Slashdot Mirror
More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
They're just looking for excuses to downplay the results of the report.
How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security.
Shouldn't Slashdot link to some more insightful analysis?
-- Ed Avis ed@membled.com
They are not Microsoft.
Therefore
They are beyond criticism.
Anything that is not Microsoft, and makes us feel like the hipper kids in the street, is automatically beyond criticism. We all wish we were the rich kids in Redmond, but since we're townies instead, we will speak ill of them any time we can. Macintosh is not from Redmond. True, they are greedy and wealthy. But they are not our enemy so they are us.
(See also Apple's identity problem.)
technical writing / development
No artificial metric really matters in the security landscape.
In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
but I'd hate for MacNN to get any ad revenue or new, regular visitors from the traffic this will generate.
/. post : http://www.rudis.net/content/2007/12/18/macnn-editors-egg-nog-consumption-increases-disastrous-results
I posted my retort on this just before the
I wish non-security folks would stop reporting on security "stuff"... I can't wait for NPR, CNN and Fox to run with this "breaking news!" tonight or tomorrow.
Mind the gap...
Linux costs more than Windows.
Open standards are bad for the economy.
Software patents are good for the economy.
Microsoft is a nice company.
Windows Vista is more secure than Mac OS/X.
OOXML is better than ODF.
Buying votes is a good way to build new standards.
People remain with Windows because they like it.
Firefox is less secure than Internet Explorer.
They're not really people, anyway...
My blog
Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.
this whole article should be modded flamebait, counting vulnerabilities is a useless way to compare operating systems
Apple is the light, the truth and the way.
First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slowerthan other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
So let me see, we will have:
Assorted stuff I do sometimes: Lemuria.org
Why can the world accept Mac users for who we are? Stop spreading misinformation about the dangers of network intercourse!
I'm not a Mac user at all, but I'm will to bet, there is a substantial number of pirated, unpatched copies of Windows out there that you can count each one as a vulnerability in itself.
I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.
I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.
On the other hand, I once opened my XP boxes IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS lockdown which really helps.
Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.
As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.
Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.
So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!
General, you are listening to a machine! Do the world a favor and don't act like one.
The simple number of vulnerabilities is not a good metric of security. I seem to remember that one of the Windows ones last year was one where displaying a picture in a web browser, ANY web browser, could compromise your machine. I don't remember seeing close to that severe for a Mac.
In fact you could make the argument the other way around: the reason there are so few fixes with Windows is because the problems are so big and far reaching that it takes a lot longer to patch them. This conclusion is also probably wrong but is just as valid as the one in the original post.
Let's assume that the software engineers working at all companies are equally qualified. On average, that will probably turn out to be true. Assuming that all programmers are equally qualified, let's assume, only for the sake of argument, that all software is released with a similar quantity of security flaws; say, X amount of flaws per Y amount of code. Now ask yourself this: Does having lots of fixes released on a constant basis imply something about the security of the company's product? Or does it imply something that is totally unrelated to software, which speaks not of the software's initial security status, but of the company's policy towards servicing flaws as they're found? I think that ultimately, all software will contain some level of bugs; the company's policy towards fixing them is what determines security.
I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.
He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?
The July patch closed that CVE, and the November patched more of it... It should count both times, since they said it was closed.
I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)
Vista was a lost cause from the get-go, and OSX is still largely a 'niche' operating system. Is comparing the number of exploits in either truly noteworthy?
There was a discussion about firefox and explorer security that this topic reminded me of.
Frankly, I would LIKE a product to ship flawless but realize I dont live in a fantasy world so prefer them to fix their flaws in a timely fashion as they find them and am happy that the Mac, Linux and BSD communities respond in such a fashion.
This is my sig. There are many like it but this one is mine.
You must be a virgin.
But Microsoft are a CONVICTED MONOPOLY!111!11
If you haven't made a developer cry, you've wasted a day.
Yeah, I just checked -- your logs don't show any bad stuff coming through the Macs. Still, I was surprised by what I got just by typing "Oracle Password" into Spotlight.
If you're looking at vulnerabilities on new installations, in particular. In that case, you'd be comparing the thousands of licenses sold for OS X this year to the dozens of licenses for Vista that were purchased voluntarily this year.
Even a blind squirrel gets a nut now and then. (:
THL phish sticks
Bush is the best President in history because he has fixed fewer problems.
Well, it has never been successfully tested.
I receive daily many security advisories about patches, updates and vulnerabilities discovered in most IT spheres. If I was to count flaws on every products, I would say that Linux and Unix products are the poorest products regarding vulnerabilities. Obviously it's not the case!
.EXE files???
