In late 2001, when Mac OS X 10.1 came out, I switched from a Dell/Win2K laptop to a 400Mhz Titanium Powerbook. Since then, I've remained a satisfied Mac OS X user and my experience with Microsoft Windows has been fairly limited to what I hear about it. Still, when looking at my broadband connection's firewall access logs over the past few years, I can most definitely affirm that Microsoft Windows has been directly affecting me through those silly worms, most of which could have been easily avoided. They're constantly probing internet addresses and polluting logs. Which is essentially the root of today's rant about various layers of end-user operating system security. While there is no magic bullet when it comes to securing a computer, it remains important to identify what can be done to improve security on a consumer operating system.
Disabling ALL Network Services on a Default Installation
Since 2001 and the rampant spread of CodeRed and Nimda, one would have hoped Microsoft would have had the forethought to learn from their past mistakes and establish the first very basic layer of security for an end-user, regular consumer's desktop operating system: ensure all listening network services are turned-off on a default installation of their operating system. The vast majority of computer users unwrap their computer, plug it into their broadband modem and turn it on. Back in 2001, the whole concept of "always-on, broadband connectivity" was not exactly new. It had been around for a couple of years. Jump forward to 2004, you can still buy a windows XP machine, plug it into an unprotected network and get infected by Sasser within seconds. I am having a hard time understanding why people are not infuriated by this. I can understand the challenges of establishing more complex layers of security surrounding user interaction, but for crying out loud, you wanna talk about an easy fix, a low-hanging fruit, the simplest, yet strongest first line of defense from worms? There is not a single consumer windows user out there who has had any need for services that were enabled by default on their operating system, WHY THE HECK were they ever enabled? How hard is it to just say "oops, we'd better turn that off by default".
Contrast that with Apple's Mac OS X. Through today, ever since its early beta releases in early 2000, no port has ever been turned-on on a default installation of Mac OS X. Flaws will continue to be found in various services, this holds true for all operating systems, but if those services are not running, you won't get infected through them. It's that simple.
Provided you've got this basic layer covered, infecting a networked end-user computer becomes a challenge greater by many orders of magnitude: It will require the help of the user of that computer.
Protecting the Computer from its User
To this day, a consumer is instructed to upgrade their Windows operating system by pointing their Internet Explorer web browser to http://windowsupdate.microsoft.com/. From this point, the web browser takes a life of its own, scours your hard drive for existing software and offers you a list of updates to install, at which point you are allowed to pick which packages you wish to install. The entire update process happens inside the web browser. No I didn't download a piece of software which I subsequently saved to my desktop, before making the conscious decision to "double-click" an installer. I just a hit a website with the web browser, and it started instantly "doing things to my computer", and somehow, I am taught "to be okay with that".
Through the implementation of their "ActiveX" technology, Microsoft has blurred the line between "web browsing" and "running applications". They've implemented a "certificate system", whereby no website could arbitrarily do things to your computer without your prior, conscious consent. Here's the big problem though: While conscious, this consent remains uneducated. The vast majority of internet consumers are grossly uneducated about the possibly dire consequences of clicking "Yes" to an ActiveX dialog prompt. After all, they remember doing something very similar when updating their operating system, why should they not allow this "very cool screen saver" to install itself?
This results in consumers clobbering-up their systems with spyware, adware and various forms of "malware", calling their Internet Service Provider's technical support complaining about what they perceive as a lousy service, when in fact, they are victims of their own uneducated greed and lust for "free stuff".
Microsoft Windows does not exactly help protect a computer from its user.
On the other hand, Mac OS X's web browser, Safari, does not enable websites to attempt to modify the operating system, or install components or applications. System updates are performed via an automated, enabled-by-default, separate, Software Update Application, which warns the user about available updates, and offers to trigger the installation. This mechanism is part of its own user-interface: While updates are downloaded, it is very clear to the user that what they are doing is not in any way related to web browsing.
The line between this layer and the previous one can be fuzzy, while still real: the former is affected by broader overall architectural and design decisions. Application-Level Security, on the other hand, is more closely affected by more specific "software bugs" and granular "design" decisions, and I can't really see a magic bullet for this one. Applications need to be tested, used and abused, hopefully security holes are found early and patched before they can do too much harm.
We've recently seen such issues in Mac OS X regarding various services used by a small percentage of users that were patched quickly (apple file sharing, quicktime code injection), and issues regarding protocol handling and application launching which I find very troubling and very dangerous should a user stumble upon a malicious web site.[update: this issue was fixed shortly after this post]. Apple has been lagging on addressing these issues while not communicating a roadmap to the public. Probabilities of exploiting those recent vulnerabilities are however fairly low because they require a static malicious web site to infect a user. Once found, that site could easily be terminated. Apple should still address those issues: I'm really not comfortable browsing the web knowing some web site could mount a remote disk onto my computer and launch an arbitrary application.
Microsoft has also been plagued for years with such security issues, most notably within their flagship e-mail application, Outlook, which has greatly facilitated the spread of e-mail bound viruses. Similar security issues have also been found in their web browser, Internet Explorer. A lot of Microsoft Application-Level security flaws have stemmed from the tight integration of e-mail and web-browsing with core operating system components, allowing malicious applications to bypass the most basic levels of application and user permissions.
Defining very precise rules under which a given application may be executed and creating a protected environment for this application's execution have been at the core architecture of Unix-based operating systems, which were designed, from the ground-up, as multi-user environments. Those systems have had decades to mature, and Mac OS X inherits its core architecture from them.
No computer system is secure in absolute terms. Simple and complex decisions will promote better security at various layers. As of this writing, I believe that, in relative terms, Mac OS X is a more secure average consumer operating system than Microsoft Windows. In follow-up blog entries, I'm hoping to cover consequences of the devastating effects that infected networked consumer computers have had on various Internet infrastructures and services. Another entry will offer steps to further secure a Mac OS X computer, encouraging contributions from Windows 2000 and XP experts to achieve similar goals.