That’s one of the more interesting take aways from this interview at zdnet with Pwn2Own Hacker Charlie Miller.

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

They go on to say that Chrome on Windows is the most secure:

here are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you’re in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.

Worth a read.