Slashdot Mirror


More Mac Vulnerabilities Than Windows In 2007?

eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"

7 of 329 comments

  1. Counting shows nothing by Ed Avis · · Score: 4, Informative
    --
    -- Ed Avis ed@membled.com
    1. Re:Counting shows nothing by ByOhTek · · Score: 4, Informative

      Actually he explained it, and it isn't wrong.

      Any exploit that occurred in both XP and Vista was only counted once for the total, not twice.
      Just as any exploit that occurred in both OS X.4 and X.5 was counted once, not twice.

      As long as he did the same thing on both operating system pairs, it's ok. Though he should have given a breakdown of the X.4 and X.5 bugcounts as well.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:Counting shows nothing by bunratty · · Score: 5, Informative
      --
      What a fool believes, he sees, no wise man has the power to reason away.
    3. Re:Counting shows nothing by Stephan Schulz · · Score: 4, Informative
      I checked out some of the bugs. A Windows bug was "unspecified bug in local procedure call may be used to execute arbitrary code" (one bug). For the Mac, it was "buffer overflow in handling of escape sequence \E\Q in PCRE library may allow crash (and possibly arbitrary code execution)" (one bug), "buffer overflow in handling of escape sequence \P\Q in PCRE library may allow crash (and possibly arbitrary code execution)" (second bug), ...

      As long as the bugs are counted at very different resolutions, and as long as very different functionality is compared, the numbers are worthless.

      --

      Stephan
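Both replies above turn on counting methodology: ByOhTek's point that a flaw affecting two releases of one OS should be counted once, and Stephan Schulz's point that one advisory split into several narrowly described bugs inflates the tally. The following is an added example, not code from the thread or from Secunia or ZDNet; every advisory record in it is constructed sample data, and it shows how the same small data set yields different "vulnerabilities per month" figures depending on those two choices.

```python
"""Toy vulnerability-count comparison (added example, constructed data).

Two counting choices the thread argues about are made explicit:
  1. whether a flaw affecting two releases of one OS family is counted
     once, or once per release, and
  2. whether one advisory that lists several distinct flaws is counted
     as one item, or as one item per flaw.
"""


# Constructed sample data (hypothetical, not real Secunia records).
# "versions" lists the releases an advisory covers; "flaws" lists the
# individually described bugs inside it.
ADVISORIES = [
    {"family": "Windows", "versions": {"XP", "Vista"}, "month": "2007-01",
     "flaws": ["unspecified LPC bug may execute arbitrary code"]},
    {"family": "Windows", "versions": {"Vista"}, "month": "2007-02",
     "flaws": ["Sidebar bug A", "Sidebar bug B", "Sidebar bug C"]},
    {"family": "Mac OS X", "versions": {"10.4", "10.5"}, "month": "2007-01",
     "flaws": ["PCRE overflow on \\E\\Q", "PCRE overflow on \\P\\Q"]},
    {"family": "Mac OS X", "versions": {"10.5"}, "month": "2007-02",
     "flaws": ["hypothetical single bug"]},
]


def count_vulns(advisories, family, *, per_version=False, per_flaw=False):
    """Count items for one OS family under a chosen methodology.

    per_version=True counts an advisory once per affected release (the
    double counting ByOhTek says the tally avoided); per_flaw=True counts
    every separately listed bug (the fine resolution Stephan Schulz saw
    in the Mac entries). Both default to the coarse, deduplicated count.
    """
    total = 0
    for adv in advisories:
        if adv["family"] != family:
            continue
        version_weight = len(adv["versions"]) if per_version else 1
        flaw_weight = len(adv["flaws"]) if per_flaw else 1
        total += version_weight * flaw_weight
    return total


def months_covered(advisories):
    """Number of distinct months the data set spans."""
    return len({adv["month"] for adv in advisories})


def per_month(advisories, family, **method):
    """Average count per month for one family under the given methodology."""
    return count_vulns(advisories, family, **method) / months_covered(advisories)


def comparison_table(advisories):
    """Return {method: (Windows per month, Mac OS X per month)} for every
    combination of the two counting choices."""
    table = {}
    for per_version in (False, True):
        for per_flaw in (False, True):
            name = f"per_version={per_version}, per_flaw={per_flaw}"
            table[name] = (
                per_month(advisories, "Windows",
                          per_version=per_version, per_flaw=per_flaw),
                per_month(advisories, "Mac OS X",
                          per_version=per_version, per_flaw=per_flaw),
            )
    return table


if __name__ == "__main__":
    for method, (win, mac) in comparison_table(ADVISORIES).items():
        print(f"{method:38s} Windows {win:.2f}/month  Mac OS X {mac:.2f}/month")
```

On this constructed data the two families tie under the coarsest method (one item per advisory per family), Windows comes out ahead when every listed flaw is counted, and they tie again when both per-release and per-flaw weighting are applied. The lesson is the one both commenters make: a single headline ratio is meaningless unless the counting rules applied to each side are stated and identical.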

  2. Nonsense by Cally · · Score: 4, Informative

    I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slower than other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  3. Re:News Flash: nothing has changed by wish bot · · Score: 5, Informative
    I'm going to post this here because Slashdot's been full of MS shills for the past couple of weeks, and you're conveniently close to the top of this thread.

    Security through obscurity will never beat actual security.

    Well, here's my token sound bite too...

    The proof's in the pudding.
    Microsoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant Linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....
    --
    lemonade was a popular drink and it still is
  4. Re:News Flash: nothing has changed by Bert64 · · Score: 4, Informative

    In that respect, any Unix is more attractive, including BSD.
    But you're right, many old school hackers will exclusively target Unix machines because they are simply more useful from their perspective. People typically only target Windows machines to run a particular program (their bot) which has a fixed set of built-in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
    You will rarely get an attacker interactively connecting to a hacked Windows system to do something, but this is common with compromised Unix systems. When a Windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on Unix, partly also because of the increased diversity of Unix systems.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!