Originally Posted by SolipsismX
I wasn't able to rattle off a dozen things instantly as to why UNIX is inherently more secure than Windows. Because knowing and proving are not the same thing, I will look for a more concrete answer other than "because."
I think the main reasons are the following:
- UNIX has always had the source code in the open so if people wanted to find vulnerabilities, they could be found more easily and fixed easily.
- UNIX systems have a better OS layout. One thing that Serlet always pointed to was the registry. The Windows registry is an easy place for malware to hide because it's a very complex database of keys that even if something was out of place, you couldn't really tell and just one or two keys can break the whole system.
- Windows systems have far wider hardware support and have such a huge number of drivers that, again, it's easier for malware to abuse. This is called "DLL hell". You could far more easily hide a keylogger in there than with OS X.
- The permissions structure of UNIX systems is more sensible. They keep the core system isolated with higher permissions and it mostly doesn't change. Windows is such a mish-mash of structures that they end up hiding things you do need access to and not properly protecting some things you shouldn't touch. They are in a bit of a rut because unlike Apple, they don't have the luxury of abandoning legacy when they feel like it.
- The Windows program structure is messy. You have hierarchies of app folders with dependent files scattered everywhere. OS X apps are bundles so an entire app can be self-contained and easy to find and the Activity Monitor has a simple view of running processes - it would be nice if Apple's ones were labelled but it's a lot easier to spot suspicious tasks.
There are basically fewer places for malware to hide in a UNIX system. Windows does benefit from security by obscurity in that it's closed source. UNIX systems benefit from the low market share.
If UNIX systems had an 80%+ market share, you can bet there would be more security vulnerabilities taken advantage of but the OS design is still safer and more than anything easier to repair. If something did screw up the core OS, you can restore it easily and be up and running. You can't reset the Windows registry that way because it screws up all your apps. You can't reset all your DLLs or you have to reinstall hardware again. The Mac system has a very clean separation here.
Adding more talented security staff like Kristin is icing on the cake (still essential though) because they can weed out the obscure vulnerabilities before anyone can take advantage of them - they actually issue updates for a lot of core software people won't even know exists so they sift through it all the time. I'd like to see them tie down some app functionality like externally linking dynamic libraries. One of the Java exploits does that with the browser. There are reasons to allow dynamic libraries to hook into apps at run-time but it's asking for trouble with Safari and it should be an explicit choice made by the user. Same goes for installing apps that just ask for an admin password - loads of legitimate apps ask for it and I want to know why it's asking so I can tell at a glance if it's doing something it shouldn't.