OS X vs. Windows Security: Discovered vs. Undiscovered Vulnerabilities
By Daniel Miessler on January 17th, 2007: Tagged as Apple | Microsoft | OS X | Vista | Windows
With Apple OS X’s surging popularity, many are wondering how vulnerable Apple’s OS X operating system is relative to Windows. You essentially have two sides — one saying that it’s inherently more secure (and hence less successfully attacked), and the other side saying that it’s only because of marketshare that fewer issues have surfaced.
A Model
I think I have a model for explaining the interaction between these two theories. Essentially, OS X has issues just like FreeBSD, Linux, Windows, or any other OS does; the issues just haven’t surfaced yet because of the lack of interest in exploiting such a small user-base. Where people go wrong, however, is assuming that it’s going to get as bad as Windows has been. It won’t.
Conceptualize this as if there are two ratings — one is the potential for attack, and the second is the degree to which the potential has been actualized.
So let us say that Windows has a 100% potential with a 50% actualized rating. In other words, it’s highly vulnerable and has been and is being exploited considerably within that potential. OS X, on the other hand, has a much lower potential — say in the 30% range — but it’s seen virtually no exposure due to the lack of interest from attackers (due to limited marketshare). I’d say its actualized rating is around 5%.
The Future
What this means is that over the next year or so you’re going to see a massive increase in the flaws found in OS X due to the exponential increase in its popularity. Notice that using my model and numbers this means that OS X has 25% of its vulnerability potential untapped, whereas Windows (XP, 2003 Server, Vista, Longhorn Server, etc.) has a full 50%.
The key here is that we’ve seen 50 points of vulnerability and exploitation activity come from the Windows side, while we’ve only seen 5 points from OS X. But as OS X becomes increasingly popular its numbers are going to spike radically.
Notice that OS X’s numbers can triple and even quadruple and still remain within its vulnerability potential. To the public this will seem to indicate it’s just as vulnerable as Windows, but in reality it will simply indicate how few OS X flaws have been previously discovered.
So, all the Mac zealots who think their platform is invulnerable are in for a violent awakening. But at the same time, the loyal Windows disciples are equally wrong if they think OS X is going to end up in as bad a shape as 2000, XP, or even Vista.











