Pwn2Own 2010: The Mac isn't more secure
Remember the "Get a Mac" (video) television advertising campaign started in 2006 to advertise the advantage of the Mac platform over Microsoft Windows? I distinctly remember the one in which PC aka Windows "fell sick" as a result of a virus (video) and where Mac helpfully highlighted how the Mac platform wasn't susceptible to them.
Well, try telling that to the participants at the Pwn2Own 2010 hacking contest this week. On day one, challengers were presented with the latest patched versions of IE8, Firefox and Chrome running on a Windows PC, an iPhone, and Safari on a MacBook Pro running Snow Leopard. The task involved hacking into them without making modifications or exploiting weaknesses in any third-party applications or plug-ins.
And you guessed it: with the exception of Google's Chrome browser, every target (Firefox, IE8, Safari and the iPhone) was overcome on day one of Pwn2Own 2010. Or pwn'ed, to use the hacker slang for being hacked. Even the iPhone, which runs only signed software (unless you jailbreak it, of course), sent forth its text messages when directed to by a specially crafted website.
So there you go: The Mac is not more secure, a fact that Tony Bradley at PC World concurs with. In fact, Bradley summed up my sentiments exactly when he wrote:
"Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren't attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share."
So is this the current state of security in the software that we use at work and at home, software that many of us cannot do without? Is the situation really so dismal?
Charlie Miller, the security researcher who successfully exploited Safari on the MacBook Pro laptop, voiced his disdain at the state of security of current software in general. So much so that he says he will not hand over his knowledge of more than 20 vulnerabilities that he has uncovered in software from Adobe, Microsoft, and yes, Apple too.
Miller, who will be taking the floor at the CanSecWest security conference at which the Pwn2Own contest was held, did however say that he will demonstrate how he found the vulnerabilities, and that he hopes software makers will pay attention.
Now, there is no doubt at all in my mind that security has improved dramatically in the last few years, buoyed by a seemingly unending stream of well-publicized exploits and security breaches. However, it is equally clear that a lot remains to be done, and it would be a fallacy to assume that using a less popular platform will offer any kind of protection against a determined hacker.
If the contest is any indication, it is really not a question of which platform is more secure, but an acknowledgment that all operating systems and software can be vulnerable. While there is not much consumers can do about poorly coded software until vendors get their act together, it makes sense to adhere to time-honored security best practices in the meantime.