
No, OS X is NOT the 'most vulnerable OS' despite shoddy reporting

Security, as we take great pains to repeatedly point out, is something that deeply affects people. It affects their stress and trust levels when dealing with technology. When it's misreported it turns what should be an empowering experience into one of fear, uncertainty, and doubt. And it's far too frequently done just to get the worst kind of attention. The latest case in point is a — I don't want to call it a report — from GFI which claims OS X and iOS were the "most vulnerable operating systems of 2014." And, frankly, it's bullshit.

There are so many problems with GFI's not-a-report that it's hard to figure out where to begin.

  • OS X and iOS are listed as single line items on the chart yet Windows is broken down by version. Why wouldn't all operating systems be listed the same way? Can we just add all the Windows numbers up and see how big that number is in comparison?
  • The National Vulnerability Database (NVD) lists everything reported to it by vendors, including Apple, Microsoft, and others. That doesn't make it an accurate measure of vulnerabilities. It makes it an accurate measure of reporting. Why isn't that distinction properly reflected?
  • Different vendors, including Apple and Microsoft, have different policies and procedures when it comes to reporting vulnerabilities to the NVD. Apple reports every fix in their advisories. (You can find them via the Apple Security Updates page.) If there's no uniform reporting standard, how can uniform conclusions be drawn?
  • Microsoft has no "low vulnerabilities" listed. Does that mean there aren't any or they don't report them the way other platforms do?
  • OS X and iOS both have significant UNIX and open source software (OSS) components shared by BSD and other operating systems. That makes for a much different, and much wider possible reporting pool than, for example, Windows. How was that accounted for?

The relative security of a platform has nothing to do with how well a company reports the vulnerabilities they fix — though seeing good reporting is certainly comforting. The relative security of a platform certainly has nothing to do with grossly distorted and disingenuous attention-bait.

I'm not sure how this not-a-report got approved for publication, and I'm flabbergasted that it got picked up by mainstream outlets, seemingly without even a cursory look to see if it made any sense whatsoever.


In an era where some vendors have intentionally gone from defending to attacking their own customers, proper security reporting couldn't be any more important.

This type of misrepresentation happens regularly enough, however, that I'm beginning to suspect it's not done for the benefit of consumers at all. And that feels more like a security threat than anything contained in this not-a-report.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

74 Comments
  • Here come the trolls to attack Rene personally for his support of Apple – wait for it…
  • Truth hurts like a mother. Posted via the iMore App for Android
  • Yeah, Android is so full of malware, it must hurt, eh?
  • Except it's not full of malware. Get your facts straight. Magenta is the new Yellow
  • +1. Unless you are sideloading apks from questionable sites or using a third party app store, you will be fine.
  • Haha aren't you a misinformed troll Posted via the iMore App for Android
  • You'd have to live in a cave to believe such garbage. I've never run any type of anti-virus apps on my Mac and have yet to be exploited. Yet when getting a Windows machine Microsoft pops up a warning that no anti-virus is installed, etc. I find that ironic that the OS prompts you to get protected because it's inevitable that you will need it. Good article Rene.
  • I’ll say the same for my DOS box. Yep I do see the warning but it’s saying no protection at all. having Windows Defender installed and switched on should stop this and of course that can be equated to GateKeeper perhaps?
    I’m getting increasingly annoyed at all the crap that's spouted about Windows on here.
    Personally, Windows because I have to, Mac because I want to. But that doesn’t mean that a PC isn’t a machine equally as good as a Mac that god forbid, some might actually prefer. Oh, and Apple have to be the worst company in history for reporting anything.
  • "Oh, and Apple isn't perfect, but they're more diligent about reporting than the competition. It's just that everyone always hammers on Apple because their OS has a better track record." There, fixed that for ya.
  • Apple are more diligent about reporting than others? You are funny. Very funny.
  • Except when he's right... I actually do security remediation for Enterprises and the fact that there are no low vulnerabilities listed despite the fact that I document and squash low vulnerabilities all day long as a part of my job tells me either this report is garbage or Microsoft doesn't report lows...or perhaps both.
  • My IT guys says otherwise and so does my anecdotal evidence. They are terrible for support in enterprise.
