Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Security Firm: Apple Has More Security Holes Than Microsoft
PC World ^ | 22 Jul 2010 | Preston Gralla

Posted on 07/22/2010 7:40:23 AM PDT by for-q-clinton

Here's another blow to those insist that Apple products are rock solid and unhackable: The security company Secunia reports that Apple products have more vulnerabilities than those of any other company. Oracle came in second place, with Microsoft in third.

Secunia just issued a report that covers vulnerabilities for the first half of 2010, and it's not good news for Apple. The report (which you can download here) shows that Apple last had the most vulnerabilities of all vendors in 2005, before Oracle took over the top spot. And now Apple is on top again. You can see the chart, below.

The chart shows that Apple products consistently have more vulnerabilities than do Microsoft ones.

...

However, there will certainly be one surprise for those who believe that Microsoft products are particularly vulnerable --- Secunia reports that they're not. The primary vulnerabilities on PCs are not due to Microsoft programs, but rather third-party programs, it says:

...

The report then concludes:

Users and businesses must change their perception that Microsoft products pose the largest threat in order to allocate security resources effectively. General awareness on the risk of 3rd party programs must be established.

(Excerpt) Read more at pcworld.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; ilovebillgates; iwanthim; iwanthimbad; mac; microsoftfanboys; osx; windows
Navigation: use the links below to view more comments.
first previous 1-20 ... 141-160161-180181-200201-216 last
To: antiRepublicrat

I think we are done on this.

I asked you to post one virus that was wide-spread to a smaller user base that required user intervention. You have failed to do so, instead you posted a self-replicating worm which would be lucrative since it is so easy to do if you have a known exploit that will allow it self replicate.

I guess by your logic Windows 7 is rock solid and even better than OS X since it hasn’t had a self replicating worm and has a larger install base.


201 posted on 07/23/2010 11:13:47 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 188 | View Replies]

To: antiRepublicrat

I did not suggest apple didn’t patch the exploited vulnerabilities. I claimed they didn’t patch all the vulnerabilities that Charlie Miller has known about for quite a while. And that they knew he was going to attack OS X with one of those exploits he had at his dispossal.


202 posted on 07/23/2010 11:32:57 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 190 | View Replies]

To: for-q-clinton
>i

I don't. I explained that. I also explained defense-in-depth, which you apparently can't comprehend. You're also trying to distract with one example instead of addressing the issue.

Since ASLR can be bypassed, should Microsoft stop using it? You seem to think SSID hiding shouldn't be used since it can be bypassed.

203 posted on 07/23/2010 11:46:24 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 200 | View Replies]

To: for-q-clinton
I asked you to post one virus that was wide-spread to a smaller user base that required user intervention. You have failed to do so

I have decided not to give in to your attempt to redefine the issue.

204 posted on 07/23/2010 11:47:45 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 201 | View Replies]

To: antiRepublicrat

Ok...if you’re fine with that. I think it speaks volumes and validates my point.


205 posted on 07/23/2010 11:53:54 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 204 | View Replies]

To: antiRepublicrat

I am talking about YOUR example where YOU said hiding the SSID is one layer of security and it’s a good thing to do. I’m saying you’re naive in regards to security if you think that is any layer of security. And in fact it will break many computers and prevent them from even talking to the WAP even if you want that device to talk to your WAP.

Now security in depth is a good practice, but it requires real security throughout the chain. I bet you think changing your http port on a server is a layer of security too. I mean if you think hiding your SSID is a layer of security you might as well say changing your port is another layer. We will all get a good laugh from that too :-)


206 posted on 07/23/2010 11:57:34 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 203 | View Replies]

To: for-q-clinton
I did not suggest apple didn’t patch the exploited vulnerabilities.

You: "But what you are ignoring is that these exploits have been known for a long time and yet Apple has not fixed them. "

False. Apple fixed every one of the exploits, as shown. When first caught on your false claim you said you were talking about a different contest, but now we know we're talking about the same contest. Pick which defense you want to use and stick with it.

