Slashdot Mirror
More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
They're just looking for excuses to downplay the results of the report.
_0_
\''\
'=o='
.|!|
.| |
more goatse for everybody
How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security.
Shouldn't Slashdot link to some more insightful analysis?
-- Ed Avis ed@membled.com
They are not Microsoft.
Therefore
They are beyond criticism.
Anything that is not Microsoft, and makes us feel like the hipper kids in the street, is automatically beyond criticism. We all wish we were the rich kids in Redmond, but since we're townies instead, we will speak ill of them any time we can. Macintosh is not from Redmond. True, they are greedy and wealthy. But they are not our enemy so they are us.
(See also Apple's identity problem.)
technical writing / development
No artificial metric really matters in the security landscape.
In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
but I'd hate for MacNN to get any ad revenue or new, regular visitors from the traffic this will generate.
/. post : http://www.rudis.net/content/2007/12/18/macnn-editors-egg-nog-consumption-increases-disastrous-results
I posted my retort on this just before the
I wish non-security folks would stop reporting on security "stuff"... I can't wait for NPR, CNN and Fox to run with this "breaking news!" tonight or tomorrow.
Mind the gap...
Linux costs more than Windows.
Open standards are bad for the economy.
Software patents are good for the economy.
Microsoft is a nice company.
Windows Vista is more secure than Mac OS/X.
OOXML is better than ODF.
Buying votes is a good way to build new standards.
People remain with Windows because they like it.
Firefox is less secure than Internet Explorer.
They're not really people, anyway...
My blog
Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.
this whole article should be modded flamebait, counting vulnerabilities is a useless way to compare operating systems
Apple is the light, the truth and the way.
First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slowerthan other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
So let me see, we will have:
Assorted stuff I do sometimes: Lemuria.org
Why can the world accept Mac users for who we are? Stop spreading misinformation about the dangers of network intercourse!
XP has less flaws because it has been around so long. If they counted the number of UNPATCHED flaws, XP would definitely be on top.
Vista has no one using it, so no flaws are being sought.
Mac is middle-of-the-road, so it has a few.
News at 11...
Move along
I'm not a Mac user at all, but I'm will to bet, there is a substantial number of pirated, unpatched copies of Windows out there that you can count each one as a vulnerability in itself.
I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.
I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.
On the other hand, I once opened my XP boxes IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS lockdown which really helps.
Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.
As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.
Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.
So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!
General, you are listening to a machine! Do the world a favor and don't act like one.
Steve Jobs sneers at security, he does not take it seriously. Therefore, Apple does not take it seriously.
I was watching this real-time documentary called Pirates of Silicon Valley, and Jobs actually made fun of a guy in a job interview for being a virgin! He is a total a-hole.
The simple number of vulnerabilities is not a good metric of security. I seem to remember that one of the Windows ones last year was one where displaying a picture in a web browser, ANY web browser, could compromise your machine. I don't remember seeing close to that severe for a Mac.
In fact you could make the argument the other way around: the reason there are so few fixes with Windows is because the problems are so big and far reaching that it takes a lot longer to patch them. This conclusion is also probably wrong but is just as valid as the one in the original post.
Let's assume that the software engineers working at all companies are equally qualified. On average, that will probably turn out to be true. Assuming that all programmers are equally qualified, let's assume, only for the sake of argument, that all software is released with a similar quantity of security flaws; say, X amount of flaws per Y amount of code. Now ask yourself this: Does having lots of fixes released on a constant basis imply something about the security of the company's product? Or does it imply something that is totally unrelated to software, which speaks not of the software's initial security status, but of the company's policy towards servicing flaws as they're found? I think that ultimately, all software will contain some level of bugs; the company's policy towards fixing them is what determines security.
I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.
He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?
The July patch closed that CVE, and the November patched more of it... It should count both times, since they said it was closed.
I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)
Vista was a lost cause from the get-go, and OSX is still largely a 'niche' operating system. Is comparing the number of exploits in either truly noteworthy?
There was a discussion about firefox and explorer security that this topic reminded me of.
Frankly, I would LIKE a product to ship flawless but realize I dont live in a fantasy world so prefer them to fix their flaws in a timely fashion as they find them and am happy that the Mac, Linux and BSD communities respond in such a fashion.
This is my sig. There are many like it but this one is mine.
