Slashdot Mirror


Security Statistics and Operating System Conventional Wisdom

kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "

11 of 556 comments (clear)

  1. Again Windows only vs. RedHat/SuSE plus apps? by Knuckles · · Score: 5, Insightful

    I can't see it metnioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want to answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  2. They neglect to mention.. by EMR · · Score: 5, Insightful

    That OS X doesn't have any network service running when first installed!!.. Nothing, nada, zilch, zippo.. In order to get exploited you need to have something running that accepts connections.. The default install of the Mac OS X doesn't have a thing. Where as Windows has way too much enabled and exposed.. Most linux systems now days, while they may have some things running, most are only listenting to the internal host (not accessible outside the computer) and they default enable the firewall.

  3. Potential study problem by Synn · · Score: 5, Insightful

    The study compares security alerts between OSes, but one problem with that is that at least under Linux vendors not only release alerts for the core OS, but for applications as well.

    If The Gimp has a security issue a Linux vendor will issue an alert for it.

    If Photoshop has a security issue, MS won't inform you.

    Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, pluging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.

  4. Re:Mac OSX and Linux - face the facts by mangu · · Score: 5, Insightful
    How many independent reports have we seen that come to the same conclusion?


    I once read that Hitler ordered a report made, signed by a hundred scientists, proving that Einstein was wrong. When they asked Einstein about it, he answered "if I was wrong, one scientist alone would be able to prove it".

  5. Re:Missing Stats? by radicalskeptic · · Score: 5, Insightful
    The stats don't make sense to me. Here's what I see:

    Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

    So that would mean, multiplying 46 by 48% would give you the number of remote attacks, and multiplying 46 by 46% would give you the number of attacks enabling system access. So for Windows:

    • 22.08 remote attacks.
    • 21.16 system access attacks.


    Don't ask me why they are not integers. I suppose that some advisorys covered more than one bug?

    Now, for OS X:Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

    Using the same system as before, I got:

    • 21.96 remote attacks.
    • 11.52 system access attacks.


    So they're saying OS X allows HALF of the number of attacks that can gain access to a system as XP, but their conclusion is that "The myth that Mac OS X is secure, for example, has been exposed"???Hmmm....
    --
    WARNING: If accidentally read, induce vomiting.
  6. Correlation vs Mechanism by laudney · · Score: 5, Insightful

    In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to undertand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.

  7. Security reporting worse than you ever imagined by Frater+219 · · Score: 5, Insightful
    The reported study discusses the number and claimed severity of official security advisories for different systems. The factitious claims being made do not address the following problems:

    Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.

    A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?

    Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.

    Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.

    Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.

    Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.

  8. Re:Missing Stats? by zhiwenchong · · Score: 5, Insightful

    I think it's just a case of their phrasing being misleading.

    I believe they mean that
    1) Windows is not as insecure as YOU THINK
    2) Mac OS X is not as secure as YOU THINK (they assume Mac OS X users think that the operating system has 0 to few exploits)

    They're not really saying that Windows is more secure than Mac OS X. But the way the said it -- well, sure could mislead a lot of people.

  9. That depends upon how you count it. by khasim · · Score: 5, Insightful

    In the Forrester report referenced in that article, they only STARTED counting from the time Microsoft PUBLICLY admitted to a problem.

    Which, in many cases, was when Microsoft had a patch ready.

    But www.eeye.com had reported security holes to Microsoft for MONTHS before a patch was made available.

    In other words, if Microsoft NEVER admitted PUBLICLY to a security hole, that security hole would NEVER be counted in the Forrester report.

    http://www.eeye.com/html/research/upcoming/index .h tml

    For the current listing.

    With Open Source software, the vulnerability is usually discussed on the mailing list.

    So, if a hole is discovered in Linux, and discussed on the mailing list and a patch is released 48 hours later.....

    And then Red Hat releases a .rpm 24 hours later...

    Forrester would count that as a 3 day delay.

    You take the medium threat from www.eeye.com that is 49 days overdue (actually informed 109 days ago) and Microsoft releases a patch the same day Microsoft admits to the hole....

    Forrester would count that a 1 day or less delay.

  10. # Advisories != # Vulnerabilities != Security Risk by Trevin · · Score: 5, Insightful

    There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories can cover multiple vulnerabilities.

    The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP advisories, all I see are the core components, with the glaring omission of Internet Explorer (which these days is in fact a core component of the operating system).

  11. Telnet? You're missing the point by minion · · Score: 5, Insightful

    Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

    Bad example. There's a telnet service in Windows too.


    When was the last time telnet was exploitable? telnet is sniffable. Big deal, so is imap, pop3, smtp, http, you name it. Sniffing should not count against an OS - its a problem with the protocol, which is inherint to all internet based OSes. Heck, lets just say anything that uses TCP/IP is too insecure for internet access.

    Here's an example:

    RHSA-2004:174-09
    Fix: utempter local exploit.

    Ok. A local exploit. Granted, an exploit, but still, its a local exploit. This is what these so called "secuity" groups need to realize - webservers on the DMZ typically don't have local access for joebob to login to. Typically, they have ports 80,443, and maybe 22 open. So now, all of those 60+ exploits attributed to Red Hat become 0 (thats Zero, with a 0). True, Red Hat had more published advisories than Windows did in the same time period, but Windows didn't ship with nearly the amount of software Red Hat did, and no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall. It just doesn't happen.

    So all of these so called security groups can shove it, because thats not real world security. Why don't they do a study on how many linux/unix sys admins patch their boxes diligently vs how many windows admins bothered to patch their boxes with patches available months before code red and other internet problems plagued the internet?

    PS: On Windows, it'd be port 3389 (remote desktop), not port 22... And BOTH services (ssh and rdp) have had remote exploits available, so you can't retort with the "ssh is insecure" BS.

    --

    -- If we don't stand up for our rights, now, there will be no right to stand up for them later.