If malware was water falling from the sky, the experience of people running the big three desktop operating systems would go something like this:
Mac OS X: “Is it sprinkling? I thought I felt a drop there. Did anyone else feel a drop? No? Maybe I just imagined it.”
Linux: “Oh, yeah… I definitely felt a sprinkle or two there.”
Windows: [Can’t say anything because they’re pinned to the foot of Niagara Falls by tons of down rushing water.]
For the last ten years, there has been a raging debate among computer geeks as to why Mac OS X and Linux have virtually no problems with malware while Windows is often almost crippled by it. The most commonly accepted explanation is called “Security Through Rarity.” This concept holds that on a technological level Mac OS X and Linux are just as insecure as Windows but that the relatively small market share of the first two operating systems makes it unprofitable for malware programmers to spend the time trying to infect them.
I have long believed that the basic premise of “Security Through Rarity” largely explained why I can run my Mac OS X machines without any additional anti-malware software but don’t dare do the same for my Windows machines. For the last decade, I and everyone else who believed in the concept have expected that “any day now” the Mac’s immunity from malware would end in a shocking Götterdämmerung of a Mac malware pandemic, but it hasn’t happened yet. Just as the failure of other types of apocalyptic prophecies undermines people’s faith in those prophecies, the fact that the long-prophesied Mac malware apocalypse has never manifested in more than a trivial manner has caused me to reexamine my belief in the “Security Through Rarity” concept.
There are several good reasons to doubt that “Security Through Rarity” explains the lack of malware that exploits Mac OS X in particular.
First, back in the ’90s Macs had a smaller market share than they do today, but they had more malware problems both absolutely and by percentage of the installed base.
Back then, Macs used a different operating system, now called Mac OS Classic. Classic was a single-user OS with no privilege restrictions or other forms of basic security. Before the Internet really took off, malware spread by infected disks, and Macs were overrepresented in environments like education and graphic design in which there was a much higher level of disk swapping between machines than among the PCs of the time.
During my time in Apple tech support, we encountered several successive waves of malware outbreaks. We all ran anti-virus software and advised our customers to always do the same. I personally discovered that the dreaded “AutoStart” worm was corrupting AppleShare file servers. Malware was a big problem for Macs back then.
If “Security Through Rarity” explains why Macs today don’t have major problems with malware, why did Macs have more problems with malware back in the mid-’90s when Apple’s market share was at its nadir? Why did malicious hackers bother to write malware for Macs back then when the possibility for profit or notoriety was even smaller than today?
Second, Linux has a smaller market share than Mac OS X but has more malware targeted at it. Granted, compared to Windows, the Linux malware problem is still trivial. Linux has just a few dozen pieces of malware in the wild compared to 9000+ for Windows. On the other hand, Linux is a rich target because the primary use of Linux is to run the Apache Web server and other Internet-related server apps. If a malicious hacker could use malware to infect and control a Linux web server, then they could stand to profit to a much greater extent than they could by hijacking an ordinary desktop. Yet Linux sees few problems, though still more problems than Mac OS X.
If smaller market share explains why Macs today don’t have major problems with malware, why does Linux with its smaller market share have a bigger problem with malware than Mac OS X?
Third, although Mac OS X’s share of the installed base is small compared to that of Windows, in absolute terms there are still tens of millions of units out there. The Mac installed base has been over 20 million units since the late ’90s and in the last couple of years that has jumped to an estimated 30 million units (75 million if you include the slimmed-down Mac OS X in the iPhone). That’s a lot of targets for malicious hackers. In proportional terms, Mac OS X has roughly a 5%-10% share of the total Internet-connected computer installed base. That translates into a minimum of 1 in every 20 Internet-connected computers in the world running Mac OS X.
That’s a lot of computers in absolute terms. There are definitely enough Macs out there to make writing malware for Macs worthwhile. Malware writers can make a lot of money if they can gain control of just a few thousand machines. Granted, an infected Mac would only infect 1 out of 20 other computers it randomly chose for attack, but since malware can carry out hundreds of such attacks every hour, the small chance of success would quickly add up exponentially in just a few hours.
Mac malware would be especially profitable given that (1) almost all Macs are connected to the Internet, (2) almost all Macs are administered by non-computer-savvy end users, (3) most of these non-savvy users pay little attention to security, and (4) the vast majority of Macs don’t run any kind of anti-virus/anti-malware software at all. If, as the “Security Through Rarity” advocates claim, it is just as easy to write malware to infect Mac OS X as it is to write malware to infect Windows, the lack of security consciousness and software on the 30 million Macs in the world would make them easy pickings for malware authors. It would be like the world’s best high-tech international jewel thief breaking into an Amish household.
If “Security Through Rarity” explains the lack of Mac OS X malware, how many tens or hundreds of millions of Macs would there have to be to make attacking them worthwhile?
In business terms, the Windows malware “market” is saturated while the “market” for Mac OS X malware is underserved. It’s Business 101 (and common sense) that the same amount of effort produces a higher rate of return in an underserved market than in a saturated market.
At this point, the “Security Through Rarity” explanation relies on the idea that greedy, amoral yet technically cunning malware programmers have never noticed all these facts and therefore have never bothered to write malware for the Mac. Given that there are some actual pieces of malware for Mac OS X, we can safely disregard this idea. Clearly, malware programmers are trying to attack Mac OS X but are failing. Given the laxity of anti-malware vigilance by Mac users, one bright malware programmer could make his fortune if he could successfully propagate just one piece of Mac OS X malware through a few hundred thousand Macs.
The lack of such malware is all the more puzzling because every year computer security experts publish flaws they find in Mac OS X that hypothetically could be used to create self-spreading malware (viruses and worms). Why haven’t malware programmers exploited these publicly available Mac OS X flaws that the security experts describe in such fine detail? With just a week’s work, a malware author could hypothetically turn the experts’ description into a real piece of malware, seize control of hundreds of thousands or even millions of Macs and cash in big time.
(Hell, just the lure of the bragging rights that would come from being the first programmer to write a successful virus or worm for Mac OS X tempts even me and I have some ethics.)
If amoral programmers have the physical ability to steal from others without consequence, they will try to do so. The fact that they haven’t infected Mac OS X machines on a wide scale is powerful evidence in itself that they cannot actually infect Macs on a systematic basis. It’s the best real-world test we could ask for.
Then what does prevent malware programmers from cracking Mac OS X and Linux? There may be some non-technology-related factors. The programmer culture that grows up around each OS might make it less likely for Mac OS X and Linux programmers to go bad. The usage patterns for the two secure operating systems might make them more immune.
In the end, however, I think that despite all the round-and-round debate about the security models of all three major operating systems, the real-world experience provides concrete evidence that the Unix-based security models of Mac OS X and Linux are superior to the Windows security model. When all the histories and tradeoffs of the three operating systems’ technology sum up under real-world conditions, Windows has massive flaws that the other two do not.
Over the last decade we’ve tested the “Security Through Rarity” hypothesis and it has failed. Mac OS X and Linux appear to be more secure against malware because on a technological level they are actually more secure. Market share has little to do with it.