It is far more critical to have a Microsoft Windows flaw than a Mac or a Linux flaw, since the product is more widespread, so more likely to be actively and successfully exploited. Dumbly counting the numbers is a strange way to say that a product is more secure. Do I have to remember anybody that most viruses and spywares are
Ya... doesn't take a genius to figure out, the more something is widely used by the public the more flaws/security holes will be discovered. Mac's are much better than Windows in handling security, however it's kind of a new brainer when Mac's haven't been so much in the "public" eye for years to not hear much about security flaws, yet when the public is now jumping on the bandwagon... more people are going to discover more things and this will peak the malicious interests... so big fat... "DUH"...
If it appears in a movie, it must be true.
Well, it has never been successfully tested.
Right?
And people wonder why our country is going to hell....
"Slashdot, where telling the truth is overrated but lying is insightful."
In the end, it is impossible to analyze the security of software by means of analyzing second-hand or third-hand reports, and extremely difficult to do so by means of black-box testing by means of probably incomplete documentation. However, I cannot seriously imagine Apple or Microsoft conducting a thorough security audit and software analysis. For that matter, I don't believe either could afford to do so. Microsoft may be rich, but Vista is big and the kind of skills required to conduct a comprehensive audit wouldn't come cheap, certainly not in the volume needed to conduct such an audit fast enough to get the results before software changes invalidated said audit.
(Having said that, given that the world economy is so utterly dependent on the reliability of the IT infrastructure these days, there is also the question of how long it will be before it is uneconomic at a global level for there not to be such an audit. If an audit would cost a trillion dollars over the course of a year, then it only requires the total direct and indirect cost to business and government over the entire globe from such flaws to be a trillion and one dollars over the course of a year for it to be worth it almost instantly. However, the costs of flaws will always add up with interest but a single audit might easily be sufficient for the lifetime of an OS, if it's good enough. Given a long enough shelf-life and a high enough interest rate, how unreliable can we afford to have any software these days?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I don't know which Windows Update you're counting, but I download 10 (on average) every month.
bash microsoft all you want however their new SDL is really making a difference in securing their products. of course they will continue to have issues it won't remove all the issues, however it has reduced their bug count big time. Take IIS 5/6/7 as a great example of how their process is making a difference. Bash away MS bashing zealots.
Believe me, if I started murdering people, there would be none of you left.
I clicked through a bunch of the vulnerabilities, and a lot of them are marked as reserved for future use. What's up with that? I think whatever script the dude used to compile this table, didn't work - either that or I don't understand the CVE process being used, because I don't see any indication of which systems are affected by them.
Anyway. Such a study is ultimately pointless, we already know that MacOS X and Windows are both seriously insecure. A single vulnerability in the tangled morass of code making up modern web browsers is typically enough to compromise the entire machine (Vista being an exception to this). A single vulnerability in *any* app which talks over the network is usually enough to get your code onto the machine, and from there you have free reign to do more or less whatever you want. Requiring root is no panacea, you don't need root to do the things modern malware wants to do anyway. As that's the entire OS X desktop security system right there, we can surmise that the primary advantage it has security-wise is just obscurity. (yeah, i know 10.5 is supposed to have MAC for some basic daemons etc .... wake me up when it is properly and widely applied to desktop apps).
So I took a look at a few sample vulnerabilities and it leaves me Flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real, hole that could be exploited on a default install without additional software being added, or it being reconfigured as Web server or something.
Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly cCritical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?
I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.
CVE-2007-5850 H
CVE-2007-5851 H
CVE-2007-5853 H
CVE-2007-5854 H
CVE-2007-5855 H
CVE-2007-5856 H
CVE-2007-5857 H
CVE-2007-5859 H
CVE-2007-5860 H
CVE-2007-5861 H
CVE-2007-5863 H
CVE-2007-6077 H
Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
I know that OS X is more secure, because I use it every day, and I can rely on it. I am a Mac fan boy, but only because Windows continued to let me down.
Any fool can talk, but it takes a wise man to listen.
OSX has lots of open source commands and daemons. It will be subject to more patches.
The fact there are more security holes being patches can also indicate there's more pro-active review.
George Ou.
I haven't used virus/"vulnerability" software on my Mac since OS 7. Still don't in OS X Leopard. All's well.
Comrades, I am a mac/ubuntu user who sort of tunes out Microsoft OS. So I don't really know this: In terms of practical security, is Vista a success? In other words as a haven for: the zombie army of spambots, viral/worm propagation, malicious spyware has Vista fixed the problem compared to XP? Forget theoretical exploits, has the tide turned? (Or does user ignorance negate any advances?) ---537
The Windows security problem count is front loaded by several years.
A similar argument can be made that there are more Mac security flaws this last year than Windows 95.
Instead of counting the number of security flaws over the last year, what happens to the number if the count is over that last two years. Three years. (You get the idea.)
----------
Any problem can be made unsolvable if there are enough meetings made to discuss it.
So I put the question to the crowd then...
Is Windows inherently more insecure than OSX for example?
True, you can say "security holes fixed != number of security holes", but then to even be equal on the score cards, Windows, as entire eco-system (Vista + XP) would still need 5 times more the number of vulnerabilities.
I put it to you my techie friends, Windows security isn't so bad after all and has evolved from non-existent to at least on the same footing with it's rivals (that's to say, I agree that I don't think this study can conclude much at all ultimately).
throw new NoSignatureException();
If it is not usable...It wont have any flaws
... until there is a self-replicating Mac virus in the wild.
Ever since they showed up a few years ago, Secunia seems to have been nothing but a pro-Windows, anti-everything-else trolling group. They've published countless "studies" claiming that Windows is more secure than god, every one of which involves some extremely skewed definitions of what constitutes a vulnerability and how one classifies its severity.
Some glorious day, perhaps slashdot will learn to ignore this variety of trolling (I'm looking at you, Cringely and Dvorak.). But until then, we'll all just need to ignore them individually.
Ballmer, is that you?
Mac OS X contains many third-party open source software packages. The bugs are found through source code auditing. These bugs may or may not become exploitable depends on how the code is used.
Just take a quick look at the bugs list. Most of them are found in third-party code like PCRE library. These are labeled "highly critical" without a demonstrable proof that it can be exploited. The software using PCRE is vulnerable to malformed regular expression strings, but I've never seen any software accepting arbitrary regular expression strings from another machine. (A web browser interprets JavaScript code from another machine, which may contain regular expressions, but JavaScript regular expression definitely isn't Perl compatible, so that's not PCRE.) Those same bugs also affect Linux. If you use Cygwin on Windows, these bugs also affect you, so they can be Windows bugs too.
On the other hand, since we can't audit proprietary Windows code, we only find bugs that are actually exploitable, in contrast to the open source bugs that are only potentially exploitable. Therefore, the severity of Windows bugs are vastly underrated compared to open source bugs. And there are more potentially exploitable bugs in Windows that we don't find, which aren't being counted.
That said, if you rely on bug counts and decide that Windows is more secure for you, I'd call you crazy.
Finally, why would Adobe Flash player bugs be counted as a Mac OS X bug?
I once had a signature.
Well, here's my token sound bite too...
MIcrosoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....lemonade was a popular drink and it still is
ssshhh....
dont forget linux is more attractive to target for "cool" things like IRC daemons, XDCC bots and whatever. What else has a compiler and a great remote interface (the shell)? Windows are great for a botnet, but nothing else really.
Once you toss PHP into the mix, Linux is a very insecure operating system. I'll take FreeBSD any day. Much more professional development team, better documentation, very stable (as in config management stable) and ports rule.
Of course, I have to post anonymously because if you say anything bad about linux, you'll get modded into the ground no matter how right you are.
They weren't counting vulnerabilities, they were counting successful attacks. When you count successful attacks windows still loses really big time. Vulnerabilities, meh.
You seem to be confusing Pirates of Silicon Valley with Triumph of the Nerds, which is an actual documentary.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Comment removed based on user account deletion
Comment removed based on user account deletion
NO! The proof is not in the pudding. That makes no fucking sense. The proof of the pudding is in the eating!
...can it go from Microsoft Vista to George Bush, Iraq etc. in a few posts
Repeating the groupthink here is way beyond any sort of organized bias, its now inbred into geekdom and a new dna test will soon emerge that will identify the gene that defines those who are born to believe the following-
-prefers mac or linus to windows regardless of obvious merits of all
-believes that no one can own intellectual property, in spite of deriving income or
some benefit from some intellectual property in some way, even if it was "way back when"
and will download to the hearts content and whine when property owners exercise their rights
-its the oil companies, GWB and Global Warming that is preventing widepsread linux adoption
-republicans stole the election from al gore while bill gates supplied the code to hack the
vote
This place should really be the Obama Campaign Headquarters being that is has become the token left wing blogspot for geeks...zzzzz
Macs R Stoopeed. Microsoft Wynndoze is moore Bettah!
One of IE bugs (currently exploited 0-day bug),
http://secunia.com/advisories/28036/
is not very pretty.
