In their words: Experts weigh in on Mac vs. PC security

ronjor, you knew when you posted this you would start a firestorm of debate, so I will be the first to fire the first shot.

It seems most of these guys quoted in the article still buy into the "market share" argument. They pretend as if correlation == causation (a logical fallacy). The truth is, windows was designed initially without one iota of concern for security (back in the 95-ME days). There was no separation of privileges or users. Heck, there wasn't even a concept of users or privileges! (The FAT filesystem does not allow for extended attributes, permissions, or ACL's; it was simply a case of one user has free reign to everything).

Granted things improved once the NT kernel and NTFS was introduced to the desktop with XP, and things have no doubt improved even more with Vista/7. However, M$'s error of not designing Windows in the early days to be secure is still haunting them. (Even today, Windows still is not a truly multi-user OS as Unix is). Most users still run as admin and turn UAC off, etc. -- a result of them being conditioned to doing things the old way. Similarly, developers still code with the mindset of single user systems. Not to mention, M$ is still afraid to cut out all the backward compatibility bloat from the kernel (as evidenced by the 17 year old Windows vulnerability that was discovered by a Google coder recently).

So, yes, while M$ does have a bigger market share, and while that certainly will influence cyber criminal's decision to spend more time on Windows malware, it does not mean it is just as easy to write such malware for Unix (this would be a non-sequitur, another logical fallacy). Actually, it *is* easy to write Unix malware, but it is infinitely hard to get it to spread on its own. If even one out of 1000 malware coders wrote for Unix/Linux, we should see some signs of it in the wild, yet we don't and never have. As many of us *nix users are quick to point out: most servers on the Internet run some form of *nix, yet we are to believe they are not "significant" enough to matter. (The market share people always ignore the prevalence of *nix on servers. Hell, the Internet runs on *nix).

I do agree, however, that phishing is platform agnostic. There is simply no way an OS can defend against a user giving up his credit card number voluntarily. But phishing is a diversion from the real issues. The MS defenders like to sway the conversation away from 0's and 1's and confuse non-experts with the social engineering business. Yes, phishing is a big business and yes it is a problem, but it should not even come up at all when comparing OS's for security.

A lot of researchers like to put the onus on the browsers now, as if all OS's are equal in security and browsers are the main concern. What they fail to mention (or understand) is that the security of the OS will make a huge difference in how much damage an exploited browser can do in the first place. Does the OS default deny execution of executables (Linux and Unix do)? Does the OS provide security protections like SSP, ASLR, etc? Does the OS automatically enable the NX bit on the processor? (Linux has done most of these things since 2000, Windows only copied it with XP SP2).

And then you have browsers like Chrome that run from their own sandbox by default. This means, as Charlie Miller of PWN2OWN fame pointed out, that Chrome is infinitely more difficult to crack (even with a known exploit) than the competition.

So, basically, there is a difference in OS security and there is more to security than worrying about a browser.

EDIT: After reading the rest of the responses, I would say this is the most accurate explanation: