Posted on 01/16/2005 12:04:57 PM PST by Bush2000
Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.
The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004 sheds light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.
One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.
"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."
Its new service, easily acessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.
Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time,the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.
For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.
Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.
Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.
As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.
Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.
Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.
"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."
Honey, your attitude needs a lot more adjusting than mine.... You are consistently cranky.
Cheers, CC :)
"Windows fanboys cant get a grip on the fact that their OS is full of holes and backdoors for malicious coders."
I invite you to read the posted article and afterward tell me how your words taste. They sounded bitter the first time and I can only guess the second time they are much more bitter.
And for the record if you hadn't commented so arrogantly I wouldn't have reposted it in full.
You try to stick your nose into that compare Windows to a Porsche... Not only cant you follow a conversation, your also ignorant when it comes to technology..
That is one of the problems that are inherent with that largest market share. That could be argued with any product or industry that owns 90+ % of a given market, but there aren't any others.
One advantage is that the clueless most likely know someone, perhaps a family member or friend, that could hep them out with a problem issue.
They both have that thousand thing going.
I need new glasses, but it looked like "click" to me until I actually read it.
B: There are practically no Macs in the wild.
What a completely ignorant statement. Is that what you've been reduced to? Is that really the best you've got?
If you had to spend so much time defending the indefensible, you'd be cranky too.
LOL. Good point.
Perhaps that might be true of the current Mac OS, but it should be noted that under older versions of Mac OS in the 1990's, Macintosh viruses became common long before many people were using Windows 3.1 much less 95. To be sure, the Internet wasn't a threat back then (it didn't even exist as far as many people were concerned), and one can't be blamed for failing to include security features into a floppy-based OS that ran in 128K of RAM.
There was a QuickTime-based "Autostart" worm going around in 1998, but I never knew anyone affected by it.
As a service to Windows users, I'm running ClamAV to intercept inbound email viruses on my Linux servers. It's working great.
Yes, well thanks to the way PCs love to autostart code from any media that's inserted (how can I turn that off under XP!?) the same risks apply there as on the Macintosh. A funny thing about the WDEF virus, though: the same hook that allowed WDEF to spread also made it possible to make a floppy's windows show up in a different style from normal system windows. Probably not totally practical (especially since any properly-configured system would have a WDEF-squasher installed), but one could still use related (not virus-spreading) techniques for some other interesting effects. One of my favorite was putting wctl resources in applications or desktop files (these change default window coloring). It was at times very nice to be able to have a few key applications' windows easily recognizable by color.
Yes, WDEF was a useful driver back in the day. It could be used for odd things like round window regions, etc.
You're right, the first one's pretty nasty. Fortunately, that service is turned off by default.
Luckily, the rest don't give root.
14 million is the OS X number only. I have no idea how many old ones are out there.
I know these products. You might want to read the capabilites a little more carefully and get back to me.
Bush, I have not denigrated you by appelations such as "fan boy", why do you insist on ad hominem attacks?
AS to your direction to read the article... I have... when I posted it originally seven months ago and again when you unearthed it again from its well deserved grave. I have also read Secunia's web site and completely DISCOUNTED all but one of the 19 so-called "critical vulnerabilities" when I did read them. They are even less of a threat today, 2005, because ALL of them have been fixed. Incidentally, other computer security agencies noted those same 18 and rated them as far less than "critical". In fact, when Secunia released the self-serving article attempting to sell their security services, the others called them on their hyperbole... just as we Mac users call you on yours!
Another Bush2000 outright LIE.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.