PDA

View Full Version : Mac versus Windows vulnerability stats for 2007


MacBytes
Dec 21, 2007, 10:30 AM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: Mac OS X
Link: Mac versus Windows vulnerability stats for 2007 (http://www.macbytes.com/link.php?sid=20071221113023)
Description:: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

crazedbytheheat
Dec 21, 2007, 10:57 AM
I await the well reasoned discussion to follow.

JSchwage
Dec 21, 2007, 11:05 AM
Ouch. Well, at least there's almost nobody creating viruses or spyware for OS X.

ImageWrangler
Dec 21, 2007, 11:22 AM
Those figures don't lie, but those liars sure figure.

mkrishnan
Dec 21, 2007, 11:23 AM
I await the well reasoned discussion to follow.

Hopefully it will stay civil (evil moderator grin) ... but to be honest, I think most of us were quite aware of these statistics for some time now. This summary should not come as too much of a surprise to anyone who's been watching IT security in 2007...

dvkid
Dec 21, 2007, 11:46 AM
Snore.

Who cares if my house has more broken windows than yours if nobody is trying to climb in them?

Besides, *NIX underpinings, responsible computing, and a decent backup structure (thanks to Time Machine) have me not so worried about this.

Mydel
Dec 21, 2007, 11:50 AM
We all know that "secure system" doesnt exist. Macs for now has not enough market share and are mostly in private hands to be an important target for hackers. But that will change, soon I think. We can only hope that Apple will step up and take care of the security flaws....at least to some extent.
But its also up to consumers. I have the feeling that Mac users are more "qualify" in computers than average PC user. But reading MR clearly indicate that its changing. The questions asked by many people, (switchers mostly) points to total ignorance and lack of basic skills, common sense. I read MR for years and would call it an important trend.

jephrey
Dec 21, 2007, 11:52 AM
I'm curious how these vulnerabilities affect the common user. Is this basically saying that mysteriously, nobody is exploiting any mac vulnerabilities? Do we not hear about it? Is there something else at play that makes the Mac's vulnerabilities not as serious?

J

mkrishnan
Dec 21, 2007, 11:59 AM
I'm curious how these vulnerabilities affect the common user. Is this basically saying that mysteriously, nobody is exploiting any mac vulnerabilities? Do we not hear about it? Is there something else at play that makes the Mac's vulnerabilities not as serious?

I didn't look through this specific list of vulnerabilities, but I think the difference is that generally most of the Mac vulnerabilities (but not all of them) are local exploits, meaning that the local user (you) has to give the hacking agent (program or person) access to the computer. So you are vulnerable to things like trojan horses, but many of these exploits are insufficient grounds on which to build a virus. In contrast, in Windows, more of the exploits traditionally have associated vectors that allow an intrusive agent to gain access without the user having to do anything obvious -- e.g. files are either obtained automatically and executed silently from the internet while doing something innocuous or else the exploit can be packaged into a virus (i.e. it can infect the host computer and use the host computer's resources to replicate from file to file, thereby spreading).

Without the virus or worm formulations, it's hard for an exploit, even in the wild, to achieve a high penetration.

That doesn't mean Mac users are safe. It's just part of the explanation as to why Windows can have a smaller number of new exploits and a larger number of actual affected installations, while OS X has a lot of new exploits and no one is being affected by any of them.

pgwalsh
Dec 21, 2007, 12:18 PM
Regardless of the seriousness of the exploits, Apple needs to close them off asap and really be proactive. They really becoming popular and it would be a shame if they started losing face from a security standpoint.

It's easy for us to poo poo this article or any other, but in all do respect, it would be much better if we pressed Apple to fix the problems and double or tripple their effort to prevent future vulnerabilities.

longofest
Dec 21, 2007, 12:37 PM
Snore.

Who cares if my house has more broken windows than yours if nobody is trying to climb in them?

Besides, *NIX underpinings, responsible computing, and a decent backup structure (thanks to Time Machine) have me not so worried about this.

Personally, I like to live in a house without broken windows. Call me snooty, but I just think its kind of trashy to have broken windows lie around unfixed...

Which is pretty much what is happening with the current state of Mac security. Apple may have based OSX on UNIX, but they don't update it worth crap. Any OS is only as secure as it is patched.

Take Mac OS X Server... Squirrelmail (the default web mail client) is still at 1.4.10a... that was released in May of 2007. PHP is still in version 4. Etc...

zombitronic
Dec 21, 2007, 12:39 PM
Why does the Mac Bytes link for Vista vs Mac OS X Security: Why George Ouís ZDNet Vulnerability Numerology is Absurd on the Mac Rumors home page take me to the same exact page as Mac versus Windows vulnerability stats for 2007?

