Kaspersky Lab founder Eugene Kaspersky made headlines last week when he declared that Apple was "10 years behind Microsoft in terms of security."
Kaspersky was referring to the recent spread of the Flashback family of malware, which was greatly aided by Apple's long delay in patching a known software flaw.
But is Apple really 10 years behind the times?
"I'd say that Apple's got another 10 years to go before their security will become as much of a laughingstock as Microsoft's," said Jonathan Zdziarski, author of "Hacking and Securing iOS Applications" (O'Reilly, 2012) and a forensic scientist who hacks into iPhones for Chicago-based viaForensics.
"Comparing Apple and Microsoft is like comparing apples and oranges," said Mikko Hypponen, chief security officer of Finnish anti-virus firm F-Secure.
[ FAQ: The New Mac Virus and Apple Anti-Virus Options ]
Trustworthy computing
Kaspersky's choice of 10 years as the time frame was not random. In January 2002, then-Microsoft chairman Bill Gates issued his famous "Trustworthy Computing" memo to all company personnel. He wrote it shortly after the release of Windows XP, when the brand-new platform was under constant attack by virus writers and hackers.
"Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms," Gates wrote in the memo. "Our responsiveness has been unmatched — but as an industry leader we can and must do better. ... Eventually, our software should be so fundamentally secure that customers never even worry about it."
Gates' memo inaugurated a companywide focus on security, an aspect that had been neglected for the first two decades of Microsoft's existence.
Ten years later, Windows 7 users still need to worry about malware, but Microsoft's current platform is tremendously much stronger and more secure than Windows XP. (Even today, XP, not Windows 7, gets the most malware attacks.)
"Microsoft has improved their security massively since 2002," Hypponen said. "Today, they are [a] model for good security process in many ways."
Microsoft got to that point by essentially outsourcing Windows security. The entire anti-virus industry, with sales of several billion dollars per year, is built on defeating malware that targets Windows.
The existence of that industry frees up Microsoft to work on patching Windows, which it does extensively every month. Microsoft's open model lets major Windows software makers such as Adobe or Oracle do the same without Microsoft's approval.
Go your own way
Apple, on the other hand, disdains third-party anti-virus software for Macs — though it does exist — and insists on patching certain pieces of third-party software itself.
The Flashback software flaw, discovered in January, was patched for Windows in three weeks. It wasn't patched for Macs until after nearly three months — and after an estimated 600,000 Macs worldwide had been infected.
"Apple needs to learn the meaning of transparency," Zdziarski said. "They need to communicate with their user base and with the security community. They need to be quicker to respond to threats."
He pointed out that Apple's closed-lipped attitude also applies to iOS, the software that runs the iPhone, iPad and iPod Touch.
"Some iOS attacks from the past took months to fix," Zdziarski said. "The [iPhone] jailbreak community had fixes out for users before Apple did. That's shameful."
Qualified kudos
Despite the secrecy, and despite the lack of attacks on Mac OS X, Apple has for many years incorporated the latest security innovations into its operating systems.
"Apple might have some sort of an attitude problem, which shows in their slow patch cycles and so [on]," Hypponen said. "But otherwise, it's hard to critique them with all they've done with OS X: app sandboxing, memory randomization, NX [non-executable memory] support, [the] App Store model."
When the iPhone was introduced, Apple was starting from scratch on a brand-new operating system. It took the opportunity to bake advanced security features into iOS from the very beginning.
"[The] iPhone (or actually, iOS) is a massive security success," Hypponen said. "iOS is now 5 years old and we still haven't seen a single malware attack against it."
Zdziarski wasn't sure how long that blissful interlude would last.
"With Objective-C applications now on over 100 million-plus devices, the threat is very real," he said, referring to the programming language used to create Mac OS X and iOS software.
"It's only a matter of time before a serious worm hijacks tens of millions of devices and thousands of App Store apps at once, and similar on the desktop," Zdziarski said. "Flashback seemed small potatoes; more of a warning that Apple runs the risk of screwing up as big as Microsoft in letting poor design lead to widespread attacks."