Windows 7 security is nothing like OSX. Windows has services which will allow any malware author to execute any code they like without UAC prompting them.

Actually, no. Windows (Vista onward) and OS X pretty much have the same privilege separation. Well, technically, all of the NTs did, but Microsoft idiotically made default accounts the equivalent to superuser up to and including XP, in order to keep apps running that were used to Win 9x non-existent privilege system. OS X runs services with varing levels of permissions just like the NTs (the various daemons) that run under accounts like lpt, nobody, like WIndows has services that run at various levels of permissions (Local Service, Network Service, System). In both cases, lower priviliged programs (the user) can’t affect upper level programs and services ( Local Service, Network Service, System) without jumping through an elevation barrier (UAC on WIndows, Authenticate on OS X, gksu on my beloved Ubuntu box.) (Although Seven puts a privilege elevation hole right in the middle of the OS, to molify the people complaining about UAC — akin to what Raymond Chen describes as asking for a security hole as a feature, and Microsoft happily obliging.)

I actually agree with pretty much everything Joe wrote here about the malware system on Windows. While marketshare plays a bit of a role, it’s simply cheaper (I like to think of it in economic terms) to write malware for Windows for all of the reasons Joe describes. Microsoft needs to make it much much more expensive to write malware. Obvious things include closing any security holes they find, but there are many things they can do that aren’t obvious which can really help.

For instance, everybody agrees OS X applications are well designed and aesthetically pleasing. Mac developers pride themselves on making Mac-like applications, even though it is incredibly hard. That is an expense. A piece of Mac malware will not spread if it looks like an ugly Windows program. Contrast that to a Windows computer that I had to clean of a program called WinAntiSpyware. Dialog boxes were written in barely literate English, with poor grammar, and many typographic errors (probably because most malware is written in Eastern Europe). If something as ugly as WinAntiSpyware was ported to OS X, it would fail dramatically.

The Mac also sports a very protective community (as Joe once again had the misfortune to rediscover, with the misunderstood Steve Jobs post). It’s a double edged sword, but it does help protect the Mac OS ecosystem from threats. Getting around that community is also expensive. (I’m not sure Microsoft could foster such a community, or if it is even too late given that the Windows install base is huge).

The System Registry is an example of putting all you eggs in one basket.

This really is not true. The registry is not a single basket except how it is represented to users. Settings are logically segregated. (User settings are put in one set of files in the user profile directory; while machine settings are stored in the System directory of the boot machine.) Programs should alter their own keys and only their own keys, and corruption of a program key does not cause damage elsewhere. And of course, given that different settings are stored in different files,an error in one file does not destroy the whole registry.

.) Up until Vista Windows Update was built into a webpage + ActiveX in IE, making users accustomed to getting updates and patches through webpages; which in turn makes them much more likely to download from nefarious fake update and patch sites.

.) No inclusion of anti-spyware + av tools although it’s clearly an essential OS function in the Windows world, thus making users vulnerable to malware posing as such tools. In my personal experience these are some of the most common malware infections.

To me these above changes in Vista, 7 and with Morro are the most significant security enhancements Microsoft have done on the user end, rather than ASLR, patch-tuesday, and other core security enhancements, which is more effective in combating server vulnerability patterns than bad-user-habit-patterns.

.) A lazy software ecosystem were multi-user unaware apps are still common-place, hence triggering a wave of UAC notifications in Vista and resulting in a huge chunk of Windows apps being Administrator-privilege-only even though they really don’t have to be.
That is 100% Microsoft’s fault though as the single-user mentality – “i’ll just write my preferences into C:\Program Files\MyShittyApp\conf” – should have died / been killed with the replacement of Windows ME in ‘00 not kinda-sorta discouraged with Vista in ‘07.

.) Windows out of the box being unable to work with essential files and standards like PDF, Java, Flash in many cases, etc which means a Windows user generally has to go and hunt for and install a larger number of helper programs than a OSX user for instance. Generally an OSX user will be installing a whole lot less of these kind of auxilliary apps when they first get their machine, thus they won’t be installing as much malware inadvertently.

.) The core business model of “Windows by Microsoft + identical bland boxes by 100 competing companies” of course also doesn’t help when these 100 competing box pushers feel compelled to “differentiate” using helpful wireless network managers, Lenovo-style GINA replacements and other unnecessary system tools that ultimately just slow down the overall Windows experience, thus causing people to click on those “Registry fixer” or “Windows speed-up tool” and other such malware ad links.

Apologies about the length but those are my 2 cents at any rate…

Unlike peripheral, software, services, or other ecosystem components it generates zero sales pull back into the ecosystem.
These vendors are also responsible for their fair share of problems (example nVidia Vista drivers, etc), but also give back to the Windows world.

Brilliant article in all and again begs the question of why i can read this analysis for free but have to pay subscriptions to places like the WSJ or FT for their often times less though out content…

For real security look at Android and the iPhone. Android isn’t even vulnerable to user-installed malware and the iPhone needs the binary to be signed before it will even run.

Apple tried selling via retailers but they were shunned because of a backroom deal made by Microsoft. That is why they have their own stores. OSX development is way more open and accessible than Windows development.

The idea of open hardware has added to the instability of the Windows infrastructure. Expecting manufactures to independently follow complex guidelines is tough. Then expecting them to explore all the possible permutations of coexistence, is really tough. The consequence has created a great deal of confusion, resulting in the comment, “It works fine on my computer”. Microsoft added insult to injury with operating systems that have been less than stable. Part of Apple’s success is that they have controlled both the hardware and the software. They have a much easier problem to solve. This is not necessarily a bad thing, as long as market share stays below 50% or so.

Another area where I find fault with the Windows ecosystem revolves around ActiveX and the System Registry. What poor choices they were, particularly in the area of unintended consequences. ActiveX gave developers tremendous power and flexibility in controlling and manipulating Windows. Unfortunately, for all the good that ActiveX can do, there is more than enough bad that can occur. Using IE, to hook to Outlook, to extract an Address Book, to propagate spam, is the tip of the iceberg. The System Registry is an example of putting all you eggs in one basket. Old wives tales are old, and wise, for a reason. Expecting everyone to behave correctly, and not corrupt the registry, was ill-conceived. Shame on Microsoft for ever letting this concept get passed the idea stage.

Back to your ecosystem idea. If the parasite kills the host, it too shall parish. It needs to continue to feed off the host or it too will die. Or, it needs to evolve itself, and find another host to feed off of. The cybercriminals could conceivably kill off Microsoft. Which gets us to the basic question, can malware survive outside the Windows ecosystem?