ztnktl's comments

>Microsoft Windows ends up being the most secure general operating system

It already is. What, exactly, is better than Windows at security features on desktop computers? Linux? There is nothing in there that comes even close to the defensive features of Windows, like HVCI, a subsystem that checks for driver signatures and the like, isolated by virtualization mechanisms, which completely prevents tampering with the kernel. Linux's support for Secure Boot only exists to make it convenient to dual boot with Windows; it doesn't do enough to prevent kernel-level rootkits, it's a total placebo, and it's even worse if you use a distro that doesn't have signed kernels, like Arch Linux. If you're self-signing on the same computer, how exactly are you stopping malware?

Since Vista, the OS also gained some serious resilience against crashes that I have never seen on other operating systems. For example, it is possible for your desktop session to survive a GPU driver crash. On Linux this is a guaranteed freeze or kernel panic. This is, fortunately, a rare event, but the last times I've seen my computer freeze on Linux, it was always because of the graphics stack.

OpenBSD's slogan for having few remotely exploitable holes out of the box doesn't mention that it's because it has literally no features enabled out of the box.

macOS and iOS are the systems with the greatest amount of privilege escalation fails by far. In fact, what do people think jailbreaks are? Some of which are truly frightening when you think about what could have been. Multiple jailbreaks were made that could be run just by browsing a webpage in Safari. This means they punched through the browser, punched through privilege escalation and had the potential to install a rootkit on your phone. Just by visiting. A. Webpage.

How many times has such a thing happened on Windows in recent years? Visiting a webpage installed a rootkit on your computer?


Disagree, macOS is way ahead. Windows code signing is a half-implemented joke that doesn't do much and apps can easily tamper with each other at will (unless they're installed using MSIX which not much uses), whereas macOS code signing actually works and will stop apps tampering with each other completely.

The macOS app sandbox actually works. On Windows nothing uses the app sandbox due to serious bugs and performance regressions. Chrome rolls its own sandbox for example.

SIP successfully stops macOS getting screwed up. The number of Windows installs out there in some bizarre half-broken state is incredible. It's routinely the case that API calls which work on one Windows system don't work on others even at the same patch level for no clear reason at all, which trace back to weird configuration differences to the OS.

Windows still relies heavily on client side virus scanning. Apple do malware scanning server side and then lean on their code signing and integrity systems instead, which is one reason Macs have great battery life.

And then there's all the other more well known security things Apple do with secure processors and the like.

Windows is just so far behind and they're so drowning in tech debt it's unlikely they'll ever catch up.


It's difficult to quantify something like this, so obviously treat this data with proper skepticism. But: CVE Database, just looking at 2022.

- Windows 11: 498 reported CVEs in 2022. [1]
- MacOS: 379 CVEs [2]
- iOS: 242 [3]
- Android: 897 [4]

Linux isn't as well-comparable or categorized (especially given it's just the kernel, and there are dozens of other "products" which make up an equivalent to what Microsoft would call "Windows 11"). Nonetheless: 306 [5]

You should check your preconceptions and susceptibility to Apple's marketing. No one is substantially far ahead or far behind (except maybe Android, but again, these are hard to compare apples-to-apples). Everyone still experiences roughly the same class and magnitude of vulnerabilities. But, everyone is also getting better at it.

[1] https://www.cvedetails.com/product/102217/Microsoft-Windows-...

[2] https://www.cvedetails.com/product/70318/Apple-Macos.html?ve...

[3] https://www.cvedetails.com/product/15556/Apple-Iphone-Os.htm...

[4] https://www.cvedetails.com/product/19997/Google-Android.html...

[5] https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...


I'm not sure how that rebuts my point? macOS has a much lower number of CVEs than Windows. But there's a lot more to security than CVEs, and my post was about issues that CVEs don't track. BTW Apple marketing isn't what led to my views, they're based on direct experience with the security mechanisms of both operating systems up close and personal.


Well, you know what they say about being too close to something to speak on it objectively. Which in this case means: there's the way these systems were designed to work, and how they actually work toward the end-goal of keeping the systems they secure, secure.

I'll believe that Apple's operating systems are significantly and measurably more secure when they can make it a few years without a maliciously formatted iMessage crashing the kernel. Until then, it's arguing minutiae. Everyone has security issues. Everyone is taking steps toward improving their security. No one is so far ahead that they're worth white knighting on HackerNews.


> macOS has a much lower number of CVEs than Windows

More than 75% of Windows CVEs isn't exactly "a much lower number of CVEs", even without considering its actually much lower market share.


You probably need to rebase that for usage stats (install base)


The CVEs / Install Base ratio is a pretty silly metric for determining the security of a product. A large number of CVEs could tell you that the users and developers of a particular product care a lot (or are paranoid or are simply security minded) about security, and want to give notice of issues to as many people as possible.

This is a live issue in the Rust community, which does appear to care a great deal about security, as to how to deal with minor/theoretical vulnerabilities perhaps unworthy of a CVE.


> Disagree, macOS is way ahead.

Apple is a consumer electronics company. For serious tools, use Windows.


For serious privacy loss use Windows


Hold your horses there my good friend. Yes, Windows is better now than it was in the past but is still a shitty OS. None of them are actually. All of them continuously fail every single year at hackers gathering/hackatons/whatever public event, with multiple zero-day showing. Every single major OS out there is a joke from security point of view.


This. Parent is deluded if Windows can even be compared to a hardened Guix setup with rollbacks and sandboxed Chromium/IceCat.

I would think otherwise if Windows used virtualisation and sandboxing to run old Win32 apps from XP and below. Because lots of enterprise software depends on proper compatibility modes, and there the security gets thrown out of the window.


iOS has some seriously nifty security mechanisms that take advantage of features baked into the Apple processors. Stuff like pointer authentication and page protection layer (something akin to HVCI, without the hypervisor). Jailbreaks are getting harder and harder.

Both Windows and iOS (I can't speak to macOS) are becoming incredibly security-mature operating systems via these security mechanisms that get stacked on top of one another. Saying one is better than the other in terms of security is hard to quantify.

Windows still does have some issues with user mode logical exploitation through DLL hijacking, or issues with credential relaying, although relaying targets are generally known and mitigated by enterprises.

iOS still has issues with remote attack surface; however, it has gotten better with iOS 16 and BlastDoor + Lockdown.


Anecdote:

I've tested a two- or three-year-old Chrome version with a JIT compiler vulnerability and guess what - on an empty Linux VM it managed to escape Chrome and execute code.

Meanwhile on Windows with CrowdStrike software installed, Chrome just showed some error message about mem. access.

I'm not sure who handled that attack - was it Windows or CrowdStrike - but either way I've been impressed.


I can pretty much guarantee that the Windows kernel stopped unallowed memory access from chrome to outside apps.


Under OpenBSD, pledge and unveil would have sent that Chromium instance a SIGABRT. Your parent comment is utterly wrong.


With or without SELinux enabled?


Idk, that was a fresh install.


I know Windows has many security features disabled by default. Where do I start to learn about them and maybe get some nice baseline recommendations for my home/office laptop?
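A starting point for the question above: a script that reports whether the Windows features mentioned upthread (Secure Boot and HVCI) are actually enabled on a machine. This is an added example, not something posted in the thread; it assumes an elevated PowerShell on Windows 10/11 and uses the built-in Confirm-SecureBootUEFI cmdlet and the Win32_DeviceGuard CIM class, while the function name Get-KernelProtectionReport is my own.

```powershell
# Added example (not from the thread): report whether the kernel-protecting
# features discussed above are on for this machine. Requires an elevated
# PowerShell on Windows 10/11; the cmdlet and CIM class used are built in.

function Get-KernelProtectionReport {
    $report = [ordered]@{}

    # Secure Boot state from UEFI. Throws on legacy BIOS or in a non-admin shell.
    try {
        $report.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBoot = "unavailable ($($_.Exception.Message))"
    }

    # Device Guard / VBS state. SecurityServicesRunning contains 2 when HVCI
    # (hypervisor-enforced code integrity) is active and 1 for Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $vbs = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }
    $report.VirtualizationBasedSecurity = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
    $report.HVCIRunning     = [bool]($dg.SecurityServicesRunning -contains 2)
    $report.CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    # Kernel-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced.
    $report.KernelCIPolicy  = $dg.CodeIntegrityPolicyEnforcementStatus

    return [pscustomobject]$report
}

$r = Get-KernelProtectionReport
$r | Format-List

# Flag the gaps a defender wants closed: without Secure Boot and HVCI, an
# unsigned or locally self-signed driver can be loaded into the kernel.
if ($r.SecureBoot -ne $true) {
    Write-Warning 'Secure Boot is not confirmed on.'
}
if (-not $r.HVCIRunning) {
    Write-Warning 'HVCI is not running; enable Memory integrity under Core isolation in Windows Security.'
}
```

The CIM class is also what the Windows Security app reads, so its output and this report should agree.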



If, a big if, you don't need version control, rsync will do. It can handle any imaginable amount of data and it can work over ssh or for local file syncing. It is much, much faster than other solutions too.

It is my main tool to manage things that aren't code, and I give myself the ability to go back to older files or undelete things in a KISS manner by having multiple rsync destinations that are used in rotation.


> Feels like they've adopted some patterns from OSX for the better.

No, Windows 11 is a cargo cult. It imitates the look of an OS X dock (centered icons, no window titles, large icons etc.) but not the parts that make it properly functional. Have you tried to drag and drop an app to make a shortcut there? It doesn't work. For that matter, many modern Windows 11 things do not understand the very notion of drag and drop.

By the way, the Windows 11 taskbar has no Quick Launch. Without Quick Launch, you can't pin documents or folders to your taskbar.

Mac OS X allows you to drag anything to the dock. App, folders, documents. In the case of folders, clicking them will even show you the last modified files in a quick preview list. The dock can't do everything a windows taskbar can do, but it has its own advantages.

Windows 11's taskbar is, on the other hand, a dock with no advantages. There's nothing it does that makes it an improvement over what Windows 7 could already do (I cite Windows 7 because it was the one that added most of the features that can make the taskbar feel more like OS X's dock, but those features, like grouped windows, were purely optional). You can't even have it on the sides of the screen anymore either. It was rewritten... just for the sake of being rewritten. Developer churn at MS with no improvement on the user's side. Why?

I, as a person who has dealt for many reasons regularly with all the major desktop OSes, hate Windows 11 the most for how arbitrary the loss of features has felt. I hate it almost as much as I hate Gnome 3, but one advantage Gnome 3 has is that... you don't have to use it, Linux has a lot of real desktops. KDE, XFCE, LXDE, customized tilers...


Hate is such a strong word… I personally prefer Windows 11 to the jumbled mess that MacOS has recently become. Windows Subsystem for Linux is a major improvement over the BSD junk running on Macs. The tabloid headlines and Edge are annoying but it’s easy enough to turn that stuff off.

