Slashdot Mirror
More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
They're just looking for excuses to downplay the results of the report.
No artificial metric really matters in the security landscape.
In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.
this whole article should be modded flamebait, counting vulnerabilities is a useless way to compare operating systems
How did they total the vulnerabilities on different versions of Mac OS X? They need to combine them in the same way for comparison to be fair.
Even that isn't necessarily fair, though. If they combine them by summing, then vulnerabilities that appear in more than one version of Mac OS X would make Mac OS X look disproportionately bad simply because there have been many more versions of Mac OS X than Windows in the same period of time.
The only truly fair way to do these comparisons is to compare the number of vulnerabilities on each version of the OS separately. Any combining will skew the numbers one way or the other.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.
I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.
On the other hand, I once opened my XP boxes IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS lockdown which really helps.
Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.
As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.
Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.
So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!
General, you are listening to a machine! Do the world a favor and don't act like one.
The simple number of vulnerabilities is not a good metric of security. I seem to remember that one of the Windows ones last year was one where displaying a picture in a web browser, ANY web browser, could compromise your machine. I don't remember seeing close to that severe for a Mac.
In fact you could make the argument the other way around: the reason there are so few fixes with Windows is because the problems are so big and far reaching that it takes a lot longer to patch them. This conclusion is also probably wrong but is just as valid as the one in the original post.
you didn't read a single link in the parents post, did you?
Under the influence of Post-Cyberpunk Gonzo Journalism
I know you put a lot of work into what you feel is a clever post, but all you did was come across as the exact kind of poster you are describing. And your link is really irrelevant as it was Apple supporters (mostly) who over-played the outsider status, not Apple itself. What kind of half-baked value system do you employ when you decide who is cool by what OS they use? An OS is a tool and you should use what fits your needs best. I'm a media junky and like to dabble in editing, that makes OS X my best choice. If I were still a PC gamer, you can bet I would use Windows. But that doesn't excuse the long history of Windows security issues, and an article that spins a a year where Windows finally has fewer vulnerabilities than another OS as proof of progress is really just proof how many people don't get it. The bigger question is how those vulnerabilities were handled, from point of discovery to solution, and that is where MS always breaks down.
Bush is the best President in history because he has fixed fewer problems.
Well, it has never been successfully tested.
Absolutely. Vulnerability counts are worthless. Here's the simplest example I can think of:
My friend and I both maintain a tool of some sort. We both get ten security vulnerability reports sent to us each year. I patch ten security bugs ten minutes after they are reported and my friend sits on the first ten bugs for a year, then the next year, we both fix ten vulnerabilities in the second year. However, for a user that keeps their system patched, I have an average of slightly over zero exposed vulnerabilities, while my friend's software exposes slightly over ten. According to the vulnerability count, however, I had 20 and my friend had 10.
Check out my sci-fi/humor trilogy at PatriotsBooks.
So I took a look at a few sample vulnerabilities and it leaves me Flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real, hole that could be exploited on a default install without additional software being added, or it being reconfigured as Web server or something.
Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly cCritical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?
I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.
I haven't used virus/"vulnerability" software on my Mac since OS 7. Still don't in OS X Leopard. All's well.
If it ships with the OS it should be patched by the OS company. If Apple shipped something with a flaw, Apple gets to patch it. Same for Microsoft.
You forgot another aspect as well. What if your friend sits on the problems, but doesn't report then as vulnerabilities, but instead reports them as bugs.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
... until there is a self-replicating Mac virus in the wild.
*okay, maybe I'm dating myself there.
"You know why you do not see me styling wit my homies? Because I have no homies!!" -Mojo Jojo
Agreed, although not all the "vulnerabilities" listed in this so-called study do ship from Apple, many are third-party applications that just run on OS X. Also, OS X includes a lot of cool tools with their OS, because they are free. 99.99% of the time, these tools are never used, let alone exposed to the outside world. For example, almost a third of the first 30 CVE's listed in this study apply to the same Perl, regular expression evaluator. Now how many users do you suppose turn on Apache and this module and make use of it on a Web page they're hosting from their home computer? I mean these tools are great for Web developers that want to test stuff on their workstation, but that is likely about all they are used for, in the very rare cases that they are used. That particular module accounts for 8 of the "vulnerabilities" in OS X listed.
It is fine to list these as vulnerabilities, but for a comparison to vulnerabilities in Windows, well they're pretty useless because of the use case as well as the dozens of other things wrong with this study. I mean, the OSS team developing this module lists each and every potential hole they an find on a public Website and it is counted by Secunia. Their list for MS includes only holes that have been discovered by the public and which MS has acknowledged. Since MS does not publish most of the bugs they find, none of those are counted against MS, including the ones they don't bother to fix (more than 50% according to an ex-MS developer I know).