  • "Yet when getting a Windows machine Microsoft pops up a warning that no anti-virus is installed, etc."
    Okay, so it is obvious you have not gotten a Windows machine in years. Microsoft computers come with Windows Defender built in for security with no setting up, subscriptions or maintenance to begin with. Sure, if you disable it or uninstall it, the OS warns you. I guess I fail to see how that is a bad thing? Is OSX just completely impervious to viruses or are they just not as targeted seeing as their marketshare is so tiny? I mean, if you want to criticize Windows security, go ahead. But citing a user experience from like 4 years ago is a bit ridiculous too.
  • OS X can get AdWare and Malware, typically when people download Flash or similar software from third-party sites. Peter's been writing about it all last and this week.
  • Most problems are user error. The inexperienced user is going to run into problems on any platform. Sent from the iMore App
  • This, "Mac's market share is so tiny, therefore nobody wants to attack it" is so 1990's, it's painful to see some people still use it. Let's see, if you really wanted to make headlines, and I mean MAJOR headlines, go ahead, exploit OSX or iOS. Create a widespread security risk, virus, what have you, put Apple on Red Alert. Oh, I see, you give up? And back to the old cliches.
  • This... Posted via the iMore App for Android
  • Actually it has Windows Defender built in which runs if you do NOT install a third party anti virus.
  • You do realize that depending on the intent of a virus, you might not even know you have one as your personal information flows across the internets, right? Posted via the iMore App for Android
  • Huh... The post I replied to, mysteriously disappeared... Posted via the iMore App for Android
  • Microsoft left all the OS doors open and unlocked for decades, then gave up on security when they started recommending "nuke & pave" as a fix for a compromised computer. Windows helped create the malware industry by making it relatively easy to enter the malware business.
  • I despise one-sided article writers, don't you Rene??? Posted via the iMore App for Android
  • If you find something factually incorrect in anything I write, please point it out so I can fix it. If you dislike the facts, please feel free to vent that frustration :)
  • I find it fascinating that one would install an Apple-centric app on an Android device and waste time on posting gibberish. Kudos to Rene for creating a channel for the weak minds and allowing them to connect and show how bored and frustrated they are. I guess, when there are no productive apps in Googleland, you gotta do something.
  • This is my main astonishment as well. People get so tired of coming to a pro-Apple web site and listening to, uh ... pro-Apple information? Now I ask, which is more surprising, to read pro-Apple info on a pro-Apple web site or to complain about reading pro-Apple information on a pro-Apple website. A final thought: I simply can't get over how it is I'm supposed to apologize for choosing something other than Windows. I get that all day and everyday where I work, I don't need it here. If you're feeling so disenfranchised, then may I sincerely and urgently request that you go elsewhere for your non-Apple information? Please?!
  • What he said! Sent from the iMore App
  • I still have yet to hear a convincing answer to the simple question, if Apple is so vulnerable, where are all the real-world exploits of these vulnerabilities? The old "they're not a rich enough target" is surely utterly absurd at this point. Even if the systems of the world's most desired hacking targets aren't run on Apple products, the value of shutting up us smug Apple users who have the gall to never purchase antivirus software would be enough of a satisfaction to motivate people, wouldn't it?
  • "I still have yet to hear a convincing answer to the simple question, if Apple is so vulnerable, where are all the real-world exploits of these vulnerabilities? The old "they're not a rich enough target" is surely utterly absurd at this point."
    Is it really an absurd statement? I have yet to hear a better argument as to why this is the case. Surely OSX is not some impenetrable fortress of programming beyond hackers' abilities. No one seriously takes that line of reasoning...
  • Err...in 2012, flashback infected more Macs by percentage of installed base than any PC infestation, ever. Source: Gruber, not exactly an anti-Mac writer http://daringfireball.net/2012/04/flashback_eword It is simply not possible to claim that Macs are impervious; wide-ranging attacks can and have happened.
  • I have to concede — you've proven your point. It has happened to Macs. I was wrong. But just because I was wrong, that doesn't change Rene's point that the report is grossly misleading on the relative vulnerability of Macs vs. other platforms.
