Forgot your password?
typodupeerror
Security

Security Statistics and Operating System Conventional Wisdom 556

Posted by CmdrTaco
from the you-ain't-kiddin dept.
kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
This discussion has been archived. No new comments can be posted.

Security Statistics and Operating System Conventional Wisdom

Comments Filter:
  • by Zorilla (791636) on Monday July 05, 2004 @12:21PM (#9613612)
    ...where MS wants you to use Firefox and Mac OS X is less secure than Windows!
    • by pegr (46683) * on Monday July 05, 2004 @12:24PM (#9613644) Homepage Journal
      Until LanManager authentication is totally removed (not just turned off) from Windows, Windows will not be secure. There are just too many exploits involving LM authentication to take Windows seriously.

      • Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

        Please elaborate.

        - Oisin
        • by pegr (46683) * on Monday July 05, 2004 @01:02PM (#9614011) Homepage Journal
          Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

          You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistance that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.

          *Definately needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)

      • Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

        What's wrong with having insecure features that are disabled by default? Many people operate in secure environments where such features (which they need for interoperability reasons) offer a "good enough" degree of security. There's no point in making these people's life harder.
        • There's no telnetd on my machine which is a out of the box install.
        • Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure.

          So you're saying Linux is secure? Good. You see, it's been a few years since telnetd was installed in a base Linux install. I'd say that qualifies as "totally removed".

        • by lpontiac (173839) on Monday July 05, 2004 @01:17PM (#9614126)
          Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

          Bad example. There's a telnet service in Windows too.

          • by minion (162631) on Monday July 05, 2004 @02:53PM (#9614822)
            Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

            Bad example. There's a telnet service in Windows too.


            When was the last time telnet was exploitable? telnet is sniffable. Big deal, so is imap, pop3, smtp, http, you name it. Sniffing should not count against an OS - its a problem with the protocol, which is inherint to all internet based OSes. Heck, lets just say anything that uses TCP/IP is too insecure for internet access.

            Here's an example:

            RHSA-2004:174-09
            Fix: utempter local exploit.

            Ok. A local exploit. Granted, an exploit, but still, its a local exploit. This is what these so called "secuity" groups need to realize - webservers on the DMZ typically don't have local access for joebob to login to. Typically, they have ports 80,443, and maybe 22 open. So now, all of those 60+ exploits attributed to Red Hat become 0 (thats Zero, with a 0). True, Red Hat had more published advisories than Windows did in the same time period, but Windows didn't ship with nearly the amount of software Red Hat did, and no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall. It just doesn't happen.

            So all of these so called security groups can shove it, because thats not real world security. Why don't they do a study on how many linux/unix sys admins patch their boxes diligently vs how many windows admins bothered to patch their boxes with patches available months before code red and other internet problems plagued the internet?

            PS: On Windows, it'd be port 3389 (remote desktop), not port 22... And BOTH services (ssh and rdp) have had remote exploits available, so you can't retort with the "ssh is insecure" BS.
    • by JPriest (547211) on Monday July 05, 2004 @12:58PM (#9613964) Homepage
      XP Professional: 46 advisories in 2003-2004
      48% remote attack
      46% granting system access

      SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period,
      58% remote attack
      37% granting system access

      Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year.
      66% remote attack
      25% granting system access

      Mac OS X 36 advisories
      61% remote attackers
      32% granting system access
      • by phillymacmike (445518) on Monday July 05, 2004 @02:23PM (#9614616)
        Time to slashdot my favorite soap opera. This article, a week old already, is a hatchet job.

        See Lies, Damned Lies, and Statistics [appleturns.com]

        The conclusion:(quote)

        Faithful viewer jfletch pointed out another Techworld article from almost two months ago that also quoted Secunia and claimed that Mac OS X's security problem at the time "makes Microsoft's current Sasser problems look no more than a nasty nip." (Of course, two months later Sasser still turns up in articles on Google News posted just hours ago, but who's counting?) Now, far be it from us to claim that there's some sort of Techworld-Secunia conspiracy intended to undermine Apple's attempt to gain an entry into the enterprise market, because we would never-- oh, who are we kidding? There's some sort of Techworld-Secunia conspiracy intended to undermine Apple's attempt to gain an entry into the enterprise market. We've been jawing about this incessantly for about four days straight, now, so determining motive is left as an exercise for the viewer. Follow the money!

      • i've always been under the impression that most of the linux based distribution security advisories aren't exploitable remotely, unless you already have a user account on the system.

        can someone please enlighten me as to what exact services in linux have been exploitable in the last few years? i mean, a completely anonymous attacker gaining root access to a machine over a network?

        these 'statistics' apparently show some 20 holes in linux that are remotely exploitable by anonymous attackers. i call shenanig
    • "Welcome to Bizzaro World where MS wants you to use Firefox""

      Or perhaps, where they want a target for their MSIE developers to aim at?
  • by Anonymous Coward on Monday July 05, 2004 @12:22PM (#9613627)
    We would all like to thank the millions of dollars Microsoft invested in our research to bring it to the successful conclusion.

    It took us a couple of tries to get the results so that they would give us the right answer, but eventually we figured out a way. Microsoft kept funding us all along the way.

