I’m about to tread, yet again, on religious ground.

John Gruber, attacking an eWeek article, incited a response by Tom Ptacek over at Matasano. I suggest you read those articles, especially the Matasano response, because they highlight very clearly some of the technical differences between OS X and Windows Vista.

I’ve been spending a lot of time, we’re talking a year or two, trying to decide if OS X is inherently more secure. I’m not a vulnerability researcher or OS developer, so I can’t dig in like Ptacek, but as an analyst I’m pretty good at weeding through the BS and I’m geeky enough to know what I’m talking about.

OS X is more secure than my XP PC, but Vista changes everything. This is not your usual Windows.

Tom’s response to Gruber focuses on Windows Vista, but Tom could have explained that more clearly. Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS, so his arguments are tailored towards XP. I think all the pundits need to be clear about which OS versions they are talking about. To a very real degree they are debating around each other: Tom focusing on Vista, and John on XP. This was something I was planning to write about after I got my hands on a non-beta copy to play with, but Tom beat me to the punch.

OS X is more secure than XP for a variety of reasons, including the user account model, the lack of a SYSTEM-style omnipotent account, a quiet network profile, some core code signing, and so on. That said, OS X was not designed with a secure development lifecycle, and does not include the advanced security features shipping in Vista. Not that Vista is perfect, but there are clear indications that the game may have changed. (And yes, I’ve simplified a lot.)

  1. The Secure Development Lifecycle is far more than some marketing campaign. MS hammers their code harder than anyone… ANYONE else in development today: independent review, multiple security code scanning engines, mandatory training, and dropping beta versions to hackers like free candy. I talk with a lot of vendors; many have good processes, but I haven’t found any major vendor that makes such an effort. Ignore XP, which never went through this process, and look instead at SQL Server 2005, one of the first major applications to go through it. No vulnerabilities to date, just one shared-code flaw (XML Core Services). Vista is the first consumer OS to go through this process. Bugs will still be found, but I suspect far fewer than in XP.
  2. Memory randomization: key code hops around in memory. This makes it incredibly hard for an attacker to point to system code, since the code is never at the same address twice, so an exploit can’t hardcode addresses. This may be the most significant change in the OS security.
  3. C#, which will probably be the most common application language used on the Windows platform, runs as managed code with runtime-managed memory, just like Java. Again, nothing’s perfect, but this means C# apps are much less likely to suffer from the common families of memory-corruption flaws that have crippled Windows so far.
  4. The user privilege model is stronger, but not perfect. MS cut back a little here to keep some enterprise customers happy, but the improvements are still very real. Old code demanding admin access is redirected to a virtualized registry rather than corrupting the main system registry.
  5. Browser isolation: most major malware today on XP comes in by email or over the browser (and half the email stuff uses the browser). IE 7 itself is stronger, and the browser runs in a more isolated and less privileged mode.

I’m just running off others’ evaluations, so take it or leave it, but the hard-core researchers I know all tell me Vista is not the MS software we’re used to. Everything from the browser, to the kernel, to the programming languages used to build applications is significantly improved. And I haven’t even mentioned all the new security features, like a real two-way firewall, PatchGuard, and so on. Will it all work? I don’t know, but I do know those who have hacked away at Vista come away impressed.

So is Vista more secure than OS X? I think so, but we’ll still see more malware for Windows for a long time to come. And Apple has plenty of time to take some of the same security steps. Heck, with fewer ties to legacy applications Apple could probably jump ahead if they put their minds to it. Vista might see life on my Mac, but only as a replacement for my XP virtual machine.

But with Vista now released we all need to be clear about which operating systems we’re discussing. On paper Vista has more security built in at a more fundamental level than OS X. But Vista is brand new, and we’ll have to watch the world kick the tires for a while. Apple needs to respond with similar features, where needed, if they are to compete in the security game. If they want to.

The truth is, security is still not a major factor in most people’s OS choice. I’m sitting here saying I think Vista is more secure, but I don’t plan on switching off my Mac. Security is about being “good enough”. Because Windows is the major target for attacks, “good enough” for Windows is a significantly higher bar than “good enough” for Macs. Until Apple sees the same kinds of exploits on the same scale there will be little motivation for them to invest so deeply in security.

The game isn’t over, but it’s definitely a different game than just a few weeks ago.