Posted on 01/16/2005 12:04:57 PM PST by Bush2000
Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.
The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.
One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.
"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."
Its new service, easily accessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.
Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time, the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.
For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.
Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.
Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.
As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.
Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.
Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.
"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."
Which unpatched mac exploit am I ignoring? The only person here ignoring unpatched exploits (20 on XP prof, 17 on XP home) is you..
and either willfully deluded into thinking that your POS operating system of choice is bug-free
Naaa my os of choice laptop is windows, I don't think for a second my POS operating system is bug free..
OSX patched *ZERO* problems, XP patched *20* problems... is empty promises and unpatched bugs the best Bill can do..
Let's see. The argument here seems to be that IF a Mac user operated his computer in ROOT, and IF this hypothetical Mac user never updated his OS installation, and IF this user turns off the built-in, on-by-default firewall, and IF he turns off all other security measures, THEN an OSX Macintosh might be as risky an environment to operate under as Windows. Right. OK.
You Windows bots keep claiming that "Security by Obscurity" is the reason no one writes mal-ware for the Mac. Of the 14 million plus (and growing) OSX users, exactly how many do you think would do all of the above and make themselves vulnerable to a hacker/programmer? And how many hackers/programmers would spend the time to infect four or five idiots who might do such ill advised things???
IF a Windows user has no anti-virus ware, and IF a Windows user has no anti-adware, and IF a Windows user has no anti-spyware, and IF he fails to TURN ON his firewall (or secure one from a third party), and IF he surfs the net with the OS provider's preferred browser, and IF this hypothetical Windows user uses the OS provider's supplied email client program, and IF this user has not yet updated his OS with the latest security update, THEN is his computer secure?
Oh, wait, I just described the average NEW to computers user with his first computer with Windows installed... and as he attempts to download what he needs to GET SECURE, his computer is infected within the FIRST TWO MINUTES!!!
No, it doesn't... but how many unpatched and un-updated Windows computers are there, Bushie?
No, I don't think you would be prosecuted or sued. Because I don't believe that YOU could do it. However, simply provide a proof of concept that:
1) Self propagates.
2) Self installs without user intervention in a NON-ROOT mode
3) Spreads to any Mac OSX computer
4) Is not easily detectable or removable by an average user
5) Demonstrate how it can do damage to the System files of OSX.
Announce your effort in advance and provide test copies.
The statistics that Secunia provides are unambiguously objective.
Are they? I put it to YOU that it was Secunia that was spinning their "objective" statistics by declaring obscure and minor security issues as "Critical" at the same time they were attempting to scare Mac users into buying their security protection services! Gee, they make their security package available and release the article you posted... that really shows they are altruistic collectors of information, doesn't it.
Keep spinning FUD.
Do you know what FUD means? It is defined as "Fear, Uncertainty, and Doubt". By that definition, it is YOU, my dear Bush2000, who is spinning "Fear, Uncertainty, and Doubt"!
Bush2000: "OSX is easily compromised by hackers and other mal-ware writers." FEAR
Bush2000: "You can't really know how many Macs have been attacked." UNCERTAINTY
Bush2000: "OSX is not as safe as users might think." DOUBT
Let's see. WHO posted this out-of-date and self-serving article attacking other people's OS??? Hmmmmmm... the name of the poster seems to be Bush2000. Does that make YOU someone an average person would believe is "full of shite"? I leave that determination to the average reader of this thread.
I have seen NO ONE CLAIM that OSX is "bug-free". In fact, I have personally announced security updates, OS improvements, and "fixes" for OSX in posts on FreeRepublic when they become available. It is you who claim our operating system is a "POS Operating system"...
Now, exactly WHERE ARE THE EXPLOITS???
"Exploit", by definition, implies something that has been USED. I see security issues and vulnerabilities in OSX that need to be addressed and fixed... but not ones that have been exploited and are currently, or ever have been, present in the wild.
<patience>
Yes, and the same would hold-true for windows patches. OR do you, for some reason, think windows users are more conscientious about applying security patches than Apple users are? Granted, they've had more opportunities...
Apple's built-in 'software updater' checks for new updates and versions on regular schedules and informs the user - whether they decide to avail themselves of the updates or not is their business.
The core of the argument is still the fact that patches/security_updates are available for 100% of the Apple security problems but only 75% of the windows problems. And while the gross numbers are only 41 versus 80 I'm sure microsoft has more than twice as many software engineers as Apple does; except they seem to be "sitting on their thumbs" since they've only accomplished 75% of their task.
</patience>
You had to search long and hard for this piece of crap article.... It made me laugh.
The proof is in the pudding. You don't hear Mac users complaining in a neverending fashion about the bugs and failed service packs....
I've said it before and I'll say it again: Mac users are happy and PC users are cranky.
Cheers, CC :)
Yet you use "they patched that" as a defense when Microsoft has its weekly exploit.
Heh... I guess there's still a lot of anger because all us Mac users are socialists who use communist software to undermine America. ;')
you're an employee of bill gates?
I did a quick calculation a while ago of marketshare and viruses. Apparently, the Mac should have about 1,200 viruses for it considering its marketshare. I don't see them out there, not even a considerable fraction of the number. 14 million systems leaves lots of room for lots of people to have unpatched systems to take advantage of.
Just show us an example of an auto-propagating worm that will work on a default-configured system without direct user intervention. You won't be sued, you'll be famous.
I suspect that for most Mac users, they are the same thing. Why? Because (A) my mother-in-law, who is by no means computer savvy, told me that she's just been patching the iMac I left with her whenever it asks her to, which is within a week of any patch becoming available and (B) Mac users don't fear Apple's patches the way Windows users fear Microsoft's patches. They just click "OK" and install it without worry. I applied the recommended Windows 2000 patches to my work desktop and the IT guy not only looked at me like I was insane but suggested that I don't do that in the future and don't use any patch until it's been well tested by other first adopters.
I worked in an organization where auto-update was not allowed. All patches were first downloaded by our lab and released when testing showed it didn't break anything or re-enable something like a port or a service that our security baseline scripts had shut off (it's happened). I'm willing to bet that they still haven't approved XP SP2 for release.