But Microsoft are a CONVICTED MONOPOLY!111!11
If you haven't made a developer cry, you've wasted a day.
Yeah, I just checked -- your logs don't show any bad stuff coming through the Macs. Still, I was surprised by what I got just by typing "Oracle Password" into Spotlight.
If you're looking at vulnerabilities on new installations, in particular. In that case, you'd be comparing the thousands of licenses sold for OS X this year to the dozens of licenses for Vista that were purchased voluntarily this year.
Even a blind squirrel gets a nut now and then. (:
THL phish sticks
Bush is the best President in history because he has fixed fewer problems.
Well, it has never been successfully tested.
I receive daily many security advisories about patches, updates and vulnerabilities discovered in most IT spheres. If I was to count flaws on every products, I would say that Linux and Unix products are the poorest products regarding vulnerabilities. Obviously it's not the case!
.EXE files???
It is far more critical to have a Microsoft Windows flaw than a Mac or a Linux flaw, since the product is more widespread, so more likely to be actively and successfully exploited. Dumbly counting the numbers is a strange way to say that a product is more secure. Do I have to remember anybody that most viruses and spywares are
Ya... doesn't take a genius to figure out, the more something is widely used by the public the more flaws/security holes will be discovered. Mac's are much better than Windows in handling security, however it's kind of a new brainer when Mac's haven't been so much in the "public" eye for years to not hear much about security flaws, yet when the public is now jumping on the bandwagon... more people are going to discover more things and this will peak the malicious interests... so big fat... "DUH"...
In the end, it is impossible to analyze the security of software by means of analyzing second-hand or third-hand reports, and extremely difficult to do so by means of black-box testing by means of probably incomplete documentation. However, I cannot seriously imagine Apple or Microsoft conducting a thorough security audit and software analysis. For that matter, I don't believe either could afford to do so. Microsoft may be rich, but Vista is big and the kind of skills required to conduct a comprehensive audit wouldn't come cheap, certainly not in the volume needed to conduct such an audit fast enough to get the results before software changes invalidated said audit.
(Having said that, given that the world economy is so utterly dependent on the reliability of the IT infrastructure these days, there is also the question of how long it will be before it is uneconomic at a global level for there not to be such an audit. If an audit would cost a trillion dollars over the course of a year, then it only requires the total direct and indirect cost to business and government over the entire globe from such flaws to be a trillion and one dollars over the course of a year for it to be worth it almost instantly. However, the costs of flaws will always add up with interest but a single audit might easily be sufficient for the lifetime of an OS, if it's good enough. Given a long enough shelf-life and a high enough interest rate, how unreliable can we afford to have any software these days?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I don't know which Windows Update you're counting, but I download 10 (on average) every month.
THAT'S NOT TRUE! THAT'S IMPOSSIBLE!
This text is only here to help circumvent the lameness filter which would not let me post the above yelling.
bash microsoft all you want however their new SDL is really making a difference in securing their products. of course they will continue to have issues it won't remove all the issues, however it has reduced their bug count big time. Take IIS 5/6/7 as a great example of how their process is making a difference. Bash away MS bashing zealots.
Believe me, if I started murdering people, there would be none of you left.
I clicked through a bunch of the vulnerabilities, and a lot of them are marked as reserved for future use. What's up with that? I think whatever script the dude used to compile this table, didn't work - either that or I don't understand the CVE process being used, because I don't see any indication of which systems are affected by them.
Anyway. Such a study is ultimately pointless, we already know that MacOS X and Windows are both seriously insecure. A single vulnerability in the tangled morass of code making up modern web browsers is typically enough to compromise the entire machine (Vista being an exception to this). A single vulnerability in *any* app which talks over the network is usually enough to get your code onto the machine, and from there you have free reign to do more or less whatever you want. Requiring root is no panacea, you don't need root to do the things modern malware wants to do anyway. As that's the entire OS X desktop security system right there, we can surmise that the primary advantage it has security-wise is just obscurity. (yeah, i know 10.5 is supposed to have MAC for some basic daemons etc .... wake me up when it is properly and widely applied to desktop apps).
So I took a look at a few sample vulnerabilities and it leaves me Flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real, hole that could be exploited on a default install without additional software being added, or it being reconfigured as Web server or something.
Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly cCritical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?
I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.
CVE-2007-5850 H
CVE-2007-5851 H
CVE-2007-5853 H
CVE-2007-5854 H
CVE-2007-5855 H
CVE-2007-5856 H
CVE-2007-5857 H
CVE-2007-5859 H
CVE-2007-5860 H
CVE-2007-5861 H
CVE-2007-5863 H
CVE-2007-6077 H
Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
I know that OS X is more secure, because I use it every day, and I can rely on it. I am a Mac fan boy, but only because Windows continued to let me down.
Any fool can talk, but it takes a wise man to listen.
OSX has lots of open source commands and daemons. It will be subject to more patches.
The fact there are more security holes being patches can also indicate there's more pro-active review.
George Ou.
I haven't used virus/"vulnerability" software on my Mac since OS 7. Still don't in OS X Leopard. All's well.
Comrades, I am a mac/ubuntu user who sort of tunes out Microsoft OS. So I don't really know this: In terms of practical security, is Vista a success? In other words as a haven for: the zombie army of spambots, viral/worm propagation, malicious spyware has Vista fixed the problem compared to XP? Forget theoretical exploits, has the tide turned? (Or does user ignorance negate any advances?) ---537
The Windows security problem count is front loaded by several years.
A similar argument can be made that there are more Mac security flaws this last year than Windows 95.
Instead of counting the number of security flaws over the last year, what happens to the number if the count is over that last two years. Three years. (You get the idea.)
----------
Any problem can be made unsolvable if there are enough meetings made to discuss it.
So I put the question to the crowd then...
Is Windows inherently more insecure than OSX for example?
True, you can say "security holes fixed != number of security holes", but then to even be equal on the score cards, Windows, as entire eco-system (Vista + XP) would still need 5 times more the number of vulnerabilities.
I put it to you my techie friends, Windows security isn't so bad after all and has evolved from non-existent to at least on the same footing with it's rivals (that's to say, I agree that I don't think this study can conclude much at all ultimately).
throw new NoSignatureException();
If it is not usable...It wont have any flaws
... until there is a self-replicating Mac virus in the wild.
Ever since they showed up a few years ago, Secunia seems to have been nothing but a pro-Windows, anti-everything-else trolling group. They've published countless "studies" claiming that Windows is more secure than god, every one of which involves some extremely skewed definitions of what constitutes a vulnerability and how one classifies its severity.
Some glorious day, perhaps slashdot will learn to ignore this variety of trolling (I'm looking at you, Cringely and Dvorak.). But until then, we'll all just need to ignore them individually.
I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!
OS X
Windows XP
I don't know why Vista doesn't have it's own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft), and search for Vista. Only four things show up...
And the worst one of all, of course, is Teh Lunix.
It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...
Security through obscurity will never beat actual security.
Ballmer, is that you?
Mac OS X contains many third-party open source software packages. The bugs are found through source code auditing. These bugs may or may not become exploitable depends on how the code is used.
Just take a quick look at the bugs list. Most of them are found in third-party code like PCRE library. These are labeled "highly critical" without a demonstrable proof that it can be exploited. The software using PCRE is vulnerable to malformed regular expression strings, but I've never seen any software accepting arbitrary regular expression strings from another machine. (A web browser interprets JavaScript code from another machine, which may contain regular expressions, but JavaScript regular expression definitely isn't Perl compatible, so that's not PCRE.) Those same bugs also affect Linux. If you use Cygwin on Windows, these bugs also affect you, so they can be Windows bugs too.
On the other hand, since we can't audit proprietary Windows code, we only find bugs that are actually exploitable, in contrast to the open source bugs that are only potentially exploitable. Therefore, the severity of Windows bugs are vastly underrated compared to open source bugs. And there are more potentially exploitable bugs in Windows that we don't find, which aren't being counted.
That said, if you rely on bug counts and decide that Windows is more secure for you, I'd call you crazy.
Finally, why would Adobe Flash player bugs be counted as a Mac OS X bug?
I once had a signature.
They weren't counting vulnerabilities, they were counting successful attacks. When you count successful attacks windows still loses really big time. Vulnerabilities, meh.
Comment removed based on user account deletion
Comment removed based on user account deletion
...can it go from Microsoft Vista to George Bush, Iraq etc. in a few posts
Repeating the groupthink here is way beyond any sort of organized bias, its now inbred into geekdom and a new dna test will soon emerge that will identify the gene that defines those who are born to believe the following-
-prefers mac or linus to windows regardless of obvious merits of all
-believes that no one can own intellectual property, in spite of deriving income or
some benefit from some intellectual property in some way, even if it was "way back when"
and will download to the hearts content and whine when property owners exercise their rights
-its the oil companies, GWB and Global Warming that is preventing widepsread linux adoption
-republicans stole the election from al gore while bill gates supplied the code to hack the
vote
This place should really be the Obama Campaign Headquarters being that is has become the token left wing blogspot for geeks...zzzzz
Macs R Stoopeed. Microsoft Wynndoze is moore Bettah!
Umm... I've been using Vista for 6 months now, and i have to admit, it ain't perfect - not by a long shot.
It's full of annoying bugs, stupid ideas etc, But unsecure? Far from it(Assuming the user has at least a bit of a common sense and logical thinking).
I've been using my Vista without any anti-virus anti-spyware etc stuff all the time without problems.
Now, i do scan my machine from time to time throughly, but i don't keep the software constantly monitoring etc.
Basically, the way i see it, Vista is at least as secure as any other OS out there,
assuming the user doesn't download and run any strange niceboobs.jpg.exe files(The same goes to linux with shell scripts for example(assuming chmod +x)).
Anyway, what i really wanted to point out is, Vista is crap, it's resource hungry and annoying sometimes but it sure as hell ain't that unsecure as most of you seem to think.
This ain't 2003 anymore and it ain't XP without service packs.
Plus 5 leet0 points! for because it R teh funney! no seriously, that's hilarious.
From the Mac-Fans...
- If a bank leaves the vault open and doesn't lock the front door, but only has 10 banks located randomly around the country, it is still the best and most secure bank, especially if they have pretty iMarble on the floors.
From the OSS-Fans...
- OS X sucks as much as Vista and everyone is evil.
From the Win-Fans...
- Holy Shit, we thought our crap sucked more than this.
"Assuming the user has at least a bit of a common sense and logical thinking"
You assume entirely too much.
Fifty watts per channel, baby cakes.
You would start getting 1 fps, rather than 2. That's a very visible difference.
I think we are comparing Apples to Oranges here. (Sorry could not resist) But it is true Apple counts ever small nt pick fix to every program. For example the recent Mac OS update listed about two dozen fixes. Microsoft lumps this kind of stuff all together and counts it as one fix. The other thing is "Who cares" what mattersis the final result: No one, or "hardly anyone" runs anti-virus or anti-spyware software on a Mac. It is simply not required. The fire wall is open by default too. It is not needed. So given the fact that most Macs have the firewall disabled and no anti-whatever can anyone point to even one Mac that have problems. I'm sure some did but the problem is very rare. On the other hand even with firewalls and anti-virus programs widely used we do hear now and then about eople having problems with Windows PCs. I would have thought that Microsoft as a company would be embarrassed that an anti-virus industry even exists. The fact that it does speaks volumes about Windows. People say it s only because Windows is the majority OS, so it is targeted. Hell no. Could you imagine the "bragging rights" a hacker could get if he was able to write a Mac OS virus that would spread in the wild? Believe me this is the Holly Grail and there is strong motivation. Use this analogy, do termites eat wood houses because most are made with wood and they leave brick houses alone because there are so few of them "so why bother?" No, the engineers who wrote Mac OS X, Solaris, BSD and Linux simply used bricks and avoided the whole termite problem. They built and OS that viruses can't live in.
...why the botnets are almost 100% Mac OS X machines and why they get all the viruses. Windows is just so much more secure.
More than 60,000 Windows programs won't run on Linux.
>I'm going to post this here because Slashdot's been full of MS shills for the past
>couple of weeks
What do you mean by "MS shill"? Do you actually mean you believe that Microsoft actually pays people to post on Slashdot, or is that just an all purpose term for people that disagree with you? If I vote for someone other than you will you also call me an "MS shill"?
Maybe MS shills are a secret conspiracy set up by "the man" to "keep you down". That sounds like the best bet to me.
>On the other hand show me a significant linux virus or OS X exploit being used in the wild.
>Well? Where are they? Waiting.....
Please do not spread misinformation. It may be legitimate to choose linux over windows on a security basis, depending on what security concerns you have specifically, but it is simply untrue that linux is somehow magically immune to security threats. Both linux and osx have viruses and exploits which have been used "in the wild".
Just a little above this article is a slashdot article about a squirellmail exploit...
