Security Firm: Apple Has More Security Holes Than Microsoft

PC World ^ | 22 Jul 2010 | Preston Gralla

[for-q-clinton]

Here's another blow to those insist that Apple products are rock solid and unhackable: The security company Secunia reports that Apple products have more vulnerabilities than those of any other company. Oracle came in second place, with Microsoft in third.

Secunia just issued a report that covers vulnerabilities for the first half of 2010, and it's not good news for Apple. The report (which you can download here) shows that Apple last had the most vulnerabilities of all vendors in 2005, before Oracle took over the top spot. And now Apple is on top again. You can see the chart, below.

The chart shows that Apple products consistently have more vulnerabilities than do Microsoft ones.

...

However, there will certainly be one surprise for those who believe that Microsoft products are particularly vulnerable --- Secunia reports that they're not. The primary vulnerabilities on PCs are not due to Microsoft programs, but rather third-party programs, it says:

...

The report then concludes:

Users and businesses must change their perception that Microsoft products pose the largest threat in order to allocate security resources effectively. General awareness on the risk of 3rd party programs must be established.

[for-q-clinton]

Again you are looking at a very narrow situation. This is not a problem for Mac users. You would do everyone a better service if you focused on the security flaws of 3rd party software on Windows machines. Those are the real security threats that people are falling victim to in the everyday use of computers, not some obscure geek competition.

It depends. Yes I agree windows has a much larger install base and has a lot more 3rd party products that can expose the user to issues. But one of the "selling" points of Macs is it's perceived as more secure than windows. But as proven by things such as the pwn2own contest it's not. So for users looking for a more secure platform they are better off learning secure practices and not relying soley on OS marketing hype.

If you feel that 3rd party apps on windows needs more security attention, have at it and post all day long. I'll focus on the FUD being spred by macbots.

[dayglored]

My god, don't you people know when you're being scammed???

Windows has become solid enough with Win7 that the so-called "security vendors" and anti-virus salesmen are desperate for revenue. Some (like Symantec) are diversifying into other services... some are saying, "Well, who else can we scare into buying our products??"

And the Mac is just the next one down the list after Windows.

Show me the Mac viruses.

Not the generic human-engineered malware that can affect any computer with a gullible operator. The Mac viruses, self-replicating, the ones that a human can't defend against with simple common sense.

Don't prevaricate. Show me the Mac viruses.

Otherwise, take these anti-virus products and shove 'em, until such time as there's something to protect against.

[for-q-clinton]

If everyone in the world drove a Yugo except 5% that drove a Humvee would the lower body count in Humvees be due to the number or the engineering? or, likely, Both.

Correct. That's why we have to look at even playing fields like pwn2own where OSX was the first one hacked for the past 3 years. And last year OSX gave read and write acess whereas windows only gave up read access. Both are serious but there's no doubt that read/write is much worse than just read.

We'll never settle the issue between how many viruses are due to install base so let's focus on common ground tests.

[for-q-clinton]

This is SECUNIA posting this not Symantec or McAfee.

It took a while but someone finally came in and cried bias against SECUNIA.

[antiRepublicrat]

That is flat out wrong and couldn't be further from the truth about security.

Which one has more successful malware in the wild? What's the ratio, like a hundred thousand to one for distinct viruses?

We can do the starbucks test and see which system is able to get online without issues

In my experience with both, it is much easier to get a Mac on a wireless network than Windows.

But seriously security by obscurity is not any type of real security. ... Anyone who understands security will laugh at your statement.

We're laughing at you since you misunderstand the concept of security through obscurity. Obscurity in this sense means secrecy, that to keep an attacker from knowing something will stop him (passwords and such don't count). For example, to rely on disabling the SSID broadcast (obscurity of the SSID) or MAC address filtering (obscurity of the allowed MAC addresses) on your wireless network for security would be foolish. Once a hacker figures those out, and any decent one can, you're hosed.

However, notice "rely" in bold. Obscurity not solely relied on is not necessarily bad, even good accepted security practice. It's called defense in depth. It is still suggested to disable SSID broadcast and enable MAC filters on your wireless network. You make the hacker's life harder by enabling them, maybe he'll hit the neighbor's wireless network instead since they are broadcasting SSID and don't filter MAC addresses. In the end though you don't rely on them, but on the security of the WPA2 encryption you've enabled.

It's like a wall safe behind the picture. Security experts will say that you shouldn't hide your money in a cubby hole behind a picture, relying on the obscurity of its location for security. But they aren't going to say it's a bad thing to hide your wall safe behind that same picture, relying on the safe for security, with the added layer of protection of the obscurity of its location.

What you are talking about is security through minority, and its existence is debatable. The counter-argument is that all else being equal, a long-standing, widely-popular system by now should have had most of the vulnerabilities found and thus be currently more secure than a less popular system that has not been through its trial of fire.

[stripes1776]

But as proven by things such as the pwn2own contest it's not.

You are talking about an artificial situation that has nothing to do with the way people use computers.

Google now has a policy of not letting people use Windows machines because that is how their network was hacked, through Windows machines. All the programmers were already on Mac on Linux. So this affects the non-technical people at Google. That is a real-world situation.

