by nkozyra 4130 days ago
This is a common (and tired) response but it's really not entirely true - Windows does in fact have a lot of potentially catastrophic holes that are innately tied to higher privileges for users.

Most of what Windows has implemented since 7 with UAC, MSSE and now integrated with Defender is a layer on top that introduces some failsafes. I won't argue that it's been a massive and much-needed improvement to Windows, but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

Designing actual viruses - stuff that has the ability to read and modify the filesystem - is still harder to pull off undetected on OSX. This article intimates as much. Most of what's included here is either bundled applications you don't want - but you still have to actively find and then agree to - or browser modifications. Neither of those is within 500 sqmi of, say, CryptoLocker.

3 comments

I never claimed that Windows or Mac OS X are more or less secure than the other. I very specifically said the following:

"Most of the infections on Windows aren't due to some huge security issue on Windows that Macs are magically immune to. They are due to the users themselves installing adware or malware-infected software from sites online."

This is 100% accurate and what most home users have to deal with in terms of issues on Windows. The vast majority of Windows issues that end users experience and get frustrated over have nothing to do with Java or Flash flaws or needing to compromise a system. The users themselves give the apps permission to install and do their thing.

It's also worth noting that Java and Flash don't provide much of an attack vector for the majority of Windows users you and I know anymore either. Firefox won't permit outdated versions of the Java or Flash plugins with security issues to run and will direct you to update. Chrome has its own version of Flash built in and automatically updated with the browser and disables Java by default. Even Internet Explorer blocks outdated ActiveX plugins like old and insecure versions of Flash and Java these days.

I still don't think that's true - visiting a malicious site without any action still provides far more of a risk on Windows than it does on OSX.

Are there improvements on the browser and OS side that are helping? Sure. Do those impact the vast majority of Windows users? Probably not. Look at browser & OS version usage and you'll see that the "users you and I know" are probably not indicative of the majority of users in general. At least not yet.

All major browsers on Windows block outdated Flash and Java by default. All major browsers on Windows are automatically updated to the latest version by default. So, for the vast majority of Windows users, the attack vectors you're mentioning simply don't apply anymore. That means users you and I know and most users we don't.

What I'd meant by that line was that this doesn't apply to users in other countries where the majority of users are still using hacked (and completely insecure) versions of Windows XP. Sadly, Windows XP still represents about 19% of online users. Thankfully, most of those users are using a 3rd party browser as IE 6 is down around 1%.

This is a commonly held misconception among OS X fans, but it's in no way true. It hasn't been since Windows 98. The claim doesn't even make sense - if your user, privileged or not, can read or write files, that means malware can modify the filesystem. The OS has no mechanism for making this easy to detect relative to any other OS. CryptoLocker would run with absolutely no problems on OS X if someone ported it.

Remember, you don't need administrative privileges to destroy everything belonging to the user, which is most things you care about. And even if you do, elevating is trivial on both Windows and OS X.

Java and Flash behave no differently on OS X than Windows. They are no more or less of a hole in either OS. In fact, there are more protections against Java and Flash bugs on Windows. There just also happens to be more attacker investment in those platforms as well.

> but Java and Flash still provide viable vectors to bypass it and infect a Windows machine.

...Unlike Mac which doesn't have Java or Flash?

The key word here is "viable."