Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Mac OS X security myth exposed
Techworld UK ^ | 6/24/2004 | By Matthew Broersma, Techworld

Posted on 06/25/2004 2:13:36 AM PDT by Swordmaker

Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004 sheds light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.

One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

Its new service, easily acessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.

Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time,the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.

As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.

Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.

Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."


TOPICS: Business/Economy; Culture/Society; Extended News; Miscellaneous; Technical; Unclassified
KEYWORDS: computersecurity; lowqualitycrap; macintosh; microsoft; oswars; osx; windows; xp
Navigation: use the links below to view more comments.
first 1-2021 next last

1 posted on 06/25/2004 2:13:36 AM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: Swordmaker
Mac, Linux, OS Wars ping. Secunia judges Mac OS X not very secure... and Windows XP better than thought.

If you want to be included on the Mac Ping list, please Freepmail me. If you want off, although I can't think of why you would, you can do the same

2 posted on 06/25/2004 2:15:36 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 1 | View Replies]

OS X had the highest proportion of "extremely critical" bugs at 19 percent.<

These "extremely critical bugs" were only critical in Secunia's opinion. Most were Non-exploited and patched fairly quickly.

I would consider only the latest of the 36 "advisory security concerns" as "extremely critical." That advisory demonstrated a proof of concept where a hostile website could actually install an executable on a Mac OS X computer AND execute it through the .dsk URI protocol handler. That door has been closed by Apple without a known exploit.

3 posted on 06/25/2004 2:36:11 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Is this a Microosft-funded "study"? Sounds just like the study where Windows TCO was lower than Linux (funded by MS).

Yes, there were some security issues.

They were never exploited, before being patched.

Compare the exploits. Compare the damage done. Compare the hassle.

4 posted on 06/25/2004 2:44:45 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000; antiRepublicrat; LasVegasMac; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ...
Whow! Something happened to Freerepublic that resulted in my ping post being posted without the pasted in Ping List! FR was off line for about 5 minutes.

Needless to say, this is a Mac Ping.

If you want to be included or deleted from the Mac Ping List, please freepmail me.

Secunia declares Mac OS X not that secure and Windows XP more secure.

5 posted on 06/25/2004 2:49:43 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
From the SECUNIA home page:

Secunia Highlights

Internet Explorer Local Resource Access and 
Cross-Zone Scripting Vulnerabilities

 -
Extremely critical - 2004-06-08


Two vulnerabilities have been reported in Internet Explorer, 
which in combination with other known issues can be exploited
by malicious people to compromise a user's system.

IBM Access Support ActiveX Controls Various Insecure Methods
 -
Highly critical - 2004-06-16


eEye Digital Security has reported some vulnerabilities in two
IBM Access Support ActiveX controls, which potentially can be
exploited by malicious people to compromise a user's system.
No mention of OS X...
6 posted on 06/25/2004 2:50:18 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Take a look at their last 10 virus alerts.

No OS X there, either.

7 posted on 06/25/2004 2:51:36 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Red Hat is not going to look good on this kind of testing. They tend to ship with all the services turned on and wide open. They leave is up to a savy admin to button things down.

A few reports like this and they may change their packaging policy.


8 posted on 06/25/2004 2:51:45 AM PDT by the_Watchman
[ Post Reply | Private Reply | To 1 | View Replies]

To: Izzy Dunne
It is interesting to compare Secunia's charts and graphs... All the Windows' graphs report ZERO (0%) exploits that can result in hijacking... but somehow Mac OS X has a 2% impact due to hijacks... other impacts are similarly absurd. Example charts:

Another chart shows claims that 19% of OS X advisories are "extremely critical" yet all Windows combined have ZERO (0%) extremely critical advisories! Unbelievable.

9 posted on 06/25/2004 2:52:46 AM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Swordmaker
Take a look at their Security Advisories:
2004-06-25
 -
giFT-FastTrack Unspecified Denial of Service Vulnerability
 -
Sun Solaris Kerberos Client Clear Text Password Logging
 -
Fedora update for kernel

2004-06-24
 -
Red Hat Linux Broadcom 5820 Cryptonet Driver Integer Overflow
 -
Sun StorEdge ESM Unspecified Privilege Escalation Vulnerability
 -
3Com SuperStack Switches HTTP Request Denial of Service
 -
Fedora update for dhcp
 -
Mandrake update for kernel
 -
Linux Kernel IEEE 1394 Driver Integer Overflow Vulnerabilities
 -
php-exec-dir Command Execution Bypass Vulnerability
 -
Lotus Domino/Notes Cross-Site Scripting and Arbitrary Code Execution


2004-06-23
 -
Sun Solaris Basic Security Module Denial of Service Vulnerability
 -
SuSE update for dhcp/dhcp-server
 -
Mandrake update for dhcp
 -
rssh File Existence Information Disclosure Weakness
No OS X there...
10 posted on 06/25/2004 2:54:42 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.