As for viruses for linux and osx, there are some out there. However, the reason they aren't as widespread as windows viruses is widely known... the amount of linux and osx machines on the network isn't dense enough. You can't spread a virus effectively if the affected species is really small and spread out. If you email 100 people at random with an email with a linux virus attached, it may not be received by a single linux user, thus that propagation mechanism just doesn't work. This is impossible with a windows virus.
NO no! I doubt...I think its Windows. Java Programming
Although I support OSX, WinXP (Vista as little as possible) and Linux at work, I mainly use WinXP at work and am fairly happy with it. I don't have mountains of crappy little systray thingies in there and keep the OS slimmed down to a minimum. At I have three Macs, with OSX 10.4 and 10.5. One of the reasons why I like Macs is because the Macs with such an enormous amount of software. I have music editors, video editors, DVD editors, photo editors, at least two web servers (apache and tomcat), document viewers (PDF and whatever else), Music juke boxes, a complete developers kit of software IDEs, numerous languages (bash, perl, php, python, ruby, java, objc, c, applescript) and the full complement of Unix tools.
While Windows has a fair amount of stuff in it (and apart from WMP, the quality is often somewhat disheartening, I must say - *Movie Maker* seems to be a typical Microsoft throw away application) and the amount and quality is improving, OSX simply has far far more. A lot of that stuff is 3rd party code, such as perl, tcpdump etc (these two feature prominently in the latest security patch) for which Apple is not really responsible, except, of course, for security updates to them as they become available.
Thus, I would say that a good portion of the Apple patches are to underlying Unix tools.
That doesn't of course excuse Apple or make Apple magically more secure than Windows, but it does show a decent sense of security responsibility. That said, even Microsoft is much better in the last year or so at providing security updates to its system. They have also deactivated things like the gaping holes in automatic macro execution in Outlook and Office in general, and even IE7 is no longer the bug magnet that IE6 used to be. BUT, Windows, by design, still has some flaws that are simply not present on other systems. The worst of the lot is ActiveX. The fact that Windows Update runs in the browser with an ActiveX control having direct access to your machine is something that simply should not be allowed to happen. Taking over a Mac remotely is not something that you often hear about.
I suspect however, that Vista, with its massive overkill in the security department, will mostly be better in terms of security as years go by. It's just a pity that Microsoft's implementation of sudo (UAC) as opposed to Apple's only using it for truly sensitive tasks makes users become desensitised to security.
Umm. no. I'm talking about:
Headline: Microsoft releases 3 patches on patch tuesday
Reaction: ZOMG!!! This just goes to show how much Windows sucks!!! Use Linux or Firefox or Thunderbird or MacOS!!!!
If you need web hosting, you could do worse than here
Maybe it's only noticed because Apple fixes the bugs quickly?
Besides, which OS would be able to walk around on the internet without virus protection?
I am glad I have switched to Vista. Good bye Mac OS X.
The vulnerability count only prove that some people are very, very stupid. No amount of vulnerability counting will counter the fact that there are over 150000 various viruses, trojans and assorted other infections for Windows, with multiple vectors. The amount of viruses on OSX? None. Zero. Zip. Nada. And one Trojan. That makes a difference of what? 150000 to one? Anyone pretending that these counts mean a damn thing are shills or stupid. It's not that complex. You can count have all the automotive recalls among various manufacturers you want, but if only one manufacturers autos blow up on a daily basis, it doesn't matter shit how many recalls the other guy issues.
Fiat Homos et Pereat Theos
If you say so... [ymess.ro]
The report may be accurate, but all that really tells us is that Vista had more _disclosed_ vulnerabilities than OS X. While such a large difference (a factor 5!) is certainly cause for raising eyebrows, the concrete implications of these figures are far from clear. In particular, it says nothing at all about the relative security of the systems. Of course, people will use them that way.
Please correct me if I got my facts wrong.
How would you know how many vulnerabilities there actually are? It is impossible to exactly count them in Windows, or OS X. For example, Red Hat Desktop Workstation v5 has 70 vulnerabilities, while Windows Vista has 24, according to Secunia. That would contradict what most people think, but it is probably because Redhat is open source, while Windows is not. In this case, we are comparing two closed source operating systems, so the number of security vulnerabilities probably depended more on the testing each went through than the operating systems here.
Security by OBSCURITY (less users, thus, less of an attack surface area exists for potential interlopers) is what MacOS X enjoys. From the point of view of those who are out to make monies illegally via exploits online, attacking Windows (the MOST USED OS PLATFORM THERE IS, mind you) makes a hell of a lot more sense to do. If MacOS X (or Linux, or BSD, etc. et al) were the MOST used (especially on noobz/new folks to computing's systems)? The tables WOULD be turned, & for obvious reasons (in the eyes of attackers of personal computers/hackers/crackers).
Sadly, I totally agree...a very large portion of articles posted here that have any negative connotation on Windows are often missing key facts and are played in the article description more than pac man.
/. and is Pro or anti Windows, do your own research.
/. Windows articles with a grain of salt when it could be EASILY changed by some filtering done by the editors.
My default rule is, if it is on
It's just tarded that we have to take
"How am I supposed to find Vista vunerabilities when I'm busy rebooting every 5 minutes?"
I hope everyone took the time to read the article, and to find other articles on the same data, or the data itself. Unfortunately, once again, I find myself having difficulty seeing past a slashdotter's inability to simply report information without introducing controversy on his own terms or relaying the bais of a bad journalist.
The only content of this post that wasn't quoted was in the form of the question "Is this report card's implication accurate, or is this a symptom of one company turning a blind eye [1]while the other concentrates on timely bugfixes," which is actually not a question.
One side of this supposed question, "Is this report card's implication accurate," suggests the data is flawed. OK, we can consider that good, yet obvious question, but I hope they back it up (they did not). The other side begins by accusing "one company" as "turning a blind eye (to problems)." This side of the question has already validated the first part of this supposed question, because this claim, if true, would invalidate any study that relies on such a company such as this to report security flaws without silently fixing them. I wonder which company they mean? The second part of the "question" continues, glorifying the "timely bugfixes" of the "other" company. Which company is which, here, slashdotter? You might as well come out and clearly accuse who you accuse so we can see how baised and unfounded those claims are without backup, no matter what name you put on these companies. Adding question marks at the end of a sentence doesn't always make it a question, but does sometimes help in evoking a lean in support toward a statement hidden inside a valid question, as the slashdotter did here. Also, notice the "[1]" citation's placement (on the "timely bugfixes" company's side). Citations/footnotes (unfortunately) add an immediate, and in this case, false sense of validity to information they're placed on. A reader could be misled to believe what the slashdotter wrote as a statement of fact if they did not notice this was simply linking to the article they read, in which case it belongs at the beginning of this "question." However, the entire statement portion of the question, including claims toward both of these ambiguous companies, is subjective, coming completely from the mind of the slashdotter, with no support to them, so validates no usage of any citation at all.
The slashdotter goes on to quote the author's statements against Windows Vista. The author failed to provide any details of Mac OS vulnerabilities, instead showcasing Apple's generosity in paying hackers to "hack" a Macbook, then give them a bunch of money and a free Macbook (thanks Apple! *ding!*). Herein lies both the author and the slashdotter's bais. I can't fault the slashdotter for reporting what they read, and not being objective about it, but this is clearly flame fodder to post like they have.
This slashdotter seems to have already made up his mind, but I hope you would read the article, and try to gather some more information from other sources. Citing some more sources that analyze the same data, or back up the seemingly baised statements made in the post, would have been helpful.
So for every 150000 PCs there is only 1 Mac? Your obscurity argument doesn't hold water. Mac OSX has plenty of marketshare to have at least a blip on the hacker radar. Unless, of course, you are suggesting that a computer system that has roughly 100 million machines online isn't worth anyone's time? Certainly there are enough anti-Mac bigots out there who would love to just hack a Mac one time, just to say they could?
The plural of anecdote is not proof.
For example, I have been using Windows 2000 without antivirus software for several years, and I have not had a virus on it even when I was using it on networks that had active network worms that were known to attack Windows 2000.
By your logic this means that Windows 2000 is at least as secure as any other OS out there.
What this means, actually, is that I actively track security lists and make sure that I am not using components of Windows that are known to have security flaws in ways that expose them to unknown data sources. For example, the only thing I used IE for is Windows Update, and I disable things like the messenger service, and so on.
This was also the policy I enforced as a network administrator, and that was more effective in keeping my part of the network secure than the official policy for our company... which included antivirus, but also required IE and required many known-insecure services be enabled.
