Slashdot Mirror
More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
They're just looking for excuses to downplay the results of the report.
How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security. Counting vulnerabilities is a stupid way to measure security.
Shouldn't Slashdot link to some more insightful analysis?
-- Ed Avis ed@membled.com
No artificial metric really matters in the security landscape.
In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.
First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slowerthan other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ rather than https://windowsupdate.com/ .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
So let me see, we will have:
Assorted stuff I do sometimes: Lemuria.org
I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.
I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.
On the other hand, I once opened my XP boxes IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS lockdown which really helps.
Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.
As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.
Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.
So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!
General, you are listening to a machine! Do the world a favor and don't act like one.
I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.
He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?
The July patch closed that CVE, and the November patched more of it... It should count both times, since they said it was closed.
I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)
I know you put a lot of work into what you feel is a clever post, but all you did was come across as the exact kind of poster you are describing. And your link is really irrelevant as it was Apple supporters (mostly) who over-played the outsider status, not Apple itself. What kind of half-baked value system do you employ when you decide who is cool by what OS they use? An OS is a tool and you should use what fits your needs best. I'm a media junky and like to dabble in editing, that makes OS X my best choice. If I were still a PC gamer, you can bet I would use Windows. But that doesn't excuse the long history of Windows security issues, and an article that spins a a year where Windows finally has fewer vulnerabilities than another OS as proof of progress is really just proof how many people don't get it. The bigger question is how those vulnerabilities were handled, from point of discovery to solution, and that is where MS always breaks down.
Bush is the best President in history because he has fixed fewer problems.
Well, it has never been successfully tested.
So I took a look at a few sample vulnerabilities and it leaves me Flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real, hole that could be exploited on a default install without additional software being added, or it being reconfigured as Web server or something.
Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly cCritical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?
I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.
... until there is a self-replicating Mac virus in the wild.
Mac OS X contains many third-party open source software packages. The bugs are found through source code auditing. These bugs may or may not become exploitable depends on how the code is used.
Just take a quick look at the bugs list. Most of them are found in third-party code like PCRE library. These are labeled "highly critical" without a demonstrable proof that it can be exploited. The software using PCRE is vulnerable to malformed regular expression strings, but I've never seen any software accepting arbitrary regular expression strings from another machine. (A web browser interprets JavaScript code from another machine, which may contain regular expressions, but JavaScript regular expression definitely isn't Perl compatible, so that's not PCRE.) Those same bugs also affect Linux. If you use Cygwin on Windows, these bugs also affect you, so they can be Windows bugs too.
On the other hand, since we can't audit proprietary Windows code, we only find bugs that are actually exploitable, in contrast to the open source bugs that are only potentially exploitable. Therefore, the severity of Windows bugs are vastly underrated compared to open source bugs. And there are more potentially exploitable bugs in Windows that we don't find, which aren't being counted.
That said, if you rely on bug counts and decide that Windows is more secure for you, I'd call you crazy.
Finally, why would Adobe Flash player bugs be counted as a Mac OS X bug?
I once had a signature.
Well, here's my token sound bite too...
MIcrosoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....lemonade was a popular drink and it still is
Well technically Apollo 11 had more things go wrong than did Apollo 1, but guess which one I would have rather been on?
http://www.mhall119.com
In that respect, any unix is more attractive including bsd.
But your right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You must be new here. :)
This is a very old tactic by Microsoft supporters to make Windows look much more secure than Linux.
Could that have something to do with the fact that "Linux" means tens of thousands of different applications? In fact, how exactly is a SquirrelMail a Linux security threat? Why not a Windows security threat? Doesn't it run on Windows too? It's a web app.
Please make a difference between security threats targeted at GNU/Linux itself (the kernel and GNU tools) and something targeted at a 3rd-party app which may very well run on other OS as well.
Are you actually dumb as a rock or just trolling? How can you say there aren't enough Linux machines out there? What do you think most of servers of all kinds run on? Don't you think that a virus or worm would have a lot more to gain by breaking into servers than personal desktop computers?
That settles it, you ARE as dumb as a rock. You seem to really believe that somehow Linux apps are staying out of harm's way by sheer luck and hiding behind the poor Windows computers. Has it ever crossed your brain that perhaps Linux apps are designed with security first in mind? Such as, I dunno, NOT ALLOWING BLOODY EMAIL ATTACHMENTS TO BE EXECUTED?
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer