More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OS X averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
They're just looking for excuses to downplay the results of the report.
How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security.
Shouldn't Slashdot link to some more insightful analysis?
-- Ed Avis ed@membled.com
No artificial metric really matters in the security landscape.
In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.
this whole article should be modded flamebait, counting vulnerabilities is a useless way to compare operating systems
First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slower than other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distros are particularly lax on this front.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
So let me see, we will have:
Assorted stuff I do sometimes: Lemuria.org
I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.
I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.
On the other hand, I once opened my XP box's IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS Lockdown, which really helps.
Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.
As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.
Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.
So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!
General, you are listening to a machine! Do the world a favor and don't act like one.
The simple number of vulnerabilities is not a good metric of security. I seem to remember that one of the Windows ones last year was one where displaying a picture in a web browser, ANY web browser, could compromise your machine. I don't remember seeing close to that severe for a Mac.
In fact you could make the argument the other way around: the reason there are so few fixes with Windows is because the problems are so big and far reaching that it takes a lot longer to patch them. This conclusion is also probably wrong but is just as valid as the one in the original post.
I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.
He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?
The July patch closed that CVE, and the November patch fixed more of it... It should count both times, since they said it was closed.
I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)
I know you put a lot of work into what you feel is a clever post, but all you did was come across as the exact kind of poster you are describing. And your link is really irrelevant as it was Apple supporters (mostly) who over-played the outsider status, not Apple itself. What kind of half-baked value system do you employ when you decide who is cool by what OS they use? An OS is a tool and you should use what fits your needs best. I'm a media junkie and like to dabble in editing, which makes OS X my best choice. If I were still a PC gamer, you can bet I would use Windows. But that doesn't excuse the long history of Windows security issues, and an article that spins a year where Windows finally has fewer vulnerabilities than another OS as proof of progress is really just proof of how many people don't get it. The bigger question is how those vulnerabilities were handled, from point of discovery to solution, and that is where MS always breaks down.
Bush is the best President in history because he has fixed fewer problems.
Well, it has never been successfully tested.
In the end, it is impossible to analyze the security of software by means of analyzing second-hand or third-hand reports, and extremely difficult to do so by means of black-box testing against probably incomplete documentation. However, I cannot seriously imagine Apple or Microsoft conducting a thorough security audit and software analysis. For that matter, I don't believe either could afford to do so. Microsoft may be rich, but Vista is big and the kind of skills required to conduct a comprehensive audit wouldn't come cheap, certainly not in the volume needed to conduct such an audit fast enough to get the results before software changes invalidated said audit.
(Having said that, given that the world economy is so utterly dependent on the reliability of the IT infrastructure these days, there is also the question of how long it will be before it is uneconomic at a global level for there not to be such an audit. If an audit would cost a trillion dollars over the course of a year, then it only requires the total direct and indirect cost to business and government over the entire globe from such flaws to be a trillion and one dollars over the course of a year for it to be worth it almost instantly. However, the costs of flaws will always add up with interest but a single audit might easily be sufficient for the lifetime of an OS, if it's good enough. Given a long enough shelf-life and a high enough interest rate, how unreliable can we afford to have any software these days?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I clicked through a bunch of the vulnerabilities, and a lot of them are marked as reserved for future use. What's up with that? I think whatever script the dude used to compile this table, didn't work - either that or I don't understand the CVE process being used, because I don't see any indication of which systems are affected by them.
Anyway. Such a study is ultimately pointless, we already know that MacOS X and Windows are both seriously insecure. A single vulnerability in the tangled morass of code making up modern web browsers is typically enough to compromise the entire machine (Vista being an exception to this). A single vulnerability in *any* app which talks over the network is usually enough to get your code onto the machine, and from there you have free rein to do more or less whatever you want. Requiring root is no panacea, you don't need root to do the things modern malware wants to do anyway. As that's the entire OS X desktop security system right there, we can surmise that the primary advantage it has security-wise is just obscurity. (Yeah, I know 10.5 is supposed to have MAC for some basic daemons etc .... wake me up when it is properly and widely applied to desktop apps.)
So I took a look at a few sample vulnerabilities and it leaves me flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876, which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean, did the author even click on the links he's providing? I tried, and I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real hole that could be exploited on a default install without additional software being added, or it being reconfigured as a Web server or something.
Another question is, for the real vulnerabilities in the OSes, how do they decide what the danger level is for a vulnerability? For example, one low-rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a highly critical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?
I'm all for pointing out security problems in OS X and other OSes and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.
CVE-2007-5850 H
CVE-2007-5851 H
CVE-2007-5853 H
CVE-2007-5854 H
CVE-2007-5855 H
CVE-2007-5856 H
CVE-2007-5857 H
CVE-2007-5859 H
CVE-2007-5860 H
CVE-2007-5861 H
CVE-2007-5863 H
CVE-2007-6077 H
Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
I haven't used virus/"vulnerability" software on my Mac since OS 7. Still don't in OS X Leopard. All's well.
... until there is a self-replicating Mac virus in the wild.
*okay, maybe I'm dating myself there.
"You know why you do not see me styling wit my homies? Because I have no homies!!" -Mojo Jojo
Ever since they showed up a few years ago, Secunia seems to have been nothing but a pro-Windows, anti-everything-else trolling group. They've published countless "studies" claiming that Windows is more secure than god, every one of which involves some extremely skewed definitions of what constitutes a vulnerability and how one classifies its severity.
Some glorious day, perhaps slashdot will learn to ignore this variety of trolling (I'm looking at you, Cringely and Dvorak.). But until then, we'll all just need to ignore them individually.
Mac OS X contains many third-party open source software packages. The bugs are found through source code auditing. These bugs may or may not become exploitable, depending on how the code is used.
Just take a quick look at the bugs list. Most of them are found in third-party code like PCRE library. These are labeled "highly critical" without a demonstrable proof that it can be exploited. The software using PCRE is vulnerable to malformed regular expression strings, but I've never seen any software accepting arbitrary regular expression strings from another machine. (A web browser interprets JavaScript code from another machine, which may contain regular expressions, but JavaScript regular expression definitely isn't Perl compatible, so that's not PCRE.) Those same bugs also affect Linux. If you use Cygwin on Windows, these bugs also affect you, so they can be Windows bugs too.
On the other hand, since we can't audit proprietary Windows code, we only find bugs that are actually exploitable, in contrast to the open source bugs that are only potentially exploitable. Therefore, the severity of Windows bugs is vastly underrated compared to open source bugs. And there are more potentially exploitable bugs in Windows that we don't find, which aren't being counted.
That said, if you rely on bug counts and decide that Windows is more secure for you, I'd call you crazy.
Finally, why would Adobe Flash player bugs be counted as a Mac OS X bug?
I once had a signature.
Well, here's my token sound bite too...
Microsoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand, show me a significant Linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....
lemonade was a popular drink and it still is
They weren't counting vulnerabilities, they were counting successful attacks. When you count successful attacks windows still loses really big time. Vulnerabilities, meh.
You seem to be confusing Pirates of Silicon Valley with Triumph of the Nerds, which is an actual documentary.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I see. Someone makes a hypocritical post trashing a country, and that's not flamebait. Calling them on it is. I'll be sure to update my dictionary, because I'd always thought it was the other way around.
I'd argue what really matters is how these vulnerabilities were discovered and what vulnerabilities have not been discovered, how these vulnerabilities have been reported and what vulnerabilities have not been reported, what the risk to normal users from vulnerabilities is, and (in the case of this article) which of these "vulnerabilities" are real and which are reserved numbers, only potential vulnerabilities, duplicates, and vulnerabilities that realistically cannot or will not ever be exploited.
In my opinion MS broke down when they did not perform the same level of code review, did not find as many potentially security-related bugs, did not fix half the bugs they did find, and did not report either the bugs they found or even all the bugs they fixed. And then, of course, there is the speed with which those bugs they found, fixed, and announced were actually patched.
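The triage that the "flabbergasted" post and the one just above describe (throw out reserved IDs, duplicates and reissued rows, and holes in software that is not installed or not enabled by default, then sanity-check the severity label against the stated vector and impact) written out as a script. This is an added example, not code from the original thread or from Secunia or ZDNet. The record fields, the "public"/"reserved" status flag, the one-letter rating scheme and the severity sanity rule are assumptions made for this example; the sample records are constructed and do not describe any real CVE.

```python
"""Count a vulnerability list only after triaging it (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass

# Lines in the shape the thread quotes ("CVE-2007-5850 H"): an ID plus a one-letter rating.
COUNT_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+([CHML])$")
RATING = {"C": "critical", "H": "high", "M": "moderate", "L": "low"}


def parse_count_lines(text):
    """Parse 'CVE-ID RATING' lines into {cve: rating}; repeated IDs are counted, not kept."""
    entries, duplicates = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COUNT_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        cve, rating = m.group(1), RATING[m.group(2)]
        if cve in entries:
            duplicates += 1          # the same ID listed twice is one hole, not two
            continue
        entries[cve] = rating
    return entries, duplicates


@dataclass(frozen=True)
class Record:
    cve: str
    status: str              # "public" or "reserved" (assumed field, not a real feed's schema)
    rating: str              # the vendor's label: critical / high / moderate / low
    component: str
    in_default_install: bool
    enabled_by_default: bool
    vector: str              # "remote" or "local"
    impact: str              # "code-exec" or "dos"


def bucket(rec):
    """Which of the thread's objections applies to this row, if any."""
    if rec.status == "reserved":
        return "reserved, no content"
    if not rec.in_default_install:
        return "third-party, not in default install"
    if not rec.enabled_by_default:
        return "shipped but disabled by default"
    return "affects default install"


def triage(records):
    """Bucket every row; a repeated CVE ID goes to 'duplicate' instead of being re-counted."""
    seen, counts = set(), Counter()
    for rec in records:
        if rec.cve in seen:
            counts["duplicate"] += 1
            continue
        seen.add(rec.cve)
        counts[bucket(rec)] += 1
    return counts


def rating_mismatches(records):
    """Rows whose label disagrees with the cheapest sanity check on vector and impact."""
    bad = []
    for rec in records:
        if rec.status == "reserved":
            continue
        remote_exec = rec.vector == "remote" and rec.impact == "code-exec"
        local_dos = rec.vector == "local" and rec.impact == "dos"
        if remote_exec and rec.rating in ("moderate", "low"):
            bad.append(rec.cve)      # remote code execution rated low: label too soft
        elif local_dos and rec.rating in ("critical", "high"):
            bad.append(rec.cve)      # local denial of service rated high: label too hard
    return bad


# Constructed sample rows: the mix the thread complains about, not real advisories.
SAMPLE = [
    Record("CVE-2007-0001", "public",   "high", "kernel ipc",     True,  True,  "remote", "code-exec"),
    Record("CVE-2007-0002", "reserved", "high", "",               False, False, "remote", "code-exec"),
    Record("CVE-2007-0003", "reserved", "high", "",               False, False, "remote", "code-exec"),
    Record("CVE-2007-0004", "public",   "high", "packet sniffer", True,  False, "remote", "code-exec"),
    Record("CVE-2007-0005", "public",   "high", "web server mod", True,  False, "remote", "code-exec"),
    Record("CVE-2007-0006", "public",   "high", "perl module",    False, False, "local",  "code-exec"),
    Record("CVE-2007-0007", "public",   "high", "login window",   True,  True,  "local",  "dos"),
    Record("CVE-2007-0008", "public",   "low",  "smb client",     True,  True,  "remote", "code-exec"),
    Record("CVE-2007-0001", "public",   "high", "kernel ipc",     True,  True,  "remote", "code-exec"),
]


def headline_vs_real(records):
    """The number a count-based article prints next to the number that survives triage."""
    counts = triage(records)
    return len(records), counts["affects default install"]


if __name__ == "__main__":
    for name, n in triage(SAMPLE).items():
        print(f"{n:2d}  {name}")
    print("headline vs. default-install:", headline_vs_real(SAMPLE))
    print("suspicious ratings:", rating_mismatches(SAMPLE))
```

On the constructed sample the headline figure is 9 rows, of which 3 touch a default install, and two of the ratings fail the sanity check in exactly the directions the thread points at (a local DoS labelled high, a remote code-execution labelled low). The buckets are deliberately coarse; the point is that any count is only as good as the triage that precedes it.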
One of the IE bugs (a currently exploited 0-day bug),
http://secunia.com/advisories/28036/
is not very pretty.
For example of Mozilla bugs,
http://secunia.com/product/12434/
vs. IE,
http://secunia.com/product/12366/
Of course, how the fsck is 3rd party software the fault of the OS, I have no idea. IE is bundled, but can be disabled for browsing web sites (2003 server edition disables it). Most of the software is quite safe these days, but it still depends on how you use it. Exploits triggered by things like web browsers are the worst, but at least Vista addresses that issue by running IE in "lower than regular user account"; not sure if that would protect vs. the IE bug in the first link.
Summary: stop trolling for one side or another. If you get hacked it doesn't matter if you run Windows or Linux or BeOS.
Well technically Apollo 11 had more things go wrong than did Apollo 1, but guess which one I would have rather been on?
http://www.mhall119.com
In that respect, any unix is more attractive including bsd.
But you're right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
"Assuming the user has at least a bit of a common sense and logical thinking"
You assume entirely too much.
Fifty watts per channel, baby cakes.
Can you explain why Linux becomes a very insecure operating system with the addition of PHP, while FreeBSD with PHP is still a secure operating system (which is implied in your post)?
You must be new here. :)
This is a very old tactic by Microsoft supporters to make Windows look much more secure than Linux.
Could that have something to do with the fact that "Linux" means tens of thousands of different applications? In fact, how exactly is a SquirrelMail a Linux security threat? Why not a Windows security threat? Doesn't it run on Windows too? It's a web app.
Please make a difference between security threats targeted at GNU/Linux itself (the kernel and GNU tools) and something targeted at a 3rd-party app which may very well run on other OS as well.
Are you actually dumb as a rock or just trolling? How can you say there aren't enough Linux machines out there? What do you think most of servers of all kinds run on? Don't you think that a virus or worm would have a lot more to gain by breaking into servers than personal desktop computers?
That settles it, you ARE as dumb as a rock. You seem to really believe that somehow Linux apps are staying out of harm's way by sheer luck and hiding behind the poor Windows computers. Has it ever crossed your brain that perhaps Linux apps are designed with security first in mind? Such as, I dunno, NOT ALLOWING BLOODY EMAIL ATTACHMENTS TO BE EXECUTED?
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
Link please.
When you are talking about spreading a virus via email, you are almost universally (nowadays) talking about a trojan, but that is irrelevant to whether or not the population of users outside of windows is ever high enough to allow such a virus/trojan to spread. Then you show me a trojan for OSX that can hose my system without specifically asking for a password, which normally only happens when I want to install system software (which is about once every few months or so, when a security update is released). Then compare that to the ease-of-infection on an XP system, or a Vista system that has UAC disabled because it annoys the hell out of people.
You really should try to make a distinction between trojans and viruses, you know. I can write an almost 100% fail-safe linux trojan in about 2 seconds:
#!/bin/sh
sudo rm -rf /
Does that mean linux is just as unsafe as Windows? I don't think so, because no user in his/her right mind would consider typing in their user password for some obscure binary or shell script they got from an unknown source. That's completely different from the windows world; in XP clicking a link in your MSN client can be enough, clicking an email attachment, whatever, because so many people run with admin privileges. So XP and everything before that can be considered unsafe just because of the fact that using it on a day-to-day basis means running as admin for 99% of people. For Vista things are a little harder, but since it asks for your password so often, people get lazy and just fall back to their Windows-conditioned 'ok, ok, ok' habits.
I have yet to see a Linux email program that will actually allow an attachment to be treated as executable code and run. Therefore I call bullshit (or ignorance) on your claim.