If you are looking for a secure computer, I have one for you. It's an old Dell laptop running Windows 95. It's secure because it's in my storage room, it's not hooked up to a network, and you will have to get the key to the room from me. At last, we have found a secure Windows machine.

[for-q-clinton]

Actually you are the one that used obscurity in first. And the only applicable way to apply it was in that OS X is obscure to the hacker movement. Meaning out of the millions of hits they get per day only a few are from OS X...so it’s obscure. True you can change the definition to minority, but you are the one that chose to use obscurity as the word first.

[for-q-clinton]

So tell me how the past 3 years where OSX was hacked easiest and quickest can’t be applied to real world scenarios.

I can see it happen very easily in the real world. Typically just requires a user to navigate to a website.

[antiRepublicrat]

Ok now post a link to a virus that attacked the OS and not an application.

Irrelevant. The issue is whether a small install base of software (an OS is software) will prevent malware writers from taking interest in and exploiting that software. If they'll look at 12,000 ISS products and say "I'm going to take the time and effort to write malware for this," they're definitely going to do the same for 50+ million installs of OS X. And they have. They just haven't been very successful.

[for-q-clinton]

BTW: You should read this
http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

Basically laughs at the idea of hiding the SID is any level of security what-so-ever.

[for-q-clinton]

Irrelevant. The issue is whether a small install base of software (an OS is software) will prevent malware writers from taking interest in and exploiting that software.

There you go again changing the facts and issues. You posted self-replicating viruses. Which means they can just run from one machine and then attach and then spread like wildfire. Then you admit the issue is over malware which Mac does have malware that does exist today and they even block it from the OS level once they find out about it with the built-in anti-malware software.

So quit trying to change the meaning of the words you use to suit your argument du jour. Let's focus on each point.

1) Name one self-replicating virus on windows 7 2) Show me one malware virus requiring user interaction that targets a tiny install base that was widely spread.

[antiRepublicrat]

So do you see what is in common amongst all those? They were self-replicating viruses.

Irrelevant. The question is whether they would bother to write any malware at all for it. And, yes, I do consider Windows 7 to be a very good OS.

[stripes1776]

I can see it happen very easily in the real world. Typically just requires a user to navigate to a website.

You can "see", that is to say, image anything you want. Please give one real-world, everyday situation where this is happening.

A real-world situation is Google. They won't be using Windows machines because in the real world, the everyday world, Windows machines have too many exploits.

[antiRepublicrat]

Ok now post a link to a virus that attacked the OS and not an application.

And keep those goalposts moving!

[dayglored]

> This is SECUNIA posting this not Symantec or McAfee. It took a while but someone finally came in and cried bias against SECUNIA.

Don't play naive, Secunia is a business selling security software, and it's expensive, too:

http://secunia.com/vulnerability_scanning/corporate/pricing

Geez, wake up. These companies aren't in it for their health, they're there to make a profit off your fear.

Not that there's anything wrong (or new) about that.

[for-q-clinton]

Irrelevant. The question is whether they would bother to write any malware at all for it.

it's not irrelevant at all as it goes to the second part of my statement on why OS X hasn't had many viruses/malware in the wild. It's tiny userbase PLUS it's secure enough to keep most users safe. Meaning you need to get the dumbest of the dumb OS X users tricked into going to your site. Why bother when there are way more windows users. That's WHY you don't see much malware on OSX. So it is very relevant.

Changing the argument to say worms have attacked smaller installs is just asinine. They are completely different. A worm will self-replicate making it easier to target and attack machines that are vulnerable to the attack. Malware getting installed by dumb users is a lot more involved and take a lot more time to hit many users especially when you are targeting only 5% of the computer market.

[for-q-clinton]

Irrelevant. The question is whether they would bother to write any malware at all for it.

it's not irrelevant at all as it goes to the second part of my statement on why OS X hasn't had many viruses/malware in the wild. It's tiny userbase PLUS it's secure enough to keep most users safe. Meaning you need to get the dumbest of the dumb OS X users tricked into going to your site. Why bother when there are way more windows users. That's WHY you don't see much malware on OSX. So it is very relevant.

Changing the argument to say worms have attacked smaller installs is just asinine. They are completely different. A worm will self-replicate making it easier to target and attack machines that are vulnerable to the attack. Malware getting installed by dumb users is a lot more involved and take a lot more time to hit many users especially when you are targeting only 5% of the computer market.

[for-q-clinton]

I don’t see their Mac product. Everything appears to be targeting windows or am I not undestanding their product?

[Swordmaker]

Ignoring the fact that Apple reports all the vulnerabilities for the UNIX components included with its OSX distributions, as well as the applications included such as Safari and iWorks, Secunia reports that Apple Mac has more vulnerabilities than Microsoft Windows—PING!

Please note that vulnerabilities DO NOT EQUAL exploits.

Please don't feed the anti-Apple Trolls,
it just encourages them!

Apple security Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Tribune7]

But but but....I was told just the opposite from all the macbots.

But but but those of us who use Macs also have used PCs quite a bit and, well, we really don't see any room to debate as to which is less of a mal magnet.

I will grant that I have no experience with 7, which by the accounts I have seen is decent.