Beware the pox, beware the ides, beware the man with the colored slides...

11 posted on 06/25/2004 3:02:13 AM PDT by Woahhs (the choice is not between peace and war, only between fight and surrender.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Click on their Online Antivirus Scan and all I get is a PAGE NOT FOUND error.

Also notice that they publish A VULNERABILITY IN PANDA's ANTIVIRUS SCAN.

Yeah, I'm inclined to think well of these people...

12 posted on 06/25/2004 3:10:09 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Hell, do a SEARCH for "OS X" on Secunia's site:
Search Advisory, Vulnerability, and Virus Database
Search: [Advanced Search]
 All Content  Secunia Advisories   Virus Information
Did you search for information regarding a specific product?

- Apple Macintosh OS X
- Panicware Pop-Up Zapper for Mac OS X 2.x
- Admin Access With Levels 1.x (osCommerce plugin)
- Adobe Photoshop 5.x
- Adobe Photoshop 6.x
- Adobe Photoshop 7.x
- Aestiva HTML/OS 2.x
- APC AOS 1.x
- APC AOS 2.x
- APC AOS 3.x
- ArGoSoft FTP Server 1.4.x

Found: 0 Secunia Security Advisories, displaying 1-0

Sort by: Match, Title, Date

Title
Date


Found: 0 Viruses, displaying 1-0

Found: 0 Vendors

Vendor Name


Found: 2 Products

Product Name
 
Apple Macintosh OS X

Panicware Pop-Up Zapper for Mac OS X 2.x




Found: 1 Secunia Webpage

Page Title
 
Press
It found ZERO security advisories, and ZERO viruses.

I can't even find the report that Techworld cites...

13 posted on 06/25/2004 3:16:29 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
From the TECHWORLD article:
A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not

Well, duh.

Windows runs at root level all the time, anyway. There is no "escalation" possible, because YOU'RE ALREADY AT HIGHEST PRIVILEGE LEVEL out of the box.

Unix (and OS X) run at user level, therefore escalation is possible, since you are NOT at highest privilege level, most of the time.

14 posted on 06/25/2004 3:21:23 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
That door has been closed by Apple without a known exploit.

... other that the proof-of-concept exploits, which WERE real. Even so, all they could do was destroy the user's home directory, not trash the system. (Still scary enough).

15 posted on 06/25/2004 3:25:09 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Izzy Dunne
Windows runs at root level all the time, anyway. There is no "escalation" possible, because YOU'RE ALREADY AT HIGHEST PRIVILEGE LEVEL out of the box.

...Really what's at the heart of all these virus/worm problems... XP 'Home' is really a travesty from a user privilege standpoint.

16 posted on 06/25/2004 3:30:10 AM PDT by hedgie
[ Post Reply | Private Reply | To 14 | View Replies]

To: Swordmaker

Good scoop, Techworld UK. A security firm announces that all operating systems are insecure. Can we get an article about more dangerous viruses from an anti-virus company study too?


17 posted on 06/25/2004 4:50:09 AM PDT by anonymous_user (Life is like a crap sandwich. The more bread you got, the less crap you gotta eat.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
From a manager perspective, I'd just ask "Which one of these is less likely to cause me problems?" Windows is obviously not the answer.

You know it's getting bad in Windows world when lots of people are complaining that when they do a fresh install of XP they get owned before they can finish downloading all the security updates.

Wake me up when it gets that bad in the Linux/Apple world.

18 posted on 06/25/2004 6:36:10 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
My first problem with this article, RedHat ships an incredible amount of software with their enterprise product, much of which is not installed by default. The RedHat advisories cover a spectrum of software packages. A more accurate report would not compare this to "Windows XP Professional" but rather to Microsoft's entire product line. And even then, Microsoft does not offer some of RedHat's capabilities, for which a Windows user will require third-party software.
19 posted on 06/25/2004 12:18:50 PM PDT by John Robinson
[ Post Reply | Private Reply | To 1 | View Replies]

To: antiRepublicrat; Swordmaker
What's so difficult to understand?

Your disbelief is a symptom of your zealotry. This isn't any kind of surprise. Every OS has these flaws.
20 posted on 06/26/2004 11:46:21 AM PDT by Bush2000
[ Post Reply | Private Reply | To 18 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson