Q: The myth that Apple operating systems are inherently more secure is slowly abating as Apple gains in market share and becomes a more attractive target for attackers; do you believe the relatively slow adoption of security standards like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) was simply a matter of cost over benefit?

A: Product security is something that is very hard to measure. Because of this, it is difficult for users to make purchasing decisions based on security and therefore companies have little incentive to spend money on it.

Apple doesn't have a perceived security problem by customers and so they haven't had a need to invest heavily in it. I've done what I can to try to educate people that Apple products aren't magical and can have security problems like every other product.

Q: Can you explain how DEP differentiates between data and executable code to prevent a successful exploit?

A: Each page in memory is marked as either executable or non-executable and the processor will not allow pages marked as non-executable to execute. In this way, the actual program and its associated libraries will run fine, but if the processor tries to execute data provided by the user (i.e. attacker), it will crash rather than "run" the data.

...

After the random drawing, I was fourth in line. So, four of us showed up with Safari exploits, but the first team won (from VUPEN). Now, the contest is over for that target and there are three of us with exploits but nothing to do with them.

Thats the worrying bit. If they have to submit those exploits as well then theres a good chance they will be addressed other wise...

"However, experience shows me that OS X probably has more bugs than a Windows browser. Every QuickTime vulnerability is accessible through the browser, and there are a lot of those! As for difficulty of exploitation, Mac OS X is weaker than Windows 7 as well. The industry standard for stopping exploitation are Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). While these are highly technical terms, the fact is that Windows since Vista practises full ASLR and DEP while OS X does not. OS X only randomises some portions of memory and so does not have full ALSR and its DEP is limited to only 64-bit processes, like Safari, but does not affect 32-bit processes like Flash."