Free Republic
Vulnerability statistics for Mac and Windows
ZDNet ^ | February 28, 2006 | George Ou

Posted on 02/28/2006 6:57:54 PM PST by elfman2

In yesterday's article "Is Mac OS as safe as ever", Joris Evers poses the age-old question of whether Mac OS security is myth or reality. I decided to settle this once and for all with some hard numbers from the independent security research group Secunia, along with the number of CVE issues for Microsoft Windows XP and Mac OS X within the last two years.

Before I post the data, I want to make a few things clear since I keep getting the same questions and accusations every single time I post data on vulnerability statistics.

- When visiting the Secunia links I provide in this blog, please DO NOT quote me on the number of advisories for a particular OS and blast me for getting the numbers wrong. I am NOT counting advisories; I'm counting the actual number of vulnerabilities. There are many advisories that contain multiple vulnerabilities and CVE IDs. Sorry for the shouting, but I get about 10 of these "I don't count the same number of issues" complaints every time.

- No matter what some people may say, vulnerability ratings from Secunia are a valid measurement of security risk. If we can't count the number of actual security vulnerabilities (with severity and patch status in mind), what can we count?

- There seems to be a cavalier attitude that a vulnerability is not a problem if it hasn't been widely hacked yet. The truth is that professional hackers don't want notoriety because it's bad for business. Before Microsoft's WMF vulnerability became infamous because of all the press coverage, it sold on the black market for $4000. Nothing kills a money maker in the digital underworld faster than public exposure.

- There will always be those who say vulnerabilities are only "theoretical". Anyone who feels this way should leave their computers unpatched for all "theoretical" problems and post their email and IP address in the talkback section, and I'll be sure to forward a copy to the hacker forums. I'm sure it probably won't be a problem since the problem is only "theoretical".

- I make no claims on which operating system is better. You look at the data and you be the judge.

- The three most severe levels of vulnerabilities from Secunia are analyzed in this chart.

- The two less critical categories from Secunia were left out so the significant data will fit better on the screen.

- The grayed out section represents the vendor with the worst security of the month.

- Red font text represents unpatched vulnerabilities correlating to the degree of vulnerability. For example, in the month of February 2006, Apple's metadata shell script execution flaw hasn't been fixed yet, so it gets a red 1 in the extremely vulnerable column.

The data is clear, and Apple has a lot more vulnerabilities of every kind, ranging from moderately critical to extremely critical. While Windows had some months with more security disclosures, they are more spread out, while Apple tends to release mega-advisories with dozens of vulnerabilities at a time. There were seven months where Apple disclosed a dozen or more highly critical vulnerabilities, and August 2005 saw nearly three dozen of them. One of the most severe zero-day exploits for Mac OS X, disclosed this month with a working proof-of-concept, has yet to be patched, so we'll have to wait and see how long it takes Apple to release a patch.

Microsoft on the other hand seems to let some moderately critical and even one highly critical vulnerability go unpatched for more than a year. I've hammered Microsoft for this issue in the past and Microsoft has responded to me that they are clarifying some of these issues with Secunia because some of the unpatched vulnerabilities may be moot. I'm still waiting for Microsoft's detailed explanation on these unpatched vulnerabilities.
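
The counting rule the author insists on above (count CVE IDs, not advisories, and carry severity and patch status through to the chart) as an added worked example. This is not code from the article, ZDNet or Secunia: the advisory records, the advisory identifiers and the CVE placeholders are constructed for illustration, the severity tiers only reuse the three Secunia labels the article charts, and the "worst vendor of the month" rule (largest total across the three tiers) is this example's own assumption, since the article does not define it.

```python
"""Vulnerability statistics from advisories: count CVE IDs, not advisories.

Added example, not from the article or Secunia. All records below are
constructed; advisory IDs ("ADV-n") and CVE placeholders ("CVE-EX-nnnn")
are hypothetical and match no real identifier.
"""
from dataclasses import dataclass

# The three most severe Secunia tiers the article charts, most severe first.
SEVERITIES = ("Extremely critical", "Highly critical", "Moderately critical")


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical, not a Secunia advisory number
    vendor: str
    month: str         # "YYYY-MM"
    severity: str      # one of SEVERITIES
    cves: tuple        # CVE IDs covered by this advisory
    patched: bool


# Constructed sample: one "mega-advisory" carries several CVE IDs, and one
# CVE (CVE-EX-0003) is covered by two Microsoft advisories, one of them a fix.
SAMPLE = [
    Advisory("ADV-1", "Apple", "2006-02", "Extremely critical", ("CVE-EX-0001",), False),
    Advisory("ADV-2", "Apple", "2006-02", "Highly critical",
             ("CVE-EX-0010", "CVE-EX-0011", "CVE-EX-0012"), True),
    Advisory("ADV-3", "Microsoft", "2006-02", "Highly critical", ("CVE-EX-0002",), True),
    Advisory("ADV-4", "Microsoft", "2006-02", "Moderately critical",
             ("CVE-EX-0003", "CVE-EX-0004"), False),
    Advisory("ADV-5", "Microsoft", "2006-02", "Moderately critical", ("CVE-EX-0003",), True),
]


def count_advisories(advisories):
    """The naive count the author warns against: {vendor: {month: advisories}}."""
    counts = {}
    for adv in advisories:
        months = counts.setdefault(adv.vendor, {})
        months[adv.month] = months.get(adv.month, 0) + 1
    return counts


def count_vulnerabilities(advisories):
    """{vendor: {month: {severity: (total, unpatched)}}}, counting each CVE once.

    Convention of this example: a CVE keeps its highest severity across the
    advisories that mention it, and it is unpatched only while no advisory
    covering it is patched.
    """
    per_cve = {}
    for adv in advisories:
        rank = SEVERITIES.index(adv.severity)
        for cve in adv.cves:
            key = (adv.vendor, adv.month, cve)
            prev_rank, prev_patched = per_cve.get(key, (rank, adv.patched))
            per_cve[key] = (min(prev_rank, rank), prev_patched or adv.patched)

    counts = {}
    for (vendor, month, _cve), (rank, patched) in per_cve.items():
        cells = counts.setdefault(vendor, {}).setdefault(
            month, {s: [0, 0] for s in SEVERITIES})
        cells[SEVERITIES[rank]][0] += 1
        if not patched:
            cells[SEVERITIES[rank]][1] += 1

    return {v: {m: {s: tuple(c) for s, c in cells.items()}
                for m, cells in months.items()}
            for v, months in counts.items()}


def total_cves(cells):
    """Sum of the three tiers for one vendor-month."""
    return sum(total for total, _ in cells.values())


def worst_vendor(counts, month):
    """Assumed rule for the chart's grayed-out section: most CVEs that month."""
    totals = {v: total_cves(months[month]) for v, months in counts.items() if month in months}
    return max(totals, key=totals.get) if totals else None


def format_cell(total, unpatched):
    """Text stand-in for the chart's red font: mark the unpatched share."""
    return f"{total}" if not unpatched else f"{total} ({unpatched} unpatched)"


if __name__ == "__main__":
    adv_counts = count_advisories(SAMPLE)
    cve_counts = count_vulnerabilities(SAMPLE)
    for vendor, months in cve_counts.items():
        for month, cells in months.items():
            print(f"{vendor} {month}: {adv_counts[vendor][month]} advisories, "
                  f"{total_cves(cells)} vulnerabilities")
            for sev in SEVERITIES:
                print(f"    {sev:20s} {format_cell(*cells[sev])}")
    print("worst vendor 2006-02:", worst_vendor(cve_counts, "2006-02"))
```

On the constructed data the two counts disagree in direction: Microsoft has more advisories (3 vs 2) but fewer vulnerabilities (3 vs 4), which is exactly the discrepancy the author says readers keep reporting back to him.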


TOPICS: Computers/Internet
To: Natty Bumppo@frontier.net
Thanks for all that. It was pretty informative.

I may have an incorrect conception of "firewall failure". I was under the presumption that a firewall failure is when it's configured to allow only traffic of specific types (port, IPs etc...) and it fails to do so. (That's why I was taken aback by your 10-20 percent failure estimate.) But they've apparently grown more sophisticated than the one I tried to lock down 8 years ago, and now their anti-trojan, anti-virus feature failures are considered a failure of the firewall. If I read you right, you're also including management failure. If I understand you correctly, I'm not sure how hybridizing the network has a beneficial effect in and of itself. Good administration and tools intuitively seem to be an answer, not hybridization.

8 years ago I purchased a book on network security using MS Proxy Server. I forgot almost everything, but remember one line where the author said that people place too much emphasis on firewalls for network security. He said something to the effect that, “it’s better to not have a firewall at all and correctly configure each station and educate each user than to lock down a firewall and think the job’s complete”. With more sophisticated threats and personal firewalls, that's probably just as true today.
21 posted on 03/04/2006 3:04:39 PM PST by elfman2

To: elfman2
My original post was:

"The BEST Firewalls have a 10 -20% probability of stopping a sophisticated attack."

That statement remains true even if the firewalls are properly configured and don't fail (according to your definition).

As regards hybrid versus homogeneous networks:

If the network is homogeneous, the hacker can jump from box to box with a very high degree of confidence of the configuration of the hardware and software he will find. This greatly increases his chance for success and greatly decreases the probability of detection. A vulnerability found on one box in a homogeneous network is likely to be found on several (if not all) boxes. And once elevated privileges are established on one box in a homogeneous network, exploiting the trust relationship to other identical boxes is trivial. Also, homogeneous networks tend to have the same unnecessary ports and services running on identical configurations across the network. This tends to provide a convenient, reliable, (and largely covert) "transportation grid" across the network and allows for tuning automatic scans and tools to minimize detection. For an elite hacker, "compromise is failure."

Stumbling across a "non-standard" router, server, or computer can ruin a hacker's whole day (or months and weeks of work). The probability of detection just went way up, because this box will not be susceptible to the same methods that worked on all the other boxes, and because his careful efforts to mask his activity against the other identical boxes, may highlight his activity against this box.

Variety among firewalls and IDS is even more important. If several different brands and technologies are used in firewalls and IDS, their weaknesses tend to cancel out, especially if they are deployed in a non-uniform (ideally random) manner.

Predictability is the hacker's friend and unpredictability his enemy.
22 posted on 03/04/2006 7:49:21 PM PST by Natty Bumppo@frontier.net (The facts of life are conservative -- Margaret Thatcher)