For example of Mozilla bugs,
http://secunia.com/product/12434/
vs. IE,
http://secunia.com/product/12366/
Of course, how the fsck how is 3rd party software the fault of the OS, I have no idea. IE is bundled, but can be disabled to browsing web sites (2003 server edition disables it). Most of the software is quite safe these days, but it still depends on how you use it. Exploits triggered by things like web browsers are the worst, but at least Vista addresses that issue by running IE in "lower than regular user account", not sure if that would protect vs. the IE bug in first link.
Summary: stop trolling for one side or another. If you get hacked it doesn't matter if you run Windows or Linux or BeOS.
You're honestly comparing one OS that comes with only a minimal featureset to a plethora of OSs, each of which comes with a full repository of applications?
Come on.
My new blog
Umm... I've been using Vista for 6 months now, and i have to admit, it ain't perfect - not by a long shot.
It's full of annoying bugs, stupid ideas etc, But unsecure? Far from it(Assuming the user has at least a bit of a common sense and logical thinking).
I've been using my Vista without any anti-virus anti-spyware etc stuff all the time without problems.
Now, i do scan my machine from time to time throughly, but i don't keep the software constantly monitoring etc.
Basically, the way i see it, Vista is at least as secure as any other OS out there,
assuming the user doesn't download and run any strange niceboobs.jpg.exe files(The same goes to linux with shell scripts for example(assuming chmod +x)).
Anyway, what i really wanted to point out is, Vista is crap, it's resource hungry and annoying sometimes but it sure as hell ain't that unsecure as most of you seem to think.
This ain't 2003 anymore and it ain't XP without service packs.
Mmm. Troll (but as there are real 'studies' that make the same error, I'll point it out). Your links say this at the top of the pages:
View Topics > Underlying OS > Linux (Any)
View Topics > Category > OS (Microsoft)
You're comparing security issues in applications that run on linux with security issues in Windows itself.
If you don't eat your meat, you can't have any pudding. How can you eat your pudding if you don't eat your meat?
Plus 5 leet0 points! for because it R teh funney! no seriously, that's hilarious.
Your last comments rather redundant though isn't it.
Obviously whatever OS you run once you're hacked, you're hacked but the whole point is that if an OS has more vulnerabilities then it's more likely to happen in the first place.
Well technically Apollo 11 had more things go wrong than did Apollo 1, but guess which one I would have rather been on?
http://www.mhall119.com
> I'll take FreeBSD any day. Much more professional development team, better documentation, ...right up until the point someone decides to run PHP apps. [snicker]
> very stable (as in config management stable) and ports rule.
A Pirate and a Puritan look the same on a balance sheet.
In that respect, any unix is more attractive including bsd.
But your right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
From the Mac-Fans...
- If a bank leaves the vault open and doesn't lock the front door, but only has 10 banks located randomly around the country, it is still the best and most secure bank, especially if they have pretty iMarble on the floors.
From the OSS-Fans...
- OS X sucks as much as Vista and everyone is evil.
From the Win-Fans...
- Holy Shit, we thought our crap sucked more than this.
"Assuming the user has at least a bit of a common sense and logical thinking"
You assume entirely too much.
Fifty watts per channel, baby cakes.
You would start getting 1 fps, rather than 2. That's a very visible difference.
Can you explain why Linux becomes a very insecure operating system with the addition of PHP, while FreeBSD with PHP is still a secure operating system (which is implied in your post)?
You must be new here. :)
This is a very old tactic by Microsoft supporters to make Windows look much more secure than Linux.
I think we are comparing Apples to Oranges here. (Sorry could not resist) But it is true Apple counts ever small nt pick fix to every program. For example the recent Mac OS update listed about two dozen fixes. Microsoft lumps this kind of stuff all together and counts it as one fix. The other thing is "Who cares" what mattersis the final result: No one, or "hardly anyone" runs anti-virus or anti-spyware software on a Mac. It is simply not required. The fire wall is open by default too. It is not needed. So given the fact that most Macs have the firewall disabled and no anti-whatever can anyone point to even one Mac that have problems. I'm sure some did but the problem is very rare. On the other hand even with firewalls and anti-virus programs widely used we do hear now and then about eople having problems with Windows PCs. I would have thought that Microsoft as a company would be embarrassed that an anti-virus industry even exists. The fact that it does speaks volumes about Windows. People say it s only because Windows is the majority OS, so it is targeted. Hell no. Could you imagine the "bragging rights" a hacker could get if he was able to write a Mac OS virus that would spread in the wild? Believe me this is the Holly Grail and there is strong motivation. Use this analogy, do termites eat wood houses because most are made with wood and they leave brick houses alone because there are so few of them "so why bother?" No, the engineers who wrote Mac OS X, Solaris, BSD and Linux simply used bricks and avoided the whole termite problem. They built and OS that viruses can't live in.
and you want to rag on MS for their patching efforts, apple are even worse and flat out refuse to patch some things till service pack time.
If you mod me down, I will become more powerful than you can imagine....
Wait a minute, slammer was an MS SQL worm! MS as in Microsoft, it doesn't run on any other O/S so that hurts your argument.
BC
the irony of this all, is that your post is only true on opposite day.
...why the botnets are almost 100% Mac OS X machines and why they get all the viruses. Windows is just so much more secure.
More than 60,000 Windows programs won't run on Linux.
>I'm going to post this here because Slashdot's been full of MS shills for the past
>couple of weeks
What do you mean by "MS shill"? Do you actually mean you believe that Microsoft actually pays people to post on Slashdot, or is that just an all purpose term for people that disagree with you? If I vote for someone other than you will you also call me an "MS shill"?
Maybe MS shills are a secret conspiracy set up by "the man" to "keep you down". That sounds like the best bet to me.
>On the other hand show me a significant linux virus or OS X exploit being used in the wild.
>Well? Where are they? Waiting.....
Please do not spread misinformation. It may be legitimate to choose linux over windows on a security basis, depending on what security concerns you have specifically, but it is simply untrue that linux is somehow magically immune to security threats. Both linux and osx have viruses and exploits which have been used "in the wild".
Just a little above this article is a slashdot article about a squirellmail exploit...
As for viruses for linux and osx, there are some out there. However, the reason they aren't as widespread as windows viruses is widely known... the amount of linux and osx machines on the network isn't dense enough. You can't spread a virus effectively if the affected species is really small and spread out. If you email 100 people at random with an email with a linux virus attached, it may not be received by a single linux user, thus that propagation mechanism just doesn't work. This is impossible with a windows virus.
NO no! I doubt...I think its Windows. Java Programming
Although I support OSX, WinXP (Vista as little as possible) and Linux at work, I mainly use WinXP at work and am fairly happy with it. I don't have mountains of crappy little systray thingies in there and keep the OS slimmed down to a minimum. At I have three Macs, with OSX 10.4 and 10.5. One of the reasons why I like Macs is because the Macs with such an enormous amount of software. I have music editors, video editors, DVD editors, photo editors, at least two web servers (apache and tomcat), document viewers (PDF and whatever else), Music juke boxes, a complete developers kit of software IDEs, numerous languages (bash, perl, php, python, ruby, java, objc, c, applescript) and the full complement of Unix tools.
While Windows has a fair amount of stuff in it (and apart from WMP, the quality is often somewhat disheartening, I must say - *Movie Maker* seems to be a typical Microsoft throw away application) and the amount and quality is improving, OSX simply has far far more. A lot of that stuff is 3rd party code, such as perl, tcpdump etc (these two feature prominently in the latest security patch) for which Apple is not really responsible, except, of course, for security updates to them as they become available.
Thus, I would say that a good portion of the Apple patches are to underlying Unix tools.
That doesn't of course excuse Apple or make Apple magically more secure than Windows, but it does show a decent sense of security responsibility. That said, even Microsoft is much better in the last year or so at providing security updates to its system. They have also deactivated things like the gaping holes in automatic macro execution in Outlook and Office in general, and even IE7 is no longer the bug magnet that IE6 used to be. BUT, Windows, by design, still has some flaws that are simply not present on other systems. The worst of the lot is ActiveX. The fact that Windows Update runs in the browser with an ActiveX control having direct access to your machine is something that simply should not be allowed to happen. Taking over a Mac remotely is not something that you often hear about.
I suspect however, that Vista, with its massive overkill in the security department, will mostly be better in terms of security as years go by. It's just a pity that Microsoft's implementation of sudo (UAC) as opposed to Apple's only using it for truly sensitive tasks makes users become desensitised to security.
Umm. no. I'm talking about:
Headline: Microsoft releases 3 patches on patch tuesday
Reaction: ZOMG!!! This just goes to show how much Windows sucks!!! Use Linux or Firefox or Thunderbird or MacOS!!!!
If you need web hosting, you could do worse than here
The culture around FreeBSD is more mature and they take things like local privilege vunralibilties more seriously. I lost interestest in Linux right about the time they decided the send the kernel versioning scheme straight to hell. When you roll out kernel level security fixes with new features, that is plain old amature.
PHP might leak like a sieve, but at least on FreeBSD I'm fairly sure when the next poorly written PHP app cannot run some damn injected script and get root. PHP apps are nutorious for leaking like a sieve, letting anybody run any damn code locally. On Linux, I can pretty much promise that the minute you run code you can get root somehow. PHP is a great scripting host for anybody looking to run local code on your server.
Basically, the linux kernel and the surrounding userland tools give me the creeps. I dont trust any of them at all - I remember back a few years ago, the man page (or was it the info page... another rant there) for "sudo" had a good long rant about how it was evil to have a "wheel" group. Look it up... it was there! Definitely not what I'd call "enterprise grade".
FreeBSD (and OpenBSD/NetBSD) are about the closest you can come to an enterprise grade operating system that isn't sponsored or sold by a corporation. It is a shame more vendors like dell didn't support freebsd on their servers. Linux is just amature hour.
Maybe it's only noticed because Apple fixes the bugs quickly?
Besides, which OS would be able to walk around on the internet without virus protection?
I am glad I have switched to Vista. Good bye Mac OS X.
The vulnerability count only prove that some people are very, very stupid. No amount of vulnerability counting will counter the fact that there are over 150000 various viruses, trojans and assorted other infections for Windows, with multiple vectors. The amount of viruses on OSX? None. Zero. Zip. Nada. And one Trojan. That makes a difference of what? 150000 to one? Anyone pretending that these counts mean a damn thing are shills or stupid. It's not that complex. You can count have all the automotive recalls among various manufacturers you want, but if only one manufacturers autos blow up on a daily basis, it doesn't matter shit how many recalls the other guy issues.
Fiat Homos et Pereat Theos
If you say so... [ymess.ro]
The report may be accurate, but all that really tells us is that Vista had more _disclosed_ vulnerabilities than OS X. While such a large difference (a factor 5!) is certainly cause for raising eyebrows, the concrete implications of these figures are far from clear. In particular, it says nothing at all about the relative security of the systems. Of course, people will use them that way.
Please correct me if I got my facts wrong.
How would you know how many vulnerabilities there actually are? It is impossible to exactly count them in Windows, or OS X. For example, Red Hat Desktop Workstation v5 has 70 vulnerabilities, while Windows Vista has 24, according to Secunia. That would contradict what most people think, but it is probably because Redhat is open source, while Windows is not. In this case, we are comparing two closed source operating systems, so the number of security vulnerabilities probably depended more on the testing each went through than the operating systems here.
Security by OBSCURITY (less users, thus, less of an attack surface area exists for potential interlopers) is what MacOS X enjoys. From the point of view of those who are out to make monies illegally via exploits online, attacking Windows (the MOST USED OS PLATFORM THERE IS, mind you) makes a hell of a lot more sense to do. If MacOS X (or Linux, or BSD, etc. et al) were the MOST used (especially on noobz/new folks to computing's systems)? The tables WOULD be turned, & for obvious reasons (in the eyes of attackers of personal computers/hackers/crackers).
Seriously, I have to say that despite the fact that the parent and grandparent posts are obviously flame bait, it's absolutely hilarious how the Mac community, the Linux community, and the overall anti-Microsoft community come out with their FUD and spin blazing any time anything indicates that perhaps Microsoft is doing good at something. You talk about how much more secure IIS 6 has been than Apache and people start working up these huge conspiracy theories about how Microsoft is hiding bugs and how Microsoft's bugs are all MORE vulnerable and MORE important so we should count them two or three times! Nevermind the fact that the other vendor has decided to describe their vulnerability as critical. Maybe they should invent "not-so-critical" and "zomg-critical" so that your biased classification of bugs would have more of a foundation than simply something you subjectively decided on your own. And yet through out all of this crying about security reports daring to rule in Microsoft's favor, none of the spin spewed by Mac and Linux lovers has any of the proof or evidence that is always demanded from statements made favoring Microsoft. Linux people are allowed to spew FUD all day and all night and have it accepted as gospel, especially if they support their contrived arguments by appealing to the authority of some other, more important Linux fanboy. Mac people are no different.
How about some current, factual evidence demonstrating that any of the crying and hot air being spewed below has some basis in reality? Secunia discloses their methodology, and they base it on factual information from reliable sources. Their research is favoring Microsoft. Can we have some actual research from the Mac or Linux community disproving anything that Secunia's research is showing? Is there anything documented that backs up the claims that Mac OS X and/or Linux has been more secure than Windows XP or Vista over the past year? Or is it all suppositions and FUD? Is it too much to ask that there be some kind of proof beyond forums full of fanbois? All I'm hearing is "Microsoft is hiding bugs", "Everyone knows (Linux|Macs) are more secure", "Vista sucks! Microsoft sucks!", and "uh oh, yet another Microsoft shill".
It's real easy to call someone a shill (ad hominem) and appeal to the authority of pro-Linux or pro-Mac e-magazine articles (which don't provide sources or any kind of empirical evidence to back up their assertions, making them as valuable as forum posts, except they're formatted nicer). How about you guys live up to the standards you've been demanding of Microsoft's PR department for years? Put your research where your mouth is.
