OSNews

What makes you think that such a worm would be impossible if you put a fuzzer to an OGG vorbis or OGG theora file?

Heck, BIND which is internet-facing software that accepts much simpler requests than the average media file had exploitable buffer overflows for a number of versions.

Microsoft got the security religion rather late, but we've been pretty darn good at it for the last 7 years. As nbernardi said, it's a commercial enterprise now. Vista exploits go for $50,000 a pop... that's not chump change so there are many people looking. And it's a pretty asymmetric game... we have to release a lot of stuff on a deadline and make sure it is functional, secure, reliable, usable, localized, and everything else whereas the attackers can sit for a long time without any particular deadlines looking for one chink in the armor. And these days, attackers don't even bother going after the OS or even the Applications, but instead just ask users to open executable trojans... there's nothing an OS can do against a program that a user willingly launches.

Re: The ActiveX issue, how is ActiveX different in vulnerability from the Netscape/Mozilla plugin model that every other browser uses? It seems like the same attacks are applicable to both.

If the OS X market continues to grow, perhaps we shall see a similar set of attacks against that system... I mean, getting a user to click on a malicious program is not a particularly OS-specific attack (a trojan doesn't need root to do most of its useful dirty work).