  • No, it doesn't. It's not that I think Macs are particularly unsafe - I don't - I just see a trend in the Apple community to think security is Apple's responsibility, not their own, and I worry that complacency is going to lead us to a bad place. Sent from the iMore App
  • That's why Peter has been covering Mac security all week.
  • To me no system is more vulnerable than any other. It mostly comes down to I/O errors (idiot operators). I remember our general manager crashing our network trying to download a Paris Hilton sex tape. In cases like that the operating system doesn't matter. Sent from the iMore App
  • My first boss would log those as PEBCAK (Problem Exists Between Chair and Keyboard)
  • Haven't heard that in years... Lol Posted via the iMore App for Android
  • Number of vulnerabilities reported is one thing. How many are patched, how many remain unpatched after being reported, how many are reported internally via mailing lists (FOSS operating systems) and fixed even before the official stable release is out, how many are from development/beta branches, how many are exploited successfully? Different providers have different definitions for what constitutes a "vulnerability" too. In OpenBSD, anything malloc finds leaky and produces a core dump file for is considered a potential vulnerability. The same scenario gets a free-pass on any other operating system, fyi.
  • Send Rene a doctor, please.. 555
    He's probably too stressed for anything anti Apple. Relax.. Anyway, I believe Apple is at peak right now.
  • Yeah I get the market share argument. That's been the argument for years and years and years now. And I concede that OS X isn't invulnerable. No system is. And yet, I persist: there are any number of people who are quite open in expressing their contempt for Apple/Mac/OS X/"fanbois." The popular notion of the hacker (admittedly one that could be ill-informed) is someone who takes delight in the challenge and notoriety of hacking per se. So there's not one person or group out there who would get a kick out of the notoriety that would come from some massive exploit that would let them pwn all these naive, cocky, virus protection-free Mac users?? Really?
  • It's a matter of percentages, and incentives. Breaking into any modern OS - Windows included - is hard. There are probably a half dozen or so truly talented folks who might get a kick out of breaking into OSX in their spare time. Occasionally, one succeeds, e.g. flashback. Meanwhile, the people for whom this is a job focus on the higher value target, which for the foreseeable future is Windows. More of them at work, and for pay, not for s*** and giggles, means that group is likely to have a success pop up more often.
  • using a clueless analyst (look at his history on apple for proof) to bolster your argument. you lost already. *sigh* if only you were just as critical on your own security articles.
  • You've not factually disputed anything in my article. It's also not my argument. The facts speak for themselves. Productively discussing them shouldn't be difficult.
  • I have discredited your misguided appeal to authority which in turn puts your whole premise in question. Here's a question for you; why do you think a misguided Apple bashing financial analyst should somehow be used as any authority for operating system vulnerabilities?
  • https://yourlogicalfallacyis.com/assets/FallaciesPosterHigherRes.jpg
  • I smell smug and hipster ^^^
  • Forgot to add; "The National Vulnerability Database (NVD) lists everything reported to it by vendors, including Apple, Microsoft, and others" - anybody can report a vulnerability. Is there any proof that nist.gov does not have a valid database of vulnerabilities? https://forms.cert.org/VulReport/
  • It's a valid database of vulnerability reports. An equally valid headline could be: "Apple leads industry in number of vulnerabilities disclosed" but without sufficient data that conclusion wouldn't be any better, right?
  • Easily, and the conclusions would be the same. It's certainly a flamebait article by a blogger, but again that is norm for you guys so I don't see the point.
  • "An equally valid headline could be: "Apple leads industry in number of vulnerabilities disclosed" " No, because vulnerabilities are not disclosed by the company.
  • All modern operating systems will have their vulnerabilities. Windows in the past has the worst publicised track record and there's no denying that. Old versions of Mac never had their vulnerabilities exploited like Windows as the user base was so small it didn't matter. Now we have Apple with its growing market share becoming a bigger target meaning the vulnerabilities are finally being exploited. The reality is that today the latest version of Windows and Mac OS are both fairly safe and secure operating systems. Real life computer viruses practically don't exist like they have in the past as these days it's all malware/adware that is usually given permission to install by not so savvy computer users of both Windows and Mac devices. These malware/adware also commonly exploit user installed software such as java and flash. There doesn't appear to be many common malware/adwares that can self install and directly exploit the user's operating system these days. People are getting upset over a whole lot of nonsense that most computer users don't need to worry about if they are running the latest operating system and updates and don't go installing dodgy malware bundled software.
