Wednesday, August 23, 2006

Is Windows inherently more vulnerable to malware attacks than OS X?

Tom Yager at InfoWorld must have his flame-retardant suit on today because he asks whether Windows is inherently more vulnerable to malware attacks than OS X. The first question for Mr. Yager is why he was swapping out an Xserve G5 for a Windows server anyway. The next is why the Windows Server service was Internet accessible in the first place. It has been a recommended best practice since worms started targeting this service in Windows 2000 to make sure that it is firewalled off from the Internet, and with Windows Firewall you can configure it to only respond to requests from internal IPs. However, his billion (a million just not being what it used to be) dollar question still stands. I don't remember anyone of any serious technical depth truly going on record, declaring OS X superior against malware by design, and enumerating a number of reasons why they believe that to be the case. I don't think it's very controversial to say that Windows has some serious design flaws that cause a number of problems, and those design flaws make eliminating or preventing malware much harder than it should be. I think Mr. Yager lists a good number of them, but he does make a few mistakes. In Windows XP and 2003, not all services (daemons in UNIX verbiage) launch as SYSTEM (LocalSystem in the Services MMC); there are two lower-privileged accounts that are also used, Local Service and Network Service. A TechNet article has the details, but the summary is:
  • Local System - Exactly as Yager describes, it is the SYSTEM
  • Local Service - Equivalent to an account in the Users group; it accesses network resources as a "null session with no credentials"
  • Network Service - Equivalent to an account in the Users group, but it accesses network resources as the computer account.
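The firewall recommendation above (let the Server service answer only internal hosts) translates into a few Windows Firewall settings on a current Windows version. The following PowerShell is an added example, not from the original post or from Microsoft's article; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated prompt, and that the `$internal` address ranges and the custom rule name are placeholders you replace with your own.

```powershell
# Added example (not part of the original post): confine SMB (the Server service,
# TCP 445) to internal address ranges using the built-in Windows Firewall.
# Assumes the NetSecurity cmdlets (Windows 8 / Server 2012+) and an elevated shell.

# Placeholder ranges: 'LocalSubnet' is a firewall keyword; replace 10.0.0.0/8 with
# the internal ranges that actually need file-sharing access to this host.
$internal = @('LocalSubnet', '10.0.0.0/8')

# 1. Unsolicited inbound traffic that matches no allow rule must be dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. The stock "File and Printer Sharing (SMB-In)" rules allow TCP 445 from any
#    remote address on the Domain/Private profiles. Disable them rather than adding a
#    block rule: in Windows Firewall, block rules win over allow rules, so a blanket
#    block on 445 would also defeat the narrower allow rule created in step 3.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# 3. Re-allow SMB only from the internal ranges, and never on the Public profile.
New-NetFirewallRule -DisplayName 'SMB-In (internal only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $internal -Action Allow -Profile Domain, Private

# 4. Verify: list every enabled inbound rule that touches TCP 445 together with the
#    remote addresses it accepts, so a forgotten third-party rule shows up here.
function Get-Smb445InboundRules {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Action  = $_.Action
                Profile = $_.Profile
                Remote  = $remote
            }
        }
}

Get-Smb445InboundRules | Format-Table -AutoSize
```

The verification step is the part worth keeping around: any rule it prints with `Remote = Any` and `Action = Allow` is exactly the exposure the post complains about, whoever created the rule.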
On my Windows XP SP2 system right now, I have A LOT of services running, 48 of them. It is a constant source of worry (do I absolutely need all this stuff running?). Here is the breakdown by service account:
  • Local Service: 4 services
  • Network Service: 2 services
  • Local System (i.e. SYSTEM): 42 services
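To produce the same breakdown on your own machine, and to see which of the LocalSystem services are not Microsoft's, here is an added PowerShell example (not from the original post). It assumes PowerShell 3.0 or later for `Get-CimInstance`; the function names are my own. It reads the `StartName` of each running service from the `Win32_Service` WMI class, which reports the three built-in accounts as `LocalSystem`, `NT AUTHORITY\LocalService` and `NT AUTHORITY\NetworkService`.

```powershell
# Added example (not part of the original post): count running services per logon
# account, then list the LocalSystem services whose binary is not Microsoft-signed.
# Assumes PowerShell 3.0+ (Get-CimInstance). Function names are this example's own.

# Map the raw Win32_Service.StartName values onto the three account names used above.
function Get-ServiceAccountLabel {
    param([string]$StartName)   # [string] so a null StartName becomes '' and hits 'default'
    switch -Regex ($StartName) {
        '^LocalSystem$'                  { 'Local System (SYSTEM)'; break }
        '^NT AUTHORITY\\LocalService$'   { 'Local Service'; break }
        '^NT AUTHORITY\\NetworkService$' { 'Network Service'; break }
        default                          { "Other: $StartName" }   # named user/domain accounts
    }
}

# Breakdown of *running* services by account, most-populated account first.
function Get-RunningServicesByAccount {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, PathName,
            @{ Name = 'Account'; Expression = { Get-ServiceAccountLabel $_.StartName } } |
        Group-Object Account |
        Sort-Object Count -Descending |
        ForEach-Object { '{0,-24} {1,3} services' -f $_.Name, $_.Count }
}

# The LocalSystem set is the interesting one: every entry is always-on code that runs
# with full control of the machine. Strip the service's command line down to its
# executable and look at who signed it, so third-party agents stand out.
function Get-NonMicrosoftLocalSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            # Quoted path ("C:\Program Files\x\svc.exe" -arg) or bare path (C:\...\svc.exe -k netsvcs)
            $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^([^ ]+\.exe).*', '$1'
            $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                      else { '<unsigned or file not found>' }
            [pscustomobject]@{ Name = $_.Name; Executable = $exe; Signer = $signer }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

Get-RunningServicesByAccount
Get-NonMicrosoftLocalSystemServices | Format-Table -AutoSize
```

One caveat: services hosted inside `svchost.exe` all resolve to the same Microsoft-signed binary, so a third-party DLL loaded into a shared svchost instance will not appear in the second list; for those you have to inspect the service's `ServiceDll` registry value instead.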
That is a lot of code that could potentially compromise any system, and it's not all Microsoft's: Symantec, Lotus, Apple, Check Point, and IBM all have services running as Local System. I am nowhere near technically competent enough on UNIX or OS X specific internals to say whether Mr. Yager is correct about OS X's design. My deepest technical knowledge is on the Windows and .NET stacks, so there is no way I can judge if the list of OS X design choices absolutely prevents malware, but if Mr. Yager is correct in his OS X assertions, that sounds like a better, more manageable design than what MS has ended up with in the production versions of Windows. I don't think it's controversial to suggest MS is well aware of these problems and is making a lot of changes in Vista, the most visible being User Account Control. This link details the "Security and Data Protection" improvements in Vista, and there is a section on Windows Services hardening. This is particularly telling about previous versions of Windows:
Windows services represent a large percentage of the overall attack surface in Windows—from the perspective of the quantity of overall "always-on" code footprint in the system, and the privilege level of that code. Windows Vista limits the number of services that are running and operational by default. Today, many system and third-party services run in the LocalSystem account, where any breach could lead to unbounded damage to the local machine—including disk formatting, user data access, or driver installation.
Read the whole article for the steps MS has taken in Vista to harden Windows Services. Will these protections make Vista more secure than XP? I would put money on it. Riddle me this: when Vista comes out and the security design changes, which emulate OS X security design decisions from years ago, result in a reduction in malware, spyware, viruses, etc., would anyone ever again seriously claim that OS X was more secure primarily through obscurity instead of primarily through better design and implementation? I am not looking forward to Vista from an end-user perspective, but I am eager to see if the security design changes make computing safer for Windows users.