I'm not sure why people think that OS X has fewer security problems per line of code than Windows does.
First, let's be clear: OS X is likely to be more secure for the end-user than Windows XP. OS X does not typically run as a 'root' user so users are typically protected.
However, that merely makes the task more difficult for a hacker. There are a number of privilege escalation bugs that, once on a local machine, makes OS X as insecure as Windows.
OS X is less-exploited because it's not as profitable to exploit, nor as effective to write worms for. The low installed base of OS X machines means that hackers won't be able to make as much money off popup ads or spambots as they would if they hacked Windows. Furthermore, worms that spread themselves through randomly scanning IP addresses will not reach a critical mass because there aren't enough OS X machines to reach. Finally, many hackers work from Eastern European and East Asian countries where Macs are priced far more highly than PCs. Thus, they do not have access to those machines.
Finally, there certainly are fewer people looking for hacks in OS X than in Windows. 97% of computers do not use OS X. Thus, in order for there to be an equal number, the 3% of OS X users would have to have a 30 times greater percentage of hackers than those working on other operating systems.
All of these factors together are what protect Mac users from viruses. Aside from privilege separation, there's nothing inherently secure about OS X or Apple's development methods.
The security bugs in OS X are patched frequently. Us OS X users patch our systems as often as Windows users patch theirs. While Microsoft has 'patch Tuesday,' Apple has 'patch randomly' which seems to be as often as Microsoft. This security update was '2006-008,' meaning that it's the 8th security update of the year. Combined with 5 point releases of OS X this year (10.4.4 - 10.4.8), that's 13 updates--or, one more than the number of 'Patch Tuesdays' this year.
That's just OS X security updates, too. An
Apple list of security updates shows over 20 updates this year.
Yet despite the number of updates Apple does, they're still finding relatively disturbing bugs in OS X. Safari in particular is a scary program--it has several times contained bugs that are triggered by nothing more than visiting an image or disk image file that has been designed to crash and execute code. (Early versions of Safari had bugs that could run shell scripts right from specially-designed URLs, too). These bugs are ones that Microsoft and Mozilla fixed in their browsers years ago, yet Apple does not seem to have learned their lesson.
Compare Secunia's 2006 statistics for
Windows XP and
OS X. Apple has 38% unpatched advisories, and 13% of all bugs are extremely critical. On the other hand, Microsoft has 10% unpatched, and only 7% of all bugs are extremely critical.
We should not be defending Apple here. We should be pushing them to do better. I'm constantly amazed at how people defend Apple when they're making mistakes. If I wanted second-best, I'd be using Windows. Sadly, I think security is one area where Microsoft will ultimately put Apple to shame.
IE 7 in Vista is by far a more secure browser than any other. Its privilege separation should more-or-less eliminate serious spyware. OS X has nothing like this right now, and unless Apple steps up and adds it to Leopard (and thus far no one has seen evidence of this in the beta), Microsoft will be ahead in a critical area.
