You're a smaller target - as long as the market is smaller. As more people switch (which is happening and shows no sign of stopping), the relative payoff for targeting non-IE/Windows installs gets bigger. And there's big money in botnets and other exploits now, money enough to make pwning machines a career. I work in tech support, and one of the things I have had to deal with over the last year was a flood of DNS changer trojans on the Mac. The worst part of it was that the attack pattern on the Mac is MUCH less sophisticated and stealthy on the Mac (on Windows the trojan burrows in and attempts to hide that the DNS servers have been changed, whereas on the Mac it's blatantly obvious). Nonetheless, I almost NEVER see this trojan affecting our Windows customers, whereas it was a significant proportion of our Mac tickets. This isn't an apples-to-apples comparison as the attack vector is pure social engineering (install our codec to see the bewbs) rather than a technical exploit. But I think it shows the kind of cargo-cult security mindset that non-technical users can have. Call it the seat-belt effect, if you will. Or security via obscurity, which only works until it's worth someone's while to break that obscurity.
Also, the July 6 DirectShow exploit appears to not affect IE 8 per Symantec via PCMag. That would seem to show that MS is FINALLY beginning to start taking security seriously.
Finally, don't think I'm trying to suggest Win/IE is more secure than the alternatives. It's usually less secure, mostly because users hate security. The only secure computer is one that is walled up in a closet with no console or power, and even then you can always take down the wall with demo tools :) But someone who switched from IE8 to Firefox 3.5 is more vulnerable to the exploit in the original post than I am running IE8 on Vista. (Per Symantec via PCMag - if that's changed I haven't seen anything on it). IE8 isn't bulletproof either - see the recent pwn2own contest (in which all major desktop browsers were exploited) and it would appear that it took MS 3 months to close the exploited hole. But it's not exactly Swiss cheese either.
These are all very good points, and are worth highlighting:
1. Nothing is invulnerable, as the Mac trojans demonstrate. I'd argue (in fact, I have) that the Unix architecture is inherently harder to attack than Windows, but this just shifts the focus of the Bad Guy. As long as users can be fooled into installing your malware, you're vulnerable.
2. If something is more popular, it will be attacked more (market share matters). The worst situation is something popular that has weak security (Internet Explorer 6 on unpatched Windows XP with the user running with Administrator privilege), but market share = target share. Sitemeter tells me that 15% of you use Safari; combining that (interesting market share levels) with Apple's very cavalier attitude to fixing security bugs quite frankly makes your risk higher than if they had the same attitude that, say, the Mozilla Firefox team has.
3. Microsoft is indeed taking security more seriously. I know for a fact that they have been for years (from conversations I had with some of them back in 2001). This is now ingrained at Microsoft in a way that it simply isn't at Apple. Their architecture hurts them, and I really don't know why Internet Explorer can't update itself like Firefox does, but security is no joke inside the halls at Redmond.
4. In this day and age, it's a big, big security miss for the browser not to auto-update itself with security fixes (this is the one place where I somewhat disagree with Ian). IE 8 may in fact be more secure than IE 7 (and for dang sure is better than IE 6, which was a security nightmare), but it stays vulnerable much longer than Firefox or Opera. This is the biggest step forward that Microsoft could make for user security. Case in point: Sitemeter tells me that more visitors here run IE6 than IE8, and three times as many people use IE7 as IE6 and IE8 combined. Your mileage may vary, void where prohibited, do not remove tag under penalty of law.
Ian, thanks for leaving the comment, which is well worth everyone's time. As you say, there are no silver bullets, and being a smart security user is the most important thing that anyone can do. Maybe I should do a post on security awareness a la Jeff Cooper's color codes. The old saying from the shooting range applies especially well to Internet security: the most important safety device is the one you find between your ears.