Argghhhhh Mac OS X: Virus-Free

The Chronicle of Higher Education has, once a week or so, a “Colloquy,” or live discussions about a set topic. Readers submit questions in advance, which are answered by an “expert.”

This week the topic was “The High Cost of Computer Worms,” and the expert was one Gregory A. Jackson, vice president and chief information officer of the University of Chicago.

Just for the heck of it, I submitted a question; I’ve posted an excerpt below, but you can find the entire discussion here.

Question from Lisa L. Spangenberg, UCLA:

Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don’t more institutions adopt Macs and encourage faculty to use them?

Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple’s periodic release of security fixes to counteract them. But the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys, and so the weaknesses don’t get exploited much. In the case of Unix, the vulnerabilities are greater — even in the Mach kernel underlying MacOS — but once again the installed base makes for an uninteresting target. If, as you suggest, suddenly Macs were much more widely used, they’d rapidly become an interesting target, and we’d see more bad-guy action. An interesting consequence of this would be a focus on Apple’s policy for security updates, which is approximately that after a brief while you have to pay for them. But I digress.

As to why we don’t recommend more Macs anyway, which isn’t really what you were asking but what the hey, there are two vexing and continuing problems: it’s becoming harder and harder (and hence more and more expensive) to find qualified Mac technicians and support staff, and Macs themselves, with a couple of exceptions (such as iMacs and low-end iBooks), remain stubbornly more expensive than their Windows or Linux competitors.

His response is, of course, somewhat idiotic, as well as wrong. There are no viruses or Trojan Horses for Mac OS X. None. What’s more, all previous versions of the Mac OS (OS 9 and earlier) have a grand total of less than 30 non-Microsoft specific Macro viruses.

I would guess that the havoc caused by Microsoft Windows Trojans and viruses, not to mention the expenses related to university IT staff constantly updating and patching the OS, would exceed the supposed cost difference between purchasing and supporting Mac OS X. As for Jackson’s statement Apple’s “periodic release of security fixes to counteract them,” it is at best somewhat uninformed. Sure there are frequent security updates, but not because of viruses or Trojans; they’re proactive, before the problems can be maliciously exploited. Then there’s Jackson’s bizarre statement regarding “Apple’s policy for security updates which is approximately that after a brief while you have to pay for them.” This is completely false; Apple has never charged for a security update for Mac OS X. Heck, they’ve continued to produce updates for Jaguar/10.2, even though the current OS is Panther/10.3.

Next Jackson offers the particularly vapid chestnut that “the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys.” This frequently repeated statement is particularly idiotic. First, Mac OS X is inherently more secure and harder to attack right out of the box because of basic precautions (via David Pogue).

1. Windows ships with five of its ports open; Mac OS X by default has those ports closed. Worms like Blaster use known vulnerabilities, including open ports, attack millions of PC’s. Microsoft says that it won’t have an opportunity to close these ports until the next version of Windows, “Longhorn, currently due some time in 2006.
2. When a program tries to install itself in Mac OS X (Linux does something similar), a dialog interrupts the user and asks for permission for that installation by asking the user to log in with an OS X account ID and password. Windows XP will go merrily ahead and install an application, potentially without the user even knowing, since the user doesn’t have to consent.
3. Administrator accounts in Windows (and therefore viruses that exploit Windows) have complete access to the entire operating system. In Mac OS X, even an Administrator user can’t touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically destroy all of the current user’s files, but wouldn’t be able to access other user’ files, and couldn’t touch the operating system itself. “Root” access is turned off by default in Mac OS X, and most people never have to create a root account.
4. No Macintosh e-mail program automatically runs scripts that come attached to incoming messages, as Microsoft Outlook does.

What’s more, the underlying core of Mac OS X is a descendent of BSD Unix. This is an operating system that’s roughly thirty years old, thirty years of life as an open source operating system, with thousands of professional engineers poking and prodding it in an effort to remove vulnerabilities. Microsoft, on the other hand, has millions of lines of proprietary code.

Certainly my university spends an inordinate amount of time and money simply on patching Windows boxes. The university purchases, and designs, systems to force updates on users’ (without, by the way, actually having to have those users consent to the practice) as preventive medicine. On a Mac OS X computer, Software Update will automatically check for updates, and politely ask if the user would like to install them.

I genuinely believe that for those users whose needs are met by using a Mac, the long term support and security cost savings will more than make up for any apparent difference in purchase price. That said, I’m also quite sure that there will eventually be Mac OS X specific Trojans and viruses, it’s just a matter of time, but I very much doubt the Mac OS will ever be as virus ridden and vulnerable as Windows. I think this earlier post is likely a more accurate reflection on why at least some academic IT departments don’t consider Macs.

Oh, and if there’s a college or university that truly thinks it’s difficult to find “qualified Mac technicians and support staff,” drop me a line; I know some people, (not to mention the spouse and myself) and heck, the dissertation is winding down anyway.

Update: I’m now speechless. Gregory A. Jackson serves on Apple’s Higher Education Advisory Board.