Windows is IE, OS X is Firefox

By Daniel Miessler on January 24th, 2008: Tagged as Information Security | OS X | Security

osx_security

Many are wondering how OS X will fare against malware once it becomes a serious target. We won’t have to wait long; OS X is taking off and we’re going to see major efforts focused on it starting this year.

Some say it’ll be shown to be an open wound as soon as it’s given attention, while others think it’s inherently more secure than Windows and will handle the pressure fine.

I think we have a decent model to evaluate — Firefox.

A very similar debate existed prior to Firefox making it big, and what was the outcome? The answer is rather complex, but I think most will agree it reduces to something like this.

Firefox ended up having a significant number of vulnerabilities — far more than its fanboys ever imagined. But even after having its aura of invulnerability stripped away it still comes out far better than Internet Explorer in terms of relative risk to a user.

That’s my opinion, of course, but I think it’s an impartial and informed one. I’ve triaged upteen kagillion Windows systems that have been owned by malware, but I can’t recall a single one where the only browser used was Firefox. True, we need to take into account the kind of user that employs Firefox exclusively, i.e. an advanced one, but still.

My point is very simply that I expect the same kind of result from OS X.

It will take a massive thrashing starting in 2008 as its marketshare grows, and there will be an eruption of articles and blog posts exclaiming, “OS X just as vulnerable as Windows afterall!”.

But in the end, once things have stabilized and we have time to look back, the vulnerability numbers (and more importantly the relative impact) will show that OS X is far more secure than Windows. Not secure, not even almost secure, but much better than Windows.:

  • Digg
  • Reddit
  • StumbleUpon
  • description
  • Google
  • del.icio.us
  • TwitThis
  • Facebook
  • MySpace
  • E-mail this story to a friend!
  • Print this article!

Viewing 5 Comments

    • ^
    • v

    Very true.

    • ^
    • v

    There isn't anywhere near the numbers on Firefox and/or OS X to come to these conclusions.


    In regards to Firefox, the users who would be most vulnerable use whatever comes with the PC. Until that is Firefox we won't be able to make solid comparison.


    I personally would be interested in seeing how the masses would react to websites asking them to install FF extensions.

    • ^
    • v

    I think you've come to a decent conclusion but the 2 OS's are closer than you think. Apple has already been rolling out tons of security fixes in their updates but they don't get nearly the amount of press as Microsoft does. All that needs to be done is get code on the box - at that point you're pwned for all intents and purposes.


    One comment on IE though - I believe ActiveX is the real security problem if you were to try and find one thing. I actually do all my "secure" work with IE and have all the confidence in it (and yes, I know what I'm doing and make quite a nice living in the network security field as well as tons of experience in the systems world).

    • ^
    • v

    Yes, but for every software assurance program also came a true-and-tried leader / evangelist for security -


    Microsoft Windows :: Michael Howard
    Microsoft code :: David LeBlanc
    Microsoft Internet Explorer :: Window Snyder
    I can give many examples for the Mozilla Project, but check this out:
    Mozilla Firefox :: also Window Snyder


    Apple Mac OS X :: whoever last worked on FreeBSD before version 4 or maybe the person responsible for Leopard's correct use of ProPolice/SSP
    Apple code :: nobody?
    Apple Safari :: certainly nobody if ISE found a vulnerability in a TIFF library within a few hours of owning an iPhone and downloading WebKit

    • ^
    • v

    I've already given up on Firefox security; they're both equally bad these days (both in terms of actual PR and security bullshit), and the only thing keeping Firefox users safer is the same thing keeping Mac users safer than Windows users; obscurity.


    So while I'll continue to use Firefox, I'm not using it for the core browser itself, but rather the useful extensions which exist for it that I utilise.

 

Trackbacks

(Trackback URL)

  • Internet Security Love

    01/02/08 at 3:37 AM

    [...] kind words recently came my way from Mike Rothman, of Security Incite. Speaking about my recent post on OS ...

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus

My Twitter Microblog

    Discovered Content


    About dmiessler.com

    This site is an avatar for my own self-assigned life purpose--an attempt to model the world in the most accurate way possible, and to do so without bias or fear of unpleasant truth. I desire to develop, articulate, and perpetually improve models of how things work, and then to use that understanding to increase happiness and reduce suffering. I seek those on similar paths and thrive on sharing an appreciation of the interesting and beautiful with others.



    Blog
    Study
    Writing
    Infosec
    Technology
    Politics

            

    Top Original Content


    Security & Technology

    Philosophy & Science

    Culture & Society

    Blog Archives