    Thank you!
    • by paranode (671698) on Monday July 05, 2004 @12:32PM (#9613717)
      These are the statistics that really matter:

      Secunia Virus Statistics [secunia.com]

      Of course you'll notice the common Win32. in front of all of them.
      • by JohnFromCanada (789692) on Monday July 05, 2004 @12:52PM (#9613908)
        "These are the statistics that really matter:
        Secunia Virus Statistics"

        Uh, no there not. Viruses in many cases stem from exploits in the underlying operating system. If there are exploits in the OS and it is worthwhile virus writers will start programming/scripting viruses for Mac. The fact that they continue to hold such a low market share makes it really unnecessary for a virus writer to target them, when they can infect 100000 times the amount of machines on a Windows OS. Exploits can lead to viruses and are easily just as problematic as without the exploit there would be no virus. Furthermore, Apple has been incredibly slow at releasing updates and fixes in the past. Unlike what all the Apple marketers want you to believe their OS is easily vulnerable just like all others. MS may be the worst but that is yet to be proven as they hold such a dominant position in the market that there is virtually no effort to produce viruses for the other platforms. Security takes effort and knowledge no matter what platform you are on.
        • by paranode (671698) on Monday July 05, 2004 @02:11PM (#9614536)
          The point is that PRACTICALLY, Microsoft is the most insecure operating system because you cannot hook a default install up to the internet without getting 20 worms by the time you patch it up.

          In THEORY, you are correct that it is all about exploits and there are possibly exploitable holes just as much in Linux or Mac. Difference? In the real world, they are exploited much less on the latter two. Also, critical issues are fixed MUCH faster in the latter two leading to a less vulnerable system.

          MOREOVER, these assclowns count a vulnerability in every piece of free software as a Linux vulnerability and only count core vulnerabilities in Microsoft. Similarly for Mac probably. So yes, exploits are what matters, but in the REAL WORLD there are more exploits for Windows and more boxes constantly being exploited, so your point is moot.
        • The fact that they continue to hold such a low market share makes it really unnecessary for a virus writer to target them, when they can infect 100000 times the amount of machines on a Windows OS.

          There's the market share argument again!

          Look, I won't bore you with the usual Apache has over 2/3 of the web server market share and all that. No, luckily (in this case?!), we can now highlight Mozilla as a product which still has a low market share in the browser market - as we all know - you see, recently we

        • by valmont (3573) on Monday July 05, 2004 @09:45PM (#9617523) Homepage Journal

          All this rambling about OS X's lack of security is moot. Here is the only factor that matters:

          A DEFAULT INSTALLATION OF THE CONSUMER-LEVEL VERSION OF MAC OS X (that ships with every mac) HAS ABSOLUTELY ZERO, ZILCH, NADA, NOTHING, NOT ONE NETWORK SERVICE ENABLED BY DEFAULT.

          There's no way you can remotely own a default installation of Mac OS X.

          Take a deep breath and re-run that sentence to yourself in your head.

          Plug a default installation of XP (that ships with every PC) on any open network, you're owned within seconds. It's that simple.

          Statistics are pointless when not scoped around what they really mean and their impact. So here's me doing everyone's job:

          As a consumer-level operating system, Mac OS X, since day 1, and up until today, has always been, and remains FAR MORE SECURE than windows. Because the consumer-level version of Mac OS X, also known as "Mac OS X Client" does not unnecessarily enable by default any services, because the vast majority of users don't need'em, and the few who do can turn them on easily. Windows could have done that at least since 2001 and heydays of CodeRed and Nimda, yet never bothered to take this very very VERY simple measure. This is your first basic most simple, strongest line of security: if you don't need it, don't even turn it on. Be humble about the software you run, and understand that in may in fact be vulnerable, at the very least, to buffer overflows. APPLE HAS GROKKED THAT FROM DAY ONE, MICROSOFT NEVER DID, though i'm hoping SP2 will turn all that useless crap off. Saying that Apple has been lagging in releasing security updates is simply untrue. They've addressed all real ones very fast.

          Now, as a server-level operating system, as far as security goes, it's all in the hands of a systems administrator. All services that run natively to the operating system are, in theory, at the very least, vulnerable to buffer overflows. And this goes regardless of which operating system you use. But frankly, if I was to admin a server, I'd still go with OS X, because I'd know that pretty-much all network services it runs come from the open-source community, if Apple is too slow to release a patch, I'll have known way ahead of time by keeping on-top of advisories and reading workarounds and solutions from the open-source community. If I'm running windoz 2003, I'm at the mercy of microsoft.

  • by nurb432 (527695) on Monday July 05, 2004 @12:24PM (#9613643) Homepage Journal
    If you trace the money, there wont be much suprise in who it leads back too.
  • Missing Stats? (Score:5, Interesting)

    by BearJ (783382) on Monday July 05, 2004 @12:24PM (#9613649)
    Ok, from my read of the article everything is roughly equally insecure, give or take. Question then becomes, how quickly are these problems responded to. Surely Microsoft as the largest company out there would be the quickest right?

    right?

    • Re:Missing Stats? (Score:5, Insightful)

      by radicalskeptic (644346) <tritone@gm[ ].com ['ail' in gap]> on Monday July 05, 2004 @12:39PM (#9613792)
      The stats don't make sense to me. Here's what I see:

      Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

      So that would mean, multiplying 46 by 48% would give you the number of remote attacks, and multiplying 46 by 46% would give you the number of attacks enabling system access. So for Windows:

      • 22.08 remote attacks.
      • 21.16 system access attacks.


      Don't ask me why they are not integers. I suppose that some advisorys covered more than one bug?

      Now, for OS X:Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

      Using the same system as before, I got:

      • 21.96 remote attacks.
      • 11.52 system access attacks.


      So they're saying OS X allows HALF of the number of attacks that can gain access to a system as XP, but their conclusion is that "The myth that Mac OS X is secure, for example, has been exposed"???Hmmm....
      • Re:Missing Stats? (Score:5, Insightful)

        by zhiwenchong (155773) on Monday July 05, 2004 @01:02PM (#9614015)
        I think it's just a case of their phrasing being misleading.

