Windows client machines have far greater protections within the OS – especially within the heap and stack – structures within the OS that applications use to assemble code, request the memory to execute it and set a priority for that function compared to others also waiting to run.
Malicious code can corrupt data in heaps or stacks in specific ways to make other security modules choke, or overflow the buffer protecting the heap, allowing the virus to assign itself whatever memory and priority it wants and gain access to the lists of data or resources linked to the heap or stack for easy reference.
Versions of Windows from XP SP2 and above use a security cookie to identify chunks of code as safe.
They also include the ability to unlink tables pointing to other resources so that, if the heap or stack is corrupted, the virus can be isolated there rather than learning how to access other disks, more memory or other machines.
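As an added illustration (not code from the article, from Microsoft or from Apple), here is a toy free list in C that models the two heap-hardening ideas just described: a per-chunk header cookie and a "safe unlink" consistency check that refuses to follow a chunk's links when they no longer point back at it. The chunk layout, the fixed cookie value and the simulated overflow are all constructed for the demo; real allocators randomize the cookie per process.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define HEAP_COOKIE 0x5A  /* constructed, fixed for the demo only */

typedef struct chunk {
    uint8_t cookie;       /* header cookie; must still equal HEAP_COOKIE */
    struct chunk *flink;  /* forward link in the free list */
    struct chunk *blink;  /* backward link in the free list */
} chunk_t;

/* Sentinel head node of a circular doubly linked free list. */
static chunk_t free_head;

void freelist_init(void) {
    free_head.cookie = HEAP_COOKIE;
    free_head.flink = free_head.blink = &free_head;
}

/* Insert a chunk at the front of the free list and stamp its cookie. */
void freelist_push(chunk_t *c) {
    c->cookie = HEAP_COOKIE;
    c->flink = free_head.flink;
    c->blink = &free_head;
    free_head.flink->blink = c;
    free_head.flink = c;
}

/* Safe unlink: use the chunk's pointers only if they are self-consistent.
 * Returns true when the chunk was unlinked, false when corruption was detected. */
bool freelist_unlink(chunk_t *c) {
    if (c->cookie != HEAP_COOKIE)                      /* header overwritten */
        return false;
    if (c->flink->blink != c || c->blink->flink != c)  /* neighbours disagree */
        return false;
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
    c->flink = c->blink = NULL;
    return true;
}

/* Demo: an intact chunk unlinks; a chunk whose header was overrun is refused. */
bool demo(void) {
    static chunk_t a, b;
    freelist_init();
    freelist_push(&a);
    freelist_push(&b);
    bool ok_intact = freelist_unlink(&b);
    memset(&a, 0x41, sizeof a);  /* constructed: neighbouring buffer overflow smashes a's header */
    bool ok_corrupt = freelist_unlink(&a);
    return ok_intact && !ok_corrupt;
}
```

Without the cookie check the second unlink would dereference the overwritten pointers, which is exactly the step a corrupted heap must not be allowed to take.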
Mac OS X 10.5 uses a checksum to verify the identity of the code that's about to execute within the heap.
The Login Keychain in Mac OS is also vulnerable to brute-force cracking of the user's password, which a piece of malware can be designed to do after getting itself enough memory and privileges to run.
Login Keychains typically contain login data for more than one user, so once one password is cracked, the malware can give itself the privileges of all the users in the chain, then use those to authenticate itself to various segments of the OS, which it can then explore.
Windows User Account Control is also vulnerable to spoofing, but not as simply as Mac OS, Stamos said.
The Lion version of OS X includes a sandbox that can trap malware in an area with restricted memory, disk and network access, and refuse to elevate its privileges far enough for it to get itself out of the trap.
What about the server?
Within the server itself – or at least on the way to the server – malware has a far easier time.
The default install of the Snow Leopard version of Mac OS X leaves 28 network ports open and includes so many authentication flaws that it's not reasonable to trust it.
The host of available authentication mechanisms, for example, allows an attacker to degrade the authentication – request and receive a simpler sign-on process – so that relying on the comparatively safe Kerberos authentication gives server administrators a false sense of security.