Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Mac Vulnerabilities Than Windows In 2007?

Posted by Zonk on from the dogs-and-cats-living-together-mass-hysteria dept.

eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"

10 of 329 comments (clear)

  1. /. Windows bashing makes me want to throw a chair by Anonymous Coward · · Score: 5, Insightful

    They're just looking for excuses to downplay the results of the report.

  2. It's all academic. by phoebusQ · · Score: 5, Insightful

    No artificial metric really matters in the security landscape.

    In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.

  3. Re:Counting shows nothing by slazzy · · Score: 5, Funny

    This just goes to show, nothing,not even exploits run on Vista...

    --
    Website Just Down For Me? Find out
  4. It's not size that counts... by Tom · · Score: 5, Funny
    Ah, the usual "X has more Y than Z, so it must be better" strawman. With all the usual flaws. Didn't we have this discussion at least 50 times already?

    So let me see, we will have:
    • The windos fanboys drooling "told you so"
    • The Mac fanboys screaming "it ain't so"
    • The math fanboys going on about how you should trust statistics unless you've forged them yourself
    • The nitpicker faction revealing that they are comparing different kinds of bugs
    • The wannabe-blackhatters outlining that these vulnerabilities were more vulnerable than those vulnerabilities and should count more
    • The I-read-the-web-all-day group pointing out a contradicting article in some other magazine
    • The tinfoil-hat wearers telling us that it's all bullshit anyways and the article is only meant to get us upset and create ad impressions
    • The meta-commentators who point out that we've already been through all this and do we really need to re-hash this discussion again? :-)
    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:It's not size that counts... by Anonymous Coward · · Score: 5, Funny

      One more:

      - People who don't know how to make bullet points

  5. Re:Counting shows nothing by bunratty · · Score: 5, Informative

    Even Secunia itself says not to use their statistics to compare the overall security of products against one another.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  6. Flaming Article by kaoshin · · Score: 5, Funny

    I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.

  7. What a joke! by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    So I took a look at a few sample vulnerabilities and it leaves me Flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real, hole that could be exploited on a default install without additional software being added, or it being reconfigured as Web server or something.

    Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly cCritical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?

    I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.

  8. Re:Counting shows nothing by someone300 · · Score: 5, Insightful

    If you read some of the OS X vulnerabilities, you'll see that they're often in non-Apple software, such as CVE-2007-5476 (Highly Critical) which describes a "vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X". The Microsoft vulnerabilities tend to be referring only to the Microsoft software

    Also, the way they rate vulnerabilities seems to be different. Microsoft "Highly critical" vulnerabilities seem to all be remote arbitrary code, and "Less critical" can be remote DoS, whereas "Highly critical" on OS X seems to sometimes include DoS. Infact, CVE-2007-4702 (less critical) doesn't even seem to be a security vulnerability. I thought it was discussed and found that the application firewall on OS X functioned as documented (though potentially not as a user would expect). CVE-2007-3036 and CVE-2007-0023 seem to describe similar vulnerabilities, but they're rated less critical on Windows than OS X.

  9. Re:News Flash: nothing has changed by wish+bot · · Score: 5, Informative
    I'm going to post this here because Slashdot's been full of MS shills for the past couple of weeks, and you're conveniently close to the top of this thread.

    Security through obscurity will never beat actual security.

    Well, here's my token sound bite too...

    The proof's in the pudding.
    MIcrosoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....
    --
    lemonade was a popular drink and it still is