[ztnktl]

>Microsoft Windows ends up being the most secure general operating system

It already is. What, exactly, is better than Windows at security features on desktop computers? Linux? There is nothing in there that comes even close to the defensive features of windows, like HVCI, a subsystem that checks for driver signatures and the likes isolated by virtualization mechanisms, which completely prevents tempering with the kernel. Linux's support for secure boot only exists to make it convenient to dual boot with windows, it doesn't do enough to prevent kernel level rootkits, it's a total placebo and it's even worse if you use a distro that doesn't have signed kernels, like Archlinux. If you're self signing on the same computer, how exactly are you stopping malware?

Since Vista, the OS also gained some serious resilience against crashes that I have never seen on other operating systems. For example, it is possible for your desktop session to survive a GPU driver crash. On linux this is a guaranteed freeze or kernel panic. This is, fortunately, a rare event, but the last times I've seen my computer freeze on linux, it was always because of the graphic stack.

openBSD's slogan for having few remotely exploitable exploits out of the box doesn't mention that it's because it has literally no features enabled out of the box.

macOS and iOS are the systems with the greatest amount of privilege escalation fails by far. In fact, what do people think jailbreaks are? Some of which are truly frightening when you think about what could have been. Multiple jailbreaks were made that could be run just by browsing a webpage on safari. This means they punched through the browser, punched through privilege escalation and had the potential to install a rootkit on your phone. Just by visiting. A. Webpage.

How many times such a thing has happened on Windows in the recent years? visiting a webpage installed a rootkit on your computer?

[revelio]

Disagree, macOS is way ahead. Windows code signing is a half-implemented joke that doesn't do much and apps can easily tamper with each other at will (unless they're installed using MSIX which not much uses), whereas macOS code signing actually works and will stop apps tampering with each other completely.

The macOS app sandbox actually works. On Windows nothing uses the app sandbox due to serious bugs and performance regressions. Chrome rolls its own sandbox for example.

SIP successfully stops macOS getting screwed up. The number of Windows installs out there in some bizarre half-broken state is incredible. It's routinely the case that API calls which work on one Windows system don't work on others even at the same patch level for no clear reason at all, which trace back to weird configuration differences to the OS.

Windows still relies heavily on client side virus scanning. Apple do malware scanning server side and then lean on their code signing and integrity systems instead, which is one reason Macs have great battery life.

And then there's all the other more well known security things Apple do with secure processors and the like.

Windows is just so far behind and they're so drowning in tech debt it's unlikely they'll ever catch up.

[015a]

Its difficult to quantify something like this; so obviously treat this data with proper skepticism. But: CVE Database, just looking at 2022.

- Windows 11: 498 reported CVEs in 2022. [1] - MacOS: 379 CVEs [2] - iOS: 242 [3] - Android: 897 [4]

Linux isn't as well-comparable or categorized (especially given its just the kernel, and there are dozens of other "products" which make up an equivalent to what Microsoft would call "Windows 11"). Nonetheless: 306 [5]

You should check your preconceptions and susceptibility to Apple's marketing. No one is substantially far ahead or far behind (except maybe Android, but again, these are hard to compare apples-to-apples). Everyone still experiences roughly the same class and magnitude of vulnerabilities. But, everyone is also getting better at it.

[1] https://www.cvedetails.com/product/102217/Microsoft-Windows-...

[2] https://www.cvedetails.com/product/70318/Apple-Macos.html?ve...

[3] https://www.cvedetails.com/product/15556/Apple-Iphone-Os.htm...

[4] https://www.cvedetails.com/product/19997/Google-Android.html...

[5] https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...

[revelio]

I'm not sure how that rebuts my point? macOS has a much lower number of CVEs than Windows. But there's a lot more to security than CVEs, and my post was about issues that CVEs don't track. BTW Apple marketing isn't what led to my views, they're based on direct experience with the security mechanisms of both operating systems up close and personal.

[015a]

Well, you know what they say about being too close to something to speak on it objectively. Which in this case means: there's the way these systems were designed to work, and how they actually work toward the end-goal of keeping the systems they secure, secure.