Oh, and since I'm going to be called a MS shill by some idiot, let me ask another question. What happened to all of the Linux vs Microsoft server benchmarking? Linux guys were really hot on that for a long time. Then I recall Microsoft challenging Red Hat to a benchmark, which they declined. I haven't seen any Linux kiddies publishing benchmarks showing Apache is faster than IIS in a long time. I haven't seen benchmarks showing that Linux is faster than Windows Server in a long time. This used to be a favorite past-time of the Linux camp. What happened? Does epoll (2002) and/or aio (2002?) not keep up with I/O Completion Ports (1994)?
WTB more information from Mac and Linux camps to back up their name-calling towards people who dare speak in favor of Microsoft, and their unfounded claims of superior security and performance.
BT has BB
What are these "service packs" of Apple's that you speak of?
Sadly, I totally agree...a very large portion of articles posted here that have any negative connotation on Windows are often missing key facts and are played in the article description more than pac man.
/. and is Pro or anti Windows, do your own research.
/. Windows articles with a grain of salt when it could be EASILY changed by some filtering done by the editors.
My default rule is, if it is on
It's just tarded that we have to take
"How am I supposed to find Vista vunerabilities when I'm busy rebooting every 5 minutes?"
I hope everyone took the time to read the article, and to find other articles on the same data, or the data itself. Unfortunately, once again, I find myself having difficulty seeing past a slashdotter's inability to simply report information without introducing controversy on his own terms or relaying the bais of a bad journalist.
The only content of this post that wasn't quoted was in the form of the question "Is this report card's implication accurate, or is this a symptom of one company turning a blind eye [1]while the other concentrates on timely bugfixes," which is actually not a question.
One side of this supposed question, "Is this report card's implication accurate," suggests the data is flawed. OK, we can consider that good, yet obvious question, but I hope they back it up (they did not). The other side begins by accusing "one company" as "turning a blind eye (to problems)." This side of the question has already validated the first part of this supposed question, because this claim, if true, would invalidate any study that relies on such a company such as this to report security flaws without silently fixing them. I wonder which company they mean? The second part of the "question" continues, glorifying the "timely bugfixes" of the "other" company. Which company is which, here, slashdotter? You might as well come out and clearly accuse who you accuse so we can see how baised and unfounded those claims are without backup, no matter what name you put on these companies. Adding question marks at the end of a sentence doesn't always make it a question, but does sometimes help in evoking a lean in support toward a statement hidden inside a valid question, as the slashdotter did here. Also, notice the "[1]" citation's placement (on the "timely bugfixes" company's side). Citations/footnotes (unfortunately) add an immediate, and in this case, false sense of validity to information they're placed on. A reader could be misled to believe what the slashdotter wrote as a statement of fact if they did not notice this was simply linking to the article they read, in which case it belongs at the beginning of this "question." However, the entire statement portion of the question, including claims toward both of these ambiguous companies, is subjective, coming completely from the mind of the slashdotter, with no support to them, so validates no usage of any citation at all.
The slashdotter goes on to quote the author's statements against Windows Vista. The author failed to provide any details of Mac OS vulnerabilities, instead showcasing Apple's generosity in paying hackers to "hack" a Macbook, then give them a bunch of money and a free Macbook (thanks Apple! *ding!*). Herein lies both the author and the slashdotter's bais. I can't fault the slashdotter for reporting what they read, and not being objective about it, but this is clearly flame fodder to post like they have.
This slashdotter seems to have already made up his mind, but I hope you would read the article, and try to gather some more information from other sources. Citing some more sources that analyze the same data, or back up the seemingly baised statements made in the post, would have been helpful.
So for every 150000 PCs there is only 1 Mac? Your obscurity argument doesn't hold water. Mac OSX has plenty of marketshare to have at least a blip on the hacker radar. Unless, of course, you are suggesting that a computer system that has roughly 100 million machines online isn't worth anyone's time? Certainly there are enough anti-Mac bigots out there who would love to just hack a Mac one time, just to say they could?
The plural of anecdote is not proof.
For example, I have been using Windows 2000 without antivirus software for several years, and I have not had a virus on it even when I was using it on networks that had active network worms that were known to attack Windows 2000.
By your logic this means that Windows 2000 is at least as secure as any other OS out there.
What this means, actually, is that I actively track security lists and make sure that I am not using components of Windows that are known to have security flaws in ways that expose them to unknown data sources. For example, the only thing I used IE for is Windows Update, and I disable things like the messenger service, and so on.
This was also the policy I enforced as a network administrator, and that was more effective in keeping my part of the network secure than the official policy for our company... which included antivirus, but also required IE and required many known-insecure services be enabled.
