You Can’t Have Your Cake and Eat it Too
You’ve probably heard Apple rag on how insecure Windows is, but then you may have also heard how awesome it is that you can run Windows apps on a Mac.
Guess what? To run Windows apps on a Mac, you have to run Windows in a virtual machine. Here’s a news flash for you: your computer isn't so secure anymore. Watch out for those 114,000 viruses infecting your computer.
All sarcasm aside, you shouldn’t have any problems with your Windows installation on a Mac if you take steps such as keeping Windows up-to-date and running a virus scanner. However, it is much easier to become vulnerable running Windows in a virtual machine. It’s also a good possibility that if you run a Mac, you may not know the steps needed to secure Windows.
When using Windows as your main OS, you probably run it almost every day. This allows Windows to fetch its updates, and for your virus scanner to do its thing. When your run an OS as a virtual machine, you may or may not boot it on a regular basis. I know this happens on one of my computers at home — I run Linux as the main OS, and run Windows via VMWare every few weeks.
Since you may not boot your Windows install on a regular basis, you might not get those updates in time. You might be more vulnerable than if you ran Windows only.
Moral of the story: You need to be even more concerned about Windows security if you run it on top of OSX. Perhaps someday you won’t need to run Windows to use Windows apps, but from what I have heard, darwine still has a way to go.
In case your were wondering, I currently don’t own a Mac (just two linux boxes and a Windows XP laptop). However, I must say that a Mac mini running Leopard and the new iMovie does look very tempting for editing and cataloging my home movies.
Comments
You heard this cryptic and bittersweet admission here first, folks:
One day, Will Bond will be in line for an iProduct.
Will, the great joy of running Windows in a VM is the option to restore from a previous snapshot. Granted as a Web UI developer I don't actually _use_ Windows for anything other than testing, but when it invariably gets corrupted (about once a quarter), I simply choose Revert To Snapshot from the Parallels Actions menu. Bingo! All the viruses are gone and I'm testing again in no time.
Furthermore, because I don't use Outlook, the impact of viruses are limited to my own virtual machine -- no one else really ever feels my pain in the form of unlimited spam.
Provided you have automatic update download turned on (I _never_ turn on automatic installation), you're reasonable assured of having the latest updates. However, you _do_ have to actually install them. But then, if you're not installing them, it doesn't matter how often you run Windows: you're still insecure.
So yes, running Windows on a Mac is a great (and arguably better) way to run Windows. But it still means you're running Windows, and just like running with scissors, you need to be _very_ careful.
(Of course, I should admit that as an Apple employee and long-time Mac owner, I might be a bit biased.)
Rob has a great point. While it's convenient to automatically mount drives within Windows, I _always_ do it the other way around: mount the Windows drive in OS X, because then Windows can't infect my Mac. But then, I don't need access to much in the way of local files (provided I can hit the Apache server on my laptop).
As a Mac user who runs a suite of Windows VMs for "web testings" I feel it is my duty to chime in.
First, if the windows VM has no direct access to your Mac OS X file system, your potential for disaster is NOWHERE near as bad as a fullblown windows machine. However, if you use the VM for more than what I do, you probably have set up shared folders and nullified this separation. For this reason, I recommend sharing something other than your Mac OS X home folder (a special "windows files" folder perhaps).
Second, if you use either of the two major VM products for OS X you have a VERY handy built-in rollback feature (much more useful and efficient than the windows system restore) that makes rolling back an infected system very easy. Again, this assumes you take the time to get your VM set up in pristine condition, take a snapshot, and keep it clean.
Third, if you are using windows VMs as I do, you're browsing a handful of sites that you control and are not using email or windows file sharing with the VM. Websites, email, and SMB shares being the triumverate of windows virus propagation, you are therefore avoiding the majority of infection points...
This is just my mileage, but for what I use my VMs for I think I've pretty much negated the need for windows security software. However, at the same time, I have to admit that knowing what to look for in an infected system and being perfectly willing to through away a VM if necessary, I'm a bit cavalier about my VMs and probably more reckless than the typical user should be.
Also, I think Apple gets a bad rap about "hyping their products".
I think most of their hype comes from the buzz of rumor sites and fanboy blogs. I'm not saying Apple isn't intentionally basking in the glow of their external hype, but I don't think they are directly responsible for it either.
