Free Republic
Browse · Search
General/Chat
Topics · Post Article


Mac OS X security myth exposed
Techworld ^ | 24 June 2004 | Matthew Broersma, Techworld

Posted on 01/16/2005 12:04:57 PM PST by Bush2000


And thousands of other products and OSes given security rundown.

By Matthew Broersma, Techworld

Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts showing how many security holes it has had, of what type, and how significant they were.

One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

Its new service, easily accessible on its website, allows enterprises to gather exact information on specific products by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.

Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time, the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 percent granting system access.

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.

As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.

Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.

Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: computersecurity; kneepads; littleprecious; lowqualitycrap; macuser; paidshill; redmondpayroll; tech; trollfromredmond
To: antiRepublicrat
You're missing the point, which was that you blamed OEMs for improperly configuring Windows, while the configuration is the same as Microsoft's own. Besides, even if retail sales are a small percentage, it's still millions of machines.

Uh, dude. The default install of Red Hat installs a root account. That's it. It doesn't install a freaking user account. You have to add that, yourself. So lay off the indignation. It doesn't suit you.

They only lost the ability to tell OEMs they can't offer other OSs or install other software in the OS. Otherwise, the OEMs configure Microsoft-standard, as is evident by their config being the same as the retail config.

Wrong. You don't know SQUAT about what OEMs are allowed to do with Windows today. They can configure it any way they want to -- and the DOJ will kick MS's ass if it tries to say otherwise. The consent decree that MS signed specifically authorized OEMs to do so.

I can't find hard numbers of current sales, but extrapolate from this article citing 650,000 retail sales of XP during only two months in 2001 -- and that's when XP sales were lagging behind 98 sales.

No, do yourself a favor and don't extrapolate -- because extrapolation wouldn't be an accurate reflection of what happens in retail software markets. Software has a very short shelf life. It will only provide sales within the first 6 months. After that, sales turn into a trickle.
261 posted on 01/30/2005 6:55:26 PM PST by Bush2000
[ Post Reply | Private Reply | To 259 | View Replies]

To: antiRepublicrat
And where's the admin for the hundreds of millions of home installs? Is everyone supposed to become a computer expert just to be relatively secure?

Tell it to Red Hat. Or Suse. Or Mandrake. Because they ship exactly the same way.

And for business, do you mind paying for the extra admin work to make up for the shortcomings of the OS and its initial configuration? I'd prefer to save the money.

Considering that you would need to add user accounts anyway -- and differentiating those user accounts as restricted is TRIVIAL -- I'd go with the OS that the vast majority of the world uses. Not some untested wallflower OS from pansyland California...
262 posted on 01/30/2005 6:59:54 PM PST by Bush2000
[ Post Reply | Private Reply | To 260 | View Replies]

To: Bush2000

Macs are superior.

The article deliberately does not deal with empirical occurrences. Theoretical designs to crash Mac OS X exist but are not practically implemented.

I have a standing challenge to my graduate students. Show me a PC notebook that you successfully maintain and keep for two years of grad school.

In ten years, no PC notebooks have survived. All my Mac notebooks still work (including Pre OS X).


263 posted on 01/30/2005 7:02:29 PM PST by lonestar67
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
some untested wallflower OS from pansyland California...

I don't have a dog in the current discussion, but that's funny. Mind if I steal it sometime?

264 posted on 01/30/2005 7:06:56 PM PST by Richard Kimball (We sleep soundly in our beds because rough men are ready to do violence on our behalf)
[ Post Reply | Private Reply | To 262 | View Replies]

To: lonestar67
Macs are superior.

Oh, well, if you say so ... /SARCASM

The article deliberately does not deal with empirical occurrences. Theoretical designs to crash Mac OS X exist but are not practically implemented.

Get real. The software engineering of OS X is fundamentally the same as the software engineering that goes into BSD and Linux and Windows and Solaris. And the bug counts validate that.

I have a standing challenge to my graduate students. Show me a PC notebook that you successfully maintain and keep for two years of grad school.

Perhaps that's more a reflection of IQ-challenged grad students than empirical evidence. Here's a tip: Most of those kids are running crap on their machines (IM, file-sharing, etc) that is specifically laden with spyware. It's no wonder that you can't find any students who can accomplish such a feat.

In ten years, no PC notebooks have survived. All my Mac notebooks still work (including Pre OS X).

Try administering them properly, chief. Until then, you're blowing smoke...
265 posted on 01/30/2005 7:17:30 PM PST by Bush2000
[ Post Reply | Private Reply | To 263 | View Replies]

To: Richard Kimball

You may.


266 posted on 01/30/2005 7:17:41 PM PST by Bush2000
[ Post Reply | Private Reply | To 264 | View Replies]

To: Bush2000

"Try administering them properly chief . . ."

Ahh, there it is-- the PC world in a nutshell. With enough IT support, PCs are awesome. Believe me, I have noticed at my university the extravagant resources dedicated to propping up your view.

Unfortunately-- probably due to my limited mental capacities as a mac user-- I would like the computer to work with ease comparable to any other technological device I work with. This is most certainly not the case with PCs. I work in labs with PCs and Macs. The Macs work better.

Were it not for IT personnel insistence and preference for PCs (at least at my work site), the monopoly would be hard to maintain. I wonder why the IT people like PCs so much? I am not smart enough as a Mac user to figure this out.

Maybe you have some insight.


267 posted on 01/30/2005 7:25:36 PM PST by lonestar67
[ Post Reply | Private Reply | To 265 | View Replies]

To: lonestar67
Ahh, there it is-- the PC world in a nutshell. With enough IT support, PCs are awesome. Believe me, I have noticed at my university the extravagant resources dedicated to propping up your view.

Nah, chief. It's simple. Install RESTRICTED USER ACCOUNTS on your notebook PCs. I know that's a foreign concept. Yeah, imagine ... tell your grad students not to run in ADMINISTRATOR MODE -- and then tell me how your little experiment goes ...
268 posted on 01/30/2005 7:31:06 PM PST by Bush2000
[ Post Reply | Private Reply | To 267 | View Replies]

To: Bush2000
Uh, dude. The default install of Red Hat installs a root account. That's it. It doesn't install a freaking user account.

Have I ever claimed that Linux is ready for general home use? I'll be the first to say that it sucks for almost all home users. But if you are in the enterprise, a standard install, after making basic user accounts, is generally more locked-down than a Windows install.

You don't know SQUAT about what OEMs are allowed to do with Windows today.

I do know they apparently follow Microsoft's example in how to configure Windows. First you want the users to make up for Microsoft's shortcomings, now you want to lay that on the OEMs?

No, do yourself a favor and don't extrapolate -- because extrapolation wouldn't be an accurate reflection of what happens in retail software markets. Software has a very short shelf life. It will only provide sales within the first 6 months. After that, sales turn into a trickle.

That figure was from before retail sales of XP even hit their high, still being second to a years-old OS. It would be extremely illogical to assume that these sales dropped to nothing immediately after this article, and therefore sales were not able to reach the millions of copies sold that I claimed.

Admit it, there are millions of retail copies of XP out there, all configured by Microsoft, all approximately the same as the OEM configs. I have one of these retail installs, an upgrade for that machine that started as a 486/66.

269 posted on 01/31/2005 10:12:16 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 261 | View Replies]

To: Bush2000
I'd go with the OS that the vast majority of the world uses. Not some untested wallflower OS from pansyland California...

You mean the one that by default doesn't even enable the root account (= "Administrator" in Windows)?

Untested? Dude, the core of that "untested" OS is the extremely tested BSD, which has been working in a networked environment since before Bill's OS even realized you could hook two computers together.

270 posted on 01/31/2005 10:17:27 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 262 | View Replies]

To: Bush2000
I know that's a foreign concept. Yeah, imagine ... tell your grad students not to run in ADMINISTRATOR MODE -- and then tell me how your little experiment goes ...

I'd like something in between. Where you're still able to get your work done like you could as Administrator, but without Administrator's abilities to hose the entire system.

You could create that with a lot of group permissions tweaking in XP, or you could get it with a standard install of OS X. Hmmm, I wonder which is easier for 99.99% of users out there?

271 posted on 01/31/2005 10:20:31 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 268 | View Replies]

To: lonestar67
I wonder why the IT people like PCs so much?

Two words: job security.

I sit before you admitting my guilt of having previously been a beneficiary of the needless Microsoft/IT Tech job security racket.

272 posted on 01/31/2005 10:23:17 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 267 | View Replies]

To: antiRepublicrat
Have I ever claimed that Linux is ready for general home use? I'll be the first to say that it sucks for almost all home users.

Ergo, initial Linux setup is no better than Windows.

But if you are in the enterprise, a standard install, after making basic user accounts, is generally more locked-down than a Windows install.

Nonsense. The key words in your statement were "after making basic user accounts". Linux doesn't force you to create user accounts. Neither does Windows. You need to take the initiative. But you want to pretend that the effort to do the same with Windows is somehow different than the effort that you would have to put into creating basic user accounts under Linux. Which is nonsense.

I do know they apparently follow Microsoft's example in how to configure Windows. First you want the users to make up for Microsoft's shortcomings, now you want to lay that on the OEMs?

No, I'm putting responsibility on the ADMINISTRATOR of the operating system. OEMs are installing the OS for you. They therefore need to take responsibility for the state of the box before it gets delivered to you.

That figure was from before retail sales of XP even hit their high, still being second to a years-old OS. It would be extremely illogical to assume that these sales dropped to nothing immediately after this article, and therefore sales were not able to reach the millions of copies sold that I claimed.

It would be illogical to conclude that the sales rate climbed after the first six months of release.

Admit it, there are millions of retail copies of XP out there, all configured by Microsoft, all approximately the same as the OEM configs. I have one of these retail installs, an upgrade for that machine that started as a 486/66.

Less than 1% of all installs are retail. It's an insignificant number.
273 posted on 01/31/2005 12:56:41 PM PST by Bush2000
[ Post Reply | Private Reply | To 269 | View Replies]

To: antiRepublicrat
Two words: job security. I sit before you admitting my guilt of having previously been a beneficiary of the needless Microsoft/IT Tech job security racket.

Dude, your job security is a result of your poor administration skills. You admit that you won't lock down machines -- even though common sense dictates that you need to do so. Don't blame your poor admin skills on the OS.
274 posted on 01/31/2005 12:59:38 PM PST by Bush2000
[ Post Reply | Private Reply | To 272 | View Replies]

To: Bush2000
Dude, your job security is a result of your poor administration skills. You admit that you won't lock down machines -- even though common sense dictates that you need to do so.

I did lock down those machines, and even with a lockdown script I had (closed ports, shutdown services, etc.) it still took quite some time to admin all those Windows boxes. Dealing with constant critical updates was a pain. I rarely had to touch the Linux boxes though.

And don't go on about auto updates. Every update had to be tested before it could be installed, both to check for incompatibilities and to make sure the update didn't restart any services or something. That did happen -- without telling me, Microsoft started a service I had previously disabled for security reasons. Would you call that good security practice by Microsoft?

Don't blame your poor admin skills on the OS.

I'm blaming the OS for making me use too much of my time administering it.

275 posted on 01/31/2005 1:35:08 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 274 | View Replies]
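The poster's complaint above is that an update silently re-enabled a service that had been disabled on purpose. The check below is an added example, not the poster's lockdown script: it compares two snapshots of service startup settings, one taken before updates and one after, and reports every service that came back. The snapshot format ("name start_type state" per line) and the sample service names are constructed for this example; on a real host the snapshots would be produced with the platform's service query tool.

```python
"""Detect services re-enabled between two configuration snapshots.

Added example (not the poster's script). Each snapshot is text with one
"service start_type state" line per service, a format assumed here for
illustration. The before/after pairs below are constructed.
"""

# Constructed snapshot taken before the updates were applied.
BEFORE = """\
messenger   disabled  stopped
telnet      disabled  stopped
spooler     auto      running
w32time     manual    stopped
"""

# Constructed snapshot taken after the updates were applied.
AFTER = """\
messenger   auto      running
telnet      disabled  stopped
spooler     auto      running
w32time     auto      running
"""

# Start types that mean the service can be started (by boot or on demand).
ENABLED_STARTS = {"auto", "manual"}


def parse_snapshot(text):
    """Return {service: (start_type, state)} from snapshot text."""
    snapshot = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            name, start, state = parts
            snapshot[name] = (start.lower(), state.lower())
    return snapshot


def service_drift(before_text, after_text):
    """List (service, before, after) for every service that was disabled or
    stopped in the first snapshot and is enabled or running in the second."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    findings = []
    for name, (start_b, state_b) in before.items():
        start_a, state_a = after.get(name, ("missing", "missing"))
        reenabled = start_b == "disabled" and start_a in ENABLED_STARTS
        restarted = state_b == "stopped" and state_a == "running"
        if reenabled or restarted:
            findings.append((name, f"{start_b}/{state_b}", f"{start_a}/{state_a}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, was, now in service_drift(BEFORE, AFTER):
        print(f"{name}: {was} -> {now}")
```

A service that moves from disabled to an enabled start type is the finding that matters most, since it undoes a deliberate hardening decision; a stopped-to-running change on a manually started service is reported too, because it is exactly the kind of side effect the poster says was never announced.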

To: Bush2000
Ergo, initial Linux setup is no better than Windows.

As far as initial accounts go, no. That's one reason why I don't think it's ready for home use, just like Windows isn't in that respect.

They therefore need to take responsibility for the state of the box before it gets delivered to you.

Why don't you become an OEM then, and be the first to offer this service? It's actually a pretty good idea. And what about the millions of copies of XP shipped by Microsoft at retail? Do they have a responsibility to configure it well?

It would be illogical to conclude that the sales rate climbed after the first six months of release.

That 650,000 was the two months following the initial release. Microsoft also claimed stores couldn't keep retail copies stocked. Plus, the XP retail install is the same as the XP corporate license install except for the need for activation, so add all those corporate licenses.

Less than 1% of all installs are retail. It's an insignificant number.

There you go, millions. Whether it's an insignificant number doesn't matter. What matters is that Microsoft's practice is to ship poorly configured Windows installs. Are you incapable of admitting that Microsoft can do wrong?

276 posted on 01/31/2005 1:56:10 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 273 | View Replies]

To: Bush2000
Linux doesn't force you to create user accounts.

But what it does do is force services not to run as root/administrator. A default apache install will not run as root, nor will most Linux applications.

277 posted on 01/31/2005 2:26:59 PM PST by N3WBI3
[ Post Reply | Private Reply | To 273 | View Replies]

To: Bush2000

Nope. PC problems are more serious than administrator settings. PCs are cheaper. They generally use parts that fail more easily. I have seen many more screen failures, power packs, and battery failures on PCs than on Macs.

The notebooks I am referring to are not lab computers-- though I am familiar with that setting as well. The personal notebook computers of students do not work. Answers to my post show that if PCs are shared they become even more vulnerable. Macs have administrator settings which I do use. But even when Macs lack administration authorizations, they tend to fail and be corrupted less (in my 10 years of experience at this university).

IT support is in a racket with Windows/Microsoft-- let's admit it.

I am not even talking about software here. Microsoft Word is probably the only slightly interesting software that is generally useful. iTunes and various multimedia software from Apple blow the PC away or force it into anemic emulations.


278 posted on 01/31/2005 3:58:39 PM PST by lonestar67
[ Post Reply | Private Reply | To 268 | View Replies]

To: N3WBI3
But what it does do is force services not to run as root/administrator. A default apache install will not run as root, nor will most Linux applications.

Nonsense. Neither Linux nor most applications force you to run in a non-root context. That's just pure BS on your part.
279 posted on 02/05/2005 11:03:28 AM PST by Bush2000
[ Post Reply | Private Reply | To 277 | View Replies]
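Posts 277 and 279 disagree about whether services on a Linux box actually run as root. The question is answerable from process listings rather than by assertion, and the script below is an added example (not from either poster, Apache or any distribution) of how to do that. It parses the output of `ps -eo user,pid,ppid,comm`, groups processes by command name, and reports which users each service runs as. The sample listing is constructed: it shows the privilege-separated pattern an Apache `User`/`Group` configuration produces (a root parent that bound port 80, workers running as www-data), a mysqld that runs entirely unprivileged, and a hypothetical `mydaemon` that never drops root.

```python
"""Audit which service processes run as root, from `ps` output.

Added example, not code from the thread. Reads the layout that
`ps -eo user,pid,ppid,comm` prints and reports, per service name,
the set of users its processes run as. The listing below is constructed.
"""

# Constructed sample in the layout of `ps -eo user,pid,ppid,comm`.
# `mydaemon` is a hypothetical service name, not a real program.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root       812     1 httpd
www-data   815   812 httpd
www-data   816   812 httpd
root       900     1 sshd
root      1201     1 mysqld_safe
mysql     1250  1201 mysqld
root      1400     1 mydaemon
"""

# Service command names the audit should report on.
SERVICES = ("httpd", "sshd", "mysqld", "mydaemon")


def parse_ps(text):
    """Yield (user, pid, ppid, comm) tuples, skipping the header line."""
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue
        user, pid, ppid, comm = fields
        yield user, int(pid), int(ppid), comm


def audit_root_services(ps_text, services=SERVICES):
    """Map each service name to the set of users its processes run as."""
    users = {name: set() for name in services}
    for user, _pid, _ppid, comm in parse_ps(ps_text):
        if comm in users:
            users[comm].add(user)
    return users


def root_only_services(ps_text, services=SERVICES):
    """Services whose every running process is root: no privilege drop seen."""
    users = audit_root_services(ps_text, services)
    return sorted(name for name, who in users.items() if who == {"root"})


def privilege_separated_services(ps_text, services=SERVICES):
    """Services with a root process plus at least one unprivileged process."""
    users = audit_root_services(ps_text, services)
    return sorted(name for name, who in users.items()
                  if "root" in who and len(who) > 1)


if __name__ == "__main__":
    for name, who in audit_root_services(SAMPLE_PS).items():
        print(f"{name:12s} runs as: {', '.join(sorted(who)) or '(not running)'}")
    print("root-only:", root_only_services(SAMPLE_PS))
    print("privilege-separated:", privilege_separated_services(SAMPLE_PS))
```

Two caveats when running this against a live host: `ps` truncates long usernames (appending `+`) and prints the command name rather than the full path, so a service that is launched under a wrapper appears under the wrapper's name, as `mysqld_safe` does above. The result answers the thread's question per service rather than for "Linux" as a whole, which is the only form in which it can honestly be answered.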

To: lonestar67
Nope. PC problems are more serious than administrator settings. PCs are cheaper. They generally use parts that fail more easily. I have seen many more screen failures, power packs, and battery failures on PCs than on Macs.

Reality check: There are plenty of examples of Macs turning into hotplates, frying their batteries, etc. I love the anecdote about Macs potentially exploding. Oh, yeah. There's real quality control there. Nice. /SARCASM

Apple recalls overheating batteries
Apple recalls power adapters
Cubes suck ass
What can I do about my overheating Titanium PowerBook G4?

Macs have always had a problem with power management and heat. Some things never change.

The notebooks I am referring to are not lab computers-- though I am familiar with that setting as well. The personal notebook computers of students do not work. Answers to my post show that if PCs are shared they become even more vulnerable.

Duh. They're being run in Administrator mode. Of course they're vulnerable to these dumbass kids installing crapware on them. They shouldn't be run in anything other than a Restricted account.

Macs have administrator settings which I do use. But even when Macs lack administration authorizations, they tend to fail and be corrupted less (in my 10 years of experience at this university).

Statistically, there are far fewer of them. Hence, your anecdotal "evidence" is based on skewed averages.

IT support is in a racket with Windows/Microsoft-- let's admit it.

Many IT shops are simply incompetent. Yours is no exception.
280 posted on 02/05/2005 11:28:54 AM PST by Bush2000
[ Post Reply | Private Reply | To 278 | View Replies]