I claimed they didn’t patch all the vulnerabilities that Charlie Miller has known about for quite a while.

That is a null-meaning sentence. Nobody can know what vulnerabilites he knows about but hasn't disclosed, if any. And if he hasn't disclosed them, then of course Apple wouldn't have patched them, not knowing they exist in the first place.

So far you have refused to back up your claim that Miller disclosed vulnerabilities to Apple, which Apple has refused to fix.

207 posted on 07/23/2010 12:04:37 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 202 | View Replies]

To: itsahoot

I got it, one piece at a time,
and it didn’t cost me a dime,
You’ll know it’s me,
when I come through your town.

Say, what year is that?

Why it’s a 51, 52, 53, 54, 55, 56, 57, 58, 59 automobile
Yeah it’s a 60, 61, 62, 63, 64, 65, 66, 67....

= )


208 posted on 07/23/2010 12:13:44 PM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)
[ Post Reply | Private Reply | To 198 | View Replies]

To: antiRepublicrat

Go ahead and quote me out of context and show your lack of credibility or comprehension. I was referring to the exploits that he had lying in wait. Apple wasn’t aggessive in finding those issues and fixing them. They were continuing with there ad campaign that they are secure, when clearly they weren’t.


209 posted on 07/23/2010 12:59:21 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 207 | View Replies]

To: for-q-clinton
And in fact it will break many computers and prevent them from even talking to the WAP even if you want that device to talk to your WAP.

All of MY systems work with SSID turned off. All the better if the hacker's system can't. You are helping me make my point. But in reality by its technical security it mainly only stops casual newbie wardrivers. For real-world security it lets attackers know you've done something for security, and if you did that you probably went all the way for your WAP. This makes your neighbor's WAP a more promising target, likely to waste less of the attacker's time.

Like the saying goes, you don't have to run faster than the bear that's chasing you. You only have to run faster than the guy running with you.

I bet you think changing your http port on a server is a layer of security too.

If it doesn't interfere with anything. A good example from the past is Code Red, that famous, damaging worm. The first step of the attack scanned TCP port 80. You were safe if you weren't running on 80. For Linux guys, the Slapper variants first checked TCP port 80 for a response saying it's running Apache, then tried TCP port 443 to run the SSL exploit. There, changing ports or responses could stop the worm. There you go, two absolutely proven cases where changing the port would have resulted in improved security.

And I'm about to get a good laugh from you admitting that your position would logically require to you to say that Microsoft shouldn't have implemented address space randomization. Well, a laugh at that or whatever tortured logic is required to weasel out of that corner.

210 posted on 07/23/2010 12:59:32 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 206 | View Replies]

To: for-q-clinton
Go ahead and quote me out of context and show your lack of credibility or comprehension. I was referring to the exploits that he had lying in wait.

So why did you have to use the excuse that we must be talking about different contests? Which one is it? Different contests or referring to other exploits?

You still haven't shown me those exploits you claim he had lying in wait, that he disclosed to Apple, and Apple refused to fix them.

211 posted on 07/23/2010 1:01:52 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 209 | View Replies]

To: antiRepublicrat
You still haven't shown me those exploits you claim he had lying in wait, that he disclosed to Apple, and Apple refused to fix them.

Ah I see it's a comprehension issue. I never said he disclosed them to Apple. I said Apple refused to engage and try to find exploits in their code. They aren't being active about finding them.

212 posted on 07/23/2010 1:27:46 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 211 | View Replies]

To: antiRepublicrat
All of MY systems work with SSID turned off. All the better if the hacker's system can't.

And here I thought you were being purposely obtuse. It's clear you don't know what you're talking about. First, you are actually hiding your SID thinking it gives you protection. That is funny.

Second the hacker system I'm sure will work with a non-broadcast SSID. I have one system on my home network that works for a while but then stops after a while. I later found out this was because of a hidden SSID. Yes I too used to hide the SSID years ago, before WPA was even out. Then I found out it's not really doing anything since my machine has to broadcast the SSID to talk to the WAP. I realized it wasn't doing anything of value and made me a bigger target to hackers. It's better to blend in with the heard with REAL security then to flag to the hackers that I have something to hide. Hiding the SSID is not hiding one thing. The channel is still being broadcast and can be snooped over the air.

