Posted on 01/16/2005 12:04:57 PM PST by Bush2000
Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.
The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.
One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.
"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."
Its new service, easily accessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.
Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time, the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.
For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.
Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.
Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.
As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.
Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.
Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.
"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."
No, you said you could own MY computer... you keep moving the goalposts. As for "disproving" that it is very difficult to escalate user privileges to ROOT, you proved nothing... you CLAIMED it but offered no demonstration of such a feat being accomplished. Coulda, woulda, might have... don't an escalation make.
As to it not being an OS problem... Windows cannot be safely put on the internet without running several third party programs to keep it safe. Spyware blockers, pop-up blockers, ad-ware blockers, anti-virus scanners, firewalls turned on... all necessary before it is safe to take your OS for a spin around the World Wide Web. This is like buying a car and having to install windshields, brakes, safety belts, airbags, and oil, all provided by someone other than the automaker, BEFORE setting out to the grocery store!
The only thing a prudent Mac OSX user needs to do is turn on the built in Firewall... oh, sorry, that's wrong, it's already turned on.
So, following this line of thinking, if a burglar breaks into my house and steals my silverplate teapot, it's MY fault because I didn't lock it in the vault, didn't build my house out of 2" plate steel, and didn't hire a 24 hour guard to watch the teapot.
If we just prevent people from using these poor OSes, then the problems would not exist... Solution, let the computers compute without human intervention!
Mac OS X does that. Windows doesn't.
If you won't do that -- or they're unwilling to be protected from their own bad instincts, that's a HUMAN problem -- not an OS problem.
The human problem occurs when a user decides to purchase a Windows-based system. It goes downhill from there. Buy the ticket, take the ride.
You keep claiming things, Bush. You prove nothing. You don't have the code to "hand over". Where is the code that will compromise an up-to-date OSX installation, Bush. You postulate a Rube Goldberg series of events that must occur before your "exploit" can be exploited and then claim that is proof of anything. It isn't.
Second, XP SP2 has an exceptional built-in firewall.
But, but, but... Bush, you said we were talking about UNPATCHED boxes here... gosh. How many XP users have upgraded to SP2? 100%? 50%? 10%?
You might also realize that millions of Windows users are NOT using XP... I have clients who are still using 98, ME, or 2000. Why? Because they have been told by their software suppliers NOT TO UPGRADE... and I have seen some enterprise software break under unauthorized upgrades.
If you really knew what you're doing, you'd realize that XP SP2's firewall is ENABLED by default.
Of course I know it. How many years did it take Microsoft to figure out to turn the XP SP2 firewall on as a default????
But XP's wasn't... and where was the built-in Firewall in Windows before XP? Third-party suppliers had to jump into that vacuum.
Nonsense -- and spoken like a guy who doesn't know how to administer a Windows box. First of all, running with restricted privileges (aka not Administrator) will prevent any adware crap from installing itself and modifying the registry. You don't realize this because you allow your clients to run as Administrator. I doubt whether you've even tried to run in anything other than Administrator under Windows.
AGAIN you call me incompetent. Yet YOU make negative claims about a system with which you have little experience... OSX.
My clients are INDEPENDENT businesses... THEY call the shots, not me. I can tell them, I can set up the computers, I can limit employees' access... but they always want someone to be able to install software and usually it is the owner or a manager. They tell me what they want, I provide it. Then, later when it gets screwed up, I fix it and TELL THEM AGAIN HOW TO BE SAFE. Those who follow my instructions stay safe... those who don't get to pay me to fix it.
Often, it is their enterprise software tech who turns off the protections, elevates the privileges, and occasionally even installs something that is compromised. I HAVE to leave them the passwords for administrator level.
Third, you can choose any web browser you want. You don't have to use IE.
Getting back to the car analogy... you can drive your car, but you really don't have to use the engine it came with... you can get an engine from another maker.
So if the contractor who built my house neglected to provide doors, I have to go out and get doors from another source... just to FIX the incompetence of the builder who did not provide them. When I buy a house I expect a certain degree of safety, privacy, and utility... if the builder constructed a house that did not provide those things, it is HIS incompetence... especially if he led me to believe that these things were there necessary.
Windows is like that disappointing toy... the one that has got all these neat things it can do... that you open on Christmas morning only to read those three damning words: "Batteries Not Included." Before you can play with your new toy, you have to get something more that wasn't provided. In the toy's case, batteries; in Windows' case, security software.
Better late than never, Windows is always playing catch up...
Once again, the only one spreading Fear, Uncertainty, and Doubt around here is Bush2000
Look, you're the one who continues to bash Windows -- DESPITE THE FACT THAT YOU AREN'T ADMINISTERING IT IN A SANE AND REASONABLE FASHION.
Let's see... who posted a seven month old article on FreeRepublic knocking the Mac? Whose posts in this thread have CONSISTENTLY bashed the Mac OS? Who has used ad hominem attacks against those in this discussion who take the opposing view?
ANSWER: Bush2000.
Here is a sampling of the bashing that YOU have done in this thread against the Mac OS.
-------------------
"Bump and weep..."
I challenge you, Bush, to find anywhere near that many number of my posts in this thread where I have "bashed Windows"... I think you will find I spoke of my experiences with that operating system. It is YOU who posts gratuitous slurs against OSX and Apple. In almost every post of mine in this thread you will find that I am providing a rebuttal to your calumnies and false information.
-------------------
"Mac OS X worms, viruses and spyware market share: near zero." "Fixed it for you."
-------------------
"-- and ignore the Mac Moonies."
-------------------
"'Bu-bu-bu-bu... Macs don't crash!' /sarcasm"
-------------------
"They're too busy recovering from crashes ..."
-------------------
". . .which really pisses you Mac zealots off because it interferes with your reality distortion field."
". . . OS X had the highest percentage of critical vulnerabilities. Try spinning that away, fan boy."
--------------------
". . . because companies simply don't use Macs."
---------------------
"Right, companies don't use Macs. Hence... figure it out. Apple would looooooooove to have the problem of companies applying patches -- because that would mean that companies actually using Macs. But that's just a Mac bigot's pipe dream."
----------------------
"There are practically no Macs in the wild."
----------------------
"Mac market share in companies is MINISCULE. You know it. I know it. Don't pretend otherwise."
----------------------
"Which means you belong to the Cult of Mac."
----------------------
". . . or AntiRepublicrat/Swordmaker's delusions that Macs are secure."
----------------------
". . . And the day that OS X and Linux ever have as many desktop users as Windows, they'll have to actually focus on real usability problems."
----------------------
I concur with your post.
Well said.
I've said it before.
What the hell kind of life must it be to try to justify the unjustifiable - who would die on Bill Gates' hill? What does that say about a person?
Who could be for Microsoft, or more to the point, who would defend their software/crapware/marketing/usability?
B2k is a sad and bitter person, uninformed at best, willfully misspoken at worst, more to be pitied than shamed.
I think it's hilarious that B2k gets pinged to every bad-news-Gates thread and still drinks the KoolAid.
Like mama used to say, ain't some folks never gonna learn...