| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by fpgeek 5192 days ago

> Such vulnerabilities are incredibly rare in Mac OS X since unlike Windows, kernel space is isolated from users.

That's just flat wrong and hasn't been true for an OS Microsoft has supported for mainstream use since 2003 [1]. Windows XP and all current Windows releases are based on the protected NT kernel which debuted in 1993 (with Windows NT 3.1). In fact, Microsoft and Apple stopped shipping OSes with unprotected kernels in the same year (2001) with Windows XP and OS X "Cheetah", respectively.

Look, Microsoft has made a lot of mistakes with respect to security (bad defaults, running as Administrator too often, too many low-level bugs, ...). Since OS X, Apple has had a much better security track record. That's why it is so frustrating to see people criticize Microsoft for mistakes they fixed a long time ago instead of focusing on current (or at least recent) issues.

[1] When Microsoft downgraded Windows 98/98SE/ME to paid support and critical security fixes only: http://support.microsoft.com/gp/lifean18

1 comments

dsrguru 5192 days ago

That can't be true. If NT-based versions of Windows implemented a system call mechanism that protected the kernel from users, XP wouldn't have been ridden with viruses, and there would have been no purpose in giving Vista and 7 the access control mechanism to warn users of potentially harmful system calls. By the way, Cheatah just refers to the original Mac OS X. Your phrasing "stopped shipping OSes with unprotected kernels ... [starting with] Cheetah" makes it sound like Mac OS X initially didn't have this protection, which is not the case.

fpgeek 5192 days ago

First, Cheetah wasn't the first Mac OS X. There was Mac OS X Server 1.0 in 1999 (see: Wikipedia). Cheetah was the first desktop-oriented version of Mac OS X.

Second, I didn't imply that prior versions Mac OS X didn't have kernel protection, I implied that prior versions of Mac OS didn't have kernel protection. This is indisputably true (see: Mac OS 9). Personally, I find Windows / Mac OS parallel surprisingly close here: Windows ME is to Windows XP as Mac OS 9 is to Mac OS X Cheetah.

Third, UAC (User Account Control), the access control introduced with Windows Vista, is almost entirely unrelated to kernel protection (except that UAC would probably be pointless without it). The problem UAC tries to solve is "users running as an administrator too often", not "the kernel isn't protected from user programs". In other words, it is Windows' answer to sudo, not a fundamental change to the Windows kernel.