Having said that, I do think they intentionally leaked the early photos of the new Apple Keyboard that accompanies the new iMac. It remains to be seen as to wether this was intended to take advantage of the rumor mill hype machine or wether it was to expose leaks... but either way, the fact that ole Stevie J mentioned the leak in his presentation makes me think he ordered/permitted the leak...
@Jeff, Errol
I understand that the two of you may have a handle on keeping your own Windows VMs in check, however it is something to think about that your Windows installations could easily be used as a vector to attack other computers. The Blaster worm comes to mind.
Being the computer savvy users that you are, it is almost a duty of yours to use your systems in a manner that is not going to infect others. Because of this, I highly recommend being more proactive about not getting infected in the first place.
@Will
Frankly, Windows systems aren't that dangerous when properly kept up and run by an attentive person. I admit, as stated, I'm not the typical user and do not recommend my practices for typical users.
Having said that, I think the safeguards I practice are more than adequate. As probably all who read Communiqué understand, "security" isn't a finite answer, it's always additive. We put various levels of security on our web apps knowing that they are not ultimately secure but rather "more secure" than without those layers.
A windows machine is no different.
I simply feel that I reach a level of security “more adequate” than any of those system protector products could achieve and without the bloat and slowdowns associated with them.
This is accomplished by a combination of things. I won’t repeat my earlier comments but I’ll clarify the use of my virtual machines.
As VMs typically hog resources, I naturally only run them during the limited times I need them (usually less than an hour per week for me). I understand that the nonsavy user may leave his running all the time, but we’re not talking about them right now...
I also only use this machine to test websites I'm building myself, or occasionally a site a friend is or one that only works with IE.
Thirdly, I keep a regular watch on what processes are running on my system, etc. and pretty much try to always rollback to a known good snapshot before installing system updates.
Now, it is true that this system could become infected in some way that is totally unnoticeable by me, is able to accomplish its evil in less than 1 hour per week, and survive to make it into my snapshot. This risk is considerably small and, I think, no less than the risk of this very same thing happening under the nose of Symantec, OneCare, McAfee, or even AVG (my personal favorite).
As it stands, I seriously don't think that I'm putting any of the majority of windows users in danger nor am I recklessly abandoning my "duties" as a savvy user to help keep the community clean.
I also do occasionally use sites like OneCall and Trend Micro's Housecall just to make sure...
But this is quite rare, again, owing mostly to the fact that I run my VMs so infrequently. I have a separate VM for IE6 and IE7 on XP and a third for Vista... Since most of what I have to do is simple IE specific debugging each of these VMs only sits open for about 10 minutes.
Most of my development takes place in Safari and Firefox on the Mac... that's where I spend my days and weeks. My VMs get about 5 hours per month each, so that's about 60 hours per year... not a typical Windows user :-)
@Errol
Great comments! I think it is important (as you did) to stress how you use your system and to encourage others who use Windows on top of OSX to be mindful of the different steps that should be taken when using Windows in a VM.
For what it's worth, I have a PC desktop at home running Windows XP. I keep automatic updates on and don't have any anti-virus software. The machine has been virus free since I got it back in 2003.
While not keeping up with Windows updates *WILL* cause you to get viruses (as we've seen here), I've never found it overly difficult to avoid viruses on Windows.
(I've also recently switched to a Mac at work, and I have Windows running on top of it for testing and what not as well. It runs very impressively once you have enough RAM.)
Read something more recent.
Statements and opinions expressed in this blog and any comments made are the private opinions of the respective poster, and, as such, iMarc LLC is neither responsible nor liable for such content.
Visitors
Also, Mac users running virtualization software may assume that if their Windows system is infected, the damage will be limited to the virtual environment. But if you have enabled file sharing between the virtual Windows machine and your Mac, you've created a vector for all sorts of havoc emanating from that virtual machine. All the more reason to keep up to date on Windows and virus updates.
(Side note: imho, the Mini is crippled by a 2.5" laptop hard drive. You can replace it with a faster one, but it's still going to perform like a laptop drive. If you're feeling adventurous, convert the Mini to using an external SATA drive. The drive is the main reason I've never seriously considered a Mini for my own use.)