Posted on 01/16/2005 12:04:57 PM PST by Bush2000
Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.
The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.
One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.
"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."
Its new service, easily accessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.
Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time, the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.
For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.
Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.
Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.
As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.
Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.
Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.
"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."
Oops, wrong thread. here
Very rough day. here
That's actually pretty bad. Their network architecture is so bad that they can't find a solution to fragmented packets?
Otherwise, you seem to believe their "critical" ratings for OS X, but excuse "extremely critical" ratings for Windows since they can be somewhat mitigated by shutting off possibly needed things or buying extra stuff.
Okay, show me the chain of exploits that would enable a remote computer to gain root access (or something effectively root access) on an OS X system with root turned off. I'm not saying it can't theoretically be done (I know it's been accomplished locally), I'd just like to see how it's been done remotely.
Which will change, if Mac ever gets a respectable market share. Even among those who are not religiously motivated (as many anti-MS hackers appear to be), most hackers are smart enough to put their efforts toward the systems that are best able to propagate their work.
With over 90% of the user market, Windows is by far the most desirable target.
But again, we cannot neglect the religious aspects of this: there are those -- and I suspect there are/will be several on this very thread -- whose antipathy toward Microsoft rather resembles militant Islam.... ;-)
Dang, I just paid $9,000 for my custom designed Apple G6¼ dual processor with cinema display. I'm going to cancel my order. Dell has something on special that can do the same for $500... I saw a special on Viewsonic 19" LCDs for $299.
I don't know what's funnier: You spending $9,000 on a Mac boutique toy or AntiRepublicrat/Swordmaker's delusions that Macs are secure.
LCD displays vary quite a bit in quality, and Apple's are among the best. One of their unusual features is their aspect ratio, which is good for watching (or editing) movies.
There are a few wide aspect LCD monitors out there.
http://accessories.us.dell.com/sna/productdetail.aspx?sku=320-4111&cs=19&c=us&l=en
Yet you blew off things Microsoft hasn't fixed in months.
I think there are two kinds of securities we're talking about. One's theoretical, which systems have more discovered flaws and/or have built-in mitigating or denigrating features, and what's been patched. For this I'd say Mac is a little ahead, even by Secunia's list.
The other is practical: If I run this, what are my chances of getting nailed? Due to a complete lack of anything in the wild, Mac definitely is, in a very practical sense, far more secure than Windows.
Close, but I didn't see anything about the attacker being able to activate and gain control of root using the second exploit.
"Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.1) The problem is that the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript".
2) It is also possible to silently place arbitrary files in a known location, including script files, on a user's system using the "disk" URI handler. Files on disk images can be executed without using the "help" URI handler."
Both of these UNEXPLOITED vulnerabilities were fixed, long ago. Did you read the part about local scripts? This may have worked if there was a script already on the computer that could be called to do something malicious. Of course, you hypothesize, there IS a malware script installed on the user's computer because the malicious script downloaded a disk image file as described in vulnerability number 2 which then installed the script that would download the disk image that installed the script that would download the disk image... oh, wait, that's a circular argument with no beginning. Unless the user has been tricked into previously downloading and mounting the disk image with the malicious script, then the script would NOT EXIST for the help handler to call it.
Both of these "vulnerabilities" were demonstrated only as "proofs of concepts" and were expeditiously fixed.
"OS X contains a buffer overflow vulnerability that might allow attackers to cause a denial of service condition or possibly gain sensitive information. The vulnerability is due to improper bounds checking performed on long command line arguments supplied by the user. Local and remote attackers can exploit this vulnerability to cause the kernel to crash, or to possibly view portions of kernel memory."
It is a long way from "cause the kernel to crash," to "owning the box". If the Kernel crashes, the computer stops working... bummer for the user currently on the system... but it also stops working for the hacker trying to invade it. They then postulate the ability "to possibly view portions of kernel memory". This vulnerability DID allow random bits of the Kernel to be accessed and viewed... but it was just that random bits... very small bits. That is also a long way from "owning the box".
We Mac users welcome people finding and reporting vulnerabilities in OSX and its underlying UNIX core. If the vulnerabilities are not found and fixed, then THEY MIGHT BE EXPLOITED. Apple doesn't ignore the vulnerabilities... it fixes them. In addition, it is not just Apple who is hard at work finding and fixing vulnerabilities... it is all the other providers of the Open Source Applications and Libraries that make up the package called BSDUnix.
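The "help" URI handler advisory quoted above is a classic directory-traversal bug: the handler took a path out of a URI and acted on it without proving the path stayed inside the directory it was meant to serve. The following is an added example written for this thread; it is not Apple's handler, not Secunia's proof of concept, and not code from any poster. The root directory, the `open=`/`runscript=` argument syntax and the file layout are assumptions made for illustration only. It puts a weak resolver (joins the argument onto the root and trusts it) next to a hardened one that percent-decodes exactly once, refuses absolute paths and NUL bytes, lexically normalises, and then checks containment with `commonpath` rather than a string-prefix test, so a sibling directory such as `.../Helpers` cannot pass. The script action is refused outright, which is the simplest mitigation for "run any local .scpt".

```python
import posixpath
from urllib.parse import unquote

# Assumed root of the help content for this example (not Apple's real layout).
HELP_ROOT = "/Library/Documentation/Help"
# The hardened handler only ever opens viewable pages, never scripts.
PAGE_SUFFIXES = (".html", ".htm")


def _decode_target(uri):
    """Strip the 'help:' scheme and percent-decode the remainder exactly once.
    Decoding a second time after the checks would reopen the hole
    (e.g. '%252e%252e' -> '%2e%2e' -> '..'). Returns None for other schemes."""
    if uri[:5].lower() != "help:":
        return None
    return unquote(uri[5:])


def naive_resolve(uri, root=HELP_ROOT):
    """Weak handler: trusts the argument and joins it onto the root.
    Any '..' segments walk out of the root, which is the traversal the quoted
    advisory describes. Returns the path the handler would act on."""
    target = _decode_target(uri)
    if target is None:
        return None
    action, sep, arg = target.partition("=")
    path = arg if sep else action          # "runscript=<path>" / "open=<path>" / bare "<path>"
    return posixpath.normpath(posixpath.join(root, path))


def resolve_help_target(uri, root=HELP_ROOT):
    """Hardened handler: returns the canonical page path to open, or None.
    Refuses the script action, absolute paths, NUL bytes, non-page suffixes,
    and anything that does not normalise to a location strictly under root."""
    target = _decode_target(uri)
    if target is None:
        return None
    action, sep, arg = target.partition("=")
    if sep:
        if action != "open":               # 'runscript' (or anything else) is not offered
            return None
        target = arg
    if "\x00" in target or target.startswith("/"):
        return None
    # Lexical normalisation only (no filesystem access), then prove containment.
    full = posixpath.normpath(posixpath.join(root, target))
    if posixpath.commonpath([root, full]) != root or full == root:
        return None
    if not full.lower().endswith(PAGE_SUFFIXES):
        return None
    return full


def is_inside(root, path):
    """True when 'path' lies under 'root' (both absolute, already normalised)."""
    return posixpath.commonpath([root, path]) == root


if __name__ == "__main__":
    # Constructed sample URIs: one legitimate page, one traversal attempt.
    for uri in ("help:Finder/index.html",
                "help:runscript=../../../Users/victim/Downloads/evil.scpt"):
        print(uri, "->", "naive:", naive_resolve(uri),
              "| hardened:", resolve_help_target(uri))
```

The lexical check is deliberate: `os.path.realpath` would consult the filesystem and follow symlinks, which makes the outcome depend on the machine running the test. In a real handler you would do both, canonicalise lexically to reject obvious traversal early, then resolve symlinks and re-check containment before opening anything.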
It is because YOU intend it to be. YOU use it to belittle your opponents and to make others think less of their positions. It is a form of ad hominem attack.
It correctly states that you are a boy (true) and a fan of Apple (also true).
I stopped being a "boy" over 35 years ago. I will admit to being a person who has selected to use a computer using Apple's Macintosh OSX operating system. I made this selection from the position of being a professional in the computer industry with over 30 years of experience and a very good knowledge of several operating systems including the various incarnations of Windows. In other words, Bush, I made an informed selection based on experience... lots of it.
You know, it used to be fun to work on Windows computers for my clients... I can no longer say that. It is tiresome and not a bit boring to once again clean out spy-ware, ad-ware, and other crap that can and does infest those boxes.
When I want to use my computer, I prefer to go home and use my computer without worrying about such malicious sh!t, nor do I want my computer to have to spend MY productive time checking for various forms of spy-ware, intercepting pop-ups, downloading virus specifications, ad-ware definitions, and spy-ware cleaners. I just want to safely surf the web, receive any email that comes to me that might include JPEG images or even other attachments, and do my work without worry that some SPY is logging everything I do. It is my well qualified opinion that the Macintosh using the latest updated and yes, patched, version of OSX offers the best way to do that. In my experienced opinion, the Mac offers the best opportunity for computer users to WORK with a computer and not work ON IT. I want other computer users to have the same experience.
What I cannot understand is why YOU have appointed yourself as the guardian intent on preventing anyone from using a Macintosh and computing safely... so much so that you invade any and every thread on FreeRepublic that even hints of the capabilities of the Mac and start spewing insults and knocking everything about the Mac.
You call us LIARS, you generalize everyone who uses a Mac, you make ridiculous claims like "No businesses use Macs" when thousands, if not hundreds of thousands, do. We repeatedly refute your assertions yet you never go away. You ALWAYS come back with the same tired and often outdated arguments.
Frankly, Bush, you resemble a particularly tenacious ad-ware... one that is impossible to remove.
Let's see, he got a computer that can run with all but the fastest Intel desktop systems out there, one of the fastest video cards on the market, and about the best flat panel monitor on the market (which was 1/3 of his purchase price). $9K isn't much to spend if you make money off the machine.
Considering you're smart and buy your RAM for both cheaper than either Dell or Apple will sell it to you, the G5 fully configured to run with the big monitor won't cost you any more than a Dell workstation of approximately the same performance. And with Tiger you'll get an instant performance upgrade when most of the image and video processing can be offloaded onto the video card.
Add to that the fact that you won't have a loud wind tunnel on your desktop and it's a pretty good deal.