        I believe they mean that
        1) Windows is not as insecure as YOU THINK
        2) Mac OS X is not as secure as YOU THINK (they assume Mac OS X users think that the operating system has 0 to few exploits)

        They're not really saying that Windows is more secure than Mac OS X. But the way the said it -- well, sure could mislead a lot of people.
        • Security is in some ways a binary state. Your OS only needs to have one flaw capable of giving remote root, and you're insecure. The other security flaws are just extras that make it harder to get back to secure when patching things up... so long as there's one way to get total control, you can be 0wned and the rest just doesn't matter at that point.

      • by cryptochrome (303529) on Monday July 05, 2004 @01:21PM (#9614170) Journal
        This article is complete garbage. Comparing proportions means nothing - particularly since they always add up to 100%! What matters is the actual number of exploits, and how likely they are to occur. The parent is absolutely right.
      • Re:Missing Stats? (Score:5, Insightful)

        by argent (18001) <peterNO@SPAMslashdot.2006.taronga.com> on Monday July 05, 2004 @02:03PM (#9614487) Homepage Journal
        It doesn't really make sense to bother counting system access attacks separately on Windows, because unless you lock the system down to the point where it's basically a kiosk there's no way to prevent the user getting system level access. The only statistic you need to worry about is remote user access, everything else is a given.

        For example, if you want to allow the user to release and renew their DHCP lease (which is an essential troubleshooting step for any problems involving IP address problems in a dynamic address environment) you have to give the user the right to load device drivers. Which can be boosted to system level access.

        Since access is associated only with the user... there's no setuid mechanism that allows a program to be run by the user but with elevated privileges... any code run by the user has that right, and thus any remote or local exploit really has to be treated as a root exploit.

        On any UNIX based system, the same operation can be controlled by the setuid mechanism, which isn't perfect but *does* allow more separation of privilege than exists in Windows. And Mac OS X makes extensive use of it... every time you enter your password to allow access to a system function you're using setuid.

        So those stats are really:

        XP: 22 remote access attacks, 43 system access attacks.
        OSX: 22 remote access attacks, 12 system access attacks.

        Also, OS X ships with all remote access turned off by default, including remote file system and shell. You have to explicitly enable it. XP ships open to the world, you have to close it, and there's things you *can't* close without setting up a firewall.

        So the statistics look more like this:

        XP: 22 remote access attacks, some open by default, all leading to system access.
        OSX: 22 remote access attacks, none open by default, no remote system access attacks open by default.

        Here's the statistic that I'm concerned about:

        There has been one significant browser-based hole on OS X. In the same time there have been multiple exploited holes in IE, including almost the same hole that was found in Safari, and after almost 10 years of similar browser-based holes being found on a regular basis with Microsoft making no attempt whatsoever to fix the underlying design flaw that makes them inevitable.

        Hopefully Apple will respond better than Microsoft.
      • by AYeomans (322504) <ajv@yeomans.o r g . uk> on Monday July 05, 2004 @03:53PM (#9615371)
        Note very carefully, they count advisories only once, even though they may include multiple vulnerabilities.

        The Windows XP Pro list includes:

        • Microsoft Windows 14 Vulnerabilities
        • Microsoft Windows RPC/DCOM Multiple Vulnerabilities
        • Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
        • Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
        contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone [secunia.com].

        Actually, Secunia tend to publish alerts based the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli [sintelli.com] (free) or TruSecure [trusecure.com] (fee) which have far higher totals.

    • by khasim (1285) <brandioch.conner@gmail.com> on Monday July 05, 2004 @01:19PM (#9614144)
      In the Forrester report referenced in that article, they only STARTED counting from the time Microsoft PUBLICLY admitted to a problem.

      Which, in many cases, was when Microsoft had a patch ready.

      But www.eeye.com had reported security holes to Microsoft for MONTHS before a patch was made available.

      In other words, if Microsoft NEVER admitted PUBLICLY to a security hole, that security hole would NEVER be counted in the Forrester report.

      http://www.eeye.com/html/research/upcoming/index .h tml

      For the current listing.

      With Open Source software, the vulnerability is usually discussed on the mailing list.

      So, if a hole is discovered in Linux, and discussed on the mailing list and a patch is released 48 hours later.....

      And then Red Hat releases a .rpm 24 hours later...

      Forrester would count that as a 3 day delay.

      You take the medium threat from www.eeye.com that is 49 days overdue (actually informed 109 days ago) and Microsoft releases a patch the same day Microsoft admits to the hole....

      Forrester would count that a 1 day or less delay.
    • Re:Missing Stats? (Score:5, Informative)

      by burnin1965 (535071) on Monday July 05, 2004 @01:36PM (#9614290) Homepage
      And simply reading the article is exactly what this Microsoft shill is expecting everyone to do.

      This may be asking alot, but I'd like everyone to dig a little deeper and actual go to the secunia.com website and poke around at the statistics yourself. What you will find is that the guy who wrote this article is either too damned lazy to fully research his topic or he is intentionally using these statistics inaccurately in order to prove a false point.

      For those who don't have the time to find out for themselves what the statistics REALLY say, here is what I found:

      In the secunia.com statistics for Windows XP there is only a single exploit related to Internet Explorer. That sounds pretty good but its also blatantly false.

      In fact, if you dig a little deeper into the statistics on their web site you discover that Internet Explorer 6 from 2003 to 2004 had 40 advisories by itself with 98% allowing remote attack and 31% enabling system access.

      secunia.com/product/11/ [secunia.com]

      So taking into account all the IE vulnerabilities instead of grouping them into one advisory we suddenly discover that Microsoft Windows XP Proffessional had 86 advisories from 2003 to 2004 with 71% allowing remote attacks and 38% enabling system access!

      Now some will say "not fair" because IE is a seperate application. All I can tell you is that if you actually looked at the statistics you would already know that the OSX and linux statistics include security advisories for ALL applications included in with the OS. So it is only fair to also include ALL Windows applications that come with Windows.

      So in conclusion, when I include the vulnerabilities of just one single Windows application the number of exploits in Windows is around double what you have with the likes of OSX or linux. I suspect that including other Windows applications that were excluded from the Windows statistics everyone will begin to understand why Windows is a haven for worms and viruses.

      I don't think I will be migrating from my Mac OSX and linux installs any time soon.

      burnin
      • Re:Missing Stats? (Score:3, Insightful)

        by Anonymous Coward
        Now some will say "not fair" because IE is a seperate application.

        Didn't Microsoft swear under oath that it was not a separate application, but was instead an integral part of the OS?
  • by user no. 590291 (590291) on Monday July 05, 2004 @12:24PM (#9613651)
    I wouldn't be the least bit surprised to find that this "Secunia" derives funding from a common source with SCO.
    • Re:Follow the money. (Score:4, Interesting)

      by fuzzix (700457) on Monday July 05, 2004 @12:37PM (#9613758) Journal
      I wouldn't be the least bit surprised to find that this "Secunia" derives funding from a common source with SCO.

      Not true. Secunia is its own private concern and judging from correspondence they have with the [theinquirer.net] inquirer [theinquirer.net] I very much doubt they'll be swayed by "contributions" as easily as our R&D friends at Adti.

      That said, there are some omissions from the article such as which applications in the Linux distros were vulnerable and how long it took for each vuln to be patched.
  • by martin (1336) <maxsec&gmail,com> on Monday July 05, 2004 @12:24PM (#9613652) Journal
    Would be nice to see how many of these *potential* exploits resulted in actual malware/hackers using them.

    Just because the potential is there doesn't mean these holes have exploits running in the wild.

    It's a risk thing...Windows exploits are *more* likely to be exploited than Solaris ones, but that doesn't mean the Solaris ones won't be exploited (cf a couple of super computer centers getting hacked!)
    • by laudney (749337) <br260@[ ].ac.uk ['cam' in gap]> on Monday July 05, 2004 @12:41PM (#9613815) Homepage
      In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to undertand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.
  • by Xshare (762241) on Monday July 05, 2004 @12:25PM (#9613654) Homepage
    ...and everyone says that Microsoft is paying Secunia to do this, etc. (like with AdTI, though AdTI really is getting funding from MSFT, different story), read this: http://www.linuxinsider.com/story/32370.html [linuxinsider.com]
    It seems that it was Secunia which released lots of IE bugs, and that Microsoft has had scuffles with them before. Unless someone here has evidence that they got funding from MSFT since then, don't say that.
    • by robogun (466062) on Monday July 05, 2004 @12:31PM (#9613705)
      Explain then the FUD from these guys, and why they ignore, in terms of everyday use, why only Windows/IE users can get r00ted by simply browsing a website, and OSX users can't. How come when I re-install Win2K SP# it takes 63 security updates over nine reboots before I can even consider plugging in directly to the net.

      This article is so beyond common sense and everyday experience, I cannot see how it can possibly hold up to examination.
      • I'd also take exception with the statement that "The myth that Mac OS X is secure, for example, has been exposed.". Reading the article it seems to show that OSX was infact the most secure, even by their criteria. Why does the fact it is apparently more secure than the competition lead them to say it is not secure? (or have I missed something important here?)
      • why only Windows/IE users can get r00ted by simply browsing a website,

        An unpatched OS X system can "get r00ted" by simply browsing to a websight. Safari has an extension association that would allow a page to call the command terminal and run any command desired. Oops, you're rooted. It has been patched, but so have most of the bugs viruses use in Windows.
    • But isn't it interesting that now when ever anyone appears to support Microsoft, they're automatically suspect of being a MS sock puppet? Years of string-pulling by Bill and Monkeyboy have put wireheads everywhere on alert. Looks like yet another underhanded tactic is backfiring on them.
    • It's a good point, but the article doesn't seem to justify the conclusions.

      I have no knowledge of WHERE they are getting their funding. But they don't seem to have any criteria by which someone besides themselves can judge the security of a system. Saying "Mac security is worse than anyone imagined" is nugatory without saying how bad you think someone had imagined it as being...unless you give some other indication of how bad you think it is. Perhaps they did, and I just didn't understand them. I must
  • by Anonymous Coward on Monday July 05, 2004 @12:25PM (#9613659)
    The Mac and Linux communities need to accept the fact that Windows, however much you might HATE Microsoft, is more secure.

    How many independent reports have we seen that come to the same conclusion? 10? 20? The head in the sand approach won't work. The "Microsoft Shill" theory doesn't hold water.

    No, it is time for the Linux community to address these issues and bring Linux back up to the level of Windows.

    And by the way, I'm a cybersecurity consultant, so I know what I'm talking about.
    • by mangu (126918) on Monday July 05, 2004 @12:38PM (#9613776)
      How many independent reports have we seen that come to the same conclusion?


      I once read that Hitler ordered a report made, signed by a hundred scientists, proving that Einstein was wrong. When they asked Einstein about it, he answered "if I was wrong, one scientist alone would be able to prove it".

  • Micorsoft? (Score:3, Funny)

    by philkar77 (752923) on Monday July 05, 2004 @12:28PM (#9613677)
    from the article: "The Micorsoft Windows application is more secure than you think..."
  • by rainer_d (115765) * on Monday July 05, 2004 @12:29PM (#9613686) Homepage
    ...everybody can fuck around with her, while paying.
  • by djh101010 (656795) * on Monday July 05, 2004 @12:29PM (#9613690) Homepage Journal
    Looking at my email inbox, I see a ton of junk generated by the Windows virus/worm of the week. Looking at my firewall logs, I see very little probing for any of the Unix exploits.

    When the difference in use of exploits is an order of magnitude or two higher for the 'doze stuff, it's hard to see how a mere "count of vulerabilities fixed" means much at all. The basic design differences between unix and 'doze are profound, which is why the 'doze exploits do so well.
  • by eamacnaghten (695001) on Monday July 05, 2004 @12:30PM (#9613695) Homepage Journal
    The article is an irrelevance and does not deal with the real issues of security.

    If a sysadmin is lazy and security unaware, he will ALWAYS be cracked into and exploited regardless of the OS system used, Windows Linux whatever. At the same time if he is vigulant and security aware he will unlikely to be seriously cracked and his systems will be stable, again regardless of the OS involved.

    What I have found is that managing Linux properly is a lot easier and cheaper than managing the Windows OS's properly due to the better OS design in philosophy and security, and attitude of the OS maintainers.

    THAT to me is what is relevant.

  • The facts are hard to look at, yet we all know that Linux, despite opinions to the contrary, has suffered from system holes. And to be quite frank, the fact that Mac OSX is leaking like a swiss cheeze should not come as a surprise to anyone.

    Linux is fallaible, but at least with open source we can find bugs and get rid of them quick, without waiting for patches. Windows is not as bad as OS X in this regard either.
    I find the statement Linux suppliers took longer to release patches. Is that true? I know security consious admins will patch themselves but is it true that vendors will igorne minoe bugs?

    Perhaps this is what the MS reps meant when they said Linux was becoming morew like windows.
  • by Knuckles (8964) <knuckles&dantian,org> on Monday July 05, 2004 @12:30PM (#9613697)
    I can't see it metnioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want to answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?
    • by robin_j (593703) on Monday July 05, 2004 @12:56PM (#9613956)
      I can't see it metnioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want to answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

      The list of advisories for RedHat AS 3 is listed at the bottom and currently it contains 51 advisories and what they were issued for. I copied the list and sorted them so here you can see a list of exactly what they included:
      CVS
      ethereal
      FreeRADIUS
      gaim
      glibc
      gnupg
      httpd
      iproute
      ipsec-tools
      kdelibs
      kdepim
      kernel
      krb5
      lftp
      LHA
      libpng
      libxml2
      mod_python
      mod_ssl
      mozilla
      Mutt
      NetPBM
      net-snmp
      nfs-utils
      OpenOffice
      OpenSSL
      PWLib
      Quagga
      rsync
      slocate
      squid
      squirrelmail
      sysstat
      tcpdump
      utempter
      XFree86

      As you can see a lots of these are what might be called non-OS components. I've had a quick look at XP Home and it doesn't even seem to include issues with IE which according to MS is an integral part of the OS unlike Linux and Mozilla, yet they happily bundled them together.

      Strange that..........
  • what does it prove? (Score:3, Interesting)

    by Anonymous Coward on Monday July 05, 2004 @12:30PM (#9613700)

    Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

    The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.

    Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!

    These studies analyze the statistics of the security advisories and attempt to draw conclusions. I don't see the value of it.

    Here's what I do: I just *assume* that all operating systems and software is insecure (unless djb wrote it, heh). After all, I'm constantly updating FreeBSD, Gentoo, and Windows, all the time, anyway.

    Since it only takes ONE show-stopper bug to let in an attacker, it really doesn't matter to me how *many* bugs each OS has.

    In my experience, the easiest OS to upgrade is OS X. However I don't manage any production OS X servers, just my own computers, so take that with a grain of salt.

    Next easiest is Gentoo. You can upgrade just the components you need, BUT it's a little hard to separate the security fixes from the non-security fixes (they are working on that though).

    Next is FreeBSD. Like Gentoo, it's hard to pick out just the security updates, but they are working on that too. Rebuilding the base OS is time-consuming and risky, so FreeBSD gets a mark for that.

    Next is Windows. Too GUI-oriented, and service packs are too complex and cause breakage.

    However we do manage to keep all machines up to date and implement layered security (firewall, network IDS, host IDS [tripwire], remote syslog, log monitoring.......)

  • by operagost (62405) on Monday July 05, 2004 @12:32PM (#9613709) Homepage Journal
    Use VMS! [openvms.org]
  • Junk Science (Score:5, Insightful)

    by Hatta (162192) on Monday July 05, 2004 @12:33PM (#9613730) Journal
    The statistics, based on a database of security advisories for more than 3,500 products during 2003 and 2004

    The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.


    This research tells you nothing about how secure an OS is. The number of security advisories has a lot to do with how diligent the OS manufacturer is in informing the public about security problems. For all we know Apple could just be a lot better about airing its dirty laundry than microsoft. I would assume that due to the open source model, the statistcs on SUSE were fairly accurate.
  • by upsidedown_duck (788782) on Monday July 05, 2004 @12:33PM (#9613734)

    One problem with counting only advisories is simply that there are different levels of transparency to users and developers among Windows XP, Linux, Solaris, and Mac OS X. One thing the study doesn't mention (which is unknowable, so they conveniently brush it off as unimportant) is how many covered-up or known-only-by-crackers vulnerabilities exist in each platform.

    Also, why didn't the study mention OpenBSD? What about default configurations? Where the documented vulnerabilities always relevant or were they very obscure (e.g., service X used by three people in Greenland)?

    I think this article smells biased.

  • by EMR (13768) on Monday July 05, 2004 @12:35PM (#9613742)
    That OS X doesn't have any network service running when first installed!!.. Nothing, nada, zilch, zippo.. In order to get exploited you need to have something running that accepts connections.. The default install of the Mac OS X doesn't have a thing. Where as Windows has way too much enabled and exposed.. Most linux systems now days, while they may have some things running, most are only listenting to the internal host (not accessible outside the computer) and they default enable the firewall.
  • by RAMMS+EIN (578166) on Monday July 05, 2004 @12:36PM (#9613745) Homepage Journal
    Somebody explain to me how this article supports the claims that have been based on it.

    ``Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

    <snip>

    SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access.

    <snip>

    Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

    Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.''

    So, Windows XP and SLES had about the same number of vulnerabilities, but SLES manages to keep them out of the vital parts better. Mac OS X has had significantly (about 30%) fewer vulnerabilities, with the percentage of vulnerabilities leading to system level access on par with SLES.

    What this says to me is that _if_ the detection ratio for all systems is the same (which I don't believe, but without this assumption, you can't say anything), WinXP is the worst, and OS X the most secure. This is exactly opposite to what is claimed.
  • by nattt (568106) on Monday July 05, 2004 @12:36PM (#9613752)
    Statistics don't change the facts that after running Mac OS X since it's inception, I've not had one OS X virus, or any of these exploits used against my machines. And the stats don't take into account not just how quickly a patch is released, but how quickly the users of that OS patch it.
  • Black and White (Score:4, Informative)

    by INeededALogin (771371) on Monday July 05, 2004 @12:37PM (#9613764) Journal
    as a Mac OSX user I have to defend my lil OS that could.

    This poll does not take into affect the time to resolution, effect of exploit, and how hard it was to actually perform the exploit. Honestly, all software has bugs, all software has exploits it is the result of those exploits that I am more concerned with. Quite often Apple finds and fixes exploits before their are programs in the wild to exploit them. The same goes for Open-Source software which I am sure that some of the OSX advisories were a result of given Apples embrace of OSS.

    Ask an Apple user how many Viruses, pop-ups, and unexplained daemons they have had on their system. The number will almost always be 0.
  • by Synn (6288) on Monday July 05, 2004 @12:38PM (#9613772)
    The study compares security alerts between OSes, but one problem with that is that at least under Linux vendors not only release alerts for the core OS, but for applications as well.

    If The Gimp has a security issue a Linux vendor will issue an alert for it.

    If Photoshop has a security issue, MS won't inform you.

    Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, pluging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.
    • In the XP stats they show one advisory for IE. But looking at the exploits statistics on the same website you find that the one Microsoft application by itself has about as many exploits as other competing operating systems and all their applications combined:

      secunia.com/product/11/ [secunia.com]

      Sorry Windows lovers, its time to face the facts, your OS of choice and associated applications are a haven for worms and viruses not because there are so many of you, its because the software is crap.

      burnin
  • by carndearg (696084) on Monday July 05, 2004 @12:38PM (#9613773) Homepage Journal
    I think this research misses the point. They deal with the number of security advisories, not with how quickly or effectively (or even if) the holes were fixed.

    I would be far more interested to hear, on the MacOs example for instance, how Apple responded to its security holes and how that compared to those of Microsoft or the Linux community.

  • by nurb432 (527695) on Monday July 05, 2004 @12:39PM (#9613783) Homepage Journal
    90% of security is the administrator. So it really doesnt matter how secure the 'system' is as a good admin can make most anything secure.

    That said, most 'windows admins' are home users ( by percentage ) that have NO clue what they are doing...

    Home *nix admins tend to have more clue..

  • Just counting (Score:3, Insightful)

    by miraclemax (702629) <magikmykl@mac.com> on Monday July 05, 2004 @12:40PM (#9613798)
    They're just counting bug fixes. And counting how many are labeled critical. Well, that still doesn't factor in, at all, how easy it is to exploit. Fact is, if you try to run a system level program on Mac OSX, it STILL will ask for admin password. So a program can't be run on your machine in kernel space without your knowledge. Windows seems to have been made for just this purpose. This study is laughable. It's just a count the bug fixes garbage. Linux has more fixes and updates because open source is more honest. How often have we heard of M$ waiting six months to release fixes that they knew about? How many holes are there that the public doesn't know about?
  • Still not accurate (Score:5, Interesting)

    by signe (64498) on Monday July 05, 2004 @12:41PM (#9613804) Homepage
    Once again, we have someone comparing Windows with RedHat, while not taking into account that RedHat is comprised of many many additional applications that don't have equivalents in the Windows install. Not to mention many server applications (Apache, bind, sendmail, rsync, etc.) that enable the remote access that many of the security vulnerabilities use. I would wager that OS X is in a similar situation (when compared with Windows).

    Let's have one of these companies do a real test. Where they take a Windows install, and then a RedHat (or SuSE) install crafted to match it as closely as possible. No servers, Mozilla installed on the Linux system. Just the basics. Then count the vulnerabilities. It will tell a much different story.

    -Todd
  • by Frater 219 (1455) on Monday July 05, 2004 @12:43PM (#9613823) Journal
    The reported study discusses the number and claimed severity of official security advisories for different systems. The factitious claims being made do not address the following problems:

    Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.

    A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?

    Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.

    Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.

    Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.

    Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.

  • by midifarm (666278) on Monday July 05, 2004 @12:47PM (#9613860)
    ...that in their super critical statistical analysis that he never actually gave a number of OS X incidents, just some vague percentages? No real specifics at all. I mean sure if OS X had 10 security holes and 6 were critical that you be 60%, whereas if XP had 100 holes with only 37 of those as critical it'd only be 37%. By that logic XP would be rock solid secure! This just seems like Apple bashing, and had they mentioned what percentage of the OS X holes were in common open source programs that may have been across the board amongst Linux/Unix systems? At least I can gather that if there's a hole in Windows that M$ is to blame for the bad code, not a class project from MIT!

    Peace

  • by YouHaveSnail (202852) on Monday July 05, 2004 @12:48PM (#9613869)
    Friends, it's clear from Secunia's own data [secunia.com] that we should all switch back to MacOS 9, since Secunia knows of only one security issue for that OS.

    Friends, you just can't argue with pie charts.
  • by JeffTL (667728) on Monday July 05, 2004 @12:48PM (#9613870)
    Secunia is simply saying this to "show" that they are not "anti-Windows zealots." I haven't heard much about OS X servers being cracked, and the only viruses created for OS X have been non-replicating proofs of concept. Moreover, no OS X program can screw up your system unless YOU GIVE IT YOUR ADMIN PASSWORD-- and hopefully you have your personal data backed up anyhow, as hardware failure hits when you least expect it.

    Even on an administrator account, you can't screw up the operating system without a chance to bail out at a password prompt. Try that on Windows.
  • Lies! Lies! Lies! (Score:5, Informative)

    by fname (199759) on Monday July 05, 2004 @12:57PM (#9613962) Journal
    I'll quote from the only true site for Mac news, As the Apple Turns [appleturns.com]:
    Notice also that Secunia yaps on about how, for Mac OS X, "of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system"-- but never mentions how many could be exploited across the Internet to enable attackers to take over the system. Personally, we aren't much concerned about exploits that require local access to a Mac, because if anyone's climbing in through a window downstairs, we've got more important things to worry about than whether or not he can mess with our Finder preferences. We picked one of those advisories at random, noted that it's tagged with an impact of "System access" and a location of "From remote," and then scoped out the description of the flaws to find that the only ones listed that appear to allow "escalation of privileges" can only be exploited by "malicious, local users." So as long as we keep the doors locked at night and don't tick off our housemates to the point of digital vandalism, we're apparently all right.
    Please read the entire article, as it thoroughly points out the many flaws to this study, and points to other articles [techworld.com] where Secunia makes other ridiculous OS X security claims. Oh yeah, and the site is damn funny too.
  • Interesting wording (Score:3, Interesting)

    by digitalgimpus (468277) on Monday July 05, 2004 @12:58PM (#9613967) Homepage
    The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical
    by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.


    Emphasis mine.

    Were not talking solid numbers, but numbers made by personal opinion. What is 'critical'?

    MS can butter up the numbers so none of their holes are 'critical' if they so desire. So can anyone else.
  • by MobyDisk (75490) on Monday July 05, 2004 @12:59PM (#9613984) Homepage

    Firstly, this article is a summary of some other set of statistics. These summaries are usually horrible since the writers really don't understand statistics. Things never add up to 100%, and one quote often refers to a slightly different way of calculating things than another.

    I don't know tons about security, so I read this with an open mind. But I KNOW some things are wrong:

    A recent Forrester Research study compared Windows and Linux supplier response times on security flaws and was heavily criticised for its conclusion that Linux suppliers took longer to release patches.

    I haven't read Forrester's research, so I would like to see it. (anybody know a link?) OSS is definitely faster at releasing patches. We see that time and time again. Perhaps they were comparing how long it took for the vendors like Red Hat to ship product updates for Apache, or put them on their web sites? But if I installed Apache, I don't look to Suse or Red Hat or Mandrake for my updates, I look to apt-get or apache.org. Of course, MS claims that all exploits come from MS patches [slashdot.org] anyway. (Which is proven not to be true on a weekly basis).

    Lastly, the article rebuff's itself in the final quote:

    A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.
    Even though that is the basis for the article's comparisons. lol!
  • by Biotech9 (704202) on Monday July 05, 2004 @01:17PM (#9614129) Homepage
    Unrepentant Mac Apologism time! It seems that there are some "statistics" flying around that can be interpreted to mean that Mac OS X is, practically speaking, no more secure than Windows, and we certainly can't let that sort of stuff go unchecked, now, can we? Whether it's true or not, we mean. So we feel it's our sworn duty to cast all sorts of aspersions on the reliability of said stats and on the character and competence of those who compiled them. Of course, you'll have to keep in mind that absolutely nothing we say on the subject carries any weight whatsoever, since, far from being experts on computer security, our real expertise is in the field of making vegetables out of Play-Doh. (Corn on the cob is our specialty. We can get it all bumpy and everything.) However, while we're not security experts, we've seen one on TV; surely that counts for something.

    Anyway, it's like this: faithful viewer C. J. Corbett tipped us off to a Techworld article last week with the ominous title of "Mac OS X security myth exposed" which leads off with this oh-so-fair-and-balanced sentence: "Windows is more secure than you think, and Mac OS X is worse than you ever imagined." See, security firm Secunia claims to have compiled some honest-to-goodness statistics proving once and for all that choosing Mac OS X over Windows is your surest path to having some scary 'net dude invade your system, swipe your financial data, and start leering at digital photos of your family members in an... unsavory manner.

    How is this possible? Well, numbers don't lie, and while Windows XP Professional clocked "46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access," Mac OS X racked up 36 such advisories, with 61 percent remotely exploitable and 32 percent allowing the takeover of the system. See? Worse than you ever imagined. It's like a wedge of Swiss cheese with a shotgun blast through the middle or something. Meanwhile, Windows users will no doubt be thrilled to hear that their virus-ridden, spyware-loaded, worm-propagating systems are more secure than they think. Good for them.

    There are just a few problems with this argument, however. The first is the claim that Mac OS X isn't much better than Windows XP Professional because it had 36 security advisories compared to Windows's 46. Maybe we're fresh off the turnip truck or something, but 22% fewer advisories sounds quite a bit better to us. Also, if you actually look at the data to which Techworld refers, it's not 36 advisories for Mac OS X at all; it's 33. (Apparently Techworld decided to go back to 2002 to fetch its reported number.) Granted, the Windows number is also 45 instead of 46-- yeesh, Techworld; fact-check much?-- but even so, now we're talking about nearly 27% fewer security advisories for Mac OS X than for Windows XP Professional.

    Now take a look at the advisories themselves, and notice how no fewer than eleven of those 33 advisories (that's a third, for the mathematically inept) are titled "Mac OS X Security Update Fixes Multiple Vulnerabilities" or something similar. Yes, in its advisory count, Secunia is including those advisories it generated just to report that Apple had fixed something. Does anyone else find it a little odd that Secunia penalizes Apple for fixing problems, including ones that were fixed so quickly that Secunia had never found out about them in the first place? (While they may describe a flaw and immediately note the presence of a patch, none of the Windows advisories appears to exist simply to announce that Redmond had fixed a bunch of holes.)

    Notice also that Secunia yaps on about how, for Mac OS X, "of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system"-- but never mentions how many could be exploited across the Internet to enable attackers to take over the system. Personally, we aren't much concerned about exploits that require local access to a Mac, because if any
  • Just looking at the number of critical issues for an operating system is absurd. What about default configuration? OS X by default does not listen on any network ports. Scan a Windows XP system and you'll see MANY ports, including 137, 138, 139, and 445 - the NetBIOS services that are typically exploited by attackers. With those services you can launch remote password guessing and other attacks against the base system.

    On anoter note, how about we tally the number of viruses and trojans for the different operating systems? This is one of the most important security problems facing businesses today. Gee, I think we'll see a MUCH different ratio for OS X vs. Windows XP.

    I can't stand it when a security company comes up with skewed statistics in an effort to get press and web hits. The comparison of only the number and type of vendor bulletins is not an effective measurement of OS security.
  • by Brett Johnson (649584) on Monday July 05, 2004 @01:30PM (#9614237)

    Interesting time to publish this - right between last week's IIS/IE [us-cert.gov] multiple [washingtonpost.com] exploits [slashdot.org] and this week's Evaman Worm outbreak [slashdot.org].

    Now that CERT [washingtonpost.com] and the Dept. of Homeland Security [yahoo.com] both recommend consumers abandon Intenet Explorer, can we get them to recommend dropping Outlook Express?
  • by borjam (227564) on Monday July 05, 2004 @01:35PM (#9614278)
    I wondet what would be the Secunia diagnosis in this case:

    Patient A's clinical history:

    Headache
    Influenza
    A small scar in his hace
    A broken arm

    Patient B:

    Stomach cancer

    Which of the two patients is in a worse state? According to Secunia, patient A would be really bad, he has three lines in his medical record!!!!

    Amazing, indeed
  • by schmiddy (599730) on Monday July 05, 2004 @01:40PM (#9614322) Homepage Journal
    I was looking at Secunia's Virus Info Page [secunia.com] .. right under the graph it says "Based on Information delivered by BullGuard".

    That set off a few bells... Know what BullGuard is? It's spyware that happens to come bundled with Kazaa. Amusingly, you can see BullGuard on Kazaa's *cough* No Spyware Policy [kazaa.com] Page, where they try to pretend that their bundled software isn't spyware.
  • by Trevin (570491) on Monday July 05, 2004 @01:43PM (#9614339) Homepage

    There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories [secunia.com] can cover multiple vulnerabilities [secunia.com].

    The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP [secunia.com] advisories, all I see are the core components, with the glaring omission of Internet Explorer [secunia.com] (which these days is in fact a core component of the operating system).

  • This study is bogus (Score:3, Interesting)

    by cowbutt (21077) on Monday July 05, 2004 @01:58PM (#9614452) Journal
    a) it doesn't take account of the window of vulnerability between discovery (or, at the very least, public disclosure) and a working patch being made available. This study [csoinformer.com] does. Google [google.com] finds more details for those that want 'em.

    b) All Linux distros ship far more software than Microsoft does with Windows, and rarely will all of it be installed and running on a given system. If a vulnerable package isn't installed on a given system, then that system isn't vulnerable. To compare like with like, you'd need to take Windows' stats and add them to IIS, Exchange, Mozilla, Office/OpenOffice.org, Cygwin/SFU, SQL server, a bunch of free and shareware IRC clients and so on.

    If folks are going to play these silly pissing contests, then the only fair way to do it is to take account of the period of vulnerability and base comparisons on "role profiles" (e.g. PHP web server, anti-spam MTA, static web server, graphical desktop).

    --

  • by rdean400 (322321) on Monday July 05, 2004 @02:01PM (#9614478)
    as with other flawed "surveys," this one doesn't seem to account for features that are disabled by default, or that can't be exploited if the vunerable package isn't installed.

What this country needs is a good five cent microcomputer.

Working...