ToneFREQ
Dec 21, 2007, 12:47 PM
I, for one, am happy to see reports like this because it puts pressure on Apple to fix the issues. Sometimes the squeaky wheel gets the grease.

mkrishnan
Dec 21, 2007, 12:50 PM
Why does the Mac Bytes link for Vista vs Mac OS X Security: Why George Ouís ZDNet Vulnerability Numerology is Absurd on the Mac Rumors home page take me to the same exact page as Mac versus Windows vulnerability stats for 2007?

Thanks for the information. For what it's worth, this Macbytes seems to point to the correct place, but there appears to be an error in the other Macbytes article (the "Why George Ou..." one). I'll contact the admin and see if I can't get it fixed.

whlteXbread
Dec 21, 2007, 01:03 PM
Seems to me that most of the windows level H exploits are execution of arbitrary code - I didn't read through all the X exploits but most of the H exploits are much more mild than executing arbitrary code...

also most of the X security holes result in holes from 3rd party programs, be they open source, otherwise free (flash) or M$ - the holes that result from apple software (that i found) don't usually allow for buffer overflows or arbitrary code execution, and that makes up the majority of M$ app holes in XP + Vista.

In all reality though, it would be nice if Apple were faster to push updates from OSS that has been patched external to apple.

I say that it's still much harder to fully compromise (gain root access to) X than vista or XP. That is probably true for just about any distribution of *NIX.

zombitronic
Dec 21, 2007, 01:12 PM
Thanks for the information. For what it's worth, this Macbytes seems to point to the correct place, but there appears to be an error in the other Macbytes article (the "Why George Ou..." one). I'll contact the admin and see if I can't get it fixed.

I did notice that. From MacBytes.com, you do get a link to a different article when clicking on the Why George Ou... link. Unfortunately, there's nothing there except the lucky number 404.

I just Googled that article title and found it. It's right here (http://www.roughlydrafted.com/2007/12/21/vista-vs-mac-os-x-security-why-george-ous-zdnet-vulnerability-numerology-is-absurd/) for anyone interested in reading the retaliation. I'm gonna read it right now...

johny5
Dec 21, 2007, 01:22 PM
Hands up all of those that would like to see "exploits" already addressed and fixed SWAPPED for new daily viruses!?

My 4 xp boxes have been dormant for over 5 months now, shame really as 2 of them are pretty powerful beasts, but i have not use for them.

dvkid
Dec 21, 2007, 01:25 PM
Regardless of the seriousness of the exploits, Apple needs to close them off asap and really be proactive.

Somebody smack me if I'm wrong here, but I do believe that Apple is already doing this. Security Updates come out pretty regularly it seems.

Also, when looking at the numbers users should take into account the higher number of times Apple has released a major upgrade to their OS. With every major upgrade comes a whole slue of vulnerabilities. The higher number of upgrades, the higher the number of problems.

I also found this point especially interesting in one of the comments to the above linked post. Apple's base code is open source. Meaning that there are a whole lot more eyes staring at it from a bunch of different projects. Thus when Apple finds a vulnerability it has likely already been seen or will soon be seen by somebody else. Not sure if that really plays into it much, but who really knows?

Consultant
Dec 21, 2007, 01:38 PM
I'm curious how these vulnerabilities affect the common user. Is this basically saying that mysteriously, nobody is exploiting any mac vulnerabilities? Do we not hear about it? Is there something else at play that makes the Mac's vulnerabilities not as serious?

J

The accounting methods are biased.

"Only XP Pro and Vista were counted on the Windows side, whereas all versions of Mac OS X were factored in, including server editions. There are also said to be a number of warnings mislabeled by Ou, ones which either affected all operating systems, third-party software, or Apple programs running on Windows or the iPhone. It is suggested that if all factors were properly weighed, a user of Mac OS X Tiger or Leopard would likely encounter far fewer risks than someone using Windows XP, and possibly Vista."

http://www.electronista.com/articles/07/12/20/mac.security.vs.windows/&startNumber=0


Additional info:
http://blogs.zdnet.com/Burnette/?p=496
http://www.roughlydrafted.com/2007/12/21/vista-vs-mac-os-x-security-why-george-ous-zdnet-vulnerability-numerology-is-absurd/

whlteXbread
Dec 21, 2007, 01:57 PM
AND, oh yeah, the list of 200+ exploits included iPhone exploits...SOMEONE is flamebaiting!!

doh, beat to the punch...

jayducharme
Dec 21, 2007, 02:44 PM
This article from July seems to give a more thorough analysis of how OSX and Windows differ in security features. Although written about the iPhone, it does make several interesting points about how Windows handles embedded code.

http://www.roughlydrafted.com/2007/07/13/iphone-os-x-architecture-the-mach-kernel-and-ram/

The article is long and technical, but interesting.

