Security Statistics and Operating System Conventional Wisdom
kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
...where MS wants you to use Firefox and Mac OS X is less secure than Windows!
It would be cool if it didn't suck.
I don't think too many people have said MacOS X is especially secure just that no one cares enough to exploit it.
We would all like to thank the millions of dollars Microsoft invested in our research to bring it to the successful conclusion.
It took us a couple of tries to get the results so that they would give us the right answer, but eventually we figured out a way. Microsoft kept funding us all along the way.
Thank you!
You mean Debian GNU/Hurd, the only real Hurd distribution?
If you trace the money, there won't be much surprise in who it leads back to.
---- Booth was a patriot ----
Until LanManager authentication is totally removed (not just turned off) from Windows, Windows will not be secure. There are just too many exploits involving LM authentication to take Windows seriously.
right?
Stand clear of the doors. The doors are now closing.
I wouldn't be the least bit surprised to find that this "Secunia" derives funding from a common source with SCO.
Would be nice to see how many of these *potential* exploits resulted in actual malware/hackers using them.
Just because the potential is there doesn't mean these holes have exploits running in the wild.
It's a risk thing...Windows exploits are *more* likely to be exploited than Solaris ones, but that doesn't mean the Solaris ones won't be exploited (cf a couple of super computer centers getting hacked!)
...and everyone says that Microsoft is paying Secunia to do this, etc. (like with AdTI, though AdTI really is getting funding from MSFT, different story), read this: http://www.linuxinsider.com/story/32370.html
It seems that it was Secunia which released lots of IE bugs, and that Microsoft has had scuffles with them before. Unless someone here has evidence that they got funding from MSFT since then, don't say that.
The Mac and Linux communities need to accept the fact that Windows, however much you might HATE Microsoft, is more secure.
How many independent reports have we seen that come to the same conclusion? 10? 20? The head in the sand approach won't work. The "Microsoft Shill" theory doesn't hold water.
No, it is time for the Linux community to address these issues and bring Linux back up to the level of Windows.
And by the way, I'm a cybersecurity consultant, so I know what I'm talking about.
Does anyone know of this company? Are they another AdTI? Any known connections to SCO or Microsoft? Is it tinfoil hat time or is it time to reconsider our prejudices about stability and security?
Your CPU is not doing anything else, at least do something.
Actually, I think the next stable release won't be that long now. And Hurd is definitely not going to be ready for all platforms Debian supports by that time.
Please correct me if I got my facts wrong.
The lead line makes it sound like XP is more secure than OS X, and then you read down to find it's more like OS X isn't much more secure than XP.
Now if the comparison included the length of time that exploits were left unpatched we would get an entirely different picture...
http://jfin.org/jFin pure java open source financial library
It had to be said
Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.
FINALLY, someone who knows about pie charts, it's so clear now, absolutely no FUD can be present in pie charts..
Let's be positive. I'm trying to RTFA but I keep having to do my 'chants' to get over the FUD-ish language.
Maybe there's something in this,.. when I find some actual 'stuff' I'll get back to you.
The article opened with the words "The Microsoft Windows application".
I'm not sure I want to read any further.
from the article: "The Micorsoft Windows application is more secure than you think..."
...everybody can fuck around with her, while paying.
Windows 2000 - from the guys who brought us edlin
Didn't see the actual report, but I hope it's better than this incredibly inaccurate article!
:)
> The Micorsoft
erm, Microsoft?
> Windows application
Which one? Oh, you mean the Microsoft Windows "Operating System".
> is more secure than you think,
What do I think? Go on, what? Tell me!
> and Mac OS X is worse than you ever imagined
So what exactly did I imagine, dear writer?
Amateurs.
These sigs are more interesting tha
Looking at my email inbox, I see a ton of junk generated by the Windows virus/worm of the week. Looking at my firewall logs, I see very little probing for any of the Unix exploits.
When the difference in use of exploits is an order of magnitude or two higher for the 'doze stuff, it's hard to see how a mere "count of vulnerabilities fixed" means much at all. The basic design differences between unix and 'doze are profound, which is why the 'doze exploits do so well.
If a sysadmin is lazy and security unaware, he will ALWAYS be cracked into and exploited regardless of the OS used, Windows, Linux, whatever. At the same time, if he is vigilant and security aware he is unlikely to be seriously cracked and his systems will be stable, again regardless of the OS involved.
What I have found is that managing Linux properly is a lot easier and cheaper than managing the Windows OS's properly due to the better OS design in philosophy and security, and attitude of the OS maintainers.
THAT to me is what is relevant.
Web Sig: Eddy Currents
The facts are hard to look at, yet we all know that Linux, despite opinions to the contrary, has suffered from system holes. And to be quite frank, the fact that Mac OSX is leaking like a Swiss cheese should not come as a surprise to anyone.
Linux is fallible, but at least with open source we can find bugs and get rid of them quick, without waiting for patches. Windows is not as bad as OS X in this regard either.
I find the statement that Linux suppliers took longer to release patches. Is that true? I know security-conscious admins will patch themselves, but is it true that vendors will ignore minor bugs?
Perhaps this is what the MS reps meant when they said Linux was becoming more like Windows.
May the Maths Be with you!
I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3,000 (or whatever) packages included with the distros?
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.
The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.
Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!
These studies analyze the statistics of the security advisories and attempt to draw conclusions. I don't see the value of it.
Here's what I do: I just *assume* that all operating systems and software is insecure (unless djb wrote it, heh). After all, I'm constantly updating FreeBSD, Gentoo, and Windows, all the time, anyway.
Since it only takes ONE show-stopper bug to let in an attacker, it really doesn't matter to me how *many* bugs each OS has.
In my experience, the easiest OS to upgrade is OS X. However I don't manage any production OS X servers, just my own computers, so take that with a grain of salt.
Next easiest is Gentoo. You can upgrade just the components you need, BUT it's a little hard to separate the security fixes from the non-security fixes (they are working on that though).
Next is FreeBSD. Like Gentoo, it's hard to pick out just the security updates, but they are working on that too. Rebuilding the base OS is time-consuming and risky, so FreeBSD gets a mark for that.
Next is Windows. Too GUI-oriented, and service packs are too complex and cause breakage.
However we do manage to keep all machines up to date and implement layered security (firewall, network IDS, host IDS [tripwire], remote syslog, log monitoring.......)
Use VMS!
Gamingmuseum.com: Give your 3D accelerator a rest.
...most likely. Though I'm not going to bother investigating ties between M$ and Secunia.
In the real world, Windows machines are real sinkholes for real exploits, while Mac and Linux machines aren't.
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
These are the statistics that really matter:
Secunia Virus Statistics
Of course you'll notice the common Win32. in front of all of them.
This research tells you nothing about how secure an OS is. The number of security advisories has a lot to do with how diligent the OS manufacturer is in informing the public about security problems. For all we know Apple could just be a lot better about airing its dirty laundry than Microsoft. I would assume that due to the open source model, the statistics on SUSE were fairly accurate.
Give me Classic Slashdot or give me death!
One problem with counting only advisories is simply that there are different levels of transparency to users and developers among Windows XP, Linux, Solaris, and Mac OS X. One thing the study doesn't mention (which is unknowable, so they conveniently brush it off as unimportant) is how many covered-up or known-only-by-crackers vulnerabilities exist in each platform.
Also, why didn't the study mention OpenBSD? What about default configurations? Were the documented vulnerabilities always relevant or were they very obscure (e.g., service X used by three people in Greenland)?
I think this article smells biased.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
That OS X doesn't have any network service running when first installed!!.. Nothing, nada, zilch, zippo.. In order to get exploited you need to have something running that accepts connections.. The default install of Mac OS X doesn't have a thing. Whereas Windows has way too much enabled and exposed.. Most Linux systems nowadays, while they may have some things running, most are only listening on the internal host (not accessible outside the computer) and they enable the firewall by default.
Somebody explain to me how this article supports the claims that have been based on it.
``Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.
<snip>
SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access.
<snip>
Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.
Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.''
So, Windows XP and SLES had about the same number of vulnerabilities, but SLES manages to keep them out of the vital parts better. Mac OS X has had significantly (about 30%) fewer vulnerabilities, with the percentage of vulnerabilities leading to system level access on par with SLES.
What this says to me is that _if_ the detection ratio for all systems is the same (which I don't believe, but without this assumption, you can't say anything), WinXP is the worst, and OS X the most secure. This is exactly opposite to what is claimed.
Statistics don't change the fact that after running Mac OS X since its inception, I've not had one OS X virus, or any of these exploits used against my machines. And the stats don't take into account not just how quickly a patch is released, but how quickly the users of that OS patch it.
-- oldthinkers unbellyfeel ingsoc
Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.
"A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.
In other news, ebola is much more lethal than cancer. And the Commodore VIC-20 OS is much less secure than Windows.
--
make install -not war
as a Mac OSX user I have to defend my lil OS that could.
This poll does not take into account the time to resolution, effect of exploit, and how hard it was to actually perform the exploit. Honestly, all software has bugs, all software has exploits; it is the result of those exploits that I am more concerned with. Quite often Apple finds and fixes exploits before there are programs in the wild to exploit them. The same goes for open-source software, which I am sure some of the OSX advisories were a result of, given Apple's embrace of OSS.
Ask an Apple user how many Viruses, pop-ups, and unexplained daemons they have had on their system. The number will almost always be 0.
The study compares security alerts between OSes, but one problem with that is that at least under Linux, vendors not only release alerts for the core OS, but for applications as well.
If The Gimp has a security issue a Linux vendor will issue an alert for it.
If Photoshop has a security issue, MS won't inform you.
Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, plugging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.
I would be far more interested to hear, on the MacOs example for instance, how Apple responded to its security holes and how that compared to those of Microsoft or the Linux community.
Oxford Dictionaries Online
I glanced through the article and they seem to say that MacOS X had 36 vulnerabilities while XP had 48 over the same period. They then claim that this is not significantly less. Even if you discard all but the "serious" of the vulnerabilities (of which they claim MacOS X had more, but I disagree, not having seen any exploits for them) the two come out even at best. Why, then, are they so happy about XP?
90% of security is the administrator. So it really doesn't matter how secure the 'system' is, as a good admin can make most anything secure.
That said, most 'windows admins' are home users ( by percentage ) that have NO clue what they are doing...
Home *nix admins tend to have more clue..
The website was pretty slow, so here's a mirror:
Mirror.
They're just counting bug fixes. And counting how many are labeled critical. Well, that still doesn't factor in, at all, how easy it is to exploit. Fact is, if you try to run a system level program on Mac OSX, it STILL will ask for admin password. So a program can't be run on your machine in kernel space without your knowledge. Windows seems to have been made for just this purpose. This study is laughable. It's just a count the bug fixes garbage. Linux has more fixes and updates because open source is more honest. How often have we heard of M$ waiting six months to release fixes that they knew about? How many holes are there that the public doesn't know about?
Once again, we have someone comparing Windows with RedHat, while not taking into account that RedHat is comprised of many many additional applications that don't have equivalents in the Windows install. Not to mention many server applications (Apache, bind, sendmail, rsync, etc.) that enable the remote access that many of the security vulnerabilities use. I would wager that OS X is in a similar situation (when compared with Windows).
Let's have one of these companies do a real test. Where they take a Windows install, and then a RedHat (or SuSE) install crafted to match it as closely as possible. No servers, Mozilla installed on the Linux system. Just the basics. Then count the vulnerabilities. It will tell a much different story.
-Todd
"The details of my life are quite inconsequential..."
How many vulnerabilities result in unauthorized access ?
WinXP 21
Suse 18
OS X 12
In Soviet America the banks rob you!
In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to understand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in the OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.
Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.
A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?
Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.
Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.
Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.
Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.
Windows XP Professional and Windows XP Home Edition are listed separately. Windows XP Professional has 66 advisories total and 45 in the last year. Windows XP Home Edition has 58 total and 43 in the last year. For all versions of Mac OS X there are 36 total and 33 in the last year.
Windows XP Professional
http://secunia.com/product/22/
Windows XP Home Edition
http://secunia.com/product/16/
Mac OS X
http://secunia.com/product/96/
...this article reads like it was written by a PR person for Secunia. It's basically an advertisement for their service, with a bit of sensational news about OS X and Windows as the hook.
Looks to me like a case of a swiftly approaching deadline and a lazy editor at Computer Weekly. They just took a PR puff piece for Secunia, chewed it up, changed around a couple sentences, and spat it back out.
Pete Forsyth
This came up on OSNews a while back.
They count security patches from MS as 1 when they were actually patching 14 vulnerabilities.
They also didn't include the vulnerabilities in IE - which alone had nearly as many as OS X.
Their conclusion would be very different if they actually knew how to count.
It is nothing more than FUD dressed up as research.
Please post your comments about this article to columns@computerweekly.com
I don't know that the purpose for rating security problems matters, nor does the emphasis on head-to-head number of events matter a great deal either. For instance, I didn't note in the article a comparison of how quickly firms or organizations responded with security fixes or notices of the security problem. We all know that the Linux community would lead any such comparison.
It is interesting to note though that an OS or apps "perceived" security relies heavily on the community using it. That Windows is insecure is well known mostly because a lot of people take much delight in exploiting the flaws (and no doubt, there are a lot of flaws). However, with the flaws in *nix flavor OS, they're there but they are fixed quicker and there aren't a lot of people taking great delight in exploiting the flaws. The perception derives from this nuance.
On the issue of "who does or doesn't" get exploited - I installed RedHat 6.1 and before I could get the system updated and general security in place, someone had gained root access and left a funky UID behind as a "nya-nya". It had been connected to broadband for only 30 minutes. I installed RH 7 and there wasn't a repeat of the incident (although the attempts were numerous - once an exploitable IP gets found, it makes the rounds among certain folk).
Mod me troll, if you must, I can't help it.
Does this not really all boil down to sheer effort of continuous patching? Seems that all OS's and major applications have patch lists these days. Sure, the MS haters are actively exploiting the MS stuff, so the risk is higher. But if I had a Linux box, would I rest, not patch, because of this? I think not. Not to mention SSH, Apache, etc. I fear the junk that has no patches ... like printers and stuff that have web servers in them. Nice place for a Trojan to hide.
Peace
Of course, like all statistics though, these numbers only show part of the story. There are more holes (and more serious holes) in OSX, but does that really affect your system's security (i.e. the chances of your system being compromised)? There are fewer people (effectively zero) writing worms for Mac OS, so you've got a very small chance of that happening, and there are far fewer people who are experienced at targeted compromises of OSX systems (and most of those few are white hats), so again your chances of your system getting compromised are probably lower than a Windows user's.
I'm not trying to minimize this though, this is something that I hope will be taken very seriously by Apple and is a real eye-opener for myself.
They aren't "happy about XP". I didn't read this as an "XP is awesome! buy it!" piece at all. I read it as a "wake up you zealots, you could be every bit as vulnerable as anyone else" piece.
A false sense of security is not your friend. Especially if it's only based on fanaticism and not any sort of facts.
I don't need no instructions to know how to rock!!!!
Friends, it's clear from Secunia's own data that we should all switch back to MacOS 9, since Secunia knows of only one security issue for that OS.
Friends, you just can't argue with pie charts.
Secunia is simply saying this to "show" that they are not "anti-Windows zealots." I haven't heard much about OS X servers being cracked, and the only viruses created for OS X have been non-replicating proofs of concept. Moreover, no OS X program can screw up your system unless YOU GIVE IT YOUR ADMIN PASSWORD-- and hopefully you have your personal data backed up anyhow, as hardware failure hits when you least expect it.
Even on an administrator account, you can't screw up the operating system without a chance to bail out at a password prompt. Try that on Windows.
Browsing through Secunia's site doesn't reveal too much regarding the report mentioned in the article. The links to the vendors' security pages do show that Apple, SuSE, and others list vulnerabilities and security issues for products not developed by the particular company. Apple lists Apache, OpenSSH, rsync, and others. Most Linux and BSD operating systems report security vulnerabilities in third-party applications. Thus, with SuSE and Red Hat listed as having 48 and 50 vulnerabilities respectively, 57 of them are probably the same vulnerabilities.
In my experience Microsoft only lists security vulnerabilities for their own products. With the methods used in these statistics vulnerabilities and the open source community are probably overcounted many many times over.
Secunia is probably just trying to get attention.
I don't think using the term "cybersecurity" helped your case, but then again people telling you they know what they're talking about because of "X" is usually a good sign they don't.
Though I think we both could agree that no general purpose desktop operating system available today has adequate security.
"The last thing I want to do is deal with a bunch of people who want something."
Major Major
People are reading the summary and then this article and saying "bias! bias! bias!".
Re-read it carefully!
The summary is making it out to say that the article is suggesting Windows is the most secure OS (or at least more secure than OSX). Clearly, the article is simply saying that all the OSes are equally insecure. The summary was written by a true Slashdot/Linux fan in a way (intentionally or not) that influenced the opinions I see in these comments.
http://brandonbloom.name
So, the article says that OS X had 36 advisories last year, compared to 46 for Windows XP Professional. But somehow, the article opens with:
I don't see how, given that XP had more exploits than OS X, XP is "more secure than I think". Admittedly, OS X has had more security advisories than normal this year, but they've fixed them in short order. It seems to me that this article is taking a relatively small sample size (2003-2004) and suggesting that the problems during that sample (which were still significantly fewer than XP) are indicative of some long-term problem that we should "beware" of. This is bunk. It's easy to lie with statistics - suggesting that XP is magically "more secure" by counting advisories (which doesn't even support that claim!) is bogus because it doesn't take into consideration the length of time between the exploit being revealed and the patch becoming available nor the exposure to in-the-wild exploits. For instance, how many MS exploits are only fixed after lengthy exposure to real-world exploits (many of which you can probably find on my dad's computer?) Now, how often does the same thing happen on OS X (I can't think of this ever happening, but I won't say "never"). Furthermore, while my anecdotal experiences at a major university may be just that (anecdotal), the constant problems with zombie machines and exploited holes used for adware/malware strongly disputes their claim that XP is "more secure than I ever imagined" - likewise, the rather large Mac contingent at the university has no such problems. Give me a call when panicky mac users start bitching about adware on their computers. Until then, I think it's safe to file this article with all the other "Apple is dying" troll articles that we've seen since the early 1980s.
You are modded funny, but you might be right.
Many vulnerabilities have been discovered in Linux over the last twelve months. Most of these were in do_mremap. If vulnerabilities can continue to exist in one function, even after it has been supposedly looked at by many, and fixed several times, how much faith can you have that the rest of the kernel is any good? And this is even though Linus rejects patches that aren't elegant enough, so the kernel can be expected to be one of the less crappy parts of the system. I don't want to count how many vulnerabilities exist in commonly used userland software...
Turning the camera to Microsoft now, how many exploitable vulnerabilities have been discovered in their kernel in the last 12 months? Most of the exploits I have heard about exploit vulnerabilities in userland, and do things that do not require superuser privileges - sending email, network access over TCP/IP, etc. This would work just as well under any *NIX system that had vulnerable applications.
I don't have any numbers, but I am afraid that Windows may not be as insecure as is commonly thought.
From the products page of the Secunia web-site:
Stats mean nothing if the operating system maker makes it difficult to patch some holes (how are normal persons supposed to know if they have Outlook Express 6.0 or 6.0 SP1?), takes its time to address known vulnerabilities, and makes it impossible for pirated copies to update their version of the OS.
And it's sickening to hear that the only reason Windows is so vulnerable is its popularity. It is not. Sloppy programming and bad choices of default options definitely have their share.
I'm really having trouble believing this.... Mac OS is really FreeBSD (Darwin) and if you are not logged in as root.... how insecure can it be? Sure I may be able to hack into your user space (not saying I can, but someone may be able to), but I still can't modify things that are owned by root. Am I wrong?
This has been duly covered and thrown out as complete rubbish before.
But this made me think - The numbers they give for Redhat and Suse are quite high. Thinking back over the last few months I don't think I needed to patch my server that number of times at all.
I think people need to distinguish between exploitable flaws and flaws that could be used in "theory".
Another point - flaws that are reported to Redhat aren't always installed on every server. A flaw could be reported in Apache, but that is not to say that everyone with Redhat Enterprise is running Apache.
Plain and simple: these types of statistics should always come with the caveat: your mileage may vary !!
[ Monday is a terrible way to spend one seventh of your life. ]
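A small Python model of the counting problem raised in the comments above: advisories that batch several bugs into one (the "cumulative update" point), advisories for packages that are installed but whose daemon is not listening (the OpenSSH-off-by-default point), and advisories for packages a given box does not even have (the Apache-on-Redhat point). This is an added example, not code from this thread, from Secunia or from any vendor; the advisory records, package names and hosts are constructed placeholders, and the per-advisory fields (remote-reachable, needs a listening daemon) are assumptions about what a real advisory feed would have to supply for this kind of filtering.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory. Constructed sample fields, not a real advisory format."""
    adv_id: str
    package: str
    vulns: tuple          # vulnerability IDs batched into this one advisory
    remote: bool          # reachable over the network at all
    needs_listener: bool  # the remote path only exists if the package's daemon is listening


@dataclass(frozen=True)
class Host:
    """Hypothetical inventory of one machine."""
    installed: frozenset  # package names present on disk
    listening: frozenset  # daemons actually accepting network connections


# Constructed sample advisories (placeholder IDs, not real CVE or Secunia IDs).
ADVISORIES = (
    Advisory("ADV-1", "openssh", ("V-1",), remote=True, needs_listener=True),
    Advisory("ADV-2", "gimp", ("V-2", "V-3"), remote=False, needs_listener=False),
    Advisory("ADV-3", "browser", ("V-4", "V-5", "V-6"), remote=True, needs_listener=False),
    Advisory("ADV-4", "mysql", ("V-7",), remote=True, needs_listener=True),
)

# A desktop with everything installed but no daemons exposed (sshd off by default).
DESKTOP = Host(installed=frozenset({"openssh", "gimp", "browser", "mysql"}),
               listening=frozenset())
# A server that ships fewer packages but exposes sshd and the database.
SERVER = Host(installed=frozenset({"openssh", "mysql"}),
              listening=frozenset({"openssh", "mysql"}))


def count_advisories(advisories):
    """The headline number: one per advisory, however many bugs it bundles."""
    return len(advisories)


def count_vulns(advisories):
    """Count the individual vulnerabilities instead of the advisories."""
    return sum(len(a.vulns) for a in advisories)


def exposed(advisories, host):
    """Advisories that can actually bite this host: the package is installed and,
    for daemon bugs, the daemon is listening. Local-only bugs still count if installed."""
    hits = []
    for a in advisories:
        if a.package not in host.installed:
            continue
        if a.needs_listener and a.package not in host.listening:
            continue
        hits.append(a)
    return hits


def remotely_exposed(advisories, host):
    """Subset of exposed() reachable by an attacker with no local account."""
    return [a for a in exposed(advisories, host) if a.remote]


def summarize(advisories, host):
    """Raw feed-wide counts next to what this particular host is exposed to."""
    exp = exposed(advisories, host)
    return {
        "advisories": count_advisories(advisories),
        "vulns": count_vulns(advisories),
        "exposed_advisories": len(exp),
        "exposed_vulns": sum(len(a.vulns) for a in exp),
        "remote_exposed": len(remotely_exposed(advisories, host)),
    }


if __name__ == "__main__":
    for name, host in (("desktop", DESKTOP), ("server", SERVER)):
        print(name, summarize(ADVISORIES, host))
```

Both constructed hosts sit under the same feed of 4 advisories / 7 vulnerabilities, yet the desktop is exposed to two advisories (one of them remotely) and the server to a different two (both remotely); the headline count alone distinguishes neither.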
All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the world's PCs were by
I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive. Actually, Linux is almost an accidental beneficiary here. Linux used Unix as a role-model, and Unix grew up being attacked by hackers who wanted to play Space-Invaders or Cave or Hunt the Wumpus when their school accounts wouldn't cover it. And by PhD candidates trying for a few more runs on their thesis project. It's true these weren't *remote* exploits. They were local ones...where the attacker didn't have privileged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access.
I think we've pushed this "anyone can grow up to be president" thing too far.
I can't believe they are comparing OSS advisories with MS advisories and attempting conclusions based on the metrics.
More OSS bugs get discovered AND FIXED because the code is an open book.
Do they really think a patched OS is less secure than an unpatched OS?
A high advisory count for OSS means the code is being scrutinized. This is a Good Thing.
Or would you rather see advisories based on bugs found by people with enough time on their hands to disassemble Microsoft code and pore over that stuff? This is far more of a breeding ground for killer net worms. Though the metrics may be lower, it takes far longer for bugs to be discovered by the wrong people this way, and the results are far more devastating.
Also, how many MS users actually read advisories and patch their machines? The so-called "study" is fundamentally flawed in multiple ways.
The article does nothing more than prop up the myth of software security by obscurity.
The funny thing about Mac OS X and Linux... a great deal of the people who write the viruses and hack into Windows machines are (shock) Mac OS X and Linux users. I'd not so much call it 'security through obscurity' as 'honor among crackers'. ;)
By reading this you acknowledge that you have read it.
everyone's favorite browser with 38 advisories last year and according to Microsoft it's part of the Operating System. Internet Explorer alone has more vulnerabilities than all versions of Mac OS X. Additionally, just for icing on the cake IE has a wonderfully high 97% of the holes exploitable remotely.
http://secunia.com/product/11/
Someone should ask why anti virus updates aren't counted as system vulnerabilities...
XP Professional: 46 advisories in 2003-2004
48% remote attack
46% granting system access
SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period,
58% remote attack
37% granting system access
Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year.
66% remote attack
25% granting system access
Mac OS X 36 advisories
61% remote attackers
32% granting system access
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Emphasis mine.
We're not talking solid numbers, but numbers made by personal opinion. What is 'critical'?
MS can butter up the numbers so none of their holes are 'critical' if they so desire. So can anyone else.
"better OS design in philosophy and security, and attitude"
Bwahaha! You make it sound like everyone at Microsoft is chained to their desks and everyone working on the Linux distros is taking happy pills and working in pink rooms with butterflies and lambs painted on the walls.
Seriously, having programmed on both OS-X and Win XP extensively, the two operating systems are more alike than they are different. There's no fundamental difference in their architecture that would make one more secure over the other.
Best Buy can have you arrested
But if you want to have as much security by default as is possible, there's always OpenBSD.
social sciences can never use experience to verify their statemen
Firstly, this article is a summary of some other set of statistics. These summaries are usually horrible since the writers really don't understand statistics. Things never add up to 100%, and one quote often refers to a slightly different way of calculating things than another.
I don't know tons about security, so I read this with an open mind. But I KNOW some things are wrong:
I haven't read Forrester's research, so I would like to see it. (anybody know a link?) OSS is definitely faster at releasing patches. We see that time and time again. Perhaps they were comparing how long it took for the vendors like Red Hat to ship product updates for Apache, or put them on their web sites? But if I installed Apache, I don't look to Suse or Red Hat or Mandrake for my updates, I look to apt-get or apache.org. Of course, MS claims that all exploits come from MS patches anyway. (Which is proven not to be true on a weekly basis).
Lastly, the article rebuffs itself in the final quote:
Even though that is the basis for the article's comparisons. lol! I wonder... Could it be another case like we've seen in the past where a "think tank" gets funding to do research and then later everyone finds out that the company/companies that funded the study are the ones that the data showed to be better than all the rest. I wonder where secunia gets their funding for this new study. I tried looking around on their webpage, but I didn't find the info I was looking for anywhere.
-Pizentios
How many web and mail servers are running Linux? Software is written by humans and humans aren't perfect so yada yada yada... It's no surprise that Linux would have as many bugs as any other piece of software. It would appear though that those that choose to run Linux keep their servers patched and turn off unnecessary services more often than those that choose Windows. The majority of web servers use Apache. The majority of those Apache servers are Linux boxes yet we don't see the issues with Apache that we see with IIS.
Telnetd is removed from all modern Linux distributions' default installs. Also, telnet doesn't have many exploits as such, it's just that it is not encrypted.
Or did, at any rate. For a number of years the US Army used Mac OS 9 and Webstar to host www.army.mil. Looking at Netcraft now, they've moved to OS X but are still using Webstar, which has a much lower rate of vulnerabilities than Apache.
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
...where Pro-Microsoft comments are modded as trolls, we worship a penguin named Tux, and Bill Gates is hung in effigy every night!
According to the article, Mac OS X had the highest percentage of extremely critical vulnerabilities. Of course it also had LESS overall patches. They're obviously rounding numbers a lot, too, as I doubt any OS Developer will be releasing fractions of critical vulnerabilities. Apparently, if we want to run the system with the least critical holes, we should all be running Red Hat Linux Advanced Server.
All stats pulled from the article. For the highly and extremely critical vulnerabilities and their respective OS:
Windows XP: 46 advisories x 30% critical = 13.8
Mac OS X: 36 advisories x 33% critical = 11.88
SuSE: 48 advisories x 27% critical = 12.96
Red Hat: 60 advisories x 12% critical = 7.2
Solaris 9: 60 advisories x 20% critical = 12
As far as the less than "highly" critical holes in the OSes, so what? Those are just minor bug fixes. I appreciate companies like Secunia finding them, but when the majority have to be exploited on the full moon of a month not ending in "R" while waving a dead chicken and rubbing a balloon on your head and typing your root password with your left foot, I'm not so concerned. I won't even mention what *I* actually use. The whole article is pointless.
How many Mac zombies are there sending out millions of spam messages?
This May 2004 Macworld editorial talks about "Henny Penny" attitudes. [I guess they meant "Chicken Little" as in "The sky is falling".] Macworld writers have been dismissing Secunia for months as a FUD source for security issues with Linux and MAC OS.
This article is complete bunk. For example, there are 2 security errata on RHN right now for the kernel, both of which either require local access or a very poorly configured server to exploit, but this company probably counts both of them as critical although of the hundreds of servers I manage only 1 is vulnerable to either of these (I only have one machine with local users on it, and I'm not running the kernel NFS server anywhere).
Further, it states that RHEL 3 has had 50 vulnerabilities since last Nov... well, I'm quite sure that they are counting bugs in all of the software included with the distro. Most of my servers are just running a barebones amount of services, any one advisory might hit on 2 or 3 of my 500+ servers (unless it's something like openssl/ssh...). But anyway, on the few windows servers I manage (about 10) every vuln hits on all ten of them every time. It is much more difficult to patch those 10 systems than the 500+ redhat boxes (log in to RHN, select the errata, click apply, wait a few hours, done). With the 10 windows machines, walk into the data center, walk to the windows rack, pop open the kvm, log in to 1 server, go to windowsupdate, start the download, log into the next, start download * 10, then reboot all 10 servers, use my downtime for the next 2 years... and ok 2 hours later, during which time I had to actually be monitoring all of the boxes and couldn't do anything else, I've patched the latest IE hole....
One other point of note is how secure an operating system is _out_of_the_box_. For example, when I get a brand new Mac OS X machine, plug it into the net, and turn it on, it has 0 probability of getting rooted, because no services are running. This is true of a completely unpatched OS. On the other hand, if I install a brand new Windows box and connect it to the internet, it will usually be rooted within a day, because it starts 6-7 services automatically, ones that may have serious security holes or other problems. A Linux box is not particularly better than Windows in that respect, although the services generally have fewer holes, because it has a bunch of stuff in /etc/inetd.conf and several RPC services running.
I went to Secunia's site and saw no reference to the study, even for a price.
I am very suspicious of outfits who describe their results with hyperbole like "dispels the myth" but fail to make their research report available for scrutiny.
It sounds like this study uses "retrospective" methodology, which is OK, but one must be very careful to assess the meaning and transferability of such results. In general, retrospectives don't yield blockbuster evidence that "dispels myths."
Here, in contrast, is a proposed hypothesis for a forward-looking study: I predict that a larger fraction of Windows machines will be compromised in the next 12 months than machines running non-windows operating systems. That is, the probability that a given Windows machine will be the victim of a successful attack is higher than the corresponding probability for a non-windows machine.
You can make statistics to prove just about anything you want. What makes the data useful is good analysis, which this article does not have.
The OS X/Linux vulnerabilities include many, many third party applications that they bundle. The Windows list almost exclusively covers Windows the operating system and IIS. If you really want to do a comparison, load up Windows with two or three office software suites, Visual Studio, SourceSafe (the way that the Cisco hackers got in), etc., etc., and then compare vulnerabilities.
Further, the study doesn't correlate remote and system access attacks. The MS RPC vulnerability and the two Linux Kernel escalation of privilege vulnerabilities both gave system access. But one was sitting wide open for random attacker, and two took getting into the system in the first place. A very big difference.
Also, many Linux distributions and OS X ship with a minimum of services turned on, so they are inherently much safer out of the box. Most of the vulnerabilities for *nix/OS X were server related, which desktop users wouldn't have on or installed. Most of the Windows ones were things that you'll find on almost all installations.
If you want, we can do a show of hands of how many Windows systems have been compromised vs. how many Macs. Even adjusted for the Windows/Mac ratio, I'm pretty sure that OS X will come up as safer.
With OS X and most modern Linux systems, you _have_ to work to create security problems. Whereas each new Windows installation I do requires a series of patching via CD or memory key before I can put it online to download the rest of the updates...
Suppose some company designed an operating system with one exploit. Suppose that this single exploit was determined to be "critical". Secunia would have us believe that this means that due to incompetence, this OS tops the chart with a 100% "critical" rating, even though the aggregate number of bugs is less than 2% of its competitors, and the aggregate number of critical bugs, less than 9%. Windows has 21 System exploits, MacOSX has 12. The OSs seem to have about the same vulnerability to "Remote" exploits, assuming, of course, that each release starts out with a clean slate, and that say, WindowsXP is invulnerable to a Windows NT exploit...
I work as an IT security analyst for a certain large R&D firm, and I can tell you with utter confidence that Windows is far less secure, not only because so many things are tied into the kernel, but because the admins that run Windows tend to know less about the inner workings of their OS.
After 6 years of being an IT geek, I've seen Solaris boxes get owned, as well as Windows boxes.
There is some truth to making an OS secure out of the box. The admins who then proceed to deploy the boxes MUST turn on required services, not the other way around. We are living on an increasingly more dangerous Internet. OpenBSD, while utterly lacking in out-of-the-box ease of use, is the single most network ready OS out there for *nix if you require security. Linux has the Bastille project, secure distros, and the ability to view the code if I'm unsure.
Windows, Mac OS X, and most others are INSECURE out of the box. Being in a LAN beyond a firewall is also not a sure thing. Firewalls have rules that allow certain ports opened. What happens if next week there is a devastating exploit for SSH and that is an allowed port?
It boils down to what Bruce Schneier of Counterpane says: "Security is a process, not a product."
If one can deploy an OS that is "safe" like OpenBSD on a LAN, then so much the better. I'm hoping that all OS developers start to release products that are locked down by default. Not only is this safer, but the admins who work the boxes tend to learn more about the security process. They tend to think.. "hmmm, should I run telnetd or not? Do I really need it?"
Security is a process, not a product.
The better comparison would be which vulnerabilities affected the average install of Windows & Linux, as opposed to the entire package list supplied.
A quick glance at RHN shows me 17 patches for my registered system. These are dated from 11-15-2002. If you look at just the patches that affect the server system I deployed in February, that narrows it down to 4.
One only applies if using the kernel nfs server. I don't. 3
Two others are local exploits -- and I am the only one with a shell account on my servers. Still, if someone could exploit Apache or my PHP scripts, it is *POSSIBLE* to maybe exploit these.
In all fairness, one of my systems was the victim of a DoS due to the recent OpenSSL vuln.
* * *
And, in the other corner, Windows XP -- the last Windows system I installed for someone.
They live out in the country and had a dial-up account. And the system was infected and 0wn3d before I could download the Windows Update updates -- from a fresh install.
I had to go home, download all the updates to a CD and bring it back. Also all the AV updates. And ZoneAlarm, and a dozen other packages to make the system useful and secure.
I know I compared a server system to a desktop. However, my desktop hasn't had a virus, worm or trojan in almost 10 years on my various Linux desktops. That wasn't a fair comparison.
-Charles
Learning HOW to think is more important than learning WHAT to think.
1. Find security bugs in operating systems
2. ??? -> write analysis comparing security among them
3. Profit! -> Take funding from Microsoft showing how Windows is more secure!
Unrepentant Mac Apologism time! It seems that there are some "statistics" flying around that can be interpreted to mean that Mac OS X is, practically speaking, no more secure than Windows, and we certainly can't let that sort of stuff go unchecked, now, can we? Whether it's true or not, we mean. So we feel it's our sworn duty to cast all sorts of aspersions on the reliability of said stats and on the character and competence of those who compiled them. Of course, you'll have to keep in mind that absolutely nothing we say on the subject carries any weight whatsoever, since, far from being experts on computer security, our real expertise is in the field of making vegetables out of Play-Doh. (Corn on the cob is our specialty. We can get it all bumpy and everything.) However, while we're not security experts, we've seen one on TV; surely that counts for something.
Anyway, it's like this: faithful viewer C. J. Corbett tipped us off to a Techworld article last week with the ominous title of "Mac OS X security myth exposed" which leads off with this oh-so-fair-and-balanced sentence: "Windows is more secure than you think, and Mac OS X is worse than you ever imagined." See, security firm Secunia claims to have compiled some honest-to-goodness statistics proving once and for all that choosing Mac OS X over Windows is your surest path to having some scary 'net dude invade your system, swipe your financial data, and start leering at digital photos of your family members in an... unsavory manner.
How is this possible? Well, numbers don't lie, and while Windows XP Professional clocked "46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access," Mac OS X racked up 36 such advisories, with 61 percent remotely exploitable and 32 percent allowing the takeover of the system. See? Worse than you ever imagined. It's like a wedge of Swiss cheese with a shotgun blast through the middle or something. Meanwhile, Windows users will no doubt be thrilled to hear that their virus-ridden, spyware-loaded, worm-propagating systems are more secure than they think. Good for them.
There are just a few problems with this argument, however. The first is the claim that Mac OS X isn't much better than Windows XP Professional because it had 36 security advisories compared to Windows's 46. Maybe we're fresh off the turnip truck or something, but 22% fewer advisories sounds quite a bit better to us. Also, if you actually look at the data to which Techworld refers, it's not 36 advisories for Mac OS X at all; it's 33. (Apparently Techworld decided to go back to 2002 to fetch its reported number.) Granted, the Windows number is also 45 instead of 46-- yeesh, Techworld; fact-check much?-- but even so, now we're talking about nearly 27% fewer security advisories for Mac OS X than for Windows XP Professional.
Now take a look at the advisories themselves, and notice how no fewer than eleven of those 33 advisories (that's a third, for the mathematically inept) are titled "Mac OS X Security Update Fixes Multiple Vulnerabilities" or something similar. Yes, in its advisory count, Secunia is including those advisories it generated just to report that Apple had fixed something. Does anyone else find it a little odd that Secunia penalizes Apple for fixing problems, including ones that were fixed so quickly that Secunia had never found out about them in the first place? (While they may describe a flaw and immediately note the presence of a patch, none of the Windows advisories appears to exist simply to announce that Redmond had fixed a bunch of holes.)
Notice also that Secunia yaps on about how, for Mac OS X, "of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system"-- but never mentions how many could be exploited across the Internet to enable attackers to take over the system. Personally, we aren't much concerned about exploits that require local access to a Mac, because if any
Anything about FreeBSD, NetBSD or OpenBSD?
In the Forrester report referenced in that article, they only STARTED counting from the time Microsoft PUBLICLY admitted to a problem.
Which, in many cases, was when Microsoft had a patch ready.
But www.eeye.com had reported security holes to Microsoft for MONTHS before a patch was made available.
In other words, if Microsoft NEVER admitted PUBLICLY to a security hole, that security hole would NEVER be counted in the Forrester report.
http://www.eeye.com/html/research/upcoming/index.html
For the current listing.
With Open Source software, the vulnerability is usually discussed on the mailing list.
So, if a hole is discovered in Linux, and discussed on the mailing list and a patch is released 48 hours later.....
And then Red Hat releases a .rpm 24 hours later...
Forrester would count that as a 3 day delay.
You take the medium threat from www.eeye.com that is 49 days overdue (actually informed 109 days ago) and Microsoft releases a patch the same day Microsoft admits to the hole....
Forrester would count that a 1 day or less delay.
I find this article difficult to take seriously given the second word in the abstract, 'Microsoft', is misspelled on the ComputerWeekly site. I'd hope any professional author writing a professional article would at LEAST grind it through spell checking software before publishing, particularly for a piece intended for management types instead of tech weenies. WTF is 'micorsoft'?
Secondly, it's not the bugs that are known and reported that concern me, it's those undiscovered and/or kept hidden. The reporter sensationalizes that fact even with quotes from Secunia's CTO saying bugcount is more or less irrelevant.
-Erik
... consider your brain on the internet...
How many can get faulty information into it without your knowledge?
Now, consider your computer on the internet....
How many can get faulty information onto it without your knowledge?
Now there are two ways to solve the problem, one of which works with absolute certainty.
*) Do not connect to the internet.
or
*) Become aware of all communications from the internet and your computer.
This second solution direction may require reducing such communications to human understandable parts....
but if that happened then the wool would be lifted from the eyes of the end users as to what they really can do....
This article is complete garbage. Comparing proportions means nothing - particularly since they always add up to 100%! What matters is the actual number of exploits, and how likely they are to occur. The parent is absolutely right.
---If you can't trust a nerd, who can you trust?
Telnet has been a deprecated protocol for donkey's years now. Most Linux distros I know will not enable it (hey, the daemon isn't even installed, so I call it more than turned off as you call it) unless you really want it and indeed sshd is the preferred option.
MS Windows does come with a lot of software (server editions come with IIS etc.), but Redhat comes with more (5 mail servers, 4 RDBMSs ...). XP Pro is not a server OS. Redhat ES is. We should be comparing Windows Server 2003, with a comparable group of server packages (including Exchange etc.).
Posters recognized by their sig,
Why not just stick with numbers for the entire statement?
Rewritten: "Windows XP Professional saw 46 advisories in 2003-2004, with 22 vulnerabilities allowing remote attacks and 21 enabling system access, Secunia said."
An even better way: "Windows XP Professional saw 46 advisories in 2003-2004, with 15 vulnerabilities allowing remote attacks and 14 enabling system access and 7 enabling system access via a remote attack, Secunia said."
(I just took 7 from each to make it clearer.)
I don't trust percentages given without support.
Look! I spend hours each week cleaning adware/spyware/viruses off of my clients' Windows machines. This is in spite of the fact that I have gotten through to most of them and they have the protection that Windows requires (firewall, AV software, updated machines).
I have helped setup a few (very few - 3 so far) Linux boxes for clients that were fed up with the situation. I never hear from them unless it is a "I can't get my (pick one) scanner, printer, camera, [something] working on Linux." Don't get me wrong, I get plenty of that from Windows clients, too. But I would much rather work on those problems than cleaning yet another spyware/adware/trojan infested machine!
I am not a slouch at this (take that however you want, I manage to stay pretty clean on my network at home), but I have myself been infested with that particularly nasty bugger, CoolWWSearch, a couple of times. Both stemmed from a switch to IE 6.0 that was forced on me by my DSL provider. The second time, I had IE 6.0 buttoned down as tight as it can be! I have since switched DSL providers and dropped back to IE 5.0. No problems!
Now I have to have some Windows machines at home: my clients depend on it, my regular job depends on it and my son wants to run those nifty on-line games. So I don't have a choice. But I find myself increasingly using non-Microsoft products to keep Windows from being compromised!
My firewall runs Linux (IPCop). Stripped down to its essentials, the firewall has only required 9 updates in a year of service. I use Mozilla to browse the Web and manage e-mail. I haven't used it long enough to venture a guess about updates but CoolWWSearch ain't been back! I never did use Outlook so I haven't suffered from any of the myriad of Outlook exploits! The list grows as I do more for my clients; do you really think I am going to recommend IIS or SQLServer with their security histories?
So these stats don't mean anything to me. I don't care whether or not other products are inherently more secure or it is just the fact that Windows is more popular. The fact is that connecting to the Internet, as it exists today, with Windows is like playing Russian roulette with 5 bullets (assuming a 6-shot revolver)!
Just looking at the number of critical issues for an operating system is absurd. What about default configuration? OS X by default does not listen on any network ports. Scan a Windows XP system and you'll see MANY ports, including 137, 138, 139, and 445 - the NetBIOS services that are typically exploited by attackers. With those services you can launch remote password guessing and other attacks against the base system.
On another note, how about we tally the number of viruses and trojans for the different operating systems? This is one of the most important security problems facing businesses today. Gee, I think we'll see a MUCH different ratio for OS X vs. Windows XP.
I can't stand it when a security company comes up with skewed statistics in an effort to get press and web hits. The comparison of only the number and type of vendor bulletins is not an effective measurement of OS security.
Interesting time to publish this - right between last week's IIS/IE multiple exploits and this week's Evaman Worm outbreak.
Now that CERT and the Dept. of Homeland Security both recommend consumers abandon Internet Explorer, can we get them to recommend dropping Outlook Express?
Can we please differentiate between a vulnerability and an exploit? Mac OS X has no exploits (aside from proof-of-concepts). It has had vulnerabilities, including some serious ones, but *not one* has turned into an exploit.
That makes how many have been reported compared to Windows utterly irrelevant.
And all that talk about "but windows has more users so it gets viruses written" is horseshit too. Why do people write viruses, for notoriety, right? Well remember the noise that surrounded the discovery of a simple vulnerability in Mac OS X? Can you imagine the fame that would surround the writer of the first OS X virus? It would be *huge*.
Finally, even if that supposition were true, wouldn't it still be better to be on OS X? There's no way it'll ever get to 98% marketshare, so it'll always be safer by that logic.
I wonder what would be the Secunia diagnosis in this case:
Patient A's clinical history:
Headache
Influenza
A small scar on his face
A broken arm
Patient B:
Stomach cancer
Which of the two patients is in a worse state? According to Secunia, patient A would be really bad, he has three lines in his medical record!!!!
Amazing, indeed
FYI thebroken has some basic TechTV-style coverage of LM hashes:
http://www.thebroken.org/
including the regkey that disables them.
For all the haters: Seems like this situation is akin to the MD5-vs-DES crypt(3) dialog Debian gives you upon install--except that shadow doesn't also store the weaker DES hash when you select MD5.
For those of you still on a Microsoft platform: I've heard that L0phtcrack works wonders reversing an LM hash on modern hardware. Godspeed with your WinXP password recovery.
Windows XP Professional saw 46 advisories in 2003-2004
:P
:thumbsdown: People who "know" try to persuade and convince dumb lames who "think they know". And they get loads of cash for it.
:P
Right. 46. In 2003-2004. 46. If this was 42, I would've swallowed it with a sad grin. 46. Jeez, people, counting shouldn't be so hard
Anyway, I'm sick and tired of these kinds of "opinions" and "reviews"
They know they lie. We know they lie. Those who don't, will find out eventually. I'm waiting for that day
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
I haven't seen it mentioned yet but it should be pointed out that virtually everything in Unix or Mac OS X "could be exploited across the internet". A temporary file bug in gzip could be exploited across the internet. A bug in automake could be exploited across the internet.
How many of these "over the network" holes can be done by somebody without an account? If the number of those in both OS X and Linux combined, covering the range of software that comes with Windows, is more than two or three then that would be a newsworthy story. What this story is really saying is that even though you can't do squat remotely in Windows there's still a huge number of remote exploits.
Somehow, the rest of your post does not support, and seems to contradict, your initial statement.
A "respectable security source" that knowingly mis-counts vulnerabilities and then publishes an inflammatory "report" based upon such?
That sounds like the opposite of "respectable" to me.
I was looking at Secunia's Virus Info Page... right under the graph it says "Based on Information delivered by BullGuard".
That set off a few bells... Know what BullGuard is? It's spyware that happens to come bundled with Kazaa. Amusingly, you can see BullGuard on Kazaa's *cough* No Spyware Policy Page, where they try to pretend that their bundled software isn't spyware.
http://cltracker.net -- powerful craigslist multi-city search
If this is an indication of where they're going with XP SP2 and onwards, things are going to seriously improve. We're actually considering rolling out Windows Server 2003 Web Edition on laptops - from a security point of view it's well worth the extra 50 UKP it costs, and the hardware compatibility is excellent too...
There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories can cover multiple vulnerabilities.
The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP advisories, all I see are the core components, with the glaring omission of Internet Explorer (which these days is in fact a core component of the operating system).
Perhaps MS have "funded" this research because everyone is buying Xserves, like me. To be frank I couldn't give a toss what a possible MS funded company says, they would already be way too tainted for my tastes.
Viruses on my 6 OS X systems: NIL, ZERO, NADA, 0
Viruses on my 3 XP machines, too many to mention, that is why they have remained switched off for the last 4 months.
Fuck off secunia, fuck off MS.
How many of OSX's exploits were still exploitable when behind a firewall?
The problem with Windows is exploits in IE and Outlook/Outlook Express.
In the XP stats they show one advisory for IE. But looking at the exploits statistics on the same website you find that the one Microsoft application by itself has about as many exploits as other competing operating systems and all their applications combined:
secunia.com/product/11/
Sorry Windows lovers, it's time to face the facts, your OS of choice and associated applications are a haven for worms and viruses not because there are so many of you, it's because the software is crap.
burnin
Here's a pretty decent explanation:
WHO/WHOM
b) All Linux distros ship far more software than Microsoft does with Windows, and rarely will all of it be installed and running on a given system. If a vulnerable package isn't installed on a given system, then that system isn't vulnerable. To compare like with like, you'd need to take Windows' stats and add them to IIS, Exchange, Mozilla, Office/OpenOffice.org, Cygwin/SFU, SQL server, a bunch of free and shareware IRC clients and so on.
If folks are going to play these silly pissing contests, then the only fair way to do it is to take account of the period of vulnerability and base comparisons on "role profiles" (e.g. PHP web server, anti-spam MTA, static web server, graphical desktop).
--
There is truth in your statement, however, it does not change the fact that Windows and its associated applications have a significantly larger number of flaws when compared to the competition.
If you look at the secunia statistics for IE you find that by itself it has nearly as many exploits as competing operating systems and all their associated applications combined.
secunia.com/product/11/
burnin
as with other flawed "surveys," this one doesn't seem to account for features that are disabled by default, or that can't be exploited if the vulnerable package isn't installed.
I know what you need to do when you want a file server, use File Exchange! Sure, it is exploitable (can be crashed, vulnerable to DoS, possibly allows access to every file on the server to anybody) but heck, I haven't had the time to issue advisories yet! And if I had, the leaks are years old already! And if they hadn't, it would be only three advisories!
:-P
And sure it runs on Windows, but what OS has been "proven" to be the safest by Secunia?
Gha, seems that didn't do it (did catch me telnetting in doing a "SEARCH /"-request though). Okay, trying:
SetEnvIf Request_URI "^SEARCH.*" nolog
SetEnvIf Request_URI ".*(\\x90)+.*" nolog
If this doesn't work I'm going to get angry, and you wouldn't like me when I'm angry.
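The SetEnvIf rules above try to keep WebDAV SEARCH probes and NOP-sled-looking requests out of the main access log. Before suppressing such lines it helps to be able to count them, so here is an added example (not the poster's code, and not an Apache feature) that classifies Apache access-log lines by the same two criteria. Apache writes non-printable request bytes as `\xHH`, so a 0x90 byte shows up in the log as the literal four characters `\x90`; the sample log lines and the three-byte sled threshold are constructed for illustration.

```cpp
// Added example: classify Apache access-log lines the way the SetEnvIf rules
// in the post do (SEARCH method, or a run of escaped 0x90 bytes in the URI),
// so the noise can be counted before it is filtered out of the log.
#include <regex>
#include <string>
#include <vector>
#include <cstdio>

struct LogVerdict {
    std::string method;
    std::string uri;
    bool parsed = false;        // request line was found and parsed
    bool is_search = false;     // WebDAV SEARCH method
    bool has_nop_sled = false;  // URI contains >= 3 consecutive "\x90" escapes
};

// Extract the quoted request line and evaluate both criteria.
LogVerdict classify_log_line(const std::string& line) {
    // Matches "METHOD URI HTTP/x.y" as written by the common/combined log format.
    static const std::regex request_re(R"re("([A-Z]+) ([^ "]+) HTTP/[0-9.]+")re");
    // Apache logs the byte 0x90 as the text \x90; look for a short run of them.
    static const std::regex sled_re(R"re((\\x90){3,})re");
    LogVerdict v;
    std::smatch m;
    if (!std::regex_search(line, m, request_re)) return v;
    v.parsed = true;
    v.method = m[1].str();
    v.uri = m[2].str();
    v.is_search = (v.method == "SEARCH");
    v.has_nop_sled = std::regex_search(v.uri, sled_re);
    return v;
}

// The filtering policy from the post: drop SEARCH probes and sled-bearing URIs.
bool is_probe_noise(const LogVerdict& v) {
    return v.parsed && (v.is_search || v.has_nop_sled);
}

// Count how many lines the policy would suppress.
int count_probe_noise(const std::vector<std::string>& lines) {
    int n = 0;
    for (const auto& l : lines)
        if (is_probe_noise(classify_log_line(l))) ++n;
    return n;
}

// Constructed sample log (raw strings so the \x90 text stays literal).
const std::vector<std::string> kSampleLog = {
    R"l(192.0.2.10 - - [10/Jun/2004:12:00:01 +0000] "SEARCH / HTTP/1.1" 404 211)l",
    R"l(192.0.2.11 - - [10/Jun/2004:12:00:02 +0000] "GET /\x90\x90\x90\x90\x90 HTTP/1.0" 404 0)l",
    R"l(192.0.2.12 - - [10/Jun/2004:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043)l",
    R"l(192.0.2.13 - - [10/Jun/2004:12:00:04 +0000] "POST /cgi-bin/form HTTP/1.1" 200 88)l",
};

int main() {
    for (const auto& l : kSampleLog) {
        LogVerdict v = classify_log_line(l);
        std::printf("%-7s %-30s noise=%s\n", v.method.c_str(), v.uri.c_str(),
                    is_probe_noise(v) ? "yes" : "no");
    }
    std::printf("%d of %zu lines would be suppressed\n",
                count_probe_noise(kSampleLog), kSampleLog.size());
    return 0;
}
```

Running it over the constructed sample reports two of the four lines as probe noise: the SEARCH request and the GET with the escaped 0x90 run; the ordinary GET and POST are kept.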
Cool. Will this full rainbow table allow for simpler decryption of Windows encrypted files?
Based on my limited Windows knowledge I believe it will: The NTLM hash is not one-to-one. However the rainbow table can (in theory) provide multiple NTLM keys, one of which is probably the original user password that will ALSO re-hash for EFS.
Seems like your LM RT is an EFS accelerant. Comments?
The point is that PRACTICALLY, Microsoft is the most insecure operating system because you cannot hook a default install up to the internet without getting 20 worms by the time you patch it up.
In THEORY, you are correct that it is all about exploits and there are possibly exploitable holes just as much in Linux or Mac. Difference? In the real world, they are exploited much less on the latter two. Also, critical issues are fixed MUCH faster in the latter two leading to a less vulnerable system.
MOREOVER, these assclowns count a vulnerability in every piece of free software as a Linux vulnerability and only count core vulnerabilities in Microsoft. Similarly for Mac probably. So yes, exploits are what matters, but in the REAL WORLD there are more exploits for Windows and more boxes constantly being exploited, so your point is moot.
Too many questions, but just one answer: that study stinks.
Secunia asserts that all the advisories are available on their site. Perhaps it would be interesting for someone to check their analysis using their own data.

They claim that, for Mac OS X, "Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system." But it is interesting that they don't reveal the intersection of these two numbers: in other words, what percentage enabled attackers to take over the system across the internet.

They also don't talk about actual exploitation of vulnerabilities that occurred, such as in billions of dollars for Windows exploits vs. dollars for Mac exploits.

This smells like more Microsoft-funded FUD...
that if Apple is not keeping up with the BSD Unix development, that the BSD exploits that need to be patched, may not be patched quick enough in OSX.
Apple did the same thing with MKLinux, the development of MKLinux fell behind that of other Linux systems, and Apple was slow to patch the security holes found in Linux.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
This is mainly the area of English majors who wish to justify their degrees while out looking for teaching positions. Ignoring them is usually the best thing to do.
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
There is no such thing as "the Linux OS". There are only "Linux distributions" (or "GNU/Linux distributions" if you please) containing "Linux" (which is just a kernel) and a bunch of pieces of code that are not Linux, but individual pieces like a compiler (GCC), an editor (nano, EMACS, vim), a libc (glibc), a graphical environment (X.org)......
I am sick of hearing about "Linux OS". There is no such god-damned thing. It's like calling DOS systems (DR-DOS, MS-DOS, PC-DOS, FreeDOS, etc.) the "io.sys/msdos.sys OS".
Honey, I shrunk the Cygwin
The fact that they continue to hold such a low market share makes it really unnecessary for a virus writer to target them, when they can infect 100000 times the amount of machines on a Windows OS.
There's the market share argument again!
Look, I won't bore you with the usual Apache has over 2/3 of the web server market share and all that. No, luckily (in this case?!), we can now highlight Mozilla as a product which still has a low market share in the browser market - as we all know - you see, recently we've seen malware target this particular browser, trying to trick users into installing a malicious extension via XPI.
Mind you, this is not a bug being exploited, but the usual "let's hope the gullible user clicks the 'OK'-button" type of trick. It will not install without user intervention!
Anyway, the bottom line is that the market share argument is getting old, IMHO. But more importantly, this problem has been handled excellently by the Mozilla developer and user community. Blocking of onload-activated XPI installations has been implemented promptly as well as an extension website whitelist (though this one is not activated by default as of yet).
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
Anyone know where I can find a copy of this "Micorsoft Windows"?
No stores near me seem to have it.
I wonder how XP Home would have fared in this little contest. That's the real bad one. Of course, they might not have had the computing resources to find a number that high. Remember - there are three kinds of lies. Lies, damn lies, and statistics.
I think their point is that it's not the operating system that mucks things up, it's the proliferation of the OS that makes it more effective to make things muck up. If you can write an exploit for OSX vs XP Home and have it take the same amount of time to write, you're better off with the XP Home exploit because you get more compromised machines with the same work.
Your OS is not secure. There are exploits. Don't be smug, or some writer that's got a lot of time and motivation will wipe that grin right off your face.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
But usually you'd get a TCP stack on the floppy your ISP gave you when you signed up. Like many small ISPs we used to distribute an install floppy containing the shareware version of Trumpet Winsock, which included a PPP dialer. When MS finally came out with a free install kit for making floppies for Windows 3.1 that included IE, the Windows TCP stack, and a nice dialer it was like a godsend (even though we viscerally hated what MS was trying to do with IE).
I'm tired of seeing this argument when the big advantage of Microsoft, and the excuse for M$'s poor security, is supposed to be EASE OF USE. That is the raison d'etre for an OS with a GUI that can't be turned off, right?
A diligent operator would rule out Microsoft for all but legacy applications. Besides security, cost and feature sets rule every deployment from web servers and databases to desktops. If you have not concluded this yet, you have not done your homework. If you don't believe this, ask yourself why so many diligent system administrators at well funded Fortune 100 companies continue to have their servers rooted and other companies do just fine with Apache and others.
This particular study seems to make the critical mistake of comparing an operating system to a software distribution. "Suse" with its thousands of programs should be compared to ALL M$ and everything you could possibly put on it, not simply the $300 OS itself. How many of those Suse exploits came from running something silly like eterm for logs? There's a huge difference between M$ exploits on services that can't be turned off and an exploit in an optional program for which there are several secure alternatives. That this distinction was not clearly stated throws the article's conclusions into question.
Friends don't help friends install M$ junk.
Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.
Bad example. There's a telnet service in Windows too.
When was the last time telnet was exploitable? telnet is sniffable. Big deal, so is imap, pop3, smtp, http, you name it. Sniffing should not count against an OS - it's a problem with the protocol, which is inherent to all internet based OSes. Heck, let's just say anything that uses TCP/IP is too insecure for internet access.
Here's an example:
RHSA-2004:174-09
Fix: utempter local exploit.
Ok. A local exploit. Granted, an exploit, but still, it's a local exploit. This is what these so called "security" groups need to realize - webservers on the DMZ typically don't have local access for joebob to login to. Typically, they have ports 80, 443, and maybe 22 open. So now, all of those 60+ exploits attributed to Red Hat become 0 (that's Zero, with a 0). True, Red Hat had more published advisories than Windows did in the same time period, but Windows didn't ship with nearly the amount of software Red Hat did, and no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall. It just doesn't happen.
So all of these so called security groups can shove it, because that's not real world security. Why don't they do a study on how many linux/unix sys admins patch their boxes diligently vs how many windows admins bothered to patch their boxes with patches available months before code red and other internet problems plagued the internet?
PS: On Windows, it'd be port 3389 (remote desktop), not port 22... And BOTH services (ssh and rdp) have had remote exploits available, so you can't retort with the "ssh is insecure" BS.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
When it comes to security, what I want to know, from most important to least is:
How many remote exploits allow privileged access?
How many remote exploits allow non-privileged access?
How many exploits allow privilege escalation?
I'm interested in the other stuff, but a DoS attack, or cross server scripting bug isn't on the same scale.
Neither the article, nor the Secunia web site seems to help answer those three questions for any OS.
-- not a
in Slackware's install process (and I'm sure many other Linux distros) it asks you which services to start from /etc/rc.d/*
if you don't tick any of those boxes, there aren't any servers running - no remote exploits. On the other hand, Windows XP SP1 makes it very difficult to turn off the right services, some of which cannot be disabled, and the firewall is off by default (meaning RPC [msblaster] is open for the world to see by default). I know RPC has been fixed, it's just an example.
I don't think they're so much funded by SCO or M$ as the "researcher" is just a dumbass, and grabbed some figures and sloppily put them together, saw he had an interesting attention grabbing story and published it, regardless of being carefully looked at, not to mention he stretched some facts like it takes days to patch linux or any of the free unixes, which is prolly the longest delay for any opensource based patch. Also, he failed to mention how long it took M$ to update patches. I have a feeling this researcher played with unix, got lost and stuck to good ol' windows, and is a Microsoft apologist as well.
A google for "linux virus list" does actually turn up with something. The first site returns as many as 35 results (in TOTAL) in a search for linux viruses (of which some are not technically viruses but exploits). Compare that with a list of new windows viruses and exploits for just the last year. Giving some credit to arguments such as 'Windows is more popular so it will be attacked more', it's been a long time since I had to deal with any virus/security issues of my own. Definitely negligible compared to the number of AVG/adaware/firefox/thunderbird/zonealarm installs that I've been doing for Windows.
My favorite quote of course is "A product is not necessarily more secure because fewer vulnerabilities are discovered". This may be true, but given the statistics (35 viruses vs. 50000), and daily reality, I know which system I feel more comfortable with. I don't see daily reality shifting to the other side of the scale anywhere in the near future.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
1) Exploiting unix trust relationships gave a lot of people shells on machines they do not have passwords for. Think NFS, and the 'r' services.
2) There were a lot of remote security holes found in unix. Think about bind, telnetd, shd, finger, sendmail, wu_ftpd or even pine.
3) Sniffing passwords was easier back then before switches and encrypted login services (ie: ssh) were wide spread, so getting local access on most networks was not very difficult once you had a foothold on one.
4) It wasn't until the dot com boom when every new security company and hacker looking to get a real job and source code became more common that a lot of security holes were found and patched. Just look at Red Hat 6.0.
Question then becomes, how quickly are these problems responded to?
I think a more appropriate question is:
If everything is equally secure/insecure, then why pay for something that is no more secure than something you can get for free???????
Also, I'm surprised and disappointed they neglected to include/mention other servers like OpenBSD, NetBSD, Gentoo, Debian, Mandrake... It's not right. Market share means nothing. They should have everything in there : (
I've seen numerous posts regarding the inaccuracies in Secunia's reporting of Mac OS X and Linux in this report. There's one big point, though, I haven't seen anyone bring up.
;)
Secunia is comparing Linux servers -- SuSE Linux Enterprise Server and Red Hat Advanced Server -- to a desktop Windows (XP Pro) and an uncertain Mac OS X (are they counting OS X Server vulnerabilities? It's a mystery!).
Well, no shit you're going to get bigger Linux (and potentially OS X) numbers that way! They're comparing a desktop operating system that ships with minimal (but still too many) services enabled to a Linux distribution made up of dozens of running services and a million optional parts which may or may not be installed on any system.
Other posters can banter all they like about how Secunia isn't taking money from Microsoft, but more than a cursory glance reveals it isn't exactly a level playing field regardless of who's funding them. (Yeah, yeah, I know, it's Slashdot
the attacker didn't have privileged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access. Come on, I would pick a FreeBSD/Linux based OS every time on principle alone but we live in a completely different world now. Just look at WiFi hacks. It's not as simple as you say,
but you are right. The way permissions are handled by Linux/Unix based O.S.' was a tried and trusted addition to the development of security on those O.S.'
Look at these:
...) brought us stable operating systems; some new hardware could get us stable and secure operating systems.
By secure I DON'T mean hardware-addons like TCPA. TCPA is inadequate for a free-programmable computer architecture.
IBM z/OS V1.x
one vulnerability (in Sendmail, which was ported to z/OS)
By the way, most (if not all) parts of z/OS were written in PL/1.
IBM OS/400 - V4.x, V5.x
zero vulnerabilities
(Note that OS/400's kernel ("SLIC"), written in C++, is absolutely closed code (afaik you can't even access its machine code on the iSeries 400's DASD), so nobody outside IBM knows what kind of bugs might be in that kernel; anyway, because of its single-level storage architecture, this system has hardware pointer-in-memory protection, which, as a side-effect, prevents many of the most dangerous kinds of exploits, for example overwriting of return-addresses, overwriting of function pointers and such; so it's impossible to "smash the stack" on this machine)
Conclusion:
===========
To err is human; as long as people use Assembler, C or similar programming languages, they will probably cause buffer overflows and similar bugs; for this reason, we should take advantage of more intelligent hardware architecture, including features like tagged pointers and special CPU instructions for modifying addresses (so you still can change a function pointer, but only if you use the correct instruction; overwriting it using instructions for copying data areas (MOV on intel) would cause the pointer protection hardware to invalidate the pointer). Better hardware is a good foundation for better software. "Protected mode" (memory protection, preemptive multitasking,
Use a suitable programming language to implement applications; you don't need to mess around with direct memory access, pointers and such, if you're programming software for accounting or a spreadsheet application. Many commercial applications for z/OS and OS/400 are written in COBOL, PL/1, etc. rather than in C, and they do not seem to have nearly as many critical bugs as most C programs; OpenVMS people will tell you the same story, I don't know what programming language they used to write most of their applications, but I know it wasn't C.
If you can't get an open source Ada, Cobol, PL/1,... compiler, at least use C++ (use std::string).
Don't forget Java; java programs might not be as fast as compiled code, but especially non-GUI applications are still pretty fast, and Java is a well-designed language.
Unfortunately, there are no results for trusted operating systems such as Trusted Solaris; it would be interesting, whether the same bugs that are critical on standard operating systems could cause system access or any similarly critical escalation of privileges on trusted operating systems (my guess is, commonly not; these systems have extremely strong security implemented in kernel code). By the way, Solaris 10 will include many key security features that were only available in Trusted Solaris before (including privilege sets and compartment-like process separation).
Book hint: "The Inside Story of the IBM iSeries" by Frank Soltis, the system architect of the iSeries 400 (aka AS/400) and OS/400; especially interesting because of the fact that this system's design is very different from common hard- and software architecture;
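The post above argues that fixed buffers with unchecked copies are where C programs go wrong, that std::string removes that class of bug, and that hardware which refuses an out-of-bounds write is the stronger version of the same idea. The following is an added example, not the poster's code, that puts the three side by side: a C-style record whose name buffer sits right next to a privilege flag (the layout in which an overrun overwrites the neighbour), a checked fill that refuses oversize input instead of corrupting it, a std::string record that has no fixed buffer to overrun, and std::array::at() as the software analogue of a bounds trap. The record layout, the 16-byte limit and the hostile input are constructed for illustration.

```cpp
// Added example: the C buffer idiom the post warns about, next to the
// bounds-aware alternatives it recommends. Nothing here actually overruns
// memory; the unsafe case is detected and refused rather than triggered.
#include <array>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>

// A record laid out the way a C programmer might: a fixed name buffer
// followed by a privilege flag. An unchecked strcpy() of a long name
// runs off the end of `name` and lands on `is_admin`.
struct UserRecordC {
    char name[16];
    int  is_admin;
};

// The size check that an unchecked strcpy() omits: true if `input` plus
// its terminating NUL would not fit in UserRecordC::name.
bool name_would_overflow(const char* input) {
    return std::strlen(input) + 1 > sizeof(UserRecordC::name);
}

// Defensive C-style fill: reject oversize input outright, so the flag next
// to the buffer can never be reached. Returns false when input is refused.
bool fill_record_checked(UserRecordC& rec, const char* input) {
    if (name_would_overflow(input)) return false;
    std::snprintf(rec.name, sizeof rec.name, "%s", input);
    rec.is_admin = 0;
    return true;
}

// The post's recommendation: std::string owns and grows its own storage,
// so there is no fixed buffer to overrun and no adjacent field to clobber.
struct UserRecordCpp {
    std::string name;
    bool is_admin = false;
};

UserRecordCpp make_record(const std::string& input) {
    UserRecordCpp rec;
    rec.name = input;  // keeps every byte, however long the input is
    return rec;
}

// Software analogue of the hardware pointer protection the post describes:
// std::array::at() validates the index and throws instead of touching memory
// past the end, where operator[] on a raw array would not.
int checked_read(const std::array<int, 4>& table, std::size_t idx, bool& ok) {
    try {
        ok = true;
        return table.at(idx);
    } catch (const std::out_of_range&) {
        ok = false;
        return -1;
    }
}

int main() {
    const std::string hostile(28, 'A');  // constructed input, longer than the C buffer
    UserRecordC c{};
    std::printf("C record accepts 28-byte name: %s\n",
                fill_record_checked(c, hostile.c_str()) ? "yes" : "no (refused)");
    UserRecordCpp cpp = make_record(hostile);
    std::printf("std::string record kept %zu bytes, is_admin=%d\n",
                cpp.name.size(), static_cast<int>(cpp.is_admin));
    bool ok = false;
    std::array<int, 4> table{1, 2, 3, 4};
    checked_read(table, 9, ok);
    std::printf("out-of-range read trapped: %s\n", ok ? "no" : "yes");
    return 0;
}
```

The C-style path only stays safe because the length check is present; remove it and the 28-byte name would write past `name` into `is_admin`. The std::string path needs no such check at all, which is the post's point about choosing the language and library over relying on every caller's discipline.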
See, I said that not upgrading my Apple Lisa would pay off in the end.
I agree (I should, I'm the parent-poster). Though I don't use OpenBSD, doubt I'll ever use it for my desktop (I use Debian/Gentoo), if you have something where security is vitally important, OS' other than OpenBSD just don't hack it.
social sciences can never use experience to verify their statemen
HAHAHAHAHAHAHAHA!A ! ...UAHAHAHAHA! (etc.)
BWUAAAAHAHAHAHAHAHAHAHAHAHAHAH
*GASP!*
*wipes tears from eyes*
I'll buy into the Linux isn't the heaven of security thing and also that we'll have some stuff heading our way once Unix desktops (Mac OS X and Linux) are mainstream and that there'll be some stuff to get sorted out. One being the riddance of the almighty root.
But good heavens, what a load of bullcrap this article is.
Give me a break. Windows XP is evidently the most insecure OS on the Inet ever! You can probably even root the damn thing through its media player using a pipe organ emulating modem tones. Every Idiot on this entire planet can write an Outlook-compatible VBScript two-liner that formats your HD, blows your UPC, floods the Net with "Bigger Dick NOW!" E-Mails and Sasser rip-offs and shuts down the power grid on your entire block.
And now these silly f*ckers throw about with statistics listing the amount of security warnings and using them to rate the secureness of an OS? Give me a f*ckin' break, man. These people probably just got some Mickeysoft gold partner contract shoved up their behind and now wanna play nice with the dark side.
What a truckload of nonsense. I can't believe this makes it onto an IT webzine nowadays.
We suffer more in our imagination than in reality. - Seneca
see Subject.
But these are still isolated systems where people are handed accounts. The history of Internet security on Unix still sucks. This is evident in IPv4 and SMTP, where trust is simply assumed, or sendmail where debugging features, with root-level access, are built into the product itself.
It is a very different world we have today. You don't have a dumb terminal hanging off of a mainframe, or an individual PC hopelessly disconnected, and all of the current OSes aren't built for this. All they can do is adapt.
The Windows XP Pro list includes:
- Microsoft Windows 14 Vulnerabilities
- Microsoft Windows RPC/DCOM Multiple Vulnerabilities
- Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
- Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone.

Actually, Secunia tend to publish alerts based on the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.
Andrew Yeomans
$10 says that when they considered MacOS X and Linux distributions they included bug and security releases for all the packages that are available for the distribution, not just for the core OS/core set of functionality.
I'm fairly certain that there've not been 30+ kernel exploits in a year for Linux, ever.
Windows XP offers a significantly smaller subset of what a Linux distro offers. What's combined in Linux all depends on what the task of the server is.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
GATUS: "Quick now, release the article."
MARCELLUS: "Yes my Lord. As you wish."
GATUS: "We've proven Windows is secure! Now let's feast."
1. Comparative studies exist.
2. Comparative studies need funding.
3. Was this study funded, however indirectly through international shills, by Microsoft?
Q.E.D. The whole study was a pretense to read about Microsoft, helping them advertise.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Remember, it ain't a vulnerability if we don't tell anyone about it...
Meanwhile, Sc71pt k1ddi3z run wild on your OS.
What complete crap. Let's look at their statistics without being completely brain dead.
To get the reported "36 advisories" for Mac OS X, they have to count 2002, 2003, and 2004. See for yourself: . Yet to get the reported "46 advisories" for Windows XP Professional, they have to count only 2003 and 2004. They left out an entire year. Count Windows over the same years as they're counting Mac OS X, and Windows XP Professional has 61 advisories.
They lump together all versions of Mac OS X, including Server. For example, the sendmail bug only affects 10.2.x and 10.1.x, not 10.3.x, which does not ship with sendmail. And the Apache 2 bug only affects Mac OS X Server. Yet they only consider one version of Windows, Windows XP Professional. It would take too long to figure out all the bugs they left out on Windows, but one category is easy: Microsoft IIS, their equivalent to Apache (which they considered on the Mac), has ten advisories listed over 2002-2003-2004. So that brings the total to 71.
They throw in Quicktime bugs for the Mac, but leave out Windows Media Player on Windows. That's 2 more for Windows, bringing its total up to 73.
And it gets a lot worse. They happily throw in the Safari bugs into the Mac OS X list, but they only throw in one IE bug into the Windows list. Go to the IE 6 page and see for yourself. There's 54 bugs listed on their Internet Explorer 6 page for 2002-2003-2004; their web browser alone is more vulnerable than all of Mac OS X put together. That brings the Windows total up to 127, more than three and a half times the Mac OS X.
If they scrutinized Windows the same way they did the Mac, it wouldn't look so "surprising" at all. It would just confirm what we've all known: the Mac isn't perfect, but it's a heck of a lot better than Windows.
hate (Pronunciation Key: hāt)
v. hated, hating, hates
v. tr.
To feel hostility or animosity toward.
To detest.
To feel dislike or distaste for: hates washing dishes.
The Safari browser hole didn't allow superuser code to be run, only the particular user's code - *any time* setuid is used on OS X, it will pop up a password dialog, and if you're dumb enough to not Cancel an unprovoked password demand, you deserve to be r00ted.
Contrast this with the Windows (and Linspire...) model, where Joe User is already root, and the ability to run arbitrary user code becomes a lot more of a problem. OS X isn't "perfectly secure", nothing short of a totally unplugged box is, but it is a hell of a lot MORE secure than Windows.
Facts do not cease to exist because they are ignored. - Aldous Huxley
The article goes for OpenBSD in a way too. It is a really insecure system by design and the project team's policies make it even worse.
They outright LIE to maintain their "clean status" and are technically years behind the rest.
I find it interesting that they creatively left out the count of actual security holes found on Windows XP and only reported the percentage. I'm betting that the amount of critical flaws in Windows XP is actually a lot higher (in count, not percentage) to any of the other operating systems compared.
Did anyone else notice this creative trick to NOT display the statistics for Windows XP?
I dunno about you guys... but to me, it isn't the "percentage" of bugs that allow system compromise, but how many, period. =P I love it how people can bend statistics to make their favorite (or their sponsor) company look better.
Anyone know the missing statistic from the article?
From Secunia Virus Statistics web page:
Indicates the percentage of scans that resulted in a found infection (e.g. 1% means that in 10.000 virus scans, 1.000 of these scans resulted in found infections).
They did this twice, too. So does 1% equal one percent of machines infected, or ten percent?
(I refer to this as "Oakland School Administration math" because a high administrator of the Oakland California schools, while testifying before the state legislature, cited the percentages of black teachers in Oakland schools vs. black people in the US population, with the percentage far lower for the teachers. But in the same testimony she gave the actual numbers of black teachers and total teachers, and in fact the percentage of black teachers in their schools was far HIGHER than blacks in the general population. She'd blown the percentage computation. Doubly funny, since she was testifying about how the new teacher certification tests were unfair because they required far too much arithmetic.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The Safari bug you're referring to could have (before it was patched a few weeks ago) allowed someone to 1) run arbitrary code 2) as the user who is running Safari, 3) using whatever available binaries are on the system. This is a FAR CRY from "r00ting," which would require superuser privilege elevation.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
I work on Mac OS X Panther, Windows XP, and Fedora Core 2. For me, I personally haven't had hacking or virus troubles on any of those systems. Indeed, Windows XP has had other problems of its own, but security has never been an issue for me.
Why? Same old thing - be vigilant about patching your system and do virus scans regularly. Apply at least basic firewalls. Turn off window pane viewing and complex html in external mail programs. Don't download attachments unless you're sure of what they are.
In reality, security of your system comes down to whether or not you're a dumbass. I know that there are extreme cases where someone is made to suffer even if they did all they possibly could, but for the home user those seem few and far between.
I do wish that my systems came with better security from the outset, but that doesn't mean I wouldn't remain vigilant. People with home or car alarms still don't leave their doors unlocked, neither should we neglect the personal responsibility of our computers.
There's a lot of religious fervor about which system is better whenever there's an article like this. People who bicker about it on slashdot don't really make much sense to me because any person that's reading slashdot in the first place is probably smart enough to actually keep their system - whatever OS it may be - up to snuff. Generally speaking, the statistics in the article probably don't apply to "us" as much - they apply to the technologically limited.
I think it would actually be kind of scary to see stats on slashdot users' computers!
Every article I've ever read from Secunia is vastly overexaggerated utter rubbish.
Please stop using them as a source, for real news.
Thank you!
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
You don't need root to do the things most malware/trojan programs do. This is doubly the case for non-secured windowing systems like Quartz.
This is crap. The article is crap, these researchers are crap. MacOS X is baddass.
Fuck off you PC weenies.
sshd, http, ftp, smb all don't normally work unless you let them. So defence is better.
...)This even applies to the task bar beside the clock in Windows.
The simple fact is that the Microsoft OS protection system is 5 years out of date, and the Linux desktop interface is 5 years out of date. Basically, one worked on defence, one worked on pretty; now both are doing catch-up. The question is which one gets there first.
Of course I tell people to shut down any service they have no use for (daemon
Basically people are given a computer and given no protection information. Note we don't leave houses without door locks any more, but we leave computers without them. (Linux has one well-built door lock built in, the firewall; Windows is only getting started on its.)
Top 10 Viruses/Worms last 24 hours: Score 10/10 x 2 for W32 platform.
Approximate (sic) viruses on my 3 Macs over the past 18 months: ZERO.
No. of EMail viruses received: 811. No. of Exploits: Nil (all for W32).
OS/X works in theory, but will it work in practice?
GjB@irl
While you have many valid points, still, security was built in from the very beginning. And many of the holes were patched while the cost of doing so was only a campus machine needing a reboot (well, not *quite* that simple, but close)!
OTOH, you could point to spam as an example of one place where the patching didn't get applied in time, so now it will be a HUGE job to fix things. And the fix will need to be right the first time.
I think we've pushed this "anyone can grow up to be president" thing too far.
Any language, natural or otherwise, is a code, in which meaning is derived from words (spelled properly) arranged meaningfully with other words and punctuation. Unless both sender and receiver decode the message using the same rules and syntax, information will be garbled, if not dangerously corrupted. If the rest of the world thinks '"' means "inch", and Spinal Tap think '"' means "foot", well...
We all know this. We're all grammar nazis. The ones that aren't write bad code, bad specs, bad documentation, bad support e-mails, bad comments, and bad posts to slashdot.
That said, as an olive branch to those who argue otherwise, I will not bother proofreading this post.
I've seen this article, and it's completely wrong... The reason is that they are basing the results on all the Linux programs, which means that they are using security advisories for programs even like X-Chat and such, advisories which MS will never release, so the vulnerabilities exist, but are hidden.
It's also been long known that IE and OE, and the entire internal infrastructure of Windows, are insecure, while Linux can be set up without those problems (I personally would never set up a public remote shell using Windows).
It also doesn't take into account a lot of things such as ProPolice, or other systems that are commonly enabled on Linux distributions today.
Don't give this article any credit. Because I bet that if we compared the internal list from Microsoft of known security flaws with all the internal lists of Linux, then there would be a clear winner security-wise.
The only people who use public exploits to highlight the security of operating systems are either highly incompetent security "experts", or people trying to bend the results, like what MS tried to do previously by comparing an ancient copy of Red Hat to Windows 2003.
This is exactly my experience. I usually get said automatic updates by email from my friends.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
That's because you do things ASS backwards.
First you patch it up, then you connect it to the internet.
I think you missed it. Try again.
I'm sorry, I hate to be a Mac zealot, but...
A friend buys a Windows PC. Eventually I will almost certainly have to repair their system after they load a trojan, get a virus, or spyware. If they call me about their computer it's something messy, like a driver that doesn't work or a corrupt registry.
A friend buys a Mac. I never have to repair their computer. If they call me it's for advice on Word or Photoshop features. They never, ever call me regarding viruses/trojans or spyware. I never need to repair their system.
I know this is anecdotal, but it happens time and time again. Ask anyone who supports both Macs and PCs and they'll tell you.
So from my point of view, it doesn't matter whether the Mac is theoretically insecure. In my real-world experience I would much rather have my friends and family using Macs -- and that's just because of security, not to mention the other advantages of OS X.
No, I don't want to explore the Recycle Bin.
"I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive."
And I don't know just where you were living, but the first timeshare systems had passwords with no other security, and all users basically had access to all files. Read "Hackers". The primary goal was to share information -- security takes that away.
And the grandparent poster was right. We've only "given a fuck" since now home computers are being targeted, en masse. It used to be corporate servers, then corporate workstations. Virus/worm writers are deliberately trying to take over home machines, and that's where the real danger comes out.