The Mac OS isn’t really virus proof…?

The argument goes something like this:

Fan Boy: “Mac OS X is immune to viruses”

Windows: “No it isn’t.  Windows is just more dominant, so of course people are making viruses for it”

Fan Boy: “No, it’s Windows’ poor security”

Windows FB: “Honestly, if OS X was really virus proof, don’t you think Microsoft would have reverse engineered it by now?”

Here’s part of the answer, but first, we need some history…

Windows Security

Microsoft Windows, even from its earliest days, has had poor security practices. Windows 1 – 3.1 were all designed to support a single “administrator” user, and while Windows 95 and 98 added support for other users, that was virtually cosmetic. Hitting ESC at the login prompt would bypass the login and give complete access to the computer.

Windows NT introduced the first true multiple user support for Windows, and introduced “non-administrator” accounts.  But, alas, a significant number of applications “broke” due to multiple user support, and can’t be run without Administrative access.

Even today with Windows XP and Vista, some applications will not run correctly unless run from an administrative account. This encourages people to use an Administrative account, since they don’t want to log out and log back in to access a particular application. Windows Vista and Windows 7 make this even more annoying, since now you have to authorize opening any application that wants administrator access. If you want to change your screen saver you have to authenticate via Windows UAC… And disabling UAC just allows applications to run wild, making the system significantly less secure.

Mac OS X Security

Mac OS X is a Unix-based graphical operating system, built on technologies developed at NeXT between the second half of the 1980s and Apple’s purchase of the company in late 1996. From its sixth release Mac OS X v10.5 “Leopard” and onwards, every release of Mac OS X gained UNIX 03 certification while running on Intel processors.

The first version released was Mac OS X Server 1.0 in 1999, and a desktop-oriented version, Mac OS X v10.0 “Cheetah” followed on March 24, 2001.  The server edition, Mac OS X Server, is architecturally identical to its desktop counterpart, and includes tools to facilitate management of workgroups of Mac OS X machines, and to provide access to network services. These tools include a mail transfer agent, a Samba server, an LDAP server, a domain name server, and others. It is pre-loaded on Apple’s Xserve server hardware, but can be run on almost all of Apple’s current selling computer models.

So first, the Server edition of Mac OS X and the desktop version of Mac OS X are nigh identical, with the exception of the add-on server software. In other words, the inherent security of the OS is the same; the additions add features, not security.

Second, being Unix based, there are severe limitations on what the user and user processes can do. For example, if I opened a terminal window and typed in “rm -rf /”, the system would still boot up after it attempted to erase the entire hard drive. Why? Because it would only wipe out content owned by my user. The OS files are owned by the ROOT or SYSTEM user/groups. Yes, if I SUDO’d (Super User Do) that same command, it would have been significantly more hazardous. But wait… I am an Administrator, why didn’t that damage the OS?

Because of Unix Security & Design. A user can be an administrator, but that just allows the user to authenticate and authorize the command. By default the Administrators are the same as an ordinary user, until they “request” that a command be elevated to a higher level. Thus, I would have had to use the SUDO command at the terminal, or if I tried to trash the OS via the GUI, the Finder would have asked me to authenticate through a dialog window.
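The ownership rule described above can be modelled in a few lines. The following is an added example, not code from the original post: it applies the classic Unix permission-bit check for deleting a file to a small constructed file tree. All paths, uids and gids are made up for illustration, and ACLs and any protections layered on top of the permission bits are ignored.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    """Constructed stand-in for the stat() fields the kernel consults."""
    owner: int  # uid
    group: int  # gid
    mode: int   # permission bits, e.g. 0o755

def class_bits(node, uid, gids):
    """rwx triplet that applies to the caller: owner, else group, else other."""
    if uid == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def may_unlink(parent, target, uid, gids):
    """Classic Unix rule for removing `target` from directory `parent`."""
    if uid == 0:  # root (what sudo gives you) bypasses these checks
        return True
    if class_bits(parent, uid, gids) & 0o3 != 0o3:  # need write + search on the directory
        return False
    if parent.mode & stat.S_ISVTX:  # sticky directory: only the file or directory owner
        return uid in (target.owner, parent.owner)
    return True

# Constructed sample: uid 501 is an "administrator" (member of gid 80) who is not root.
ROOT, ALICE, WHEEL, STAFF, ADMIN = 0, 501, 0, 20, 80
DIRS = {
    "/system":     Node(ROOT, WHEEL, 0o755),
    "/home/alice": Node(ALICE, STAFF, 0o755),
    "/tmp":        Node(ROOT, WHEEL, 0o1777),
    "/shared":     Node(ROOT, ADMIN, 0o775),
}
FILES = {  # path -> (parent directory, file metadata)
    "/system/kernel":    ("/system", Node(ROOT, WHEEL, 0o644)),
    "/home/alice/notes": ("/home/alice", Node(ALICE, STAFF, 0o644)),
    "/tmp/alice.sock":   ("/tmp", Node(ALICE, STAFF, 0o600)),
    "/tmp/root.lock":    ("/tmp", Node(ROOT, WHEEL, 0o644)),
    "/shared/tool":      ("/shared", Node(ROOT, ADMIN, 0o755)),
}

def survivors(uid, gids):
    """Files a recursive delete run by (uid, gids) could NOT remove."""
    return sorted(p for p, (d, f) in FILES.items()
                  if not may_unlink(DIRS[d], f, uid, gids))
```

Note that what decides a deletion is the permission on the containing directory, not on the file itself, and that membership in an admin group only matters where a directory is group-writable.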

General

With Windows, it seems that there are significantly more UAC authentication dialog windows than on Macintosh. Part of this seems to be that the UAC authentication must occur before the control panel is visible, whereas on the Macintosh you can open the System Preferences and examine all the settings, but until you attempt to change a setting, you do not need to authenticate. In addition, you remain authenticated until you re-lock the authentication, or the authentication “timer” times out.

“No it isn’t.  Windows is just more dominant, so of course people are making viruses for it”

That argument doesn’t stick. Take a glance at these figures from Netcraft.

Developer   March 2010    Percent   April 2010    Percent   Change
Apache      112,747,166   54.55%    110,752,854   53.93%    -0.62
Microsoft    50,572,540   24.47%     51,284,570   24.97%     0.50
Google       14,592,133    7.06%     13,749,829    6.70%    -0.37

According to these figures, the Apache web server has a 54.55% market share (112 million servers), versus Microsoft’s IIS, which has a 24.47% market share (~51 million servers). Is Microsoft more dominant? Not at all, they have just under half as many web servers as Apache does…

So, using this logic…  Wouldn’t that mean that Apache would be the most heavily attacked and cracked web server on the planet?  It isn’t.  IIS, the Microsoft Web server, is the most heavily attacked web server…

Here are some rough figures for the number of virus definitions that I have been able to gather from the virus companies…

Product (platform)   Virus definitions
iAntivirus (Mac)                   116
ClamAV (Win)                    759149
NortonAV (Win)                 7077413
Pandasoft (Win)                 168671

The following graphs are from http://www.sans.org/top-cyber-security-risks/

First up, a graph showing the 2009 number of attacks against the Microsoft Windows platform.

The break down of the Microsoft OS Attacks.

Overall, it makes much more sense that Microsoft’s vulnerability to attack is due to legacy support of the earlier OSes and the applications that they run. Mac OS X doesn’t have the same degree of baggage to be concerned with, and it has a more sensible security model based on an already established Unix security model. Microsoft can’t afford to fix some of the security issues, because doing so would prevent certain software from being used.