I think we are done. If you think hiding the SSID is any type of security then you're hopeless.

Too funny. I thought I was talking to someone that knew a little bit about security and in reality it's at best a script kiddie.

I see I've been wasting my time and now actually feel like I lost a few IQ points.

213 posted on 07/23/2010 1:33:35 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 210 | View Replies]

To: antiRepublicrat

BTW: We keep going round and round with the same stuff. All the facts are in this thread for anyone bored enough to follow them.

So I’ll let you get the last word in. good day.


214 posted on 07/23/2010 2:04:17 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 211 | View Replies]

To: for-q-clinton
Confirmed: The concept of security-in-depth has completely flown over your head. You still fail to grasp the meaning of the term. When security people say you shouldn't use "security through obscurity" they mean you shouldn't use "security SOLELY through obscurity." The bad security practice is in the latter, not the former.

For you again the basic concept: It is a BAD idea to hide your money in the wall behind the picture because you rely SOLELY on obscurity for protection. It is NOT a bad idea to put your safe behind the picture. Now obscurity is only an extra layer -- you force the thief to spend more time in the room to find the safe, but you know he will eventually find it. You RELY on the actual security mechanism of the safe for your security.

Then I found out it's not really doing anything since my machine has to broadcast the SSID to talk to the WAP. I realized it wasn't doing anything of value and made me a bigger target to hackers.

Confirmed: You don't know jack about WiFi hacking. The better wireless hacking tools don't sit around and wait (possibly for days) for your computer to re-associate with the WAP in order to grab the SSID. They spoof a disassociate request from the computer and catch the SSID that it then broadcasts to try to reassociate. But note this only works with your computer is on. You can't make a WAP disassociate where there's no association.

But okay. Remember, we were discussing the general concept of your claim: that security through obscurity isn't security. Since you are trying to take it off on a tangent of one example of many, I will make a concession in order to move this forward: Do not turn off SSID broadcast.

So to continue, do you think the following examples of security through obscurity should not be used?

The problem is you made a generalized statement about security, and that's usually a bad idea. For example, while I support many uses of security through obscurity as part of a layered approach, there is one place where I believe obscurity should almost never be used: encryption and hash algorithms.
215 posted on 07/23/2010 2:58:13 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 213 | View Replies]

To: for-q-clinton
Ah I see it's a comprehension issue. I never said he disclosed them to Apple. I said Apple refused to engage and try to find exploits in their code.

Ah I see it's an honesty issue.

More context for you

"I was wondering how the Mac OSX is more secure crowd was going to respond to being the first hacked several times in a row. But what you are ignoring is that these exploits have been known for a long time and yet Apple has not fixed them."
You were talking about OS X being hacked in the contest in the first sentence, referring to those exploits again in the second sentence with the claim that they have been known for a long time. There is also the general context of you criticizing Apple. Since one cannot logically criticize Apple for not fixing exploits Apple does not yet know about, the context remains that Apple was told of these exploits. If they had been told and did nothing, that would be rational criticism. You go on to say
If so the person who hacked the mac listed several exploits in ADVANCE telling Apple they have serious issues and they failed to fix it. SO he used one of those hacks to win the contest.
Again counter to reality, the exploits were disclosed to Apple AFTER the contest. Also counter to your statement. Here you clearly, in context, refer to him disclosing the exploits to Apple "in ADVANCE" of the contest. Then this sentence:
While Apple is patching after the fact you think they would fix it BEFORE hand.
This sentence would make NO sense unless you had claimed he disclosed them to Apple "in ADVANCE" of the contest. They could only fix the bugs "BEFORE hand" if the the vulnerabilities had been disclosed BEFORE the contest.

My comprehension is just fine. It's your "facts" that are a problem.

216 posted on 07/23/2010 9:12:49 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 212 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 141-160161-180181-200201-216 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson