
Security Statistics and Operating System Conventional Wisdom

CmdrTaco posted more than 10 years ago | from the you-ain't-kiddin dept.


kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed.""


556 comments


Flamebait (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9613611)

in the form of an article... we have been through this crap already.

MOD GRANDPARENT POST FLAMEBAIT (1, Funny)

Anonymous Coward | more than 10 years ago | (#9613666)

It had to be said

Re:MOD GRANDPARENT POST FLAMEBAIT (0)

Anonymous Coward | more than 10 years ago | (#9613725)

Wouldn't the grandparent to your post be the article itself since you are the child of the fr0st pist?

Re:MOD GRANDPARENT POST FLAMEBAIT (0)

Anonymous Coward | more than 10 years ago | (#9613775)

that's the point. the article is flamebait. that's what the grandparent to you said.

Welcome to Bizzaro World! (5, Funny)

Zorilla (791636) | more than 10 years ago | (#9613612)

...where MS wants you to use Firefox and Mac OS X is less secure than Windows!

Until LM authentication is gone... (4, Insightful)

pegr (46683) | more than 10 years ago | (#9613644)

Until LanManager authentication is totally removed (not just turned off) from Windows, Windows will not be secure. There are just too many exploits involving LM authentication to take Windows seriously.

Re:Until LM authentication is gone... (2, Insightful)

x0n (120596) | more than 10 years ago | (#9613830)

Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

Please elaborate.

- Oisin

Re:Until LM authentication is gone... (3, Insightful)

julesh (229690) | more than 10 years ago | (#9613861)

Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

What's wrong with having insecure features that are disabled by default? Many people operate in secure environments where such features (which they need for interoperability reasons) offer a "good enough" degree of security. There's no point in making these people's life harder.

Security or obscurity (0, Troll)

Anonymous Coward | more than 10 years ago | (#9613626)

I don't think too many people have said MacOS X is especially secure just that no one cares enough to exploit it.

Re:Security or obscurity (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9613660)

OMG UR SO FUNNY HA HA THAT HAS NEVER BEEN THOUGH OF HAHA OH MAN WTFBBQ! you suck. really. aoetaonheanaensaotensaotnhatnaohitnsahutnouhtnahut noauhtnoahtnauhtasonuhtaonzoaeoae

Re:Security or obscurity (0)

Three Headed Man (765841) | more than 10 years ago | (#9613714)

I remember reading about them discovering and patching a "remote root access exploit" at Apple. Reread that phrase in quotes. Remote root access exploit. Nobody really cared. It was because, for the numbers of boxen you could hack and "pwn", the bug wasn't all that useful because it had limited use.

Re:Security or obscurity (0)

Anonymous Coward | more than 10 years ago | (#9613765)

No, it's because hackers can't afford Macs.

Re:Security or obscurity (0)

Anonymous Coward | more than 10 years ago | (#9613826)

Script kiddies may not care, but I assure you that there are governments and criminals that do.

On a side note... (5, Funny)

Anonymous Coward | more than 10 years ago | (#9613627)

We would all like to thank the millions of dollars Microsoft invested in our research to bring it to the successful conclusion.

It took us a couple of tries to get the results so that they would give us the right answer, but eventually we figured out a way. Microsoft kept funding us all along the way.

Thank you!

Straight from the horse's mouth (5, Informative)

paranode (671698) | more than 10 years ago | (#9613717)

These are the statistics that really matter:

Secunia Virus Statistics [secunia.com]

Of course you'll notice the common Win32. in front of all of them.

Debian. Who cares? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9613628)

Not the developers, that's for sure. GNU/Hurd will be ready long before the next debian-stable. You watch.

Re:Debian. Who cares? (0)

Anonymous Coward | more than 10 years ago | (#9613640)

You mean Debian GNU/Hurd, the only real Hurd distribution?

Re:Debian. Who cares? (0, Offtopic)

RAMMS+EIN (578166) | more than 10 years ago | (#9613663)

Actually, I think the next stable release won't be that long now. And Hurd is definitely not going to be ready for all platforms Debian supports by that time.

And whom funded this 'article' (3, Funny)

nurb432 (527695) | more than 10 years ago | (#9613643)

If you trace the money, there won't be much surprise in who it leads back to.

Re:And whom funded this 'article' (0)

Anonymous Coward | more than 10 years ago | (#9613683)

Not to be a grammar Nazi, but it's "who funded this article," not "whom."

Re:And whom funded this 'article' (0)

Anonymous Coward | more than 10 years ago | (#9613801)

Zig Heil, very true.

Re:And whom funded this 'article' (0)

Anonymous Coward | more than 10 years ago | (#9613755)

Micorsoft

Re:And whom funded this 'article' (0)

Anonymous Coward | more than 10 years ago | (#9613852)

The Stonecutters!

Billy Gates and Stevie Jobs are both members they are playing us for saps. Linus couldn't join because they already had one Torvalds...

I will not be silen...[TRANSMISSION ERROR]

Missing Stats? (5, Interesting)

BearJ (783382) | more than 10 years ago | (#9613649)

Ok, from my read of the article everything is roughly equally insecure, give or take. Question then becomes, how quickly are these problems responded to. Surely Microsoft as the largest company out there would be the quickest right?

right?

Re:Missing Stats? (1, Insightful)

stratjakt (596332) | more than 10 years ago | (#9613750)

They really do respond quickly, usually the first time I hear of a new exploit is when automatic update prompts me to download and install it. Usually a few days before it's posted on Slashdot for the second time.

You can't compare to the OSS project directly. You have to compare to the distro. How long does it take for patched fixed code to be available by an emerge or apt-get? I know the OSS community is pretty good too.

Frankly though, typing emerge -u samba (if say, it was a samba bug) takes about 6 months to complete on some of my less capable machines.

I'm called a troll, and will be modded down again. But the plain truth is there is no perfect OS out there. Windows isn't perfect, linux isn't perfect, BSD isn't perfect, BeOS isn't perfect, OSX isn't perfect, Solaris isn't perfect.. Etc, etc.

I tire of all the idiocy around OS's bandied about on slashdot. For a "news for nerds" site, people here sure don't know what the fuck they're talking about. It blows my mind how little they know about computers or the industry at times.

Oh well.

All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the world's PCs were by themselves on a desk, or on some small 10mbit lan with a couple others.

When a virus hit, it'd spread like wildfire across the sneakernet.

No one worried about remote exploits, because there was no "remote", for the most part. Now, in the age of the internet, it's a big deal. But everyone's still learning. Hell, the internet began with completely insecure protocols (http, ftp, smtp, telnet). Our security was basically mutual trust and good faith.

Anyways, the end.

Re:Missing Stats? (5, Insightful)

radicalskeptic (644346) | more than 10 years ago | (#9613792)

The stats don't make sense to me. Here's what I see:

Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

So that would mean, multiplying 46 by 48% would give you the number of remote attacks, and multiplying 46 by 46% would give you the number of attacks enabling system access. So for Windows:

  • 22.08 remote attacks.
  • 21.16 system access attacks.


Don't ask me why they are not integers. I suppose that some advisories covered more than one bug?

Now, for OS X: Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

Using the same system as before, I got:

  • 21.96 remote attacks.
  • 11.52 system access attacks.


So they're saying OS X allows HALF of the number of attacks that can gain access to a system as XP, but their conclusion is that "The myth that Mac OS X is secure, for example, has been exposed"??? Hmmm....

Follow the money. (3, Funny)

user no. 590291 (590291) | more than 10 years ago | (#9613651)

I wouldn't be the least bit surprised to find that this "Secunia" derives funding from a common source with SCO.

Re:Follow the money. (4, Interesting)

fuzzix (700457) | more than 10 years ago | (#9613758)

I wouldn't be the least bit surprised to find that this "Secunia" derives funding from a common source with SCO.

Not true. Secunia is its own private concern and judging from correspondence they have with the inquirer [theinquirer.net] I very much doubt they'll be swayed by "contributions" as easily as our R&D friends at Adti.

That said, there are some omissions from the article such as which applications in the Linux distros were vulnerable and how long it took for each vuln to be patched.

No. of vulnerabilities vs actual exploits (4, Insightful)

martin (1336) | more than 10 years ago | (#9613652)

Would be nice to see how many of these *potential* exploits resulted in actual malware/hackers using them.

Just because the potential is there doesn't mean these holes have exploits running in the wild.

It's a risk thing...Windows exploits are *more* likely to be exploited than Solaris ones, but that doesn't mean the Solaris ones won't be exploited (cf a couple of super computer centers getting hacked!)

Correlation vs Mechanism (5, Insightful)

laudney (749337) | more than 10 years ago | (#9613815)

In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to understand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.

Before we all jump on the AdTI bandwagon... (4, Informative)

Xshare (762241) | more than 10 years ago | (#9613654)

...and everyone says that Microsoft is paying Secunia to do this, etc. (like with AdTI, though AdTI really is getting funding from MSFT, different story), read this: http://www.linuxinsider.com/story/32370.html [linuxinsider.com]
It seems that it was Secunia which released lots of IE bugs, and that Microsoft has had scuffles with them before. Unless someone here has evidence that they got funding from MSFT since then, don't say that.

Re:Before we all jump on the AdTI bandwagon... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9613685)

Who invited you to the party?

Re:Before we all jump on the AdTI bandwagon... (0)

Anonymous Coward | more than 10 years ago | (#9613692)

Everyone has their price. Perhaps MSFT sent some money their way to, um, redirect the emphasis of its research a little. I agree that without evidence, this can't be proven, but it's certainly plausible.

~~~

Re:Before we all jump on the AdTI bandwagon... (4, Insightful)

robogun (466062) | more than 10 years ago | (#9613705)

Explain then the FUD from these guys, and why they ignore, in terms of everyday use, why only Windows/IE users can get r00ted by simply browsing a website, and OSX users can't. How come when I re-install Win2K SP# it takes 63 security updates over nine reboots before I can even consider plugging in directly to the net.

This article is so beyond common sense and everyday experience, I cannot see how it can possibly hold up to examination.

Re:Before we all jump on the AdTI bandwagon... (1)

operagost (62405) | more than 10 years ago | (#9613739)

I assume '#' = '3'.

The answer is, you should be installing SP4. SP3 came out almost three years ago. Of course there are security updates missing. And there aren't 63 of them. I don't believe there are even 63 updates of any kind after SP3.

Re:Before we all jump on the AdTI bandwagon... (1)

robogun (466062) | more than 10 years ago | (#9613809)

Yep it's SP3. I don't feel like buying another copy of 2000. There are 63 by actual count, a couple weeks ago. There have been two new critical updates since then.

What is strange is when doing this, you finally get down to only 2 or 3 left, which must be installed separately, after the reboot, there are five more. Which tells me some critical security updates must receive their own later security updates. For instance, this latest one is only a partial solution by msft's own admission.

This is with Windows Update via IE. Possibly by manually installing the security updates, the actual count will be less.

Re:Before we all jump on the AdTI bandwagon... (1)

GlassUser (190787) | more than 10 years ago | (#9613766)

That's usually because the user chooses to install software. That software then runs in the security context of the user. Since most windows users are lazy, they have admin rights on all their accounts. The software then "gains root".

It's a combination of laziness and failing to enact a sensible policy.

Re:Before we all jump on the AdTI bandwagon... (2, Insightful)

MoonBuggy (611105) | more than 10 years ago | (#9613837)

I'd also take exception with the statement that "The myth that Mac OS X is secure, for example, has been exposed." Reading the article it seems to show that OSX was in fact the most secure, even by their criteria. Why does the fact it is apparently more secure than the competition lead them to say it is not secure? (or have I missed something important here?)

Re:Before we all jump on the AdTI bandwagon... (1)

Xshare (762241) | more than 10 years ago | (#9613720)

Also, yet another article about Secunia, very interesting: http://www.internetnews.com/dev-news/print.php/2170381 [internetnews.com]
It seems they have a very "free as in freedom" view on security, etc.
"We believe that security information should be free, so that administrators can patch their systems and software developers can learn from the mistakes made by others. All the security researchers and experts who post to Full-Disclosure, VulnWatch and Secunia want their research to be free and available; we owe them that much," Kristensen declared.

Re:Before we all jump on the AdTI bandwagon... (2, Insightful)

mj01nir (153067) | more than 10 years ago | (#9613793)

But isn't it interesting that now whenever anyone appears to support Microsoft, they're automatically suspected of being a MS sock puppet? Years of string-pulling by Bill and Monkeyboy have put wireheads everywhere on alert. Looks like yet another underhanded tactic is backfiring on them.

Mac OSX and Linux - face the facts (5, Funny)

Anonymous Coward | more than 10 years ago | (#9613659)

The Mac and Linux communities need to accept the fact that Windows, however much you might HATE Microsoft, is more secure.

How many independent reports have we seen that come to the same conclusion? 10? 20? The head in the sand approach won't work. The "Microsoft Shill" theory doesn't hold water.

No, it is time for the Linux community to address these issues and bring Linux back up to the level of Windows.

And by the way, I'm a cybersecurity consultant, so I know what I'm talking about.

Re:Mac OSX and Linux - face the facts (5, Insightful)

mangu (126918) | more than 10 years ago | (#9613776)

How many independent reports have we seen that come to the same conclusion?


I once read that Hitler ordered a report made, signed by a hundred scientists, proving that Einstein was wrong. When they asked Einstein about it, he answered "if I was wrong, one scientist alone would be able to prove it".

Re:Mac OSX and Linux - face the facts (1)

skroz (7870) | more than 10 years ago | (#9613782)

"Cybersecurity consultant" huh? The only people I know of that use that title are PHBs looking for catchphrases on resumes, jackasses with A+ certifications that read a book on security once, my boss, and Kevin Mitnick. And I wouldn't let ANY of those people anywhere near a secure system unless they were menacing me with some kind of weapon that I was sure would actually work.

Cyber is an idiot prefix/word for soundbites, the fear mongers at DHS, and William Gibson.

Re:Mac OSX and Linux - face the facts (0)

Anonymous Coward | more than 10 years ago | (#9613800)

And by the way, I'm a cybersecurity consultant, so I know what I'm talking about.

Rule Number One: Never trust anyone with "cyber" in their job title.

How respectable are these guys? (1)

CaptainPinko (753849) | more than 10 years ago | (#9613661)

Does anyone know of this company? Are they another AdTI? Any known connections to SCO or Microsoft? Is it tinfoil hat time or is it time to reconsider our prejudices about stability and security?

Re:How respectable are these guys? (4, Insightful)

maximilln (654768) | more than 10 years ago | (#9613756)

Secunia, IMHO, is a respectable security source.

I admonish the following:

Security databases are largely fed with information from people working on open source code. It is much easier to find a logic fault in source code than to notice a bug and reverse engineer its origin in proprietary code. When I mangle entries for security databases the majority are for open source code. By and large the security databases are weighted in such a fashion that makes open source code look less secure.

When I last looked at my Windows Update history on my machine at work, there were no fewer than 10 security patches and, going to the MS website, each one patched several security holes in this/that/the other. None of these will ever be documented in databases like Secunia because MS doesn't release the technical information. Secunia only lists the exploits which users in the field have found and submitted.

So relax, people. The article may be inflammatory and perhaps the head of Secunia should be shoulder-checked for 3 hours straight on the soccer field, but the Linux OS is still outperforming the competition.

Hmmm... (2, Interesting)

morgdx (688154) | more than 10 years ago | (#9613665)

  • Lies
  • Damn lies
  • ....
  • Profit!

The lead line makes it sound like XP is more secure than OS X, and then you read down to find it's more like that OS X isn't much more secure than XP.

Now if the comparison included the length of time that exploits were left unpatched we would get an entirely different picture...

FUD? (2, Funny)

Anonymous Coward | more than 10 years ago | (#9613667)

Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.

FINALLY, someone who knows about pie charts, it's so clear now, absolutely no fud can be present in pie charts..

Let's be positive. I'm trying to rtfa but I keep having to do my 'chants' to get over the fud-ish language.

Maybe there's something in this... when I find some actual 'stuff' I'll get back to you.

Re:FUD? (1, Funny)

Anonymous Coward | more than 10 years ago | (#9613747)

Reminds me of a good quote from Mike Gordon of Phish: "It is kind of silly when they're making pie graphs about set list openers. But then, I always liked a good graph."

Re:FUD? (0)

Anonymous Coward | more than 10 years ago | (#9613770)

I've read the article and I still don't understand why someone would think, "The Micorsoft Windows application is more secure than you think".

It's a blank statement and says nothing.

I believe the Micorsoft Windows Application is secure, since it doesn't exist. It's the Microsoft Windows (tm) OS I'm worried about.

The Microsoft Windows .... what? (1)

julesh (229690) | more than 10 years ago | (#9613671)

The article opened with the words "The Microsoft Windows application".

I'm not sure I want to read any further.

Re:The Microsoft Windows .... what? (1)

julesh (229690) | more than 10 years ago | (#9613693)

The company in question have an "advisory" on the front page of their site ... that a web site that uses frames might be able to display content from another site inside it.

I think we all knew that one.

Re:The Microsoft Windows .... what? (1)

Knuckles (8964) | more than 10 years ago | (#9613728)

You are giving them too much credit: it opens with the words The Micorsoft Windows application. Inspires confidence, doesn't it?

Re:The Microsoft Windows .... what? (0)

Anonymous Coward | more than 10 years ago | (#9613733)

Dude, I think they're just poking fun at MS calling this bloatware an operating system, when it is laden with so much cruft that has nothing to do with it being an OS.

Windows really is an application with an operating system buried somewhere deep inside.

Re:The Microsoft Windows .... what? (1)

mrnobo1024 (464702) | more than 10 years ago | (#9613821)

Windows doesn't have any more "cruft" than the average Linux distribution. Would you rather have just a kernel, a shell, and coreutils; or would you want a system where things can be done out of the box without the hassle of installing it all?

Micorsoft? (3, Funny)

philkar77 (752923) | more than 10 years ago | (#9613677)

from the article: "The Micorsoft Windows application is more secure than you think..."

A statistic is like a whore... (2, Funny)

rainer_d (115765) | more than 10 years ago | (#9613686)

...everybody can fuck around with her, while paying.

Gah! (1, Offtopic)

CaptainAlbert (162776) | more than 10 years ago | (#9613687)

Didn't see the actual report, but I hope it's better than this incredibly inaccurate article!

> The Micorsoft

erm, Microsoft?

> Windows application

Which one? Oh, you mean the Microsoft Windows "Operating System".

> is more secure than you think,

What do I think? Go on, what? Tell me!

> and Mac OS X is worse than you ever imagined

So what exactly did I imagine, dear writer?

Amateurs. :)

Patches do not equal problems. (3, Insightful)

djh101010 (656795) | more than 10 years ago | (#9613690)

Looking at my email inbox, I see a ton of junk generated by the Windows virus/worm of the week. Looking at my firewall logs, I see very little probing for any of the Unix exploits.

When the difference in use of exploits is an order of magnitude or two higher for the 'doze stuff, it's hard to see how a mere "count of vulnerabilities fixed" means much at all. The basic design differences between unix and 'doze are profound, which is why the 'doze exploits do so well.

Article is an irrelevance (4, Insightful)

eamacnaghten (695001) | more than 10 years ago | (#9613695)

The article is an irrelevance and does not deal with the real issues of security.

If a sysadmin is lazy and security unaware, he will ALWAYS be cracked into and exploited regardless of the OS system used, Windows Linux whatever. At the same time if he is vigilant and security aware he is unlikely to be seriously cracked and his systems will be stable, again regardless of the OS involved.

What I have found is that managing Linux properly is a lot easier and cheaper than managing the Windows OS's properly due to the better OS design in philosophy and security, and attitude of the OS maintainers.

THAT to me is what is relevant.

Re:Article is an irrelevance (1)

AliasTheRoot (171859) | more than 10 years ago | (#9613746)

What the heck are you doing posting?!? Unplug your computer from the network and pour concrete into the case now!

Don't dismiss this (3, Insightful)

ObsessiveMathsFreak (773371) | more than 10 years ago | (#9613696)

The facts are hard to look at, yet we all know that Linux, despite opinions to the contrary, has suffered from system holes. And to be quite frank, the fact that Mac OSX is leaking like a swiss cheese should not come as a surprise to anyone.

Linux is fallible, but at least with open source we can find bugs and get rid of them quick, without waiting for patches. Windows is not as bad as OS X in this regard either.
I find the statement that Linux suppliers took longer to release patches. Is that true? I know security conscious admins will patch themselves but is it true that vendors will ignore minor bugs?

Perhaps this is what the MS reps meant when they said Linux was becoming more like windows.

Re:Don't dismiss this (2, Funny)

Accipiter (8228) | more than 10 years ago | (#9613791)

Leaking like swiss cheese?

Did you perhaps mean to say "leaking like a sieve" or "full of holes like swiss cheese?"

Again Windows only vs. RedHat/SuSE plus apps? (5, Insightful)

Knuckles (8964) | more than 10 years ago | (#9613697)

I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

Re:Again Windows only vs. RedHat/SuSE plus apps? (1)

julesh (229690) | more than 10 years ago | (#9613789)

Tell me, what do you think?

Even if it was a stripped down build, how would you, for example, determine which of the several FTP servers that ship with (eg) SuSE is the one to substitute for the IIS FTP server? Which browser do you substitute for IE? Which chat program for MSN messenger? Which web server? Which e-mail server? These are all important questions that are quite hard to answer.

OK, it might be a little simpler with OSX, I've never installed it myself so don't know how many packages come with it, and what kind of variety there is.

Re:Again Windows only vs. RedHat/SuSE plus apps? (1)

schotty (519567) | more than 10 years ago | (#9613846)

Plus with the OSS world, you have people ACTIVELY trying to find problems just so they can be plugged up. Almost every issue with Linux and *BSD is resolved in a VERY short period of time. How long is the average Microsoft lag between find and repair? Much longer than Red Hat, SuSE, FreeBSD, OpenBSD, etc.

And yes, parent post : That is a great point -- if Windows XP Home doesn't include DNS, Web, Email, and DHCP servers -- why test it on Red Hat?

what does it prove? (3, Interesting)

Anonymous Coward | more than 10 years ago | (#9613700)

Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.

Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!

These studies analyze the statistics of the security advisories and attempt to draw conclusions. I don't see the value of it.

Here's what I do: I just *assume* that all operating systems and software is insecure (unless djb wrote it, heh). After all, I'm constantly updating FreeBSD, Gentoo, and Windows, all the time, anyway.

Since it only takes ONE show-stopper bug to let in an attacker, it really doesn't matter to me how *many* bugs each OS has.

In my experience, the easiest OS to upgrade is OS X. However I don't manage any production OS X servers, just my own computers, so take that with a grain of salt.

Next easiest is Gentoo. You can upgrade just the components you need, BUT it's a little hard to separate the security fixes from the non-security fixes (they are working on that though).

Next is FreeBSD. Like Gentoo, it's hard to pick out just the security updates, but they are working on that too. Rebuilding the base OS is time-consuming and risky, so FreeBSD gets a mark for that.

Next is Windows. Too GUI-oriented, and service packs are too complex and cause breakage.

However we do manage to keep all machines up to date and implement layered security (firewall, network IDS, host IDS [tripwire], remote syslog, log monitoring.......)

Re:what does it prove? (3, Insightful)

IamTheRealMike (537420) | more than 10 years ago | (#9613816)

Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!

How can you not find arbitrary remote code execution from a web browser [incutio.com] highly critical? It meant that if a bad guy hacked a website popular with Mac users, they could take control of many machines potentially without their users noticing - just like the problems Windows has.

The solution is clear ... (3, Funny)

operagost (62405) | more than 10 years ago | (#9613709)

Use VMS! [openvms.org]

Bought and Paid for By Microsoft (1)

Master Bait (115103) | more than 10 years ago | (#9613715)

...most likely. Though I'm not going to bother investigating ties between M$ and Secunia.

In the real world, Windows machines are real sinkholes for real exploits, while Mac and Linux machines aren't.

But Macs have security through obscurity! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9613719)

Security through obscurity does work in this case. Almost nobody owns a freaking Mac. Hell, you have to use the exploits on other systems to break into banks so you can afford a Mac to be able to write exploits for it!

Junk Science (4, Insightful)

Hatta (162192) | more than 10 years ago | (#9613730)

The statistics, based on a database of security advisories for more than 3,500 products during 2003 and 2004

The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.
This research tells you nothing about how secure an OS is. The number of security advisories has a lot to do with how diligent the OS manufacturer is in informing the public about security problems. For all we know Apple could just be a lot better about airing its dirty laundry than Microsoft. I would assume that due to the open source model, the statistics on SUSE were fairly accurate.

Re:Junk Science (0, Offtopic)

stratjakt (596332) | more than 10 years ago | (#9613825)

Spin it however you want, you're just as wrong as anyone in MSFT's marketing dept.

There is no secure OS. The word "security" wasn't even brought up with regards to OS design until 5-10 years ago. Not until we hooked all the computers together on the internet was a "remote exploit" a worry. The focus was on ease of use, and making the computer do useful things.

Now, cryptology is a booming field, people are looking hard into replacing old insecure protocols. FTP and telnet were "good enough" for a long, long time.

The message here is "all you fanboys shut the hell up, none of you know what you're talking about. All OS's suck from a security viewpoint."

The biggest security hole on any machine is the person administrating it. No OS is immune to a moron.

Counting advisories is skewed (5, Interesting)

upsidedown_duck (788782) | more than 10 years ago | (#9613734)


One problem with counting only advisories is simply that there are different levels of transparency to users and developers among Windows XP, Linux, Solaris, and Mac OS X. One thing the study doesn't mention (which is unknowable, so they conveniently brush it off as unimportant) is how many covered-up or known-only-by-crackers vulnerabilities exist in each platform.

Also, why didn't the study mention OpenBSD? What about default configurations? Were the documented vulnerabilities always relevant or were they very obscure (e.g., service X used by three people in Greenland)?

I think this article smells biased.

They neglect to mention.. (5, Insightful)

EMR (13768) | more than 10 years ago | (#9613742)

That OS X doesn't have any network service running when first installed!!.. Nothing, nada, zilch, zippo.. In order to get exploited you need to have something running that accepts connections.. The default install of the Mac OS X doesn't have a thing. Whereas Windows has way too much enabled and exposed.. Most Linux systems nowadays, while they may have some things running, most are only listening to the internal host (not accessible outside the computer) and they default enable the firewall.

Re:They neglect to mention.. (0)

Anonymous Coward | more than 10 years ago | (#9613867)

Wasn't there a gaping security hole in DHCP on OS X? Something about it allowing the DHCP server to make configuration changes...

Somebody explain to me... (4, Insightful)

RAMMS+EIN (578166) | more than 10 years ago | (#9613745)

Somebody explain to me how this article supports the claims that have been based on it.

``Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

<snip>

SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access.

<snip>

Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.''

So, Windows XP and SLES had about the same number of vulnerabilities, but SLES manages to keep them out of the vital parts better. Mac OS X has had significantly (about 30%) fewer vulnerabilities, with the percentage of vulnerabilities leading to system level access on par with SLES.

What this says to me is that _if_ the detection ratio for all systems is the same (which I don't believe, but without this assumption, you can't say anything), WinXP is the worst, and OS X the most secure. This is exactly opposite to what is claimed.

Doesn't change the facts... (4, Informative)

nattt (568106) | more than 10 years ago | (#9613752)

Statistics don't change the facts that after running Mac OS X since its inception, I've not had one OS X virus, or any of these exploits used against my machines. And the stats don't take into account not just how quickly a patch is released, but how quickly the users of that OS patch it.

Re:Doesn't change the facts... (1)

Izeickl (529058) | more than 10 years ago | (#9613850)

Doesn't change the fact that I have never had a virus or exploit against me on any Windows machine I've had for the past 9 years either. I think this study points out that just because you run OS X you're not immune, and just because you run Windows you don't attract viruses and exploits like a plague rat. The user/admin can be the biggest deciding factor whether or not a virus or exploit affects you.

Windows is for everyone (1)

Doc Ruby (173196) | more than 10 years ago | (#9613760)


Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.


In other news, ebola is much more lethal than cancer. And the Commodore VIC-20 OS is much less secure than Windows.

Black and White (4, Informative)

INeededALogin (771371) | more than 10 years ago | (#9613764)

As a Mac OSX user I have to defend my lil OS that could.

This poll does not take into account the time to resolution, effect of exploit, and how hard it was to actually perform the exploit. Honestly, all software has bugs, all software has exploits; it is the result of those exploits that I am more concerned with. Quite often Apple finds and fixes exploits before there are programs in the wild to exploit them. The same goes for Open-Source software, which I am sure some of the OSX advisories were a result of, given Apple's embrace of OSS.

Ask an Apple user how many Viruses, pop-ups, and unexplained daemons they have had on their system. The number will almost always be 0.

Potential study problem (5, Insightful)

Synn (6288) | more than 10 years ago | (#9613772)

The study compares security alerts between OSes, but one problem with that is that at least under Linux vendors not only release alerts for the core OS, but for applications as well.

If The Gimp has a security issue a Linux vendor will issue an alert for it.

If Photoshop has a security issue, MS won't inform you.

Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, plugging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.

lies, damned lies and statistics (2, Interesting)

carndearg (696084) | more than 10 years ago | (#9613773)

I think this research misses the point. They deal with the number of security advisories, not with how quickly or effectively (or even if) the holes were fixed.

I would be far more interested to hear, on the MacOs example for instance, how Apple responded to its security holes and how that compared to those of Microsoft or the Linux community.

How is 36 48 ? (1)

Butterwaffle Biff (32117) | more than 10 years ago | (#9613777)

I glanced through the article and they seem to say that MacOS X had 36 vulnerabilities while XP had 48 over the same period. They then claim that this is not significantly less. Even if you discard all but the "serious" of the vulnerabilities (of which they claim MacOS X had more, but I disagree, not having seen any exploits for them) the two come out even at best. Why, then, are they so happy about XP?

Re:How is 36 48 ? (1)

stratjakt (596332) | more than 10 years ago | (#9613868)

They aren't "happy about XP". I didn't read this as an "XP is awesome! buy it!" piece at all. I read it as a "wake up you zealots, you could be every bit as vulnerable as anyone else" piece.

A false sense of security is not your friend. Especially if it's only based on fanaticism and not any sort of facts.

It's not the system, it's the admin (3, Insightful)

nurb432 (527695) | more than 10 years ago | (#9613783)

90% of security is the administrator. So it really doesn't matter how secure the 'system' is, as a good admin can make most anything secure.

That said, most 'windows admins' are home users ( by percentage ) that have NO clue what they are doing...

Home *nix admins tend to have more clue..

Re:It's not the system, it's the admin (1)

stratjakt (596332) | more than 10 years ago | (#9613841)

I'd say most Mac owners know nothing whatsoever about computers, and bought a Mac based on its reputation for being easy to use and that it "just works".

Home *nix admins, btw, think they know everything. Most are complete morons if you peek under the veil - hell, just read slashdot objectively and tell me what you think the IQ of the average gentoo (debian, whatever) zealot is.

Mirror (1)

Shachaf (781326) | more than 10 years ago | (#9613788)

The website was pretty slow, so here's a mirror:

Mirror [spymac.net] .

Just counting (3, Insightful)

miraclemax (702629) | more than 10 years ago | (#9613798)

They're just counting bug fixes. And counting how many are labeled critical. Well, that still doesn't factor in, at all, how easy it is to exploit. Fact is, if you try to run a system level program on Mac OSX, it STILL will ask for admin password. So a program can't be run on your machine in kernel space without your knowledge. Windows seems to have been made for just this purpose. This study is laughable. It's just a count the bug fixes garbage. Linux has more fixes and updates because open source is more honest. How often have we heard of M$ waiting six months to release fixes that they knew about? How many holes are there that the public doesn't know about?

Still not accurate (4, Interesting)

signe (64498) | more than 10 years ago | (#9613804)

Once again, we have someone comparing Windows with RedHat, while not taking into account that RedHat is comprised of many many additional applications that don't have equivalents in the Windows install. Not to mention many server applications (Apache, bind, sendmail, rsync, etc.) that enable the remote access that many of the security vulnerabilities use. I would wager that OS X is in a similar situation (when compared with Windows).

Let's have one of these companies do a real test. Where they take a Windows install, and then a RedHat (or SuSE) install crafted to match it as closely as possible. No servers, Mozilla installed on the Linux system. Just the basics. Then count the vulnerabilities. It will tell a much different story.

-Todd

The most important question for me (1)

Zork the Almighty (599344) | more than 10 years ago | (#9613810)

How many vulnerabilities result in unauthorized access ?

WinXP 21
Suse 18
OS X 12

Security reporting worse than you ever imagined (5, Insightful)

Frater 219 (1455) | more than 10 years ago | (#9613823)

The reported study discusses the number and claimed severity of official security advisories for different systems. The factitious claims being made do not address the following problems:

Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.

A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?

Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.

Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.

Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.

Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.

Seeing is believing.... (0)

Anonymous Coward | more than 10 years ago | (#9613824)

Windows XP Professional and Windows XP Home Edition are listed separately. Windows XP Professional has 66 advisories total and 45 in the last year. Windows XP Home Edition has 58 total and 43 in the last year. For all versions of Mac OS X there are 36 total and 33 in the last year.

Windows XP Professional
http://secunia.com/product/22/

Windows XP Home Edition
http://secunia.com/product/16/

Mac OS X
http://secunia.com/product/96/

forget about who's funding it... (1)

peteforsyth (730130) | more than 10 years ago | (#9613832)

...this article reads like it was written by a PR person for Secunia. It's basically an advertisement for their service, with a bit of sensational news about OS X and Windows as the hook.

Looks to me like a case of a swiftly approaching deadline and a lazy editor at Computer Weekly. They just took a PR puff piece for Secunia, chewed it up, changed around a couple sentences, and spat it back out.

These guys can't count. (2, Interesting)

minator (744625) | more than 10 years ago | (#9613842)

This came up on OSNews a while back.

They count security patches from MS as 1 when they were actually patching 14 vulnerabilities.
They also didn't include the vulnerabilities in IE - which alone had nearly as many as OS X.

Their conclusion would be very different if they actually knew how to count.

It is nothing more than FUD dressed up as research.
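The counting problem raised by Frater 219 (batched advisories, holes in components that are off by default) and by minator (one patch covering 14 vulnerabilities) can be made concrete. This is an added example, not code from the thread or from Secunia; the products, advisory and vulnerability IDs, components and counts are constructed to mirror those arguments.

```python
"""Constructed illustration of why counting advisories is a skewed metric.

Added example, not from the Slashdot thread or from Secunia. "ProductA",
"ProductB", the advisory/vulnerability IDs and the default-enabled component
sets are all made up. ProductA batches many fixes into one cumulative
advisory; ProductB issues one advisory per hole and ships its SSH daemon off
by default. The three metrics below rank the two products differently.
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    vuln_id: str        # placeholder ID, not a real CVE
    component: str
    severity: str       # "low", "moderate", "high", "extreme"
    remote: bool        # exploitable over the network


@dataclass
class Advisory:
    advisory_id: str
    vulns: list


# Components each hypothetical product enables on a default install.
DEFAULT_ENABLED = {
    "ProductA": {"browser", "kernel"},
    "ProductB": {"browser", "kernel"},   # "ssh" exists but is off by default
}

# Constructed advisory feeds for one reporting period.
ADVISORIES = {
    # One cumulative update covering 14 holes: 7 remote browser bugs,
    # 7 local kernel bugs.
    "ProductA": [Advisory("PA-001",
        [Vulnerability("V-A-%02d" % i, "browser", "high", True) for i in range(1, 8)]
        + [Vulnerability("V-A-%02d" % i, "kernel", "moderate", False) for i in range(8, 15)])],
    # Eight advisories, one hole each: 5 in the (disabled) SSH daemon, 3 in the browser.
    "ProductB": [Advisory("PB-%03d" % i,
        [Vulnerability("V-B-%02d" % i, "ssh", "high", True)]) for i in range(1, 6)]
        + [Advisory("PB-%03d" % i,
        [Vulnerability("V-B-%02d" % i, "browser", "moderate", True)]) for i in range(6, 9)],
}


def count_advisories(product):
    """The metric the article uses: number of advisories published."""
    return len(ADVISORIES[product])


def count_vulnerabilities(product):
    """Individual holes, so a 14-in-1 cumulative update counts as 14."""
    return sum(len(a.vulns) for a in ADVISORIES[product])


def count_reachable_by_default(product):
    """Remote holes in components a default install actually runs."""
    enabled = DEFAULT_ENABLED[product]
    return sum(1 for a in ADVISORIES[product] for v in a.vulns
               if v.remote and v.component in enabled)


def rank(metric):
    """Products ordered from most to fewest under the given metric."""
    return sorted(ADVISORIES, key=metric, reverse=True)


if __name__ == "__main__":
    for m in (count_advisories, count_vulnerabilities, count_reachable_by_default):
        print(m.__name__, {p: m(p) for p in ADVISORIES}, "->", rank(m))
```

Counting advisories ranks ProductB as the worse product; counting individual holes, or only those reachable on a default install, ranks ProductA worse.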

PLEASE RESPOND (0)

Anonymous Coward | more than 10 years ago | (#9613843)

Please post your comments about this article to columns@computerweekly.com [mailto]

In contrast... (1)

mratitude (782540) | more than 10 years ago | (#9613851)

I don't know that the purpose for rating security problems matters, nor does the emphasis on head-to-head number of events matter a great deal either. For instance, I didn't note in the article a comparison of how quickly firms or organizations responded with security fixes or notices of the security problem. We all know that the Linux community would lead any such comparison.

It is interesting to note though that an OS or apps "perceived" security relies heavily on the community using it. That Windows is insecure is well known mostly because a lot of people take much delight in exploiting the flaws (and no doubt, there are a lot of flaws). However, with the flaws in *nix flavor OS, they're there but they are fixed quicker and there aren't a lot of people taking great delight in exploiting the flaws. The perception derives from this nuance.

On the issue of "who does or doesn't" get exploited - I installed RedHat 6.1 and before I could get the system updated and general security in place, someone had gained root access and left a funky UID behind as a "nya-nya". It had been connected to broadband for only 30 minutes. I installed RH 7 and there wasn't a repeat of the incident (although the attempts were numerous - once an exploitable IP gets found, it makes the rounds among certain folk).

Patching, patching, patching! (1)

JamesR2 (596069) | more than 10 years ago | (#9613856)

Does this not really all boil down to sheer effort of continuous patching? Seems that all OS's and major applications have patch lists these days. Sure, the MS haters are actively exploiting the MS stuff, so the risk is higher. But if I had a Linux box, would I rest, not patch, because of this? I think not. Not to mention SSH, Apache, etc. I fear the junk that has no patches ... like printers and stuff that have web servers in them. Nice place for a Trojan to hide.

Anyone find it strange? (4, Interesting)

midifarm (666278) | more than 10 years ago | (#9613860)

...that in their super critical statistical analysis he never actually gave a number of OS X incidents, just some vague percentages? No real specifics at all. I mean sure, if OS X had 10 security holes and 6 were critical that'd be 60%, whereas if XP had 100 holes with only 37 of those as critical it'd only be 37%. By that logic XP would be rock solid secure! This just seems like Apple bashing, and had they mentioned what percentage of the OS X holes were in common open source programs that may have been across the board amongst Linux/Unix systems? At least I can gather that if there's a hole in Windows that M$ is to blame for the bad code, not a class project from MIT!

Peace

Effective security (1)

iamdrscience (541136) | more than 10 years ago | (#9613863)

Of course, like all statistics though, these numbers only show part of the story. There are more holes (and more serious holes) in OSX, but does that really affect your system's security (i.e. the chances of your system being compromised)? There are fewer (effectively zero) people who are writing worms for Mac OS, so you've got a very small chance of that happening, and there are far fewer people who are experienced at targeted compromises of OSX systems (and most of those few are white hats), so again your chances of your system getting compromised are probably lower than a Windows user's.

I'm not trying to minimize this though, this is something that I hope will be taken very seriously by Apple and is a real eye-opener for myself.