Security Statistics and Operating System Conventional Wisdom
kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
Missing Stats? (Score:5, Interesting)
right?
Hmmm... (Score:1, Interesting)
The leadline makes it sound like XP is more secure than OS X, and then you read down to find it's more like that OS X isn't much more secure than XP.
Now if the comparison included the length of time that exploits were left unpatched we would get an entirely different picture...
what does it prove? (Score:3, Interesting)
Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.
The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.
Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!
These studies analyze the statistics of the security advisories and attempt to draw conclusions. I don't see the value of it.
Here's what I do: I just *assume* that all operating systems and software is insecure (unless djb wrote it, heh). After all, I'm constantly updating FreeBSD, Gentoo, and Windows, all the time, anyway.
Since it only takes ONE show-stopper bug to let in an attacker, it really doesn't matter to me how *many* bugs each OS has.
In my experience, the easiest OS to upgrade is OS X. However I don't manage any production OS X servers, just my own computers, so take that with a grain of salt.
Next easiest is Gentoo. You can upgrade just the components you need, BUT it's a little hard to separate the security fixes from the non-security fixes (they are working on that though).
Next is FreeBSD. Like Gentoo, it's hard to pick out just the security updates, but they are working on that too. Rebuilding the base OS is time-consuming and risky, so FreeBSD gets a mark for that.
Next is Windows. Too GUI-oriented, and service packs are too complex and cause breakage.
However we do manage to keep all machines up to date and implement layered security (firewall, network IDS, host IDS [tripwire], remote syslog, log monitoring.......)
Counting advisories is skewed (Score:5, Interesting)
One problem with counting only advisories is simply that there are different levels of transparency to users and developers among Windows XP, Linux, Solaris, and Mac OS X. One thing the study doesn't mention (which is unknowable, so they conveniently brush it off as unimportant) is how many covered-up or known-only-by-crackers vulnerabilities exist in each platform.
Also, why didn't the study mention OpenBSD? What about default configurations? Were the documented vulnerabilities always relevant or were they very obscure (e.g., service X used by three people in Greenland)?
I think this article smells biased.
Re:Follow the money. (Score:4, Interesting)
Not true. Secunia is its own private concern and judging from correspondence they have with the Inquirer [theinquirer.net] I very much doubt they'll be swayed by "contributions" as easily as our R&D friends at Adti.
That said, there are some omissions from the article such as which applications in the Linux distros were vulnerable and how long it took for each vuln to be patched.
lies, damned lies and statistics (Score:3, Interesting)
I would be far more interested to hear, on the MacOs example for instance, how Apple responded to its security holes and how that compared to those of Microsoft or the Linux community.
Still not accurate (Score:5, Interesting)
Let's have one of these companies do a real test. Where they take a Windows install, and then a RedHat (or SuSE) install crafted to match it as closely as possible. No servers, Mozilla installed on the Linux system. Just the basics. Then count the vulnerabilities. It will tell a much different story.
-Todd
These guys can't count. (Score:2, Interesting)
They count security patches from MS as 1 when they were actually patching 14 vulnerabilities.
They also didn't include the vulnerabilities in IE - which alone had nearly as many as OS X.
Their conclusion would be very different if they actually knew how to count.
It is nothing more than FUD dressed up as research.
Anyone find it strange? (Score:5, Interesting)
Peace
This is the "we're-not-zealots" FUD troll (Score:3, Interesting)
Even on an administrator account, you can't screw up the operating system without a chance to bail out at a password prompt. Try that on Windows.
Here are the numbers. (Score:4, Interesting)
48% remote attack
46% granting system access
SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period,
58% remote attack
37% granting system access
Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year.
66% remote attack
25% granting system access
Mac OS X 36 advisories
61% remote attackers
32% granting system access
Interesting wording (Score:3, Interesting)
Emphasis mine.
We're not talking solid numbers, but numbers made by personal opinion. What is 'critical'?
MS can butter up the numbers so none of their holes are 'critical' if they so desire. So can anyone else.
Re:The summary is misleading (Score:4, Interesting)
But the article doesn't mention that Secunia is stocked primarily with vuln information which comes from the open source sector. Vuln information from the proprietary sector is reliant on the proprietary company releasing all of the properly arranged information to make a proper entry in Secunia's database. In the OSS community, every single vuln in every single patch which you got from Windowsupdate would receive a separate entry. It doesn't because MS doesn't collaborate to create these entries. By default the Secunia database is light on actual vulns for MS-Windows. Primarily the vulnerabilities in Secunia's database which are relevant to Windows will focus on third-party software manufacturers.
Lies, Damn Lies, and Statistics (Score:4, Interesting)
Proof that the results are BS (Score:3, Interesting)
That set off a few bells... Know what BullGuard is? It's spyware that happens to come bundled with Kazaa. Amusingly, you can see BullGuard on Kazaa's *cough* No Spyware Policy [kazaa.com] Page, where they try to pretend that their bundled software isn't spyware.
This study is bogus (Score:3, Interesting)
b) All Linux distros ship far more software than Microsoft does with Windows, and rarely will all of it be installed and running on a given system. If a vulnerable package isn't installed on a given system, then that system isn't vulnerable. To compare like with like, you'd need to take Windows' stats and add them to IIS, Exchange, Mozilla, Office/OpenOffice.org, Cygwin/SFU, SQL server, a bunch of free and shareware IRC clients and so on.
If folks are going to play these silly pissing contests, then the only fair way to do it is to take account of the period of vulnerability and base comparisons on "role profiles" (e.g. PHP web server, anti-spam MTA, static web server, graphical desktop).
--
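The counting argument made in "These guys can't count" (one advisory that fixes 14 vulnerabilities counted as one) and the "period of vulnerability" point made in the post above can be shown on constructed data. This is an added example, not Secunia's methodology or data; the products, dates and counts are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    product: str
    vulns: int          # distinct vulnerabilities bundled into this one advisory
    remote: bool        # exploitable by a remote attacker
    published: date     # date the vulnerability became publicly known
    patched: date       # date a vendor fix became available


# Constructed sample records (hypothetical products, not Secunia's data).
SAMPLE = [
    Advisory("OS-A", 1, True, date(2004, 1, 10), date(2004, 1, 12)),
    Advisory("OS-A", 1, True, date(2004, 2, 3), date(2004, 2, 4)),
    Advisory("OS-A", 1, False, date(2004, 3, 1), date(2004, 3, 1)),
    Advisory("OS-B", 14, True, date(2004, 1, 20), date(2004, 4, 30)),
    Advisory("OS-B", 3, True, date(2004, 5, 5), date(2004, 7, 1)),
]


def metrics(advisories):
    """Per-product totals under three different ways of counting."""
    out = defaultdict(lambda: {"advisories": 0, "vulnerabilities": 0,
                               "remote_vulnerabilities": 0, "exposure_days": 0})
    for a in advisories:
        m = out[a.product]
        m["advisories"] += 1                      # the headline "advisory count"
        m["vulnerabilities"] += a.vulns           # one advisory may fix many bugs
        if a.remote:
            m["remote_vulnerabilities"] += a.vulns
        # window of exposure: unpatched days, summed over every bundled bug
        m["exposure_days"] += (a.patched - a.published).days * a.vulns
    return dict(out)


def rank(advisories, key):
    """Products ordered worst-first by the chosen metric."""
    m = metrics(advisories)
    return sorted(m, key=lambda p: m[p][key], reverse=True)


if __name__ == "__main__":
    for key in ("advisories", "vulnerabilities", "exposure_days"):
        print(f"{key:>16}: worst first {rank(SAMPLE, key)}")
```

On this data OS-A looks worse by advisory count while OS-B looks worse by vulnerability count and by days of exposure, which is exactly why the two posts object to the headline numbers.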
Re:Here are the numbers. (Score:3, Interesting)
can someone please enlighten me as to what exact services in linux have been exploitable in the last few years? i mean, a completely anonymous attacker gaining root access to a machine over a network?
these 'statistics' apparently show some 20 holes in linux that are remotely exploitable by anonymous attackers. i call shenanigans.
The market share argument ... (Score:3, Interesting)
The fact that they continue to hold such a low market share makes it really unnecessary for a virus writer to target them, when they can infect 100000 times the amount of machines on a Windows OS.
There's the market share argument again!
Look, I won't bore you with the usual Apache has over 2/3 of the web server market share and all that. No, luckily (in this case?!), we can now highlight Mozilla as a product which still has a low market share in the browser market - as we all know - you see, recently we've seen malware target this particular browser, trying to trick users to installing a malicious extension via XPI [mozillazine.org].
Mind you, this is not a bug being exploited, but the usual "let's hope the gullible user clicks the 'OK'-button" type of trick. It will not install without user intervention!
Anyway, the bottom-line is that the market share argument is getting old, IMHO. But more importantly, this problem has been handled excellently by the Mozilla developer and user community. Blocking of onload-activated XPI installations has been implemented promptly as well as an extension website whitelist (though this one is not activated by default as of yet).
Re:Missing Stats? (Score:3, Interesting)
This means that protocols and helper apps that the desktop uses are also available to the browser, with various "hardening" done to try and keep you from being able to (for example) create a "sh://rm -rf
Any application that uses LaunchServices (on Mac OS X) or the HTML control (on Windows) is susceptible. On OSX there is at least some intention that apps should be hardened if they register in LaunchServices, but still there's stuff you want to be able to use from the desktop (like help:) that you would never need to use in a browser.
In any event, it turned out you could use "help:" to trick the help viewer into running a shell command.
Ironically, the same thing happened with the CHM hole in Microsoft's help viewer the same month.
Either way, it's a broken design and I hope Apple fixed it faster than Microsoft (ten years, almost, and they're still doing it).
Re:Missing Stats? (Score:3, Interesting)
And some protocols or file types may even benefit from different helper applications depending on the context: structured office documents, for example, might have a 'viewer' application like Word Viewer on Windows.
Re:Until LM authentication is gone... (Score:3, Interesting)
In the past the hash was still stored, that was because you only disabled the service rather than the component which has a few services associated with it. You can also shut off LM hashing in the local security policy or domain security policy.
As far as updates, I'm not sure of your point, considering the linux platform also has daily updates. Might also be worth mentioning that 98 and below are no longer supported by MS, hence the willingness to cut them out of accessing Windows 2003 boxes, which was previously unheard of.
Of course, if they'd have stopped with the whole AD thing and licensed NDS from Novell none of this would be an issue. Even NDS has its issues but they can be dealt with far more easily.
They're using Oakland School Administration math. (Score:3, Interesting)
Indicates the percentage of scans that resulted in a found infection (e.g. 1% means that in 10.000 virus scans, 1.000 of these scans resulted in found infections).
They did this twice, too. So does 1% equal one percent of machines infected, or ten percent?
(I refer to this as "Oakland School Administration math" because a high administrator of the Oakland California schools, while testifying before the state legislature, cited the percentages of black teachers in Oakland schools vs. black people in the US population, with the percentage far lower for the teachers. But in the same testimony she gave the actual numbers of black teachers and total teachers, and in fact the percentage of black teachers in their schools was far HIGHER than blacks in the general population. She'd blown the percentage computation. Doubly funny, since she was testifying about how the new teacher certification tests were unfair because they required far too much arithmetic.)
Re:Before we all jump on the AdTI bandwagon... (Score:3, Interesting)
Losing /Applications, or all the data on your 250GB external Firewire LaCie drive is pretty bad.
Even before the exploit, I always made sure that safari's "open safe files" checkbox was off, not for security reasons, per se, but rather because I frequently download things that I don't want to look at right away, and can sort through my downloads folder easier when I know what I looked at already (ie- it isn't unstuffed).
The biggest problem with computing today is that everyone wants their computer to do so much, yet are unwilling/unable to learn enough to actually do so. When you have a multi-user system and you don't know how to secure it... to KNOW there's a problem is one thing, but to not know is something completely different. Most people think that as long as they don't transfer their personal data over the internet (ordering online, email, etc), that it's safe. It's not; especially if you don't know jack about how to secure your system. Encryption is worthless if you leave it unlocked all the time (like in one of those encrypted database programs...), and leaving an administrator login session active while you're not physically at the computer is like leaving your home's front door wide open.
Re:Mac OSX and Linux - face the facts (Score:3, Interesting)
Hans Bethe had a Jewish mother (she became a Lutheran but I don't know if this would have done any "good" for Hans). Among the eminent scientists forced to flee from Gottingen were Max Born, James Franck, Eugene Wigner, Leo Szilard, Edward Teller, and John von Neumann. I'm not sure how many of them were Jewish but you can't dismiss scientists of this caliber and expect good results.
I think there is reasonable speculation that Heisenberg thought the prospect of an atomic bomb was too horrible because that was what many American scientists thought. Perhaps most notably Oppenheimer, who was later treated very poorly as a result of his position and the increasing tension due to the rise of the Soviet Union. Given the military realities of post WWII Europe I think that the case could be made that without the volatile presence of nuclear weapons there seems little chance that Soviet military ambitions could have been contained in Europe. Perhaps this doesn't disturb you so much but I don't think there was anything guaranteed about the eventual crumbling of Soviet power.
An interesting story about David Hilbert from {http://www.childrenofthemanhattanproject.org}:
About a year after the great purge of Gottingen he [Hilbert] was seated at a banquet in the place of honor next to Hitler's new Minister of Education, Rust. Rust was unwary enough to ask: "Is it really true, Professor, that your institute suffered so much from the departure of the Jews and their friends?" Hilbert snapped back, as coolly as ever: "Suffered? No, it didn't suffer, Herr Minister. It just doesn't exist any more!"