Winner of this and last year’s PWN2OWN contest Charlie Miller made some bold statements last week, stating that Mac OS X is easier to exploit than Windows. In a new interview with Tom’s Hardware, Miller explains that that doesn’t mean users should avoid Mac OS X for security reasons. He also gives a little more insight into his winning exploits, and what exactly they do.
The statement “Mac OS X is easier to exploit than Windows” is something people easily assume to mean that the former is the less safe operating system of the two. Many people, among which myself, were quick to point out that what matters, in the end, is theoretical security vs. real-world security. Simply by looking at the statistics, it is pretty obvious that the Mac is simply the safer choice for any given home user.
Miller agrees with this assertion, and explains that Macs are safer than Windows machines. “Between Mac and PC, I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn’t much malware out there,” Miller says, “For now, I’d still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.” Miller adds that he is a Mac user himself (a Core Duo MacBook).
The question whether or not Miller actually gained root access with his two exploits has also been answered: no, he did not get root access, but he says it doesn’t really matter. “In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad,” Miller explains, “I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.”
Linux makes a small appearance during the interview, but Miller harshly dismisses it. “I’ll leave Linux out of the equation since I know my grandma couldn’t run it,” he says. I thought we had grown out of the grandma analogy by now. The fact of the matter is that no grandma would ever be able to install an operating system by herself, whether that be Windows, Mac OS X, or Linux. She would have someone do it for her, and in that case, you could set her up with a working, easy-to-use, and complete Linux install just as well as you could give her a Windows install.
Let’s retire Mythical Grandma, shall we?