IF the user is aware of the components that need to be avoided, Windows can be used safely.
But in the default configuration, Windows is wide open. Even Vista is still using inherently unsafe components, and using unproven internal firewalls and sandboxes to keep the computer as a whole secure even if one component is compromised. This is a potentially useful technique, but it should be a backup rather than a required part of the security model.
Apple is not innocent either. They have copied part of Microsoft's browser and desktop integration, albeit not the most dangerous part... but they have had several vulnerabilities that could have been completely avoided by NOT using the same LaunchServices database for both internal helper applications (such as those used Finder) and sandboxed ones (the ones that could be used by Safari), and by NOT treating files with known extensions as "safe" to open.
But compared to ActiveX?
"IE is bundled, but can be disabled to browsing web sites (2003 server edition disables it)." - by gnuman99 (746007) on Tuesday December 18, @03:51PM (#21743732) Some "FYI":
In Windows XP (not sure if it was SP #1, OR SP #2 that implements it though) you have IE in a "safe mode" also, very much like the one for IE6/IE7 in Windows Server 2003 outta the box stock, prior to any service packs it offered or came out later with.
It's a shortcut of IE7 that uses the -extoff switch on IE's commandline.
It's almost "hidden away", because it is stuffed into the Start -> All Programs -> Accessories -> System Tools folder... but, it IS there.
APK
P.S.=> I am not sure if this commandline switch works with IE6 & below, but I know it does with IE7, & yes... on XP as well as Windows Server 2003... apk
"So for every 150000 PCs there is only 1 Mac? Your obscurity argument doesn't hold water. Mac OSX has plenty of marketshare to have at least a blip on the hacker radar." - by stewbacca (1033764) on Wednesday December 19, @03:57PM (#21756254) Go tell a spyware maker that, ok?
I don't think you understand the motives of the people creating these things nowadays... std./traditional viruses are NOT what is prevalent out there today (I know, I have to remove them from @ least 4-5 systems a day, & I see what I see for years now doing it).
The creators of SPYWARE (the more prevalent threat out there today) are out to either:
1.) Get your bank account info.
2.) Get your credit card info.
3.) Use your machine to attack other machines
4.) Send spam mails
(& who KNOWS what else... the point being, write your malware to get the most "surface area possible" so it can corral the MOST machines it can to use them for said enumrated purposes above (& especially for the points noted above for what is MOST USED in the way of OS' out there today, Windows)).
His explanation holds plenty of water.
This is NOT about "bragging rights" bullshit: These people, like the RBM (Russian Business Network) are about making money, OR, selling off TONS of "botnetted" zombied systems for attack dogs for rent.
ALSO: DO YOU PAY ATTENTION TO SECURITY NEWS OUT THERE (& specifically, what methods get used in 99% of the attacks (roughly but consistently))?
Well, if not?
Most of the threats are javascript related, IFRames related, & lately Adobe Flash/Shockwave (heck, even adobe reader did) + Quicktime related as well (bad activeX controls also, such as RealPlayrer had VERY recently).
Are the browsers on other systems that use those addons for scripting impervious to said attacks, especially in their webbrowsers that call upon them for page rendering? No.
Windows is just "out there" more, & thus, the one to target, for the purposes enumerated above.
" I am a Mac fan boy, but only because Windows continued to let me down." - by AccUser (191555) on Tuesday December 18, @02:13PM (#21742070) Homepage Read, AND APPLY, what is listed here on a Windows 2000/XP/Server 2003 & even VISTA setup:
http://forums.tweaktown.com/showthread.php?s=95da64f88f66f615773c4e77ac12ca87&t=25596
& let Windows "let you down", no more, in terms of security...
Just by following a tool (CIS Tool) that guides you thru MOST of it, & then some more tips that page advises you on in 12 relatively simple steps & rules to use, you won't get "burned" by nearly as much malware of any kind IF any @ all anymore.
(Yes, sometimes you sacrifice some "glitzy" animations & such online, but big deal - better than paying for a spyware/virus/trojan/malware removal).
APK
P.S.=> I've been running the SAME setup since 2002 on 1 system here using the setup noted above on Windows Server 2003 & another system also using it here (not sharing files between them, just online via my LinkSys router), & no virus/trojan/malware/spyware etc. et al on EITHER of them... how? By simply applying what is noted above, & not being stupid... apk