Windows is IE, OS X is Firefox

By Daniel Miessler on January 24th, 2008: Tagged as Information Security | OS X | Security

osx_security

Many are wondering how OS X will fare against malware once it becomes a serious target. We won’t have to wait long; OS X is taking off and we’re going to see major efforts focused on it starting this year.

Some say it’ll be shown to be an open wound as soon as it’s given attention, while others think it’s inherently more secure than Windows and will handle the pressure fine.

I think we have a decent model to evaluate — Firefox.

A very similar debate existed prior to Firefox making it big, and what was the outcome? The answer is rather complex, but I think most will agree it reduces to something like this.

Firefox ended up having a significant number of vulnerabilities — far more than its fanboys ever imagined. But even after having its aura of invulnerability stripped away it still comes out far better than Internet Explorer in terms of relative risk to a user.

That’s my opinion, of course, but I think it’s an impartial and informed one. I’ve triaged upteen kagillion Windows systems that have been owned by malware, but I can’t recall a single one where the only browser used was Firefox. True, we need to take into account the kind of user that employs Firefox exclusively, i.e. an advanced one, but still.

My point is very simply that I expect the same kind of result from OS X.

It will take a massive thrashing starting in 2008 as its marketshare grows, and there will be an eruption of articles and blog posts exclaiming, “OS X just as vulnerable as Windows afterall!”.

But in the end, once things have stabilized and we have time to look back, the vulnerability numbers (and more importantly the relative impact) will show that OS X is far more secure than Windows. Not secure, not even almost secure, but much better than Windows.:

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Ken

    Very true.

  • matthew

    There isn't anywhere near the numbers on Firefox and/or OS X to come to these conclusions.


    In regards to Firefox, the users who would be most vulnerable use whatever comes with the PC. Until that is Firefox we won't be able to make solid comparison.


    I personally would be interested in seeing how the masses would react to websites asking them to install FF extensions.

  • dale

    I think you've come to a decent conclusion but the 2 OS's are closer than you think. Apple has already been rolling out tons of security fixes in their updates but they don't get nearly the amount of press as Microsoft does. All that needs to be done is get code on the box - at that point you're pwned for all intents and purposes.


    One comment on IE though - I believe ActiveX is the real security problem if you were to try and find one thing. I actually do all my "secure" work with IE and have all the confidence in it (and yes, I know what I'm doing and make quite a nice living in the network security field as well as tons of experience in the systems world).

  • dre

    Yes, but for every software assurance program also came a true-and-tried leader / evangelist for security -


    Microsoft Windows :: Michael Howard
    Microsoft code :: David LeBlanc
    Microsoft Internet Explorer :: Window Snyder
    I can give many examples for the Mozilla Project, but check this out:
    Mozilla Firefox :: also Window Snyder


    Apple Mac OS X :: whoever last worked on FreeBSD before version 4 or maybe the person responsible for Leopard's correct use of ProPolice/SSP
    Apple code :: nobody?
    Apple Safari :: certainly nobody if ISE found a vulnerability in a TIFF library within a few hours of owning an iPhone and downloading WebKit

  • I've already given up on Firefox security; they're both equally bad these days (both in terms of actual PR and security bullshit), and the only thing keeping Firefox users safer is the same thing keeping Mac users safer than Windows users; obscurity.


    So while I'll continue to use Firefox, I'm not using it for the core browser itself, but rather the useful extensions which exist for it that I utilise.

blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives