More Mac Vulnerabilities Than Windows In 2007?
eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"
Several problems (Score:3, Interesting)
In the end, it is impossible to analyze the security of software by means of analyzing second-hand or third-hand reports, and extremely difficult to do so by means of black-box testing by means of probably incomplete documentation. However, I cannot seriously imagine Apple or Microsoft conducting a thorough security audit and software analysis. For that matter, I don't believe either could afford to do so. Microsoft may be rich, but Vista is big and the kind of skills required to conduct a comprehensive audit wouldn't come cheap, certainly not in the volume needed to conduct such an audit fast enough to get the results before software changes invalidated said audit.
(Having said that, given that the world economy is so utterly dependent on the reliability of the IT infrastructure these days, there is also the question of how long it will be before it is uneconomic at a global level for there not to be such an audit. If an audit would cost a trillion dollars over the course of a year, then it only requires the total direct and indirect cost to business and government over the entire globe from such flaws to be a trillion and one dollars over the course of a year for it to be worth it almost instantly. However, the costs of flaws will always add up with interest but a single audit might easily be sufficient for the lifetime of an OS, if it's good enough. Given a long enough shelf-life and a high enough interest rate, how unreliable can we afford to have any software these days?)
Broken study? (Score:3, Interesting)
I clicked through a bunch of the vulnerabilities, and a lot of them are marked as reserved for future use. What's up with that? I think whatever script the dude used to compile this table didn't work - either that or I don't understand the CVE process being used, because I don't see any indication of which systems are affected by them.
Anyway. Such a study is ultimately pointless, we already know that MacOS X and Windows are both seriously insecure. A single vulnerability in the tangled morass of code making up modern web browsers is typically enough to compromise the entire machine (Vista being an exception to this). A single vulnerability in *any* app which talks over the network is usually enough to get your code onto the machine, and from there you have free rein to do more or less whatever you want. Requiring root is no panacea, you don't need root to do the things modern malware wants to do anyway. As that's the entire OS X desktop security system right there, we can surmise that the primary advantage it has security-wise is just obscurity. (yeah, I know 10.5 is supposed to have MAC for some basic daemons etc .... wake me up when it is properly and widely applied to desktop apps).
Maybe I can't count... (Score:2, Interesting)
CVE-2007-5850 H
CVE-2007-5851 H
CVE-2007-5853 H
CVE-2007-5854 H
CVE-2007-5855 H
CVE-2007-5856 H
CVE-2007-5857 H
CVE-2007-5859 H
CVE-2007-5860 H
CVE-2007-5861 H
CVE-2007-5863 H
CVE-2007-6077 H
Re:Counting shows nothing (Score:5, Interesting)
1) Your friend's flaws only allowed an administrator of the system, on the local system, to accidentally delete (but not read or otherwise modify) secure data of the users.
2) Your flaws allowed anyone to connect to the machine remotely and read/write/modify all of the secure data on the server.
Which is worse? It's severity and time of exposure. MacOS X didn't have any extremely critical vulnerabilities, but Windows had four, MacOS X had a lot more highly critical, and slightly more moderately/less critical. This makes the vulnerability count look even less meaningful (if every level counts 100x more than the previous level in terms of overall risk, and the average fix time was the same, Windows would be more vulnerable than MacOS X, even with only 15% the bug count.)
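The two objections raised in this thread (the "Broken study?" post's point that RESERVED CVE entries carry no affected-product information and should not be counted, and the post above's point that severity and time of exposure matter far more than raw counts) can be made concrete with a small scoring script. This is an added example, not code from the ZDNet blog, Secunia or Slashdot; the CVE IDs, severities, dates and products are constructed sample data with placeholder identifiers, and the 100x-per-level weight is the post's own assumption, not a Secunia metric.

```python
"""Severity- and exposure-weighted scoring of a CVE list, per product.

Added example. SAMPLE_RECORDS is constructed data with placeholder CVE IDs;
the severity scale mirrors Secunia's five levels and the 100x weighting per
level is taken from the forum post's hypothetical, not from any vendor.
"""
from datetime import date

# Least to most severe. Each level is weighted WEIGHT_BASE times the previous one.
SEVERITY_LEVELS = ["not_critical", "less_critical", "moderately_critical",
                   "highly_critical", "extremely_critical"]
WEIGHT_BASE = 100


def severity_weight(severity: str, base: int = WEIGHT_BASE) -> int:
    """base ** index, so highly_critical is 100x moderately_critical, and so on."""
    return base ** SEVERITY_LEVELS.index(severity)


def countable(record: dict) -> bool:
    """Only public entries that name at least one affected product can be
    attributed to a platform. A RESERVED entry has no description yet, and a
    public entry with no affected list cannot be assigned to either column."""
    return record["status"] == "PUBLIC" and bool(record["affected"])


def exposure_days(record: dict, as_of: date) -> int:
    """Days from disclosure to fix; an unfixed entry is exposed up to as_of."""
    end = record["fixed"] or as_of
    return max((end - record["disclosed"]).days, 0)


def score_by_product(records, as_of: date) -> dict:
    """Return {product: {"count": n, "risk": r}} where risk sums
    severity_weight * exposure_days over every countable record naming the product."""
    out = {}
    for rec in records:
        if not countable(rec):
            continue
        contribution = severity_weight(rec["severity"]) * exposure_days(rec, as_of)
        for product in rec["affected"]:
            entry = out.setdefault(product, {"count": 0, "risk": 0})
            entry["count"] += 1
            entry["risk"] += contribution
    return out


def _rec(cve_id, status, severity, affected, disclosed, fixed):
    return {"id": cve_id, "status": status, "severity": severity,
            "affected": set(affected), "disclosed": disclosed, "fixed": fixed}


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    _rec("CVE-EXAMPLE-0001", "PUBLIC", "extremely_critical", ["windows"], date(2007, 1, 10), date(2007, 2, 9)),
    _rec("CVE-EXAMPLE-0002", "PUBLIC", "extremely_critical", ["windows"], date(2007, 4, 1), date(2007, 4, 11)),
    _rec("CVE-EXAMPLE-0003", "RESERVED", None, [], None, None),  # reserved: nothing to count
] + [
    _rec(f"CVE-EXAMPLE-{n:04d}", "PUBLIC", "highly_critical", ["macosx"], date(2007, 6, 1), date(2007, 7, 1))
    for n in range(4, 10)
] + [
    _rec("CVE-EXAMPLE-0010", "PUBLIC", "moderately_critical", ["macosx"], date(2007, 8, 1), date(2007, 8, 21)),
    _rec("CVE-EXAMPLE-0011", "PUBLIC", "highly_critical", ["windows", "macosx"], date(2007, 9, 1), date(2007, 9, 16)),
    _rec("CVE-EXAMPLE-0012", "PUBLIC", "highly_critical", [], date(2007, 10, 1), date(2007, 10, 2)),  # no product named
    _rec("CVE-EXAMPLE-0013", "PUBLIC", "less_critical", ["macosx"], date(2007, 12, 1), None),  # still unfixed
]
AS_OF = date(2007, 12, 31)


if __name__ == "__main__":
    skipped = [r["id"] for r in SAMPLE_RECORDS if not countable(r)]
    print("not counted:", skipped)
    for product, s in sorted(score_by_product(SAMPLE_RECORDS, AS_OF).items()):
        print(f"{product}: {s['count']} vulnerabilities, weighted risk {s['risk']:,}")
```

With this sample, the platform with the higher raw count ends up with the lower weighted risk, which is the inversion the post describes: two extremely critical entries open for 30 and 10 days outweigh nine lower-severity ones. The weight base is a parameter precisely because the ranking is sensitive to it; anyone reproducing such a comparison should state the weighting and the exposure window, and drop RESERVED or product-less entries before counting.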
Re:News Flash: nothing has changed (Score:1, Interesting)
Don't forget Linux is more attractive to target for "cool" things like IRC daemons, XDCC bots and whatever. What else has a compiler and a great remote interface (the shell)? Windows is great for a botnet, but nothing else really.
Once you toss PHP into the mix, Linux is a very insecure operating system. I'll take FreeBSD any day. Much more professional development team, better documentation, very stable (as in config management stable) and ports rule.
Of course, I have to post anonymously because if you say anything bad about Linux, you'll get modded into the ground no matter how right you are.
Re:Nonsense (Score:3, Interesting)
They're not including it as a "core part" though, just as some free developer tools.
Umm, for the example I listed, the OS does not depend upon it at all. You can remove it with no problems at all and even among developers who know what this is, very few would use it especially exposed publicly. The only way I see this being exposed is if a Web developer was writing a really complex tool with a Web interface that needed users to input regular expressions for complex sorting of data, and they hosted a development copy on their workstation and then exposed the Web server so some people in a remote location with a malfunctioning VPN could try it out.
They did get the fix from the vendor and patched it in the next update. The issue is: should a bug that is a potential hole in a free tool, which they happen to include and which will realistically never even be exposed let alone exploited, be considered with the same weight as a hole in a service actually running and exposed on Windows? What about a hole in IE, which MS includes, but whose vulnerabilities were not included in this "study" as counting against Windows?
Oh boy, a car analogy. How about if it was something a bit less critical than the tires, say some misspellings on a map that came in the emergency kit. Should that be listed and given the same or more weight than a leaky gas line in a competing product? Should each misspelling count the same as a mechanical fault in the competitor's vehicle? There were 8 "Highly Critical" vulnerabilities counted against OS X because the OSS project that writes the module listed every bug in it as a potential security problem, despite the fact that there is no evidence anyone on OS X ever actually exposed that component to hackers, no exploit was ever found, and it is not even certain it is exploitable.
Would you care to bet there are thousands of analogous bugs in IIS components that MS has not bothered to fix, let alone report to the public?
Re:Counting shows nothing (Score:1, Interesting)
The recipe to get shit loads of readers: randomly select security vulnerabilities and add them to column C instead of B.
At least one should read the description of the vulnerabilities before making any comparisons.