  • Yeah, you right. 100% right. Posted via the iMore App for Android
  • Cogent.
  • Suck it Trebek
  • Mr. Connery!
  • what a complete and unbiased bit of shit some mistake for writing
  • Sarcasm?
  • Reminds me of that shoddy reporting of how your Android phone was going to be compromised by Russians at the winter Olympics. Sent from the iMore App
  • He said that?!
  • I think it was NBC News, and not Rene. (for once) Rene may have parroted it all over the interwebs, but I didn't see him do it. Posted via the iMore App for Android
  • So let's just assume that Rene didn't do that.
  • I think the reason people publish this type of stories is to get attention, I mean if you publish an investigation about a Windows virus it's boring... But OS X? That's another story...
  • All OS systems have vulnerabilities it's common knowledge. They aren't indestructible look at the iCloud hack, Snapchat hack, Sony Hack, etc nothing surprising there. BUT it's the user's error that one can potentially gain something harmful and infect their computer or phone. Android isn't malware infested, neither is Windows or iOS or OS X. It's what you install that can potentially infect your device. Always so much hate on both sides my my. Posted via the iMore App for Android
  • There was no iCloud hack.
  • Reports counting "number of vulnerabilities discovered for N period of time" bring no added value or awareness to users. Whichever platform I am on there will be the occasional article to put it on top with its number of vulnerabilities. No OS is perfect and in my opinion all OS have their biggest vulnerability sitting behind the keyboard, clicking everything that looks kind of "cool" and using "1234" to register for newsletters of kitten photos.
  • would be great if you cross-referenced NVD with Zero Day Initiative, Would give you a little more ground to make these points on, it is true that Apple is keeping up with security updates just as Microsoft, they are both neck and neck as far as response goes there is no first place or second place in infosec but every point short of pointing to Open source as an advantage yes lots of eyes but if you understand how for example kernel commits are submitted and accepted you realize this is what makes Open Source a lumbering Giant, but hey I still love my Arch Linux =D
  • Nice Arkham City background..... We all know you can't run it on a Mac. "I'm da Blur boys!" - Me with 1200 ping. Fiber in Nashville? Save me based Google.
  • Great article Rene. You see shit, you call it. :) The vitriol that ensued not long after this article is not surprising. That is the main reason why shoddy "reporting" is, well reported. Sent from the iMore App
  • The entire marketshare thing is in and of itself, misleading. When malware was still the province of little dipwads "proving" themselves, then marketshare in isolation mattered a bit more. Anyone who used a Mac in the System 6/early System 7 era can tell you Macs were most definitely not immune to malware. Ye gods, I hated getting floppies from UND, because every mac in every lab was just pure pestilence. System 7 actually had code designed to shut down the most virulent virii of the time. But now, malware is about money. To the tune of billions of dollars. As a money-making enterprise, malware writers go where the best ROI is. Right now, and probably into the future, that's in Phishing, which ignores platforms and hardware and goes straight for the weak link in all security, the human. After that, well, where's the most money at? Well, one would want to look at the financial sector, and major retail for that, and lo, where do we see the largest malware-enabled data breaches coming from? People with vast amounts of useful financial data. What are they running as their majority platform? Windows. It's the specific industry marketshare that matters, not just straight marketshare. Global marketshare isn't that important. Infecting every machine in say, a major global ad agency isn't going to get you the ROI that burrowing into Visa's credit card databases will. You go to where the money is.
  • I don't know why people that hate apple come follow apple news. If you love android and windows go support them, read and comment on websites that report about those OS systems.
  • Wow has the click bait been laid out so easily. ANY operating system's security is at the mercy of the user. I own both a Mac and several PC's and have less antivirus issues and "critical updates" to keep up with on a regular basis using Windows 7 in stark comparison to OS X which has much fewer security patches pushed to software update. When it comes to mobile operating systems, both iOS and Android are very robust. A device running Android can be easily taken advantage of due to app side loading that can introduce a complete mess of your personal data and overall security. iOS on the other hand, doesn't have this problem. Yes you can jailbreak your iPhone or other iThingys which, in turn also puts your personal security at risk. What do these issues have in common? The user.... Any OS over the years has always been at the mercy of those who wish to pirate applications and other issues. Other times it's just plain lack of experience using any computer and what OS it runs.
  • Not true. Older Windows OS allowed malware to silent install itself without notification. Windows Vista and IE7 was really the turning point for Windows protected mode, UAC, usable Standard User accounts, etc. People staying on XP didn't help themselves. 7 just seems good for them because they're coming from XP. If they were coming from Vista they'd see much of that was nothing new. 7 compared to Vista is like Windows 8.1 compared to 8, IMO. Vista also made it apparent how much developers actually needed to improve. Its UAC went apeshit with a lot of programs because the developers were used to having free rein over the system with earlier versions of Windows. Windows is very secure these days. People using the pre-2006 arguments... Let them embarrass themselves. Mac vs Windows is more an issue of personal preference. A lot of stuff is analogous. Desktop, Dashboard vs Start Screen, App List vs Launch Pad. Spotlight vs Windows Search. Etc. One thing I learned when I got an iMac is that it isn't worth buying one unless you really just prefer OS X to Windows, because other than integration with Apple devices there are very few things it can do that Windows can't (and vice versa) and very few things it can do that Windows can't (ditto). I'd say the same to a Windows user considering a Mac. 8.1 easily performs better than Yosemite even on the same hardware (like when dual booting them on an iMac), though. Even iTunes on Windows is faster than in Yosemite, with the Windows machine running on worse hardware (my Notebook vs my iMac).
  • Also, to those asking others why they're here (this seems to be a trend on all Mobile Nations sites): Some people are actually platform agnostic (I myself use Windows, OS X, iOS, and Android). I'm resistant to the spin here. The writers here go out of their way to excuse anything that can be perceived as a negative about Apple, their platforms, or their software. On the flip side, they flip out (excuse the redundancy) whenever something which can be perceived as negative is written about Apple, their platforms, or their software. We all know this. This blog ( <- emphasis ) isn't new. I don't need to explain why I'm here as I use Apple products, and that speaks for itself. I don't need an excuse to complain about their products, because I use them (there are people here using 2-3 year old phones or computers from 2010-12 and acting like the Gatekeepers of Cupertino...). Stop asking people why they're here. It's nothing but a veiled trolling attempt, and that got old about 5 years ago. I still come here because they still give tips on when Non-Apple companies update or release products. Sometimes knowing a product you use on a different product released an update for iOS, or OS X, or whatever can tip you into what they're working on for the platform you use - since the sensible among us know that it's not always possible to develop and release updates for all platforms concurrently (and often large companies have different teams working on different ports of their software). For example, reading about Office for iPad here was still useful for the Android users out there, since the port of Office they got was functionally identical to the iPad app. Mac OS X Yosemite: The Missing Manual is only $17 on the iBook Store and it's not like there is much to learn from the stuff they post on this blog, anyways. I come here mostly for tip-offs and to have lively discussions with other commenters and forumers. The content lacks, frankly (no offense).
  • The "Version-ing" argument, that all the critics of the original article are trying to use, doesn't make sense. The article in question shows MS broken down, but that would not mean Windows 8 vs 8.1 having 36 issues would add together to create 72 issues. They are the same issues. Mac does not isolate OS and patch independently so the article shows OSX as the current revision of issues, I am betting if the article broke out OS it would read much the same way. It is the old argument I always used to have when some hipster designer brought their Mac in 5-10 years ago and would proclaim "My Mac doesn't have Viruses", I would always retort with "Your Mac doesn't have users either"... Now that Mac is popular, people are finding and creating vulnerabilities, most likely ones Microsoft had to deal with a decade ago. Quit crying about it and deal with it, it is inevitable and means more people are using your favorite platform. They will catch up with Microsoft on security sooner or later.
  • Fine arguments, all. But the real question you gotta ask yourself is, How valuable is your time? Do you want to spend time dickin' around with your PC and its headaches, or do you just want to get work done? Why would you want to have a car you have to fix constantly (something you knew when you bought it)? No one would. Bottom line truth: there's never been a successful serious viral attack against a Mac.