IF the user is aware of the components that need to be avoided, Windows can be used safely.
But in the default configuration, Windows is wide open. Even Vista is still using inherently unsafe components, and using unproven internal firewalls and sandboxes to keep the computer as a whole secure even if one component is compromised. This is a potentially useful technique, but it should be a backup rather than a required part of the security model.
Apple is not innocent either. They have copied part of Microsoft's browser and desktop integration, albeit not the most dangerous part... but they have had several vulnerabilities that could have been completely avoided by NOT using the same LaunchServices database for both internal helper applications (such as those used Finder) and sandboxed ones (the ones that could be used by Safari), and by NOT treating files with known extensions as "safe" to open.
But compared to ActiveX?
flagged as troll and flaimbait. I responded directly to the person's post. I hate seeing people post things here acting like they know what they are talking about so i responded accordingly. a troll surfs around to find things to say just to get things stirred up. this was not a troll event! but to be honest, i could care less. ;)
"IE is bundled, but can be disabled to browsing web sites (2003 server edition disables it)." - by gnuman99 (746007) on Tuesday December 18, @03:51PM (#21743732) Some "FYI":
In Windows XP (not sure if it was SP #1, OR SP #2 that implements it though) you have IE in a "safe mode" also, very much like the one for IE6/IE7 in Windows Server 2003 outta the box stock, prior to any service packs it offered or came out later with.
It's a shortcut of IE7 that uses the -extoff switch on IE's commandline.
It's almost "hidden away", because it is stuffed into the Start -> All Programs -> Accessories -> System Tools folder... but, it IS there.
APK
P.S.=> I am not sure if this commandline switch works with IE6 & below, but I know it does with IE7, & yes... on XP as well as Windows Server 2003... apk
"So for every 150000 PCs there is only 1 Mac? Your obscurity argument doesn't hold water. Mac OSX has plenty of marketshare to have at least a blip on the hacker radar." - by stewbacca (1033764) on Wednesday December 19, @03:57PM (#21756254) Go tell a spyware maker that, ok?
I don't think you understand the motives of the people creating these things nowadays... std./traditional viruses are NOT what is prevalent out there today (I know, I have to remove them from @ least 4-5 systems a day, & I see what I see for years now doing it).
The creators of SPYWARE (the more prevalent threat out there today) are out to either:
1.) Get your bank account info.
2.) Get your credit card info.
3.) Use your machine to attack other machines
4.) Send spam mails
(& who KNOWS what else... the point being, write your malware to get the most "surface area possible" so it can corral the MOST machines it can to use them for said enumrated purposes above (& especially for the points noted above for what is MOST USED in the way of OS' out there today, Windows)).
His explanation holds plenty of water.
This is NOT about "bragging rights" bullshit: These people, like the RBM (Russian Business Network) are about making money, OR, selling off TONS of "botnetted" zombied systems for attack dogs for rent.
ALSO: DO YOU PAY ATTENTION TO SECURITY NEWS OUT THERE (& specifically, what methods get used in 99% of the attacks (roughly but consistently))?
Well, if not?
Most of the threats are javascript related, IFRames related, & lately Adobe Flash/Shockwave (heck, even adobe reader did) + Quicktime related as well (bad activeX controls also, such as RealPlayrer had VERY recently).
Are the browsers on other systems that use those addons for scripting impervious to said attacks, especially in their webbrowsers that call upon them for page rendering? No.
Windows is just "out there" more, & thus, the one to target, for the purposes enumerated above.
" I am a Mac fan boy, but only because Windows continued to let me down." - by AccUser (191555) on Tuesday December 18, @02:13PM (#21742070) Homepage Read, AND APPLY, what is listed here on a Windows 2000/XP/Server 2003 & even VISTA setup:
http://forums.tweaktown.com/showthread.php?s=95da64f88f66f615773c4e77ac12ca87&t=25596
& let Windows "let you down", no more, in terms of security...
Just by following a tool (CIS Tool) that guides you thru MOST of it, & then some more tips that page advises you on in 12 relatively simple steps & rules to use, you won't get "burned" by nearly as much malware of any kind IF any @ all anymore.
(Yes, sometimes you sacrifice some "glitzy" animations & such online, but big deal - better than paying for a spyware/virus/trojan/malware removal).
APK
P.S.=> I've been running the SAME setup since 2002 on 1 system here using the setup noted above on Windows Server 2003 & another system also using it here (not sharing files between them, just online via my LinkSys router), & no virus/trojan/malware/spyware etc. et al on EITHER of them... how? By simply applying what is noted above, & not being stupid... apk