John-S
Dec 21, 2007, 02:50 PM
yeah, this guy if so full of crap. I've spent the last hour going through that website he got the statistics from.

1st - The odvious, he is only comparing xp pro and vista '07 to EVERY VERSION of OS X made.

2nd - He is basically only listing the "advisories" # on those pages for XP Pro and Vista. In that case, with every version of OS X there are only 26 advisories while XP Pro alone has 30. Although he was nice enough to only include the "advisory" #'s plus one or two with Windows he didn't with OS X. He actually went in to each advisory and added up everything included with each advisory. If he did that with Windows it would have added to more.

3rd - He included other software in OS X OTHER then OS X. Flash player, SAFARI BETA (thats right... he included every flaw in a BETA program) etc.

4th - He didn't even bother to mention the EXTREMELY CRITICAL - Internet Explorer Multiple Code Execution Vulnerabilities - listed on Secunia's website on the 11th. If your going to mention Safari BETA then shouldn't this be inlcluded?

5th - In the way he provides info from Secunia's website, the world will be happy to know that XP Home has only had 182 advisories in its HISTORY of that website. Guess XP is pretty UN-Flawed...

6th - This includes every flaw plus some that you can find on Apples website. I would like to see why 234 are listed as "Highly Critical". Anyways, I have gone onto Microsoft's website and found SEVERAL vulnerabilities not even listed in this report.

7th - This guy states that "Secunia" is impartial and that may be true... but his article CLEARLY isn't.

8th - We don't need Apple to "step up" on security because of articles like this. This is proof that Apple has always stepped up because almost every vulnerability listed there has a link to apple website and a patch that was created before anything ever got into the wild.

9th - SP3 is due very soon. Wonder how much is listed there? Apple is listing all their vulnerabilities everytime they issue an update. If windows would put out more security updates then maybe these guys would read them more when doing reviews and use that info.

10th - I just wanted to make it to 10 since I had no idea why I #rd my comments. Thats the second time I've done this on a forum in a week... Weird, dumb new habit.


The writer of this article is in NO WAY credible. He just wanted headlines and to "appear" he knew what he was talking by adding links about HOPING nobody would actually do any footwork on those links.

As for that contest he referred too. Nobody won fair and square. Nobody got root-privileges so they changed the rules so someone could win. Read this article:

http://www.heise-security.co.uk/news/88631

I still like what sophos recommends. But I'm sure they are not as credible ; )

"In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to shield themselves from the malware onslaught."

http://www.sophos.com/pressoffice/news/articles/2006/07/securityreportmid2006.html
(article written in 2006)

walnuts
Dec 21, 2007, 04:21 PM
Snore.

Who cares if my house has more broken windows than yours if nobody is trying to climb in them?

Besides, *NIX underpinings, responsible computing, and a decent backup structure (thanks to Time Machine) have me not so worried about this.

Yes, but, we as a mac community, and certainly apple as a company, shouldn't be touting/marketing that mac is so much secure than windows. A pile of firewood isn't fireproof just because someone hasn't lit it on fire.

Brianstorm91
Dec 21, 2007, 04:47 PM
My hate for Windows grows stronger day by day, I physically cannot wait any longer than MacWorld, if I don't get a new MBP then I will probably kill myself.
Windows is so unbearable, I can't stand it. I've spent an hour trying to get 1 video into iTunes because of about 700 different Windows-related DRM or Codec or DivX or general tight-arseness, I. Loathe. Windows.
I'm going to throw this laptop out of my window I swear.

cwt1nospam
Dec 21, 2007, 05:05 PM
Regardless of the seriousness of the exploits, Apple needs to close them off asap and really be proactive.
These are not exploits. They're vulnerabilities that Apple closed. That's one of the things that makes the article so absurd! He's essentially saying that because Apple closed more vulnerabilities, the Mac OS must be more vulnerable. Of course, he's ignoring the fact Windows is successfully exploited thousands of times per day while a few Mac users have had some relatively minor trouble with a trojan. That's a crucial point because if the Mac is rarely exploited now, and Apple is closing lots more vulnerabilities than Microsoft is, then if we're going to come to any conclusion it would have to be that the Mac OS is becoming even more secure than Windows.

Just to be clear: I'm not saying the Mac is 100% secure. NOTHING ever is. Not even Fort Knox. But relative to the corner store that is Windows, OS X looks as strong as Fort Knox.

DMann
Dec 21, 2007, 05:13 PM
Yes, but, we as a mac community, and certainly apple as a company, shouldn't be touting/marketing that mac is so much secure than windows. A pile of firewood isn't fireproof just because someone hasn't lit it on fire.

Neither does calling something flammable mean that it will continue to burn once it has been lit on fire - the report is 98% flawed. Extremely Critical = crying wolf.

yeah, this guy if so full of crap. I've spent the last hour going through that website he got the statistics from.

[...]

Thank you for revealing the smoke and mirrors of this biased endeavor....

Mudbug
Dec 21, 2007, 05:27 PM
Thanks for the heads-up, mkrishnan...
Methinks RoughlyDrafted changed their link after I linked it, so it made my original link dead. (I've just now fixed that one) As to the two links sharing the same thread, that only made sense to me given that if there were actually two threads, they would have contained the same arguments. I made it only one thread to spare myself the thread merge later on. :)

Happy Thankschristmahannukwansicasmasgiving to everyone. :D

Eraserhead
Dec 22, 2007, 05:34 AM
Thanks for the heads-up, mkrishnan...
Methinks RoughlyDrafted changed their link after I linked it,

The Google link got a 404 not found error on their site so this is likely.

MikeTheC
Dec 22, 2007, 09:38 AM
I guess the only thing which continues to amaze me is not the continuing large number of vulnerabilities in Windows, but the continuing large number of people defending it.

However, as a rule I've learned not to have too particularly much respect for people in the tech industry.

solvs
Dec 23, 2007, 12:12 AM
Who cares if my house has more broken windows than yours if nobody is trying to climb in them?
Actually, it's more akin to being in an otherwise secure building or safe area, but forgetting to lock a window, or even a door. Windows on the other hand, has openings, some of which are broken and/or huge, are in horrible neighborhoods, and they're everywhere, some of them even with better stuff inside. Some people have alarms and bars on their windows, or just put up some tape and hope no one bothers them, but the houses themselves are full of holes. But in the last year they've had slightly fewer, so despite being decrepit stucco built on years of old sticks and straw, somehow they're better than the brick houses some of us forget to lock up because we're so smug because most of them time, no one ever tries to break in.

stuff99
Feb 7, 2008, 06:14 PM
so does that mean mac users are living safely because virus writers still can't be bothered to write a virus for us yet?

clevin
Feb 7, 2008, 06:26 PM
so does that mean mac users are living safely because virus writers still can't be bothered to write a virus for us yet?

in part

hugodrax
Feb 7, 2008, 07:11 PM
I find it hard to believe that viruses do not exist because of the userbase size.

#1 A hacker would love to be the first on the block to show off his/her Mac Sploit' and get super l33t street cred for it and end up appearing on all kinds of Blogs,magazines etc..


My internet porn surfing has not resulted in any issues on my mac. Nice to be able to check out the babes without worrying about spyware :)

DMann
Feb 7, 2008, 08:54 PM
so does that mean mac users are living safely because virus writers still can't be bothered to write a virus for us yet?

Writing a successful virus capable of propagation for OS X is still a pain no matter how you look at it - there is really no place for it to hide, or to execute, without the administrator's permission.

stevegmu
Feb 7, 2008, 09:01 PM
I find it hard to believe that viruses do not exist because of the userbase size.

#1 A hacker would love to be the first on the block to show off his/her Mac Sploit' and get super l33t street cred for it and end up appearing on all kinds of Blogs,magazines etc..



Exactly. A Mac virus would be front-page news. I would think it would be the holy grail of hacking. Windows viruses are a dime a dozen, but the 1st Mac virus...

dejo
Feb 8, 2008, 11:02 AM
Exactly. A Mac virus would be front-page news. I would think it would be the holy grail of hacking. Windows viruses are a dime a dozen, but the 1st Mac virus...
Agreed. What would garner a professional thief more notoriety and infamy? Claiming: 1) I broke into a whole block of houses that left their doors and windows open, or 2) I broke into Fort Knox? :)