Please don't respond with "a lot less malware/viruses for OS X". And please no hype and no fan-boy answers. The reason why I am asking this here is because I want feedback from developers who write software for both systems and have intimate knowledge of the security restrictions in which to operate.
Using both Windows and OS X concurrently and writing all kinds of different software on both, I recently asked myself this question and could not come up with a single, solid answer. Default responses like "OS X is UNIX underneath" don't really cut it for me.
Is it really just that Windows' default security settings are too permissive; that on Windows XP, normal users are Administrators by default? Are Windows Vista and 7 as secure as OS X? In my day job as a software developer I have been forced to secure publicly accessible Windows machines and I used to do admin for my own set of Windows servers. In both cases, I believe that the machines ended up no less secure than a Linux or OS X counterpart.
Examples for where I don't really see a difference in security, but maybe I am ignorant:
I am not aware of anything on the Mac that prevents software from wreaking havoc as soon as I convinced the user to let me elevate privileges for my process. From observing other Mac users, who also frequently enter their password to do software updates and when installing new things on their machines, I do not believe that OS X provides better interactive security protection than UAC (unless you count the inconvenience of having to enter your password instead of just clicking a button).
UAC in Windows 7 or even Vista SP1/SP2 does not seem to bother people more than the root access password popup on the Mac whenever I have to install a software update (which is frequent), want to install some new piece of software or run one that needs elevated privileges (for whatever reason). So I don't see a difference there.
Default firewall settings seem to be as permissive on the Mac as on Windows. In order to participate in Samba file sharing (even if the Mac is not sharing any files), it appears I need to set the firewall on the Mac to allow all incoming connections. iChat and Skype also seem to not function correctly with the firewall locked down. I used to do regular port scanning on my own networks and test servers I administered, but I haven't tested the Mac's firewall "from the outside," so I can't make a statement.
According to these (all time) statistics:
- Windows XP: http://secunia.com/advisories/product/22/?task=statistics
- Windows Vista: http://secunia.com/advisories/product/13223/?task=statistics
- Mac OS X: http://secunia.com/advisories/product/96/?task=statistics
Mac OS X has had a higher percentage of vulnerabilities with Criticality of Extremely or Highly (43%) than Windows XP (38%) or Vista (35%). Also, a lot more vulnerabilities seem to be remotely exploitable on the Mac (70%) compared to XP (59%) or Vista (55%).
In OS X's favor, however, is that total system access seems to be a lot less likely (19%) than on XP (51%) or Vista (42%).
Even though the total number of vulnerabilities seems to be somewhat decreasing for all systems over time, I'd say it's a wash between the two from a security perspective. Keep in mind that it is not clear (at least to me) if these statistics are just for the OS or whether they include ALL software that ships with the OS default installation, e.g. iLife. According to research, 67.87% of all statistics are incorrect or even made up on the spot ;-).
So, where does the claim to a more secure system come from for the Mac? Is it really just marketing hype or am I missing something important?
Notes: I bought a MacBook 9 months ago and am very happy with it ... actually, I really enjoy this aluminum MacBook with back-lit keyboard. But, VMware Fusion is running all the time because I am writing software targeting both operating systems. And my next desktop system is going to be Vista 64 Ultimate, because I need more RAM for all the VMs, am tired of waiting for Visual Studio to compile things in a VM on a laptop, and I can get a complete new PC workstation with 1.2 TB of real RAID 10 (2.4 TB disk space, dedicated, caching controller with battery backup, not the on-board controller) and 16 GB of memory including dual monitors for less than what a new MacBook Pro would cost with AppleCare. This question is not about price, though. I don't run any anti-virus software on either OS ...