Windows is IE, OS X is Firefox
By Daniel Miessler on January 24th, 2008: Tagged as Information Security | OS X | Security

Many are wondering how OS X will fare against malware once it becomes a serious target. We won’t have to wait long; OS X is taking off and we’re going to see major efforts focused on it starting this year.
Some say it’ll be shown to be an open wound as soon as it’s given attention, while others think it’s inherently more secure than Windows and will handle the pressure fine.
I think we have a decent model to evaluate — Firefox.
A very similar debate existed prior to Firefox making it big, and what was the outcome? The answer is rather complex, but I think most will agree it reduces to something like this.
Firefox ended up having a significant number of vulnerabilities — far more than its fanboys ever imagined. But even after having its aura of invulnerability stripped away it still comes out far better than Internet Explorer in terms of relative risk to a user.
That’s my opinion, of course, but I think it’s an impartial and informed one. I’ve triaged umpteen kagillion Windows systems that have been owned by malware, but I can’t recall a single one where the only browser used was Firefox. True, we need to take into account the kind of user that employs Firefox exclusively, i.e. an advanced one, but still.
My point is very simply that I expect the same kind of result from OS X.
It will take a massive thrashing starting in 2008 as its market share grows, and there will be an eruption of articles and blog posts exclaiming, “OS X just as vulnerable as Windows after all!”.
But in the end, once things have stabilized and we have time to look back, the vulnerability numbers (and more importantly the relative impact) will show that OS X is far more secure than Windows. Not secure, not even almost secure, but much better than Windows.

6 Comments »
Very true.
Comment by Ken — 1/26/2008 @ 9:34 am
There isn’t anywhere near the numbers on Firefox and/or OS X to come to these conclusions.
In regards to Firefox, the users who would be most vulnerable use whatever comes with the PC. Until that is Firefox we won’t be able to make solid comparison.
I personally would be interested in seeing how the masses would react to websites asking them to install FF extensions.
Comment by matthew — 1/26/2008 @ 2:37 pm
I think you’ve come to a decent conclusion but the 2 OS’s are closer than you think. Apple has already been rolling out tons of security fixes in their updates but they don’t get nearly the amount of press as Microsoft does. All that needs to be done is get code on the box - at that point you’re pwned for all intents and purposes.
One comment on IE though - I believe ActiveX is the real security problem if you were to try and find one thing. I actually do all my “secure” work with IE and have all the confidence in it (and yes, I know what I’m doing and make quite a nice living in the network security field as well as tons of experience in the systems world).
Comment by dale — 1/28/2008 @ 2:05 am
Yes, but for every software assurance program also came a true-and-tried leader / evangelist for security -
Microsoft Windows :: Michael Howard
Microsoft code :: David LeBlanc
Microsoft Internet Explorer :: Window Snyder
I can give many examples for the Mozilla Project, but check this out:
Mozilla Firefox :: also Window Snyder
Apple Mac OS X :: whoever last worked on FreeBSD before version 4 or maybe the person responsible for Leopard’s correct use of ProPolice/SSP
Apple code :: nobody?
Apple Safari :: certainly nobody if ISE found a vulnerability in a TIFF library within a few hours of owning an iPhone and downloading WebKit
Comment by dre — 1/28/2008 @ 4:27 pm
[...] kind words recently came my way from Mike Rothman, of Security Incite. Speaking about my recent post on OS X and Firefox security, he says, This post is actually a great piece of analysis from Daniel Miessler. It’s so [...]
Pingback by Internet Security Love — 2/1/2008 @ 3:37 am
I’ve already given up on Firefox security; they’re both equally bad these days (both in terms of actual PR and security bullshit), and the only thing keeping Firefox users safer is the same thing keeping Mac users safer than Windows users; obscurity.
So while I’ll continue to use Firefox, I’m not using it for the core browser itself, but rather the useful extensions which exist for it that I utilise.
Comment by kuza55 — 2/3/2008 @ 8:37 am