Large Prize Offered For Writing Mac Virus
Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."
"Macs aren't more secure, it's just that Windows is a bigger target"
While this statement may SOUND true, it's a fact, MAC OS X was built with more security in mind than Windows. Security was built into the OS from the ground up. That can't be said of Windows.
While making a statement such as "Macs can't have a virus" is false, I would say it would be more difficult to make one, than creating one for a Windows box, which seems like any Joe Shmoe can do.
Anyone want to dig up the Slashdot story from way back where an OS X Mac user's machine was "infected" because the guy downloaded and proceeded to run "Office for Mac" (which was mysteriously less than 1MB) off a P2P network, and found out every folder he had rights to was deleted (the program was just a shell script that was likely written by an 8 year old who had just discovered that they existed and that you could use the delete command in them).
Puts things in perspective: If a user downloading and voluntarily running an obvious trojan is enough to count as a newsworthy event so far as Mac security is concerned, there can't be that many people trying to infect the 2 Mac users connected to the internet.
As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share.
The conclusive evidence is that OS X is a flavour of *BSD.
If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows, despite the fact that the Apache setup has, always has had, and most likely always will have too, a market share far greater than that of IIS.
That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...
clicking 'Yes' to install things they really shouldn't
Macs use verbs in dialog boxes, instead of 'Yes', 'No' and 'Cancel'. The button to install software on a Mac would be 'Install Software', not 'Yes', so clueless users have a better sense of what they are doing.
Discussed better here
Guy asked me for a quarter for a cup of coffee. So I bit him.
As far as I'm aware there is no conclusive evidence that the "Windows Market Share" theory of exploitation holds any water at all. From a _design_ perspective Windows has been shown to be less secure than other operating systems. Whether it's targeted or not has no effect on how secure Windows actually is! It just brings to light that it is insecure, incontrovertibly and demonstrably insecure.
Kind Regards
"A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
It had better be more than $50K for a Symantec Employee: according to my employment contract, writing a virus will result in my immediate termination. Such termination also means that I forfeit all my stock options, worth far more than $50K at this point. And not to mention a great paying job with annual bonuses worth about half the original award.
So from an economic standpoint I'd be seriously in the hole, trading in options and bonuses worth a hell of a lot more than the amount being offered from a rather shady source.
No way!
Now that's interesting.. I did a similar experiment a while back
If you only read the headline, you might think I was agreeing with your position. However, my results were that the SP2 box went untouched for a couple weeks. And that none of the boxes that were infected had spyware, they had worms. It's also extremely rare that spyware gets on via any other mechanism besides web browsing.
So, I'd be curious to see the data you have to back up your claim.
Sure enough, do a whois on DVForge, and you get "Jack Campbell" with an email address of macmice.com . This is the guy behind MacWhispers. One slashdotter, adzoox, can tell us a lot about Jack Campbell (no, adzoox, thank the Cylon god, as an AC in this thread put it, is not Jack Campbell).
This kind of statement always puzzles me. I have two PCs permanently connected to the net, my wife has another, and so do both my parents and my sister in law (some of the most computer illiterate people that have actually managed to make it onto the net), and I've checked all of them for spyware on a reasonably regular basis over the past few years. The only one that's ever been infected with spyware (unless you are talking about things like cookies) was one of my PCs - and this was entirely my fault for installing some dodgy P2P software and not reading the Ts&Cs properly.
What spyware were you infected with? How did you detect it?
Hartman: Private Joker, do you believe in the Virgin Mary?
Joker: Sir, no sir!
Hartman: Well Private Joker! I don't believe I heard you correctly.
Joker: Sir, the private said "No sir!", sir!
Hartman: Well, you little maggot, you make me want to vomit!
...
Hartman: Are you trying to OFFEND me?
Joker: Sir, negative sir! Sir, the private believes that any answer he gives will be wrong, and the senior drill instructor will beat him harder if he reverses himself, sir!
Hartman: Who's your squad leader, scumbag?
Joker: Sir, the private's leader is Private Snowball, sir.
Hartman: Private Snowball!
Snowball: Sir! Private Snowball reporting as ordered, sir!
Hartman: Private Snowball, you're fired! Private Joker is promoted to squad leader.
Snowball: Sir, aye aye sir!
Hartman: Disappear scumbag!
Snowball: Sir, aye aye sir!
Hartman: Private Pyle!
Pyle: Sir, Private Pyle reporting as ordered, sir!
Hartman: Private Pyle, from now on, Private Joker is your new squad leader, and you WILL bunk with him. He'll teach you everything, he'll teach you how to pee!
Pyle: Sir, yes sir!
Hartman: Private Joker is silly and he's ignorant, but he's got guts, and guts is enough.
RTFA. It's cancelled.
What a HUGE surprise. The linked page now explains, almost sorrowfully, why he decided to call it off. Read the last paragraph for a real laugh.
DVForge Cancels The Mac OS X Virus Prize
March 26, 2005 - For Immediate Release
Today, at 12:00 noon Central Time, DVForge, Inc. announces its
cancellation of the Mac OS X Virus Prize 2005 that the company
announced earlier in the day.
"In response to the statements put forth this past week by Symantec
Corporation suggesting that Mac users are at substantial risk to
infections from viruses, our company crafted and announced a contest
that would have paid a $25,000 prize for the successful creation of
such a virus," said Jack Campbell, DVForge, Inc. CEO, "During the first
several hours after making the public announcement, I was contacted by
a large number of Mac users and Mac software professionals who shared
their thinking with me about the contest. A few of these people are
extremely well-regarded experts in the field of Mac OS X security. So,
I have taken their advice very seriously, and have made the difficult
decision to cancel our contest. I have been convinced that the risk of
a virus on the OS X platform is not zero, although it is remarkably
close to zero. More importantly, I have been convinced that there may
be legality issues stemming from such a contest, beyond those
determined by our own legal counsel, prior to announcing the contest.
So, despite my personal distaste for what some companies have done to
take advantage of virus fears among the Mac community, and my own
inclination to make a bold statement in response to those fears, I have
no responsible choice but to retract the contest, effective
immediately."
The Mac OS X Virus Prize contest web page will remain active for the
foreseeable future, and will be used to show articles and links that
will help Mac users better understand the risk to computer viruses, and
the reasonable measures best used to continue enjoying virus-free usage
of their Mac OS X computer systems. That web page is located at
http://www.dvforge.com/virus.shtml
Jack Campbell, CEO
DVForge, Inc.
http://www.dvforge.com
jack@dvforge.com
The entire contents of this publication are Copyright (C) 2005 by
DVForge, Inc. Unauthorized duplication, re-transmission, downloading to
a database, or broadcasting via any means whatsoever any portion of
this publication is not permitted.
On this subject, I recently answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation of Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude on security (though admittedly much improved) versus other vendors speaks volumes on this topic.
It takes work and thought to do security, and do it right. Ease of use and security aren't mutually exclusive. The key is to make security easy to use, and Apple has so far been on the right road with Mac OS X.
But the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys, and so the weaknesses don't get exploited much.
The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument. It is indeed true that they are targeted less for this reason. But the argument that it's straight cause-and-effect is disingenuous
"The virus author who has the balls to infect every Mac..."
I RTFA twice, and nowhere does it say anything about the contest goal being to "infect every Mac" or even set the virus loose in the "wild." It DOES say that the object was to infect TWO Macs with a HARMLESS virus.
FTFA: "...sponsoring a contest that challenges virus writers to actually prove that they can introduce a harmless virus into two modern OS X Macs."
Ignorance is curable, stupid is forever.
ActiveX doesn't work on a Macintosh, it doesn't do squat. :)
A quick visit to the website reveals that their
"Mac Virus Contest" is a totally bogus bit of
showmanship. ( From the: "Even bad publicity
is still publicity" Department ):
DVForge Virus Prize 2005
The Contest That, Sadly, Will Never Be
Contest goal: To lay to rest, once and
for all, the myths surrounding the lack
of spreading computer virii on the
Macintosh OS X operating system, by
sponsoring a contest that challenges
virus writers to actually prove that
they can introduce a harmless virus
into two modern OS X Macs.
That was the goal of a contest
announced recently by DVForge, but,
due to a variety of influencing factors
was cancelled shortly after having been
announced.
A Statement About The Contest Cancellation
"In response to the statements put forth
this past week by Symantec Corporation
suggesting that Mac users are at
substantial risk to infections from viruses,
our company crafted and announced a contest
that would have paid a $25,000 prize for
the successful creation of such a virus,"
said Jack Campbell, DVForge, Inc. CEO,
"During the first several hours after making
the public announcement, I was contacted by
a large number of Mac users, and Mac software
professionals who shared their thinking with
me about the contest. A few of these people
are extremely well-regarded experts in the
field of Mac OS X security. So, I have taken
their advice very seriously, and have made
the difficult decision to cancel our contest.
I have been convinced that the risk of a virus
on the OS X platform is not zero, although it
is remarkably close to zero. More importantly,
I have been convinced that there may be legality
issues stemming from such a contest, beyond
those terminated by our own legal counsel,
prior to announcing the contest. So, despite
my personal distaste for what some companies
have done to take advantage of virus fears
among the Mac community, and my own inclination
to make a bold statement in response to those
fears, I have responsible choice but to retract
the contest, effective immediately."
DVForge, Inc. supports honesty and integrity by
manufacturers in all public communication. And,
we strongly discourage the use of exaggeration,
innuendo, or loosely stated claims in an effort
to increase sales of a company's products. We
believe in accurate, fair marketing statements,
and in allowing an accurately informed public to
then make its own decisions about purchasing,
or not purchasing, a company's products or
services. We implore all Mac industry businesses
to support these same values.
We do not endorse the creation or distribution
of computer viruses. U.S. and international law,
as well as simple good judgment forbid the
transmission of computer viruses.
I get no end of amusement from people claiming that Mac users buy Macs because "they don't know anything about computers," or something to that effect. The fact of the matter is, this particular Mac user sees his computer for what it is: an appliance. It's not a platform, a political party, or a religion. It's a machine, not entirely unlike a toaster or Cuisinart.
When choosing a computer, I took into consideration:
1) What I need it to do.
2) How I plan to interact with it.
3) How much effort I need to put into maintaining it.
3a) How much effort I need to put into making sure my machine stays mine (i.e. not compromised by some bored malcontent.)
So, over the course of several decades, I test-drove a few different machines, running different OSs (disclosure: I ran DOS and Windows variants up to and including XP, various Linux distributions, and Mac OS X.) It became glaringly obvious that OS X was far and away the OS of choice for the amount of time and effort I intend to invest in using and maintaining my computer.
I'm not a BSD advocate or a network security guru because, quite frankly, the subjects absolutely bore me to tears. However, even I can appreciate the simple, quiet wisdom of turning most networking services OFF on a fresh install of an OS (as does OS X.) Just think how much more secure our computing environment would be if people only enabled the services they absolutely needed.
No the article doesn't say that explicitly, you'd have to understand how viruses spread, and make a logical connection to get there.
Let me help you out.
Here's my paraphrasing of the individual claims, from memory. I'd quote better, but oh look, they've cancelled already.
-We have two Macs on different Internet connections. We won't tell you the IPs.
-We're going to check for the next couple of months and see if they are infected, just by being on the Internet.
-(Vague statements about being successful enough in the wild)
Leaving alone the email vector, which I've agreed elsewhere is(was) viable, how do the viruses get onto their two Macs? Has to be both, mind you.
Whoops- must clarify:
System 7 days, by which time my Mac Plus
Noting of course, Mac Plus could not run System 7, but I frequently used other Macs at college and work that did.
named Switchback which infected OSX Macs, but nobody noticed it.
There are others such as Renepo.B
MacOS MW2004 Trojan, MP3 Concept, Opener, and a sound driver virus.
I think clearly the only virus myth about OSX, is the myth that OSX has no viruses that can infect it. Apparently there are at least several examples of OSX viruses, and that number seems to grow. It may even double every year.
I've always felt that using a computer without virus protection was like having unprotected sex without a condom with multiple partners. Back in the old days, when they used to say that the Commodore Amiga had no viruses, and that only MS-DOS suffered from viruses, Amigas got their own viruses that infected their systems. Usually it was one of those Amiga demo programs that people downloaded from BBSes to show off the Amiga's graphics and sound. Someone would infect it with a virus and pass it around. Amiga users felt that the Amiga virus was a myth, and many got hit. Now I see the same thing happen for OSX, only OSX is on the Internet and is subject to more dangers than the BBS world once offered.
So yes, the facts speak for Symantec, that OSX viruses exist, and possibly they could grow in number.
This bone-headed stunt of offering a contest to virus infect two Macs only shows how gullible people are. It was a phoney contest.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
People wouldn't have been up in arms about MacTable if he had been reselling furniture.
What he was doing was presenting others' furniture as his own design, taking all the credit for it, and showboating about how long it took him to design this gorgeous hunk of desk.
Except he had no hand in designing it, he wasn't building it, and he wasn't even an authorized outlet for the furniture in question. Hell, he didn't even take the pictures -- he lifted them straight from the manufacturer.
The shady business practices continue to the present day, with rebranded OEM products (the desk was a premium name brand) heralded as his own design, and speakers which probably suck being marketed the Monster way: "They're super duper! So super duper we're not releasing technical specifications, because they're just so super you need to hear the difference to believe it and the crazy pricing scheme! Super! How many watts are the speakers? It doesn't matter -- they're SUPER!"
In the past he's repeatedly also created a whole cadre of imaginary friends to defend him when he's attacked on Mac message boards. Where Jack leads and is rousted out, a half dozen more new users suddenly appear to leap to his defense and plug his products. Mysteriously all from the same IP as him.
I am not doing anything special.
Great.
I make sure to fdisk the mbr before an instal, just to make sure someone did not hide something on the hard drive before the instal. I do the instal off-line. Add a software firewall, then connect through a router to the net to get the service packs. I have never had any spyware on my system ever. I disable active-x from IE, and when I did my instal the only net protocol I install is tcp/ip, I do not instal the other 2- client or file & printer sharing.
And all this "nothing special" you do is basically done by anyone who installs Windows?
Right here you've nicely illustrated the trouble with Windows: as a power user you have no problems because you know that there's all this stuff, which is on by default, that you have to disable. You know that you have to have to add a firewall before connecting to the net. You know that you can't take a new Windows computer out of the box, plug it in, turn it on, and go on the net.
For the average user this is way beyond "not doing anything special," and it's decidedly non-trivial.
Ditto from another Symantec employee.
*sigh*
I don't know why I bother with the tin-foil hat brigade, but it is an explicit terminatable offense at Symantec to write--or help in writing--a virus. They just clean out your desk and have security escort you out of the building that day, no appeal. Your stock options and stock purchase plan options are immediately revoked, you lose back vacation pay, and you get no severance. Just a bootprint on your ass as you're kicked out the door.
But of course I'm part of the conspiracy, so you'll probably think I'm either a dupe or a lying spokes-hole.
I like being part of conspiracies; I worked many years ago for JPL in the same building the Weekly World News claimed housed an alien spacecraft that was being studied by the military--and the tinfoil hat brigade didn't believe me then when I told them it was just so much hokum...
That's a direct result of the design of Windows. Whenever I use Windows, I am constantly amazed at the number of stupid dialog boxes one has to click through, to perform even simple tasks. Making things worse, their dialogs are often confusing and poorly-written. Many of them even mangle the English language.
If Microsoft had not conditioned users to view dialog boxes as mere annoyances, then maybe they would not dismiss them so quickly without reading them. In contrast, dialog boxes are much rarer on Macs, and they are written much more clearly, and are more useful. They encourage the user to pay attention to them.
... and then they built the supercollider.
http://spl.haxial.net/viruses.html
At least the dialog guards against the most common types of viruses and security holes. Sure, most users will blindly type in a password if a software installer asks them to, but what about an e-mail attachment or random internet site?
/tmp...
It would be better if the OS provided customizable permissions (grant networking access separately from hard drive access, for example), but I've yet to see a good security setting setup or user interface to allow that sort of thing...
It would also be nice if you could 'spoof' root access to trick software into thinking it has full access to your system.
For instance, the OS could intercept all calls to update files outside of a folder called "buggy-app" on the desktop, and use an overlay file system and copy-on-write to store the changes in a special directory. Only the spoofed program would use the files that it created and modified, and the changes it performed could be reversed by deleting the stuff the OS put in
Add this to restricting read access to sensitive user information, and this could be a first step toward sandboxing applications.
"A critical security update is needed for your $RANDOM_APP. The update has been downloaded. Installing update..."
[Password Dialog Here]
Or somesuch.
I think that's the sort of thing a security-minded expert would prefer, and the average user would be overwhelmed by.
Yes, it would. I believe that Debian kinda-sorta does this with "fakeroot". I'd like an actual sandbox...
Yup! I've been pondering the need for this sort of thing for awhile. If it's clean enough, and robust enough, you can run _all_ of your applications in their own sandboxes. I think that this approach is simple enough to work for both the average home user and powerful enough to make a security guru happy.
Exactly. And if you want to keep the changes, you can put it in $HOME/.sandboxes/appname, or, since we're on the Mac, perhaps $HOME/Sandboxes/Appname/...
I like the way you're thinking.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
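The copy-on-write overlay idea discussed in the comments above, as an added example that is not part of the original thread or any poster's code: reads fall through to the real directory, while writes and deletions are recorded only in a separate "upper" directory that can be thrown away. The class name `CowOverlay`, the `.wh.` deletion marker and the sample file names are assumptions made for illustration; this models the bookkeeping at library level, whereas enforcing it against an untrusted program requires interposition by the OS.

```python
import os
import shutil
import tempfile


class CowOverlay:
    """Copy-on-write view of `lower`; every change lands in `upper` only."""

    WHITEOUT = ".wh."  # assumed marker prefix recording a deletion

    def __init__(self, lower, upper):
        self.lower = os.path.realpath(lower)
        self.upper = os.path.realpath(upper)
        os.makedirs(self.upper, exist_ok=True)

    def _resolve(self, layer, rel):
        # Confine every path (after symlink resolution) to its layer,
        # so "../x" or an absolute path cannot reach outside the sandbox.
        full = os.path.realpath(os.path.join(layer, rel))
        if os.path.commonpath([layer, full]) != layer:
            raise PermissionError(f"path escapes sandbox: {rel!r}")
        return full

    def _whiteout(self, rel):
        head, tail = os.path.split(rel)
        return self._resolve(self.upper, os.path.join(head, self.WHITEOUT + tail))

    def exists(self, rel):
        if os.path.exists(self._whiteout(rel)):
            return False  # deleted inside the sandbox, still present below
        return (os.path.exists(self._resolve(self.upper, rel))
                or os.path.exists(self._resolve(self.lower, rel)))

    def read(self, rel):
        if not self.exists(rel):
            raise FileNotFoundError(rel)
        upper = self._resolve(self.upper, rel)
        src = upper if os.path.exists(upper) else self._resolve(self.lower, rel)
        with open(src, "rb") as fh:
            return fh.read()

    def write(self, rel, data):
        target = self._resolve(self.upper, rel)  # never the lower layer
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        marker = self._whiteout(rel)
        if os.path.exists(marker):
            os.remove(marker)  # a rewrite cancels an earlier delete

    def delete(self, rel):
        if not self.exists(rel):
            raise FileNotFoundError(rel)
        upper = self._resolve(self.upper, rel)
        if os.path.exists(upper):
            os.remove(upper)
        if os.path.exists(self._resolve(self.lower, rel)):
            marker = self._whiteout(rel)
            os.makedirs(os.path.dirname(marker), exist_ok=True)
            open(marker, "wb").close()

    def changes(self):
        """List what the sandboxed program did, for review before keeping it."""
        out = []
        for root, _dirs, files in os.walk(self.upper):
            rel_dir = os.path.relpath(root, self.upper)
            for name in files:
                deleted = name.startswith(self.WHITEOUT)
                real = name[len(self.WHITEOUT):] if deleted else name
                path = os.path.normpath(os.path.join(rel_dir, real))
                out.append(("deleted" if deleted else "written", path))
        return sorted(out)

    def discard(self):
        # Reverting the program's changes is just deleting the upper layer.
        shutil.rmtree(self.upper)
        os.makedirs(self.upper)


def demo():
    """Constructed session: a misbehaving program runs against throwaway dirs."""
    base = tempfile.mkdtemp(prefix="cow-demo-")
    try:
        lower = os.path.join(base, "home")
        os.makedirs(lower)
        for name in ("notes.txt", "keep.txt"):
            with open(os.path.join(lower, name), "wb") as fh:
                fh.write(b"original")
        box = CowOverlay(lower, os.path.join(base, "buggy-app"))
        box.write("notes.txt", b"tampered")
        box.delete("keep.txt")
        try:
            box.write("../escaped.txt", b"x")
            escaped = True
        except PermissionError:
            escaped = False
        with open(os.path.join(lower, "notes.txt"), "rb") as fh:
            real_file = fh.read()
        result = {"app_view": box.read("notes.txt"), "real_file": real_file,
                  "keep_visible": box.exists("keep.txt"),
                  "keep_on_disk": os.path.exists(os.path.join(lower, "keep.txt")),
                  "escaped": escaped, "changes": box.changes()}
        box.discard()
        result["after_discard"] = box.read("notes.txt")
        return result
    finally:
        shutil.rmtree(base)
```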
NeXT figured out that this could potentially be a gigantic security hole and switched off file access from display postscript.
Wrong, in no way is virii EVER correct. Notice the extra "i"? Is it actually "virius"? Have you recently checked the statii on your projects?
One could then excuse oneself by saying "viri" but that is already a Latin word -- for "men".
A sibling to your comment posted another good link: allow me to redund* http://spl.haxial.net/viruses.html
Note there that the dictionary includes "emoticon" and "smiley" but does not include virii - however viruses is there as a plural form. So the dictionary is evolving along with the language.
If you want to slog through the whole Tom Christiansen article, you'll actually see that in Latin, there IS no plural for virus.
* little joke there
It's not virii because virii is the plural of the non-existent word "virius" (declined as filius). And it can't be viri, either, because viri is vir nominative plural. That's the exhaustive explanation. The more meaningful explanation is that virus had no plural in the Latin for the same reason that love, information and water (usually) have no plurals in English. Virus originally meant filth, venom or poison, and so a mass noun, not a count noun. So viruses is correct, either because it's the standard rule for the formation of English plurals, because all the other possibilities are exhausted, or because the OED says so, whichever seems most convincing.
This thread has the wrong idea about how this feature works. The dialog does not appear the first time any app is launched. It only appears if you try to open a document or URL that results in the Finder having to launch an app that you have never launched before. There are very few legitimate situations where you would have to do this, so it's quite likely that some users have never seen the message before.
This dialog is meant to deter the following exploit:
There really isn't that much to distinguish modern operating systems.
That's laughably absurd. Please understand I don't say this with malice, but you are ignorant. Please open yourself to learning before speaking on subjects you are ignorant of.
They all have integrated networking, more or less elaborate means of access control, a pretty GUI and some utility apps
Oh, you mean they are all OS's? I guess Firefox and IE are equally exploitable as well, since they both "are integrated multimedia/hyperlink graphical viewers with a pretty UI and integrated plug-in architectures"?
Microsoft has made some baffling mistakes wrt the implementation of some of its userland software, but has ultimately fixed all of them as far as I'm aware.
That's absurd. What do you think the odds are that you have seen the last Windows virus/worm, that MS has finally fixed the last of their mistakes?
On the other hand Apple doesn't seem to take privilege escalation very seriously.
This isn't even in the same ballpark as Windows' security flaws. You can't exploit that remotely, and you can't base a worm on it. The best you can go for is a trojan, which is bad, but not the issue.
A number of them have been mentioned by another poster in this thread.
Will you quit showing your blatant sub-retard ignorance? They were all jokes, trojans, an actual legitimate program called "SoundDiver Virus" (and not a "sound driver virus" like the poster claimed), or required you to enter your admin password. Some idiot just googled for "mac os x virus" and pasted.
No, I contend that Windows is subjected to the most attacks because it has the largest market share.
Yeah, NO SHIT. Everyone can agree on this. But the point is that there is not one single virus or worm for OS X. NOT ONE! No one is saying OS X should have an equal number of viruses and worms as Windows. But why not one? You don't understand how operating systems work. You understand a few concepts, but you don't actually understand the security models involved. If you did, you'd realize that market share doesn't account for the disparity.
The largest and most important parts of OS X don't derive from BSD. At its lowest level, OS X runs a Mach kernel, which was originally developed at CMU. Quartz, Cocoa and Carbon are NEXT/Apple developments. The "BSD heritage" of OS X is mostly a syscall table and some commandline tools that nobody uses.
Your last sentence is patently absurd and completely false. The rest is just facts that you clearly do not understand.
Even so, who said BSD was all there was to OS X? NO ONE. What was stated was that because OS X has a BSD foundation (and is, in fact, based directly on BSD, and OS X is Unix), it has certain design features which are, in practice, far more secure than those of Windows. That doesn't mean someone couldn't make a security hole ridden BSD, but it would certainly be less likely.
I'm telling you again, as a professional sysadmin and programmer, and a computer hobbyist (many architectures and OS's, including Amiga, OS/2, and Linux since prior to kernel 1.0 was released) that you do not understand the issue.
Services on by default, a lame firewall, ActiveX, Outlook, UI policies on file extensions, VB script, and a poor security policy, are all things that MS should have (and could have at any time in the past ~10 years) fixed by now. Had these things been taken care of, the Windows world of "viruses, worms, trojans and spyware" would be so incredibly small compared to now that it's hard to imagine.
Those things are all vectors, easily exploited vectors, for infecting Windows. Mac OS X has its potential vectors as well, but they are all more difficult to exploit. That's really all there is to it. The BSD heritage helps here similar to how decisions made in Win95 are still haunting MS now. You don't go a