I'll believe that Apple's operating systems are significantly and measurably more secure when they can make it a few years without a maliciously formatted iMessage crashing the kernel. Until then; its arguing minutia. Everyone has security issues. Everyone is taking steps toward improving their security. No one is so far ahead that they're worth white knighting on HackerNews.

[seba_dos1]

> macOS has a much lower number of CVEs than Windows

More than 75% of Windows CVEs isn't exactly "a much lower number of CVEs", even without considering its actually much lower market share.

[gigel82]

You probably need to rebase that for usage stats (install base)

[mustache_kimono]

The CVEs / Install Base ratio is a pretty silly metric for determining the security of a product. A large number of CVEs could tell you that the users and developers of a particular product care a lot (or are paranoid or are simply security minded) about security, and want to give notice of issues to as many people as possible.

This is a live issue in the Rust community, which does appear to care a great deal about security, as to how to deal with minor/theoretical vulnerabilities perhaps unworthy of a CVE.

[amelius]

> Disagree, macOS is way ahead.

Apple is a consumer electronics company. For serious tools, use Windows.

[r0l1]

For serious privacy loss use Windows

[unnouinceput]

Hold your horses there my good friend. Yes, Windows is better now than it was in the past but is still a shitty OS. None of them are actually. All of them continuously fail every single year at hackers gathering/hackatons/whatever public event, with multiple zero-day showing. Every single major OS out there is a joke from security point of view.

[anthk]

This. Parent it's deluded if Windows can even be compared to a hardenex Guix setup with rollbacks and sandboxed Chromium/Icecat's.

I would think otherwise if Windows used virtualisation and sandboxing to run old Win32 apps from XP and below. Because lots of enterprise software depends on proper compatibility modes, and there the security gets thrown out of the window.

[helloooooooo]

iOS has some seriously nifty security mechanisms that takes advantage of features baked into the Apple Processors. Stuff like pointer authentication and page protection layer(something akin to HVCI, without the hypervisor). Jailbreaks are getting harder and harder.

Both Windows and iOS(I can’t speak to macOS) are becoming incredibly security mature operating systems via these security mechanisms that get stacked on top of one another. Saying on is better than the other in terms of security is hard to quantify.

Windows still does have some issues with user mode logical exploitation through DLL hijacking, or issues with credential relaying, although relaying targets are generally known and mitigated by enterprises.

iOS still has issues with remote attack surface, however it has gotten better with iOS 16 and Blastdoor +Lockdown

[hardware2win]

Anecdote:

Ive tested a two or three years old Chrome version with JIT compiler vulnerability and guess what - on empty Linux vm it managed to escape chrome and execute code

Meanwhile on Windows with Crowdstrike software installed Chrome just showed some error message about mem. access

Im not sure who handled that attack - was it Windows or Crowdstrike, but eitherway Ive been impressed

[selfmodruntime]

I can pretty much guarantee that the Windows kernel stopped unallowed memory access from chrome to outside apps.

[anthk]

Under OpenBSD pledge and unveil would send that Chromium instance SIGABRT'ed. Your parent comment it's utterly wrong.

[sekh60]

With or without SELinux enabled?

[hardware2win]

Idk, that was fresh instal

[jve]

I know Windows has many security features disabled by default. Where do I start to learn about them and maybe get some nice baseline recommendations for my home/office laptop?

[pjmlp]

One of the ways is to dive into "Windows Internals" book series,

https://www.microsoftpressstore.com/store/windows-internals-...

https://www.microsoftpressstore.com/store/windows-internals-...

Some of the content is available for free,

https://learn.microsoft.com/en-us/sysinternals/resources/win...

One of the main differences from Windows 11 to its predecessors is that all those defaults are now turned on,

Here are some of them,

https://learn.microsoft.com/en-us/windows/security/threat-pr...

https://learn.microsoft.com/en-us/windows/security/threat-pr...

https://techcommunity.microsoft.com/t5/windows-hardware-cert...

https://www.microsoft.com/en-us/security/blog/2020/07/08/int...

https://learn.microsoft.com/en-us/windows/security/informati...