I recently asked a group of computer support technicians what they felt was the biggest threat to OS X security. Their response was, "Windows". At first I thought this was a jibe at Windows by a bunch of Apple worshipers, but as I mulled it over for a few days I began to consider a different perspective.
Consider the recent QuickTime vulnerability. This is a good example of poor application security, a topic that is often overlooked by system administrators and security professionals alike. In this case the operating system may well have been perfectly hardened, but the weakness fell within the installed application. We all know that there are scores of vulnerabilities and exploits targeting Windows itself. Well, what happens when we introduce Windows into the OS X environment? Boot Camp and Parallels both allow Windows to have access to some portions of the OS X data on our drives. That access, in the case of Boot Camp, is pre-boot, meaning that all of the security features built into OS X are bypassed. I would imagine that it will be only a matter of time before a clever bad guy engineers an exploit for this particular weakness.
This brings me to my original point that application security is often overlooked. I would venture to say that if we look into the liquid crystal ball, we will see a dramatic rise in exploits of application weaknesses in both OS X and Windows. I challenge you to visit your favorite bug-tracking site and look specifically for applications that have been ported to OS X. PHP and MySQL alone have dozens of exploits already posted. We've beaten the dead horse (otherwise known as "Windows security stinks") until it should have been dead twice. How long will it take before we seriously look at the security of the applications that we load onto our "hardened" operating systems?





