Slashdot Mirror


More Mac Vulnerabilities Than Windows In 2007?

eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"

16 of 329 comments

  1. Counting shows nothing by Ed Avis · · Score: 4, Informative
    --
    -- Ed Avis ed@membled.com
    1. Re:Counting shows nothing by ByOhTek · · Score: 4, Informative

      Actually he explained it, and it isn't wrong.

      Any exploit that occurred in both XP and Vista was only counted once for the total, not twice.
      Just as any exploit that occurred in both OS X.4 and X.5 was counted once, not twice.

      As long as he did the same thing on both operating system pairs, it's ok. Though he should have given a breakdown of the X.4 and X.5 bugcounts as well.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:Counting shows nothing by bunratty · · Score: 5, Informative
      --
      What a fool believes, he sees, no wise man has the power to reason away.
    3. Re:Counting shows nothing by Stephan Schulz · · Score: 4, Informative
      I checked out some of the bugs. A Windows bug was "unspecified bug in local procedure call may be used to execute arbitrary code" (one bug). For the Mac, it was "buffer overflow in handling of escape sequence \E\Q in PCRE library may allow crash (and possibly arbitrary code execution)" (one bug), "buffer overflow in handling of escape sequence \P\Q in PCRE library may allow crash (and possibly arbitrary code execution)" (second bug), ...

      As long as the bugs are counted at very different resolutions, and as long as very different functionality is compared, the numbers are worthless.

      --

      Stephan

    4. Re:Counting shows nothing by dgatwood · · Score: 2, Informative

      Right. Well, that's another example of the more general point I was alluding to, which is that the only vulnerabilities we know about are those that have either been disclosed by the company or disclosed by somebody who got pissed off waiting for the company to fix the bugs. The result is that vulnerability counts can be severely underreported, and you are at the mercy of the company's honesty and competence at deciding which bugs are security bugs when you try to determine how accurate your vulnerability numbers are.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Not really objective by UnknowingFool · · Score: 3, Informative

    First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  3. Nonsense by Cally · · Score: 4, Informative

    I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slower than other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  4. Reissue only counts once? by TheSkyIsPurple · · Score: 3, Informative

    He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?

    The July patch closed that CVE, and the November patched more of it... It should count both times, since they said it was closed.

    I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)
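
The three counting questions raised in this thread (ByOhTek's rule that a bug shared by XP/Vista or 10.4/10.5 counts once per pair, Stephan Schulz's point that per-library entries and per-component entries are different resolutions, and the question above about whether a reissued fix counts again) can be made concrete with a small counter. This is an added example, not code from the thread or from Secunia; the advisory records, product names and "bug-NN" identifiers are constructed placeholders, not real advisories or CVE numbers.

```python
"""Added example: how a vulnerability count depends on counting resolution.

All records are constructed placeholders (not real advisories or CVE ids).
"""
from collections import defaultdict

# Constructed advisory records: (month, product release, set of bug ids).
# Two releases of the same OS family share an id when the same bug is
# fixed in both; a bug id appearing in a later month is a reissued fix.
ADVISORIES = [
    ("2007-07", "xp",    {"bug-01"}),
    ("2007-07", "vista", {"bug-01"}),                     # same bug, both Windows releases
    ("2007-11", "vista", {"bug-01", "bug-02"}),           # bug-01 reissued (incomplete fix)
    ("2007-08", "10.4",  {"bug-10"}),
    ("2007-08", "10.5",  {"bug-10"}),                     # same bug, both OS X releases
    ("2007-08", "10.5",  {"bug-11", "bug-12", "bug-13"}), # one library, three entries
    ("2007-09", "10.5",  {"bug-14"}),
]

# Which release belongs to which family (the "pairs" ByOhTek describes).
FAMILY = {"xp": "windows", "vista": "windows", "10.4": "osx", "10.5": "osx"}


def count_by_month(advisories, family, granularity="bug", reissues=False):
    """Return {month: count} for one OS family.

    granularity="advisory": count advisory entries (one per product release),
        so a bug fixed in both XP and Vista counts twice.
    granularity="bug": count distinct bug ids; an id shared by two releases of
        the same family is counted once.
    reissues=False: a bug id counts only in the month it first appears.
    reissues=True: a bug id counts again in every month it is reissued.
    """
    months = defaultdict(set)
    seen = set()
    for month, product, bugs in sorted(advisories, key=lambda r: (r[0], r[1])):
        if FAMILY[product] != family:
            continue
        if granularity == "advisory":
            months[month].add((month, product, frozenset(bugs)))
            continue
        for bug in bugs:
            if not reissues and bug in seen:
                continue  # already counted for this family in an earlier month
            seen.add(bug)
            months[month].add(bug)
    return {m: len(s) for m, s in months.items()}


def summarise(advisories):
    """Totals per family under each counting rule, to show how far they diverge."""
    rules = {
        "advisory": dict(granularity="advisory"),
        "bug": dict(granularity="bug", reissues=False),
        "bug+reissues": dict(granularity="bug", reissues=True),
    }
    return {
        fam: {name: sum(count_by_month(advisories, fam, **kw).values())
              for name, kw in rules.items()}
        for fam in sorted(set(FAMILY.values()))
    }


if __name__ == "__main__":
    for fam, totals in summarise(ADVISORIES).items():
        print(fam, totals)
```

On the constructed data the Windows family totals 3 advisory entries, 2 distinct bugs, or 3 if the reissued fix is counted again; the OS X family totals 4 entries or 5 distinct bugs, because the three single-library entries dominate once the shared 10.4/10.5 bug is merged. None of these numbers says anything about which platform is safer; the point is that a "per month" figure is meaningless until the counting rule is stated.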

  5. Re:Yawn by ILongForDarkness · · Score: 2, Informative
    True you can't compare a new OS to an old OS. Vista to OS 10.4 or 10.5 should be reasonably fair. As people have already said there is a bunch of open source stuff in the OS that Apple doesn't control, however, they chose to include it in their product so IMHO they own the bugs (if you don't like it then code your own functionality, or let the end user download it).

    Microsoft has come up with the idea of "Patch Tuesday" to control the update process. While your systems might be vulnerable for an extra few days (30 at most in a worst case), you also gain better control over the scheduling of staff to test and deploy the patches. You don't have to go to their website every morning to see if something came out (or have some service that does, a la auto update or what ships with linux distros). Is it better? Well for the security paranoid, no. However, being an IT manager myself, I can appreciate a company trying to make things predictable as much as possible for me. If my site has autoupdate enabled, and things stop working the day after patch Tuesday, the first thing I'll do is roll back a box to the day before and see if things start working again. If so, push the roll back to everyone, then hit the test servers/workstations, and localize the patch problems, to the specific patch/app combo that is the issue. Much, much better than having random crap pushed at random times.

  6. third party open source software by pikine · · Score: 3, Informative

    Mac OS X contains many third-party open source software packages. The bugs are found through source code auditing. These bugs may or may not become exploitable depending on how the code is used.

    Just take a quick look at the bugs list. Most of them are found in third-party code like PCRE library. These are labeled "highly critical" without a demonstrable proof that it can be exploited. The software using PCRE is vulnerable to malformed regular expression strings, but I've never seen any software accepting arbitrary regular expression strings from another machine. (A web browser interprets JavaScript code from another machine, which may contain regular expressions, but JavaScript regular expression definitely isn't Perl compatible, so that's not PCRE.) Those same bugs also affect Linux. If you use Cygwin on Windows, these bugs also affect you, so they can be Windows bugs too.

    On the other hand, since we can't audit proprietary Windows code, we only find bugs that are actually exploitable, in contrast to the open source bugs that are only potentially exploitable. Therefore, the severity of Windows bugs is vastly underrated compared to open source bugs. And there are more potentially exploitable bugs in Windows that we don't find, which aren't being counted.

    That said, if you rely on bug counts and decide that Windows is more secure for you, I'd call you crazy.

    Finally, why would Adobe Flash player bugs be counted as a Mac OS X bug?

    --
    I once had a signature.
  7. Re:News Flash: nothing has changed by wish bot · · Score: 5, Informative
    I'm going to post this here because Slashdot's been full of MS shills for the past couple of weeks, and you're conveniently close to the top of this thread.

    Security through obscurity will never beat actual security.

    Well, here's my token sound bite too...

    The proof's in the pudding.
    Microsoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....
    --
    lemonade was a popular drink and it still is
  8. Re:Counting vulnerabilities shows nothing by kholburn · · Score: 2, Informative

    They weren't counting vulnerabilities, they were counting successful attacks. When you count successful attacks windows still loses really big time. Vulnerabilities, meh.

  9. Re:Steve Jobs and Security by VGPowerlord · · Score: 2, Informative

    You seem to be confusing Pirates of Silicon Valley with Triumph of the Nerds, which is an actual documentary.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  10. Re:News Flash: nothing has changed by Renig · · Score: 1, Informative

    NO! The proof is not in the pudding. That makes no fucking sense. The proof of the pudding is in the eating!

  11. Re:News Flash: nothing has changed by gnuman99 · · Score: 2, Informative

    One of the IE bugs (currently exploited 0-day bug),
      http://secunia.com/advisories/28036/
    is not very pretty.

    For example of Mozilla bugs,
        http://secunia.com/product/12434/
    vs. IE,
        http://secunia.com/product/12366/

    Of course, how the fsck is 3rd party software the fault of the OS, I have no idea. IE is bundled, but can be disabled from browsing web sites (2003 server edition disables it). Most of the software is quite safe these days, but it still depends on how you use it. Exploits triggered by things like web browsers are the worst, but at least Vista addresses that issue by running IE in "lower than regular user account", not sure if that would protect vs. the IE bug in first link.

    Summary: stop trolling for one side or another. If you get hacked it doesn't matter if you run Windows or Linux or BeOS.

  12. Re:News Flash: nothing has changed by Bert64 · · Score: 4, Informative

    In that respect, any unix is more attractive including bsd.
    But you're right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
    You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!