More Mac Vulnerabilities Than Windows In 2007?

Posted by Zonk on Tue Dec 18, 2007 02:24 PM
from the dogs-and-cats-living-together-mass-hysteria dept.
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"

Related Stories

[+] Vulnerability Numerology - Defective by Design? 103 comments
rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"
  • by Anonymous Coward on Tuesday December 18 2007, @02:26PM (#21741368)
    They're just looking for excuses to downplay the results of the report.
      • by wish bot (265150) on Tuesday December 18 2007, @04:12PM (#21743064)
        I'm going to post this here because Slashdot's been full of MS shills for the past couple of weeks, and you're conveniently close to the top of this thread.

        Security through obscurity will never beat actual security.

        Well, here's my token sound bite too...

        The proof's in the pudding.
        Microsoft is the party guilty of underreporting vulnerabilities, including undocumented patches in updates - how much more obscure can you get?! On the other hand show me a significant linux virus or OS X exploit being used in the wild. Well? Where are they? Waiting.....
      • by mhall119 (1035984) on Tuesday December 18 2007, @05:59PM (#21744676) Homepage Journal
        Well technically Apollo 11 [wikipedia.org] had more things go wrong than did Apollo 1 [wikipedia.org], but guess which one I would have rather been on?
        • by Bert64 (520050) <bert.slashdot@firenzee@com> on Tuesday December 18 2007, @06:13PM (#21744900) Homepage
          In that respect, any unix is more attractive including bsd.
          But you're right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
          You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
  • by Ed Avis (5917) <ed@membled.com> on Tuesday December 18 2007, @02:28PM (#21741390) Homepage
    How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. [com.com] Counting vulnerabilities is a stupid way to measure security. [iss.net] Counting vulnerabilities is a stupid way to measure security. [lwn.net]

    Shouldn't Slashdot link to some more insightful analysis?
    • by slazzy (864185) on Tuesday December 18 2007, @02:33PM (#21741480)
      This just goes to show, nothing, not even exploits run on Vista...
    • by dgatwood (11270) on Tuesday December 18 2007, @02:57PM (#21741800) Journal

      Absolutely. Vulnerability counts are worthless. Here's the simplest example I can think of:

      My friend and I both maintain a tool of some sort. We both get ten security vulnerability reports sent to us each year. I patch ten security bugs ten minutes after they are reported and my friend sits on the first ten bugs for a year, then the next year, we both fix ten vulnerabilities in the second year. However, for a user that keeps their system patched, I have an average of slightly over zero exposed vulnerabilities, while my friend's software exposes slightly over ten. According to the vulnerability count, however, I had 20 and my friend had 10.

      • by ByOhTek (1181381) on Tuesday December 18 2007, @03:25PM (#21742242) Journal
        Another issue would be severity.

        1) Your friend's flaws only allowed an administrator of the system, on the local system, to accidentally delete (but not read or otherwise modify) secure data of the users.
        2) Your flaws allowed anyone to connect to the machine remotely and read/write/modify all of the secure data on the server.

        Which is worse? It's severity and time of exposure. MacOS X didn't have any extremely critical vulnerabilities, but Windows had four, MacOS X had a lot more highly critical, and slightly more moderately/less critical. This makes the vulnerability count look even less meaningful (if every level counts 100x more than the previous level in terms of overall risk, and the average fix time was the same, Windows would be more vulnerable than MacOS X, even with only 15% the bug count.)
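The two objections in the posts above (dgatwood's point that a raw patch count ignores how long a fully patched user was actually exposed, and ByOhTek's point that it ignores severity) can be made concrete with a few lines of code. The following is an added example, not code from the Slashdot thread and not Secunia's data or methodology: the vendors, report dates and severities are constructed to mirror those two posts, and the 100x-per-level weighting is the hypothetical scale ByOhTek proposes.

```python
"""Three ways to score the same set of vulnerabilities: patch count,
exposure-days, and severity-weighted exposure-days.

Added example, not from the Slashdot thread or from Secunia. All vendors,
dates and severities below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    vendor: str
    reported: date    # day the flaw was reported to the vendor
    fixed: date       # day the patch shipped
    severity: str     # key of SEVERITY_WEIGHT


# Hypothetical weighting from the post above: each level is 100x the previous one.
SEVERITY_WEIGHT = {"less": 1, "moderately": 100, "highly": 10_000, "extremely": 1_000_000}

# Two-year comparison window used throughout.
WINDOW_START, WINDOW_END = date(2006, 1, 1), date(2008, 1, 1)


def patch_count(vulns, vendor, year):
    """What a Secunia-style tally reports: fixes published in a given year."""
    return sum(1 for v in vulns if v.vendor == vendor and v.fixed.year == year)


def exposure_days(vulns, vendor, start=WINDOW_START, end=WINDOW_END, weighted=False):
    """Vulnerability-days a fully patched user of `vendor` was exposed in [start, end).

    With weighted=True each day is multiplied by the severity weight, so one
    remotely exploitable hole outweighs many local nuisances.
    """
    total = 0
    for v in vulns:
        if v.vendor != vendor:
            continue
        lo, hi = max(v.reported, start), min(v.fixed, end)
        if hi > lo:
            days = (hi - lo).days
            total += days * SEVERITY_WEIGHT[v.severity] if weighted else days
    return total


def build_scenario():
    """dgatwood's story: ten reports a year to each of two maintainers.

    'prompt' fixes each report the day it arrives; 'lazy' sits on every
    report for a year. Reports arrive every 30 days from 1 January.
    """
    vulns = []
    for year in (2006, 2007):
        for i in range(10):
            reported = date(year, 1, 1) + timedelta(days=30 * i)
            vulns.append(Vuln("prompt", reported, reported, "highly"))
            vulns.append(Vuln("lazy", reported, reported + timedelta(days=365), "highly"))
    return vulns


def severity_scenario():
    """ByOhTek's point in isolation: 4 extremely critical holes versus 27
    highly critical ones, every one of them open for the same ten days."""
    day0, day10 = date(2007, 1, 1), date(2007, 1, 11)
    few = [Vuln("few-but-severe", day0, day10, "extremely") for _ in range(4)]
    many = [Vuln("many-but-milder", day0, day10, "highly") for _ in range(27)]
    return few + many


def summarize(vulns, vendor, start=WINDOW_START, end=WINDOW_END):
    """All three metrics for one vendor over the window."""
    return {
        "patches_per_year": {y: patch_count(vulns, vendor, y) for y in range(start.year, end.year)},
        "exposure_days": exposure_days(vulns, vendor, start, end),
        "weighted_exposure": exposure_days(vulns, vendor, start, end, weighted=True),
    }


if __name__ == "__main__":
    for vendor in ("prompt", "lazy"):
        print(vendor, summarize(build_scenario(), vendor))
    for vendor in ("few-but-severe", "many-but-milder"):
        print(vendor, summarize(severity_scenario(), vendor))
```

Run as-is, the first scenario gives the prompt maintainer 20 published fixes against the lazy one's 10, while the prompt maintainer's users were exposed for 0 vulnerability-days and the lazy one's for 5950. The second scenario gives the "few-but-severe" vendor 15% of the other's patch count but roughly 15x its weighted exposure, which is the arithmetic behind the post's "even with only 15% the bug count" remark.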
      • by ByOhTek (1181381) on Tuesday December 18 2007, @02:38PM (#21741556) Journal
        Actually he explained it, and it isn't wrong.

        Any exploit that occurred in both XP and Vista was only counted once for the total, not twice.
        Just as any exploit that occurred in both OS X.4 and X.5 was counted once, not twice.

        As long as he did the same thing on both operating system pairs, it's ok. Though he should have given a breakdown of the X.4 and X.5 bugcounts as well.
        • by someone300 (891284) on Tuesday December 18 2007, @03:46PM (#21742630)
          If you read some of the OS X vulnerabilities, you'll see that they're often in non-Apple software, such as CVE-2007-5476 (Highly Critical) which describes a "vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X". The Microsoft vulnerabilities tend to be referring only to the Microsoft software.

          Also, the way they rate vulnerabilities seems to be different. Microsoft "Highly critical" vulnerabilities seem to all be remote arbitrary code, and "Less critical" can be remote DoS, whereas "Highly critical" on OS X seems to sometimes include DoS. In fact, CVE-2007-4702 (less critical) doesn't even seem to be a security vulnerability. I thought it was discussed and found that the application firewall on OS X functioned as documented (though potentially not as a user would expect). CVE-2007-3036 and CVE-2007-0023 seem to describe similar vulnerabilities, but they're rated less critical on Windows than OS X.
  • It's all academic. (Score:5, Insightful)

    by phoebusQ (539940) on Tuesday December 18 2007, @02:31PM (#21741450)
    No artificial metric really matters in the security landscape.

    In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.
    • by vertinox (846076) on Tuesday December 18 2007, @03:51PM (#21742712)
      > No artificial metric really matters in the security landscape.

      One thousand exploits that allow someone to wipe a users home directory is nothing compared to single exploit that allows an unauthorized person to gain root access to the machine remotely.
  • Nonsense (Score:5, Informative)

    by Cally (10873) on Tuesday December 18 2007, @02:35PM (#21741504) Homepage
    I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slower than other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ [microsoftupdate.com] rather than https://windowsupdate.com/ [windowsupdate.com] .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.
      • Re:Nonsense (Score:5, Insightful)

        by 99BottlesOfBeerInMyF (813746) on Tuesday December 18 2007, @03:45PM (#21742586)

        > If it ships with the OS it should be patched by the OS company. If Apple shipped something with a flaw, Apple gets to patch it. Same for Microsoft.

        Agreed, although not all the "vulnerabilities" listed in this so-called study do ship from Apple, many are third-party applications that just run on OS X. Also, OS X includes a lot of cool tools with their OS, because they are free. 99.99% of the time, these tools are never used, let alone exposed to the outside world. For example, almost a third of the first 30 CVE's listed in this study apply to the same Perl, regular expression evaluator. Now how many users do you suppose turn on Apache and this module and make use of it on a Web page they're hosting from their home computer? I mean these tools are great for Web developers that want to test stuff on their workstation, but that is likely about all they are used for, in the very rare cases that they are used. That particular module accounts for 8 of the "vulnerabilities" in OS X listed.

        It is fine to list these as vulnerabilities, but for a comparison to vulnerabilities in Windows, well they're pretty useless because of the use case as well as the dozens of other things wrong with this study. I mean, the OSS team developing this module lists each and every potential hole they can find on a public Website and it is counted by Secunia. Their list for MS includes only holes that have been discovered by the public and which MS has acknowledged. Since MS does not publish most of the bugs they find, none of those are counted against MS, including the ones they don't bother to fix (more than 50% according to an ex-MS developer I know).

        Secunia knows this. Every respectable security expert knows this. The only problem is, random bloggers don't seem to know this, and write "articles" about it which get widespread readership, misinforming large numbers of people and leading them to make incorrect decisions that end up causing problems for everyone.

  • by Tom (822) on Tuesday December 18 2007, @02:37PM (#21741530) Homepage Journal
    Ah, the usual "X has more Y than Z, so it must be better" strawman. With all the usual flaws. Didn't we have this discussion at least 50 times already?

    So let me see, we will have:
    • The Windows fanboys drooling "told you so"
    • The Mac fanboys screaming "it ain't so"
    • The math fanboys going on about how you should trust statistics unless you've forged them yourself
    • The nitpicker faction revealing that they are comparing different kinds of bugs
    • The wannabe-blackhatters outlining that these vulnerabilities were more vulnerable than those vulnerabilities and should count more
    • The I-read-the-web-all-day group pointing out a contradicting article in some other magazine
    • The tinfoil-hat wearers telling us that it's all bullshit anyways and the article is only meant to get us upset and create ad impressions
    • The meta-commentators who point out that we've already been through all this and do we really need to re-hash this discussion again? :-)
    • by BarryJacobsen (526926) on Tuesday December 18 2007, @02:44PM (#21741644) Homepage

      > Ah, the usual "X has more Y than Z, so it must be better" strawman. With all the usual flaws. Didn't we have this discussion at least 50 times already?
      >
      > So let me see, we will have:
      > • The Windows fanboys drooling "told you so"
      > • The Mac fanboys screaming "it ain't so"
      > • The math fanboys going on about how you should trust statistics unless you've forged them yourself
      > • The nitpicker faction revealing that they are comparing different kinds of bugs
      > • The wannabe-blackhatters outlining that these vulnerabilities were more vulnerable than those vulnerabilities and should count more
      > • The I-read-the-web-all-day group pointing out a contradicting article in some other magazine
      > • The tinfoil-hat wearers telling us that it's all bullshit anyways and the article is only meant to get us upset and create ad impressions
      > • The meta-commentators who point out that we've already been through all this and do we really need to re-hash this discussion again? :-)
      You seem to have forgotten two:
      • The list makers who will show everyone (using a list) exactly what will appear in the comments.
      • The annoying jerks who point out things the list makers missed.
  • by kaoshin (110328) on Tuesday December 18 2007, @02:45PM (#21741664)
    I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is superior to any competitor's due to its extremely low number of bug reports.
  • In other news.. (Score:5, Insightful)

    by Selfbain (624722) on Tuesday December 18 2007, @02:54PM (#21741764)
    Bush is the best President in history because he has fixed fewer problems.
  • What a joke! (Score:5, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Tuesday December 18 2007, @03:12PM (#21742050)

    So I took a look at a few sample vulnerabilities and it leaves me flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real hole that could be exploited on a default install without additional software being added, or it being reconfigured as a Web server or something.

    Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly Critical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?

    I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.

  • by subl33t (739983) on Tuesday December 18 2007, @03:35PM (#21742432)
    ... until there is a self-replicating Mac virus in the wild.
    • Re:Yawn (Score:5, Insightful)

      by IamTheRealMike (537420) on Tuesday December 18 2007, @03:00PM (#21741852) Homepage

      I don't get it. You opened port 80 on different machines, and saw different traffic, none of which managed to exploit the web server.

      I'm sceptical this tells us much about anything, beyond maybe the set up of your NAT/DMZ. Otherwise you should have received exactly the same traffic on both web servers. Bots don't check the OS before sending their exploitable GET requests.

    • Re:Yawn (Score:5, Insightful)

      by RzUpAnmsCwrds (262647) on Tuesday December 18 2007, @03:39PM (#21742502)

      > I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.


      This kind of cavalier attitude is what gets people hacked. Clearly you aren't watching your logs very carefully (or you're blocking those ports externally with some kind of firewall), because anyone who runs an SSH server (which is presumably what you're doing on port 22) knows that you get TONS of dictionary attacks. Before I disabled password authentication (and switched to using key-based authentication exclusively), I would sometimes get 20-30MiB of logs, all failed PAM logins with common usernames and from a variety of hosts. Clearly I'm not alone [google.com] either.

      > As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it.


      From your experience? How do you even know when Apple has a fix? How do you know when the vulnerability has been reported? Are you basing this opinion on fact, or is it your "feel" that Apple is better than Microsoft about this?

      Microsoft releases most patches during the Tuesday release cycle.

      As someone who works in IT, I can tell you that we don't want patches released "as soon as they are ready". Patches need to be tested, and they need to be tested with other patches. You may not think that Apple patches cause issues, and usually they don't - but even one incompatibility could result in thousands of our users being down for hours or even days. 1000 employees being down costs us $1000000 per day. That's a damn big incentive to get it right.

      With the Tuesday cycle, we can test ALL of the critical patches at once, together (about 2 weeks of both automated and manual testing). Then we can roll them ALL out to a pioneer group for a week, and see if any problems arise. If they don't, everyone gets the patch on the 4th week - and the process restarts. Our IT department has people dedicated to doing this cycle.

      Guess what? We use the same Tuesday cycle for Mac and Linux patches. So what does Apple's "when it's ready" release process buy us? More time for the script kiddies to reverse-engineer the patch and exploit the vulnerability.

      > Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid


      Agreed. Why don't we compare something like Windows Vista? Oh, wait, they did. Vista has fewer reported vulnerabilities than XP now, and far fewer than XP had in its first year of release. Not to mention far, far fewer than Mac OS X.

      So, what does this mean? Do these numbers mean that Vista is more secure than Mac OS? No. The number of vulnerabilities is a poor measure for how secure an operating system is.

      What it does mean, though, is that all is not well in Wonderland. Security is a process, and that process needs to be well-developed regardless of the software used. Mac OS X is not a silver bullet. Neither is Linux.
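The post above makes two practical points: an sshd reachable from the Internet collects dictionary attacks that only show up if you actually read the logs, and the fix that stops them is disabling password authentication in favour of keys. Here is an added example, not code from the Slashdot thread, that does both checks: it parses OpenSSH "Failed password" lines, flags any source with a burst of failures against several usernames, and checks an sshd_config for whether passwords are still accepted. The log lines, hostname, addresses and timestamps are constructed in the syslog format OpenSSH and pam_unix use; the year is assumed, since syslog timestamps omit it.

```python
"""Spot SSH dictionary attacks in an auth log and verify the sshd_config fix.

Added example, not from the Slashdot thread. SAMPLE_LOG is constructed; the
hostname 'imac', the addresses and the year 2007 are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH's per-attempt failure line. pam_unix logs the same attempt as
# 'authentication failure; ... rhost=', so only this line is counted to
# avoid double counting.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
Dec 18 14:02:11 imac sshd[4210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Dec 18 14:02:13 imac sshd[4210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 18 14:02:15 imac sshd[4212]: Invalid user admin from 203.0.113.5
Dec 18 14:02:17 imac sshd[4212]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Dec 18 14:02:19 imac sshd[4214]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Dec 18 14:02:21 imac sshd[4216]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Dec 18 14:02:23 imac sshd[4218]: Failed password for invalid user guest from 203.0.113.5 port 51252 ssh2
Dec 18 14:02:25 imac sshd[4220]: Failed password for root from 203.0.113.5 port 51260 ssh2
Dec 18 14:30:02 imac sshd[4301]: Failed password for mike from 198.51.100.7 port 40022 ssh2
Dec 18 14:30:09 imac sshd[4301]: Accepted publickey for mike from 198.51.100.7 port 40022 ssh2
"""


def parse_failures(log_text, year=2007):
    """Yield (timestamp, source ip, username) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=600, year=2007):
    """Return {ip: summary} for sources with >= threshold failures inside one window.

    A legitimate user mistyping a password once (198.51.100.7 above) stays
    below the threshold; a scanner walking a username list does not.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text, year):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):        # sliding window over sorted times
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "first": attempts[0][0],
                    "last": attempts[-1][0],
                }
                break
    return hits


def password_auth_enabled(sshd_config):
    """True if this sshd_config still lets clients authenticate with a password.

    OpenSSH defaults both directives to 'yes', and with UsePAM a password can
    also arrive via keyboard-interactive, so both must be 'no'. As in
    sshd_config(5), the first occurrence of a directive wins; Match blocks
    are not modelled here.
    """
    seen = {}
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen[parts[0].lower()] = parts[1].strip().lower()
    return (seen.get("passwordauthentication", "yes") == "yes"
            or seen.get("challengeresponseauthentication", "yes") == "yes")


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, users {info['users']}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
    hardened = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
    print("passwords still accepted:", password_auth_enabled(hardened))
```

On the constructed log, 203.0.113.5 is reported with six failures across five usernames in twelve seconds, and the single wrong password from 198.51.100.7 followed by a successful key login is left alone. The config check catches the common mistake of setting only `PasswordAuthentication no` while leaving `ChallengeResponseAuthentication` at its default, which on a PAM-enabled build still lets passwords through.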