Secunia knows this. Every respectable security expert knows this. The only problem is, random bloggers don't seem to know this, and write "articles" about it which get widespread readership, misinforming large numbers of people and leading them to make incorrect decisions that end up causing problems for everyone.
Ever since they showed up a few years ago, Secunia seems to have been nothing but a pro-Windows, anti-everything-else trolling group. They've published countless "studies" claiming that Windows is more secure than god, every one of which involves some extremely skewed definitions of what constitutes a vulnerability and how one classifies its severity.
Some glorious day, perhaps slashdot will learn to ignore this variety of trolling (I'm looking at you, Cringely and Dvorak.). But until then, we'll all just need to ignore them individually.
If you read some of the OS X vulnerabilities, you'll see that they're often in non-Apple software, such as CVE-2007-5476 (Highly Critical) which describes a "vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X". The Microsoft vulnerabilities tend to be referring only to the Microsoft software
Also, the way they rate vulnerabilities seems to be different. Microsoft "Highly critical" vulnerabilities seem to all be remote arbitrary code, and "Less critical" can be remote DoS, whereas "Highly critical" on OS X seems to sometimes include DoS. Infact, CVE-2007-4702 (less critical) doesn't even seem to be a security vulnerability. I thought it was discussed and found that the application firewall on OS X functioned as documented (though potentially not as a user would expect). CVE-2007-3036 and CVE-2007-0023 seem to describe similar vulnerabilities, but they're rated less critical on Windows than OS X.
I see. Someone makes a hypocritical post trashing a country, and that's not flamebait. Calling them on it is. I'll be sure to update my dictionary, because I'd always though it was the other way around.
I'd argue what really matters is how these vulnerabilities were discovered and what vulnerabilities have not been discovered, how these vulnerabilities have been reported and what vulnerabilities have not been reported, what the risk to normal users from vulnerabilities is, and (in the case of this article) which of these "vulnerabilities" are real and which are reserved numbers, only potential vulnerabilities, duplicates, and vulnerabilities that realistically cannot or will not ever be exploited.
In my opinion MS broke down when they did not perform the same level of code review, did not find as many potentially security related bugs, did not fix half the bugs they did find, and did not report either the bugs they found or even all the bugs they fixed. And then, or course, the speed with which those bugs they found, fixed, and announced were actually patched.
It depends what you mean by an 'exposed vulnerability'. There is often a mindset that until a vulnerability is publicly disclosed, it cannot be exploited, and so it is the act of disclosure that creates security risks, rather than the act of writing the buggy code in the first place. If you are counting 'exposed vulnerabilities' you need to count exposure time from the date the vulnerable code was released to the date it was withdrawn or patched - not just counting from some arbitrary public disclosure date. The bug existed long before the program's author found out about it.
-- Ed Avis ed@membled.com
An improved metric would be the duration between announcement and fix for each vulnerability, totaled in some fashion. It doesn't take into effect severity, though.
Well technically Apollo 11 had more things go wrong than did Apollo 1, but guess which one I would have rather been on?
http://www.mhall119.com
"Assuming the user has at least a bit of a common sense and logical thinking"
You assume entirely too much.
Fifty watts per channel, baby cakes.
Can you explain why Linux becomes a very insecure operating system with the addition of PHP, while FreeBSD with PHP is still a secure operating system (which is implied in your post)?
You must be new here. :)
This is a very old tactic by Microsoft supporters to make Windows look much more secure than Linux.
Wait a minute, slammer was an MS SQL worm! MS as in Microsoft, it doesn't run on any other O/S so that hurts your argument.
BC
>I'm going to post this here because Slashdot's been full of MS shills for the past
>couple of weeks
What do you mean by "MS shill"? Do you actually mean you believe that Microsoft actually pays people to post on Slashdot, or is that just an all purpose term for people that disagree with you? If I vote for someone other than you will you also call me an "MS shill"?
Maybe MS shills are a secret conspiracy set up by "the man" to "keep you down". That sounds like the best bet to me.
>On the other hand show me a significant linux virus or OS X exploit being used in the wild.
>Well? Where are they? Waiting.....
Please do not spread misinformation. It may be legitimate to choose linux over windows on a security basis, depending on what security concerns you have specifically, but it is simply untrue that linux is somehow magically immune to security threats. Both linux and osx have viruses and exploits which have been used "in the wild".
Just a little above this article is a slashdot article about a squirellmail exploit...
As for viruses for linux and osx, there are some out there. However, the reason they aren't as widespread as windows viruses is widely known... the amount of linux and osx machines on the network isn't dense enough. You can't spread a virus effectively if the affected species is really small and spread out. If you email 100 people at random with an email with a linux virus attached, it may not be received by a single linux user, thus that propagation mechanism just doesn't work. This is impossible with a windows virus.