übergeek said:
yo when i was talking about Mac OS X security as opposed to Windows et cetera, I wasn't just talking about Apache vs. IIS.
You're missing the point. The argument made was that MS's exploitability was simply a function of relative marketshare. I was showing this is demonstrably false by providing a contradictory parallel example.
And when you have a PC running Windows, with all the updates and patches installed, and you have common sense, plus your hardware is set up in an optimal way, you will never ever run into ANY problems with it. Maybe the occasional error, but that's common with Mac OS X as well.
There was not a patch available that would block DCOM when it hit. Even now, NT/2000/XP are exploitable out of the box - you have to configure network settings with the network unattached because otherwise your box will get owned in less than a minute. This is not true of other OSes.
SQL slammer had a patch... for SQL server. But MS, in its wisdom, also included bits of MS-SQL code in numerous DESKTOP software programs for no apparent good reason. There was no reason for the SQL port to be left open on desktop machines by default, but that's exactly what MS did. I could be wrong, but I believe the desktop-level patch wasn't available until after the fact.
The XP UPNP exploit also did not have a patch, and for months MS argued that it wasn't exploitable - even though a known exploit existed. It wasn't until a news reporter demonstrated the exploit by taking over a computer in California from a computer in New Jersey (or was it New York? I forget) that this got remedied.
For a very recent example, look at the IE "%" URL bug. How long has that been around?
You also have to realize that Microsoft is doing a decent job dealing with security holes. Most viruses take advantage of the fact that most people do not bother downloading the patches for holes that were announced by MS. That's not the fault of the company or the OS (operating systems are inherently buggy, you can't do anything about it), it's the fault of the admins and users.
I agree with this to a point. MS is doing a better job than they used to, in large part because they've seen that businesses are no longer ignoring the continual problems with Windows.
On your second point: Unfortunately, speaking as an admin, you don't always have control over your users. Just this week it came out that a particular Fortune 500 company's Windows network got owned and hosed due to the top execs insisting on having PCAnywhere running on their desktop computers with easy to remember passwords. The admins were against this, but had no power to enforce it on that tier of user. Also, depending on where you work (I work at a state university, for example) there are often political reasons you can't totally enforce good security policy across the board. Faculty and students want to be able to bring in their laptops and plug them into the network. The most we can do is try to educate users, but it only takes one to screw it up - even if all the other attached boxes are fully patched, network degradation due to the virus/worm's activities can bring all traffic down to a crawl.
While OSes all have bugs, you can't consider them equivalent. What's the worst OS X exploit you can think of? The DHCP poisoning attack? At worst that would let someone take over boxes on a subnet that he/she has the ability to insert a rogue server into. Compare that to the scope of the various MS Windows exploits I've mentioned above.