BrownDuck wrote:
Sweetums wrote:
Windows apparently has a decent security model (I really don't know much about security in general and I won't pretend to be any sort of expert) but it's been royally @#%^ed by developers expecting root access
...
OSX's default admin account seems to be an account with sudo privileges, since the root user is disabled by default. You have to dig around in the preferences for it.
This is the default security model in Windows 7. Windows 7 users may think of the "Run as Administrator" context menu option a form of sudo for windows. By default, even the local administrator user doesn't have certain OS rights. For example, to use certain command line utilities to update windows configuration settings, you need to find a shortcut to the command prompt (cmd.exe) and run it as administrator so the context of the programs run within it gain those necessary rights.
Windows still has some security problems though that are inherent to the very design of the OS. The start and end of it is the very concept of a system registry. They've made efforts to modularize it, but because they've had this mechanisms for managing application resources from day one they still have to support something that is similar in design (and thus similarly insecure).
As Sweetums correctly points out, software developers make this worse by writing their code such that it expects to be able to both read and write to various registry files not just on installation, but while running. It's scary the number of software applications out there for which the solution to various problems (automated patching and updating are the biggest culprits) is to run as administrator. Well, if I have to run half the software on the planet as administrator then even with a "run as" option, I'm likely to just log in as administrator in the first place and avoid all those hassles. Almost can't blame users for doing this.
And some (most?) software is written in such a way that you can't just run some components as administrator and the rest as a regular user anyway. Windows security, like all OS security, is predicated on levels of trust between various components of the system. The best way to prevent the part of the OS that's interacting with some outside programs from putting other parts at risk is to not give trust between those two parts. And there are ways of doing this *if* the OS was designed from day one to do it. Windows wasn't (and still isn't). That's why it becomes vulnerable.
Quote:
By and large, the biggest security holes in windows are still dependent on user stupidity. I can't tell you how many users I've seen tricked into actively executing a virus loader through some form of fake antivirus popup (yes, there are ones that manage to defeat modern browser popup blockers) or an email asking them to click a link to "claim a package" that "UPS" is holding for them. As Mac and OSX scoop up a larger portion of the user base, it's inevitable that the mac user space will be deluged with this same stupidity.
Yup. User space is always vulnerable. Doesn't matter which OS you're on. I can write a simple virus to infect a user's unix account in probably about 10 minutes. I could even write it in such a way that it can spread to other users over time and do various nasty stuff. However, the entirety of that nasty stuff is pretty much limited to what that user can do. Which in the unix world is limited to control of his account and files. So while the infected user may be inconvenienced, it's much harder to actually infect the systems themselves. In the Windows world, one user getting infected can result in the system getting infected. And heaven forbid if you've given trust within your domain in a stupid way, because now other systems can be infected.
And honestly don't get me started on (virus) Exchange servers. Whoever at MS thought that shared/compressed data space for all users on a server was a super idea should be strung up by the fingernails. I mean, I get this from a database perspective, but doing this with random stuff people receive in their inboxes? Disaster waiting to happen.
Quote:
I always used to laugh when Apple fanboys boasted about the low numbers of Mac viruses in the wild because all that really meant is that the product failed to grab a large enough portion of the market to be relevant.
I laugh at Apple fanboys in general. They're the epitome of people who buy stuff because they think it makes them look smarter or special. Yeah... No. It doesn't.