There are a couple of different ways that I’ve heard this Myth expressed. The first is the one Apple marketing promulgates as “built upon a Unix security foundation”, or, as articulated at http://www.apple.com/macosx/features/security/:
Security At the Core
Apple makes its source code available and uses time-tested open source software; the developer community examines the system’s security measures, illuminates areas of weakness, discusses and finally implements improvements to close security holes. Through this cooperation, which is inherent in open software development, Apple and the open software community can provide a more secure system and quickly respond to security issues. Apple works closely with security watchdog organizations CERT and FIRST.
The second thing that I think contributes to this Myth is the idea that Mac OS X is more “conservative” in the way Apple approaches security. Again, Apple marketing reinforces this idea, which you can read at http://www.apple.com/macosx/features/security/ under “Secure Default Configuration” and “Personal Firewall”. However, that doesn’t seem to be the full story.
Rather than re-inventing the wheel, I scavenged around a bit and found The Mac OS X Threat Landscape: An Overview by Symantec, in which Aaron Adams digs into this a bit deeper. Under “Mixing Mach and BSD”, one of the more interesting findings is:
Another example is the chroot() system call, which is part of BSD. This call restricts a process to an isolated environment designed to prevent access to files, processes, and devices that are external to that environment. Again, however, these restrictions are applied only to BSD services. Using Mach-specific kernel services, it’s possible to effectively break out of the restricted environment and carry out activities on the root of the system.
Further information regarding attacks on these types of weaknesses can be found in the following e-zine article: Abusing Mach on Mac OS X, http://uninformed.org/?v=4&a=3&t=sumry
In the following section, “Default services and firewall policies”, Aaron finds:
Research has been conducted and made publicly available at security conferences and websites on default services and firewall policies for OS X. On Mac OS X 10.3 (Panther), the firewall is disabled by default; after activating it, only TCP rules are implemented. UDP and ICMP activity is permitted without restriction to the system. On Mac OS X 10.4 (Tiger), it’s possible to activate UDP and ICMP filtering, but simply enabling the firewall will not turn them on.
Furthermore, on systems where firewalls are enabled and UDP filtering has been enabled, there are holes in the rules that allow an attacker to contact any UDP service, namely by setting their source port to 67 or 5353, ports associated with the DHCP and Bonjour services.
Research has also shown that by probing Bonjour it’s possible to fingerprint the Security Update status of a target host, revealing to the attacker the security posture of the host.
Further information on these discoveries can be found in the following conference given by Jay Beale at Defcon 14. http://bastille-linux.sourceforge.net/jay/dc14.pdf
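To make the “holes in the rules” point concrete, here is an added example (not code from the original post, from Symantec, or from Apple) that models an ipfw-style first-match UDP policy. The rule shapes are my assumption of what a policy looks like when it whitelists DHCP and Bonjour traffic by source port alone, placed beside a corrected policy that keys the exemptions on the destination port the service actually listens on. The packets are constructed, and the port numbers beyond 67, 68 and 5353 are just sample targets.

```python
"""Illustrative ipfw-style first-match filter (added example, constructed data).

Models the weakness described above: an exemption that matches only on the
*source* port lets a probe with a spoofed source port reach any UDP service.
The rule shapes are assumed approximations, not Apple's actual rule set.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "udp", "tcp", or "ip" (any)
    src_port: Optional[int] = None   # None matches any source port
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides, as in ipfw; default deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Weak policy (assumed shape): DHCP and Bonjour exempted by *source* port only.
WEAK_RULES = [
    Rule("allow", "udp", src_port=67),     # DHCP server -> client replies
    Rule("allow", "udp", src_port=5353),   # mDNS / Bonjour
    Rule("deny", "udp"),                   # everything else UDP
]

# Corrected policy: exemptions keyed on the port the local service listens on,
# so the exemption cannot be aimed at an arbitrary UDP service.
FIXED_RULES = [
    Rule("allow", "udp", src_port=67, dst_port=68),   # DHCP client listens on 68
    Rule("allow", "udp", dst_port=5353),              # mDNS listens on 5353
    Rule("deny", "udp"),
]


def probe_with_spoofed_source(rules: List[Rule], src_port: int, target_port: int) -> str:
    """Attacker sets their source port to src_port and aims at target_port."""
    return evaluate(rules, Packet("udp", src_port, target_port))


def audit(rules: List[Rule],
          exempt_sources: Tuple[int, ...] = (67, 5353),
          sample_targets: Tuple[int, ...] = (53, 111, 161, 514, 631)) -> List[Tuple[int, int]]:
    """Return (src, dst) pairs a spoofed-source probe can reach; empty means no hole."""
    return [(s, d) for s in exempt_sources for d in sample_targets
            if evaluate(rules, Packet("udp", s, d)) == "allow"]


if __name__ == "__main__":
    print("weak policy reachable:", audit(WEAK_RULES))
    print("fixed policy reachable:", audit(FIXED_RULES))
```

Running `audit` against the weak list shows every sample target reachable from source port 67 or 5353, while the corrected list exposes only the two ports the exempted services listen on. On a real ipfw, `keep-state` (or a separate stateful firewall) is the more robust fix, since it admits replies only to requests the host actually sent.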
That’s the look backward, in some sense, as to how Mac OS X may or may not benefit from its Unix roots. Looking forward from there, though, progress has been made in security architecture since Unix was the pinnacle of Internet computing. Again, I don’t need to re-invent the wheel; I’ll just point you over to Gunnar Peterson’s OS Security Features Chart, where the Matasano team posted this default exploit mitigation chart (read the sources there):
I should also note, as does Matasano, that recent minor versions of Mac OS X have added NX stack protection.
Even with that though, the idea that Mac OS X leads the pack in security architecture seems pretty hard to support…