are largely harmless to the user. On the Windows end of things, the threat landscape is alarmingly full of trojans, spyware, and backdoor exploits allowing hackers to gain control of consumers’ computers.
This means that in the present day, while MacBooks are more likely to be attacked, Windows computers still bear the brunt of the most dangerous attacks. Perhaps the reason for the rise in attacks on Macs is in connection with what BBC tech writer Bill Thompson warned us about all the way back in 2006: “Mac users demonstrate an indefensible smugness when it comes to the dangers of having their systems compromised by malicious software and opened up to exploitation by others.”¹⁰ So many Mac users refuse to believe that they could be the target of an attack that they don’t do anything to protect themselves. This is incredibly dangerous.
While many of the attacks on Mac devices are merely annoying and not damaging, there are plenty of dangerous attacks that exist outside of the top-ten list on Malwarebytes’ study. The further we progress into this strange quarantined spring, the more exploits surrounding the Zoom platform are discovered. Because it has recently become such an important piece of software, security analysts have been scrutinizing it and have found no end of issues on all platforms the software serves¹¹.
The short answer is: nothing is 100% secure. As long as humans are programming computers and trying to break into them, there will always be backdoors. This is not to say that we cannot prevent bad things from happening. Software updates are often security patches, and therefore keeping everything updated is a relatively simple way to stay protected. Having a general understanding of the cybersecurity landscape never hurt anybody either. And most importantly, common sense is a consumer’s greatest weapon. Use it.
1. “CVE-2019-13449.” MITRE, Jul. 7, 2019, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13449.
2. Leitschuh, Jonathan. “Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!” Infosec Write-Ups, Medium, Jul. 8, 2019, https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5.
3. “Desktop Operating System Market Share United States Of America.” Statcounter, https://gs.statcounter.com/os-market-share/desktop/united-states-of-america/#monthly-200901-202002.
4. “The influence of student device choice on the modern workplace.” Jamf, May 23, 2019, https://resources.jamf.com/documents/books/the-influence-of-student-device-choice-on-the-modern-workplace-ebook.pdf.
5. Hoffman, Chris. “Why Windows Has More Viruses than Mac and Linux.” How-To Geek, Sep. 21, 2016, https://www.howtogeek.com/141944/htg-explains-why-windows-has-the-most-viruses/.
6. “Get a Mac — Viruses.” Apple, YouTube, May 12, 2006, https://www.youtube.com/watch?v=sdF5IsyOxU4.
7. Bertrand, Marianne, and Emir Kamenica. “Coming Apart? Cultural Distances in the United States Over Time.” National Bureau of Economic Research, Jun. 2018, https://www.nber.org/papers/w24771.pdf.
8. Shultz, Greg. “Windows Defender: Past, present, and future.” TechRepublic, Nov. 17, 2016, https://www.techrepublic.com/article/windows-defender-past-present-and-future/.
9. “2020 State of Malware Report.” Malwarebytes Labs, Feb. 2020, https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf.
10. Thompson, Bill. “Mac users ‘too smug’ over security.” BBC News, Jan. 16, 2006, http://news.bbc.co.uk/2/hi/technology/4609968.stm.
11. Lovejoy, Ben. “Another day, another couple of Zoom vulnerabilities discovered …” 9to5Mac, Apr. 3, 2020, https://9to5mac.com/2020/04/03/zoom-vulnerabilities/.