
More Mac Vulnerabilities Than Windows In 2007?

Zonk posted more than 6 years ago | from the dogs-and-cats-living-together-mass-hysteria dept.

Security 329

eldavojohn writes "A ZDNet blog reports stats from Secunia showing OSX averaged 20.25 vulnerabilities per month while XP & Vista combined averaged 3.67/month. Is this report card's implication accurate, or is this a symptom of one company turning a blind eye while the other concentrates on timely bugfixes? 'While Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.'"


329 comments


/. Windows bashing makes me want to throw a chair (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21741368)

They're just looking for excuses to downplay the results of the report.

News Flash: nothing has changed (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21742744)

I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!

OS X [securitytracker.com]
Windows XP [securitytracker.com]
I don't know why Vista doesn't have its own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft) [securitytracker.com] , and search for Vista. Only four things show up...

And the worst one of all, of course, is Teh Lunix [securitytracker.com] .

It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...

Security through obscurity will never beat actual security.

Ballmer? (0)

Anonymous Coward | more than 6 years ago | (#21742970)

Ballmer, is that you?

SLASHDOT SUX0RZ (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21741384)

_0_
\''\
'=o='
.|!|
.| |
more goatse for everybody [goatse.ch]

Counting shows nothing (4, Informative)

Ed Avis (5917) | more than 6 years ago | (#21741390)

How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security. [com.com] Counting vulnerabilities is a stupid way to measure security. [iss.net] Counting vulnerabilities is a stupid way to measure security. [lwn.net]

Shouldn't Slashdot link to some more insightful analysis?

Re:Counting shows nothing (0)

Anonymous Coward | more than 6 years ago | (#21741440)

Not only that, but the math used in TFA is wrong. The total number of XP + Vista bugs should sum to 54, for an average of 4.5/month, instead of the reported 3.67/month.

Re:Counting shows nothing (2, Insightful)

dgatwood (11270) | more than 6 years ago | (#21741540)

How did they total the vulnerabilities on different versions of Mac OS X? They need to combine them in the same way for comparison to be fair.

Even that isn't necessarily fair, though. If they combine them by summing, then vulnerabilities that appear in more than one version of Mac OS X would make Mac OS X look disproportionately bad simply because there have been many more versions of Mac OS X than Windows in the same period of time.

The only truly fair way to do these comparisons is to compare the number of vulnerabilities on each version of the OS separately. Any combining will skew the numbers one way or the other.

Re:Counting shows nothing (4, Informative)

ByOhTek (1181381) | more than 6 years ago | (#21741556)

Actually he explained it, and it isn't wrong.

Any exploit that occurred in both XP and Vista was only counted once for the total, not twice.
Just as any exploit that occurred in both OS X.4 and X.5 was counted once, not twice.

As long as he did the same thing on both operating system pairs, it's ok. Though he should have given a breakdown of the X.4 and X.5 bugcounts as well.

Re:Counting shows nothing (1)

mr_rattles (303158) | more than 6 years ago | (#21742508)

True but the author also left out Windows Server but he did count the vulnerabilities in the server applications that come with Mac OS X. This was NOT an apples to apples comparison.

Re:Counting shows nothing (4, Funny)

theelectron (973857) | more than 6 years ago | (#21742738)

This was NOT an apples to apples comparison.
No, I believe this was an Apples to Microsoft comparison.

Re:Counting shows nothing (5, Insightful)

someone300 (891284) | more than 6 years ago | (#21742630)

If you read some of the OS X vulnerabilities, you'll see that they're often in non-Apple software, such as CVE-2007-5476 (Highly Critical) which describes a "vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X". The Microsoft vulnerabilities tend to be referring only to the Microsoft software

Also, the way they rate vulnerabilities seems to be different. Microsoft "Highly critical" vulnerabilities seem to all be remote arbitrary code, and "Less critical" can be remote DoS, whereas "Highly critical" on OS X seems to sometimes include DoS. In fact, CVE-2007-4702 (less critical) doesn't even seem to be a security vulnerability. I thought it was discussed and found that the application firewall on OS X functioned as documented (though potentially not as a user would expect). CVE-2007-3036 and CVE-2007-0023 seem to describe similar vulnerabilities, but they're rated less critical on Windows than OS X.

Re:Counting shows nothing (1, Troll)

MrShaggy (683273) | more than 6 years ago | (#21742036)

Are they counting vista as one big huge one??

Re:Counting shows nothing (5, Funny)

slazzy (864185) | more than 6 years ago | (#21741480)

This just goes to show, nothing,not even exploits run on Vista...

Re:Counting shows nothing (0, Offtopic)

ByOhTek (1181381) | more than 6 years ago | (#21741696)

lacking modpoints, and annoyed at that being called troll, I'd just like to add my +1 funny.

Even as a person liking Windows (2000/XP anyway), I find that a riot.

Re:Counting shows nothing (0)

Howitzer86 (964585) | more than 6 years ago | (#21741582)

The odds are so overwhelming that it should still matter to you.

Re:Counting shows nothing (1, Insightful)

cyphercell (843398) | more than 6 years ago | (#21741706)

you didn't read a single link in the parents post, did you?

Re:Counting shows nothing (1)

unPlugged-2.0 (947200) | more than 6 years ago | (#21742780)

Read the link?

You must be new here.

Re:Counting shows nothing (5, Informative)

bunratty (545641) | more than 6 years ago | (#21741608)

Re:Counting shows nothing (0)

Anonymous Coward | more than 6 years ago | (#21742730)

Unless using it to bash Microsoft. Then it's always a-ok.

Reminds me of the Firefox & IE Topic (1)

jessiej (1019654) | more than 6 years ago | (#21741684)

There was a discussion about firefox and explorer security [slashdot.org] that this topic reminded me of.

Re:Counting shows nothing (4, Insightful)

dgatwood (11270) | more than 6 years ago | (#21741800)

Absolutely. Vulnerability counts are worthless. Here's the simplest example I can think of:

My friend and I both maintain a tool of some sort. We both get ten security vulnerability reports sent to us each year. I patch ten security bugs ten minutes after they are reported and my friend sits on the first ten bugs for a year, then the next year, we both fix ten vulnerabilities in the second year. However, for a user that keeps their system patched, I have an average of slightly over zero exposed vulnerabilities, while my friend's software exposes slightly over ten. According to the vulnerability count, however, I had 20 and my friend had 10.

Re:Counting shows nothing (4, Interesting)

ByOhTek (1181381) | more than 6 years ago | (#21742242)

Another issue would be severity.

1) Your friend's flaws only allowed an administrator of the system, on the local system, to accidentally delete (but not read or otherwise modify) secure data of the users.
2) Your flaws allowed anyone to connect to the machine remotely and read/write/modify all of the secure data on the server.

Which is worse? It's severity and time of exposure. MacOS X didn't have any extremely critical vulnerabilities, but Windows had four; MacOS X had a lot more highly critical, and slightly more moderately/less critical. This makes the vulnerability count look even less meaningful (if every level counts 100x more than the previous level in terms of overall risk, and the average fix time was the same, Windows would be more vulnerable than MacOS X, even with only 15% the bug count.)
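As an added example (not part of the thread), here is dgatwood's two-maintainer story and the severity weighting just above turned into a small scoring script. It contrasts three ways of scoring the same set of reports: the Secunia-style count of fixes published, the number of days a fully patched user was still exposed, and a severity-weighted count. The advisory dates are constructed, the 100x-per-level factor is the thread's illustrative assumption rather than any Secunia definition, and the Secunia severity labels are only used as dictionary keys.

```python
"""Exposure-weighted vulnerability scoring (added example, not from the thread).

Implements two objections raised in the comments: a raw advisory count
ignores how long each bug stayed exposed after it was reported, and it
ignores severity. Maintainers A and B are dgatwood's two maintainers; the
dates are constructed, and the 100x-per-level weight is ByOhTek's
illustrative assumption, not a Secunia definition.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Secunia severity labels; the weights are the thread's "100x per level" assumption.
SEVERITY_WEIGHT = {
    "not critical": 1,
    "less critical": 100,
    "moderately critical": 100 ** 2,
    "highly critical": 100 ** 3,
    "extremely critical": 100 ** 4,
}

WINDOW_START = date(2007, 1, 1)
WINDOW_END = date(2008, 12, 31)


@dataclass(frozen=True)
class Advisory:
    ident: str
    severity: str
    disclosed: date          # day the bug was reported to the maintainer
    fixed: Optional[date]    # day a patch shipped; None = still unpatched


def fixes_published(advs: Iterable[Advisory], start: date, end: date) -> int:
    """The number a Secunia-style tally produces: fixes released in the window."""
    return sum(1 for a in advs if a.fixed is not None and start <= a.fixed <= end)


def exposure_days(adv: Advisory, window_end: date) -> int:
    """Days a patched user was exposed: from report until the fix, or until the window ends."""
    end = adv.fixed if adv.fixed is not None and adv.fixed < window_end else window_end
    return max(0, (end - adv.disclosed).days)


def total_exposure_days(advs: Iterable[Advisory], window_end: date) -> int:
    return sum(exposure_days(a, window_end) for a in advs)


def severity_weighted(advs: Iterable[Advisory]) -> int:
    """Count in which each severity level counts 100x the one below it."""
    return sum(SEVERITY_WEIGHT[a.severity] for a in advs)


def maintainer_a() -> List[Advisory]:
    """Ten reports a year, each patched the day it arrives (constructed data)."""
    advs = []
    for year in (2007, 2008):
        for i in range(10):
            d = date(year, 1, 1) + timedelta(days=30 * i)
            advs.append(Advisory(f"A-{year}-{i}", "highly critical", d, d))
    return advs


def maintainer_b() -> List[Advisory]:
    """Sits on the 2007 reports for a year and has not fixed the 2008 ones (constructed data)."""
    advs = []
    for i in range(10):
        d = date(2007, 1, 1) + timedelta(days=30 * i)
        advs.append(Advisory(f"B-2007-{i}", "highly critical", d, d + timedelta(days=365)))
    for i in range(10):
        d = date(2008, 1, 1) + timedelta(days=30 * i)
        advs.append(Advisory(f"B-2008-{i}", "highly critical", d, None))
    return advs


if __name__ == "__main__":
    for name, advs in (("A", maintainer_a()), ("B", maintainer_b())):
        print(name,
              "fixes published:", fixes_published(advs, WINDOW_START, WINDOW_END),
              "exposure-days:", total_exposure_days(advs, WINDOW_END))
```

On the constructed data the published-fix count makes maintainer A look twice as bad as B (20 versus 10), while the exposure-day score reverses it (0 versus 5950); and four "extremely critical" entries outweigh a few dozen "highly critical" ones under the 100x weighting. None of the three numbers is a measure of security on its own; the point is that they disagree, so a headline built on one of them says little.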

Re:Counting shows nothing (2, Insightful)

nschubach (922175) | more than 6 years ago | (#21742422)

You forgot another aspect as well. What if your friend sits on the problems, but doesn't report them as vulnerabilities, but instead reports them as bugs.

Maybe I can't count... (2, Interesting)

stonertom (831884) | more than 6 years ago | (#21742052)

How many times does it have to be repeated? Counting vulnerabilities is a stupid way to measure security.
Aside from this TFA says: Windows 44 / MacOS 243. When I looked on Secunia it says 30 for Windows and 26 for MacOS. When I looked at some of the mentioned reports LOADS are "reserved" (I'll list some at the end). If counting is worthless how good is counting incorrectly?

CVE-2007-5850 H
CVE-2007-5851 H
CVE-2007-5853 H
CVE-2007-5854 H
CVE-2007-5855 H
CVE-2007-5856 H
CVE-2007-5857 H
CVE-2007-5859 H
CVE-2007-5860 H
CVE-2007-5861 H
CVE-2007-5863 H
CVE-2007-6077 H

Re:Counting shows nothing (0, Troll)

man_of_mr_e (217855) | more than 6 years ago | (#21742490)

Counting vulnerabilities is a stupid way to measure security.

So why is it, then, that for so many years those against Microsoft and Windows used every vulnerability as a chance to proclaim how much Windows sucks? Isn't that counting vulnerabilities as well?

Macs cannot be critiqued (0, Flamebait)

athloi (1075845) | more than 6 years ago | (#21741434)

They are not Microsoft.

Therefore

They are beyond criticism.

Anything that is not Microsoft, and makes us feel like the hipper kids in the street, is automatically beyond criticism. We all wish we were the rich kids in Redmond, but since we're townies instead, we will speak ill of them any time we can. Macintosh is not from Redmond. True, they are greedy and wealthy. But they are not our enemy so they are us.

(See also Apple's identity problem [chrisblanc.org] .)

Re:Macs cannot be critiqued (4, Insightful)

bealzabobs_youruncle (971430) | more than 6 years ago | (#21741710)

There is quite a bit of false premise here, but I'll give this a shot. I don't use OS X or Linux to be special or different, but because they are better operating systems. I make a healthy living supporting MS products and have for years, I've used MS products when it made sense and dodged them when it doesn't (like now with Vista). For many people Windows has always been "good enough" but that doesn't appear true any longer (and applies to more than just the OS, Office 2007, IIS, the Zune, etc...). That doesn't make Apple or OS X beyond criticism, although as others in this topic will mention, counting vulnerabilities has never made sense for Windows or OS X/Linux/Unix/etc...

I know you put a lot of work into what you feel is a clever post, but all you did was come across as the exact kind of poster you are describing. And your link is really irrelevant as it was Apple supporters (mostly) who over-played the outsider status, not Apple itself. What kind of half-baked value system do you employ when you decide who is cool by what OS they use? An OS is a tool and you should use what fits your needs best. I'm a media junky and like to dabble in editing, that makes OS X my best choice. If I were still a PC gamer, you can bet I would use Windows. But that doesn't excuse the long history of Windows security issues, and an article that spins a year where Windows finally has fewer vulnerabilities than another OS as proof of progress is really just proof how many people don't get it. The bigger question is how those vulnerabilities were handled, from point of discovery to solution, and that is where MS always breaks down.

Re:Macs cannot be critiqued (1)

Altus (1034) | more than 6 years ago | (#21742268)

What kind of half-baked value system do you employ when you decide who is cool by what OS they use?

Yea man, everyone knows you decide who is cool by what kind of car they drive.

OS... please, thats not cool at all :-)

Re:Macs cannot be critiqued (2, Insightful)

DwarfGoanna (447841) | more than 6 years ago | (#21742548)

What's really funny about this sort of thing is how, not all that long ago*, Macs were anything but cool here on slashdot. Granted, the OS was flaky, but even talking up the neato hardware or rock solid interface would get you laughed out of here. It's been an amazing transformation to watch Mac derision turn into Mac backlash.


*okay, maybe I'm dating myself there.

It's all academic. (5, Insightful)

phoebusQ (539940) | more than 6 years ago | (#21741450)

No artificial metric really matters in the security landscape.

In the end, what matters is the real-world security performance of these systems. Sure, it's not so easy to quantify and measure, but stories like this ZDNet fodder are just pageview generators, and nothing more.

Re:It's all academic. (4, Insightful)

vertinox (846076) | more than 6 years ago | (#21742712)

No artificial metric really matters in the security landscape.

One thousand exploits that allow someone to wipe a users home directory is nothing compared to single exploit that allows an unauthorized person to gain root access to the machine remotely.

Re:It's all academic. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21742938)

Hmm... no, actually, I don't think so. Yes, in fact I'm quite sure that 1,000 remote non-root exploits is pretty fucking shitty. I'd much rather clean up after just one rooting.

Glad /. will be discussing this (1)

hrbrmstr (324215) | more than 6 years ago | (#21741460)

but I'd hate for MacNN to get any ad revenue or new, regular visitors from the traffic this will generate.

I posted my retort on this just before the /. post : http://www.rudis.net/content/2007/12/18/macnn-editors-egg-nog-consumption-increases-disastrous-results [rudis.net]

I wish non-security folks would stop reporting on security "stuff"... I can't wait for NPR, CNN and Fox to run with this "breaking news!" tonight or tomorrow.

Repeat something false often enough... (1, Flamebait)

pieterh (196118) | more than 6 years ago | (#21741474)

Linux costs more than Windows.

Open standards are bad for the economy.

Software patents are good for the economy.

Microsoft is a nice company.

Windows Vista is more secure than Mac OS/X.

OOXML is better than ODF.

Buying votes is a good way to build new standards.

People remain with Windows because they like it.

Firefox is less secure than Internet Explorer.

They're not really people, anyway...

Re:Repeat something false often enough... (0, Troll)

justfred (63412) | more than 6 years ago | (#21741624)

You mean like:

War is peace.
Freedom is slavery.
Ignorance is strength.
We have always been at war with Eastasia.

Seems like it's working out pretty well for the current (US) government.

Re:Repeat something false often enough... (0, Troll)

mr_mischief (456295) | more than 6 years ago | (#21742412)

The US are a bunch of Fascists.
The US was not previously at war with Iraq.
Iraq did not violate the terms of the ceasefire.
Saddam did not buy homes for families that sent teenage boys to blow themselves up on Israeli buses.

Yeah, repeat it often enough and people will believe it. I like how you quote 1984 for its geek cachet and then go on to repeat your particular hatred without justification.

Regardless of your feelings about the US in general, the US federal government in particular, or specifically the George W. Bush administration, if you're going to argue against a tactic (in this case empty repetition) don't turn around and use it in the same post. If you have a gripe, gripe. Don't just repeat your conclusion.

Are we not done yet? (3, Insightful)

junglee_iitk (651040) | more than 6 years ago | (#21741476)

Who has counted the bugs and security holes that were fixed without prior disclosure? It is like counting footsteps of two dinosaurs from their fossils and then comparing them for their health.

flamebait (2, Insightful)

ryujiwarui (1205010) | more than 6 years ago | (#21741494)

this whole article should be modded flamebait, counting vulnerabilities is a useless way to compare operating systems

Re:flamebait (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21741840)

I pity you. You're suffering from some advanced form of dementia, caused by a sexually transmitted disease, most likely AIDS, that's all too prevalent in the Mac community. I guess Steve Jobs will have to sell more Red iPods until there's a cure.

Re:flamebait (0)

Anonymous Coward | more than 6 years ago | (#21741902)

flamebait? that's exactly what it is.

these discussions about vista and mac and "SECURITY VULNERABILITIES" and "DRM" and all the other stupid shitty REPETITIVE articles on here is killing Slashdot.

Unpossible! (0, Funny)

Anonymous Coward | more than 6 years ago | (#21741496)

Apple is the light, the truth and the way.

Not really objective (3, Informative)

UnknowingFool (672806) | more than 6 years ago | (#21741502)

First, reporting on the number of flaws disclosed and fixed says nothing about the relative security of either platform. Both MS and Apple could be holding back on patches to their own software. Second, many of Apple's security patches address 3rd party open source software like Samba, Kerberos, etc, that are being patched when flaws are discovered.

Re:Not really objective (1)

blazerw (47739) | more than 6 years ago | (#21742398)

I did RTFL, and for the fun of it decided to click on a few of the OS X vulnerabilities. The first 3 out of 4 I clicked on in December were for the Perl Compatible Regular Expression library. Each appeared to be a way of causing a crash, DOS, or remote execute when using patterns involving character classes. Why are these 3 unique vulnerabilities? My guess is because the vulnerabilities are dumps of the project's bug database.

Just my 5 second research into these results.

Nonsense (4, Informative)

Cally (10873) | more than 6 years ago | (#21741504)

I'm absolutely not an Apple fanboi but this is bollocks. Apple (who are indeed significantly slower than other distributors in releasing patches) ship an awful lot of Free software - application software that is - with OS X, whilst Microsoft generally only patch the core OS (and Office, if you go to https://microsoftupdate.com/ [microsoftupdate.com] rather than https://windowsupdate.com/ [windowsupdate.com] .) Hmmm, one day I must get round to doing that chart tracking who, of the main distros shipping common code such as (say) Zlib, releases what patches, when. Some of the Linux distys are particularly lax on this front.

Re:Nonsense (2, Insightful)

Joe U (443617) | more than 6 years ago | (#21742176)

If it ships with the OS it should be patched by the OS company. If Apple shipped something with a flaw, Apple gets to patch it. Same for Microsoft.

Re:Nonsense (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21742586)

If it ships with the OS it should be patched by the OS company. If Apple shipped something with a flaw, Apple gets to patch it. Same for Microsoft.

Agreed, although not all the "vulnerabilities" listed in this so-called study do ship from Apple, many are third-party applications that just run on OS X. Also, OS X includes a lot of cool tools with their OS, because they are free. 99.99% of the time, these tools are never used, let alone exposed to the outside world. For example, almost a third of the first 30 CVE's listed in this study apply to the same Perl regular expression evaluator. Now how many users do you suppose turn on Apache and this module and make use of it on a Web page they're hosting from their home computer? I mean these tools are great for Web developers that want to test stuff on their workstation, but that is likely about all they are used for, in the very rare cases that they are used. That particular module accounts for 8 of the "vulnerabilities" in OS X listed.

It is fine to list these as vulnerabilities, but for a comparison to vulnerabilities in Windows, well they're pretty useless because of the use case as well as the dozens of other things wrong with this study. I mean, the OSS team developing this module lists each and every potential hole they can find on a public Website and it is counted by Secunia. Their list for MS includes only holes that have been discovered by the public and which MS has acknowledged. Since MS does not publish most of the bugs they find, none of those are counted against MS, including the ones they don't bother to fix (more than 50% according to an ex-MS developer I know).

Secunia knows this. Every respectable security expert knows this. The only problem is, random bloggers don't seem to know this, and write "articles" about it which get widespread readership, misinforming large numbers of people and leading them to make incorrect decisions that end up causing problems for everyone.

It's not size that counts... (5, Funny)

Tom (822) | more than 6 years ago | (#21741530)

Ah, the usual "X has more Y than Z, so it must be better" strawman. With all the usual flaws. Didn't we have this discussion at least 50 times already?

So let me see, we will have:
  • The windos fanboys drooling "told you so"
  • The Mac fanboys screaming "it ain't so"
  • The math fanboys going on about how you should trust statistics unless you've forged them yourself
  • The nitpicker faction revealing that they are comparing different kinds of bugs
  • The wannabe-blackhatters outlining that these vulnerabilities were more vulnerable than those vulnerabilities and should count more
  • The I-read-the-web-all-day group pointing out a contradicting article in some other magazine
  • The tinfoil-hat wearers telling us that it's all bullshit anyways and the article is only meant to get us upset and create ad impressions
  • The meta-commentators who point out that we've already been through all this and do we really need to re-hash this discussion again? :-)

Re:It's not size that counts... (4, Funny)

BarryJacobsen (526926) | more than 6 years ago | (#21741644)

Ah, the usual "X has more Y than Z, so it must be better" strawman. With all the usual flaws. Didn't we have this discussion at least 50 times already?

So let me see, we will have:
  • The windos fanboys drooling "told you so"
  • The Mac fanboys screaming "it ain't so"
  • The math fanboys going on about how you should trust statistics unless you've forged them yourself
  • The nitpicker faction revealing that they are comparing different kinds of bugs
  • The wannabe-blackhatters outlining that these vulnerabilities were more vulnerable than those vulnerabilities and should count more
  • The I-read-the-web-all-day group pointing out a contradicting article in some other magazine
  • The tinfoil-hat wearers telling us that it's all bullshit anyways and the article is only meant to get us upset and create ad impressions
  • The meta-commentators who point out that we've already been through all this and do we really need to re-hash this discussion again? :-)
You seem to have forgotten two:
  • The list makers who will show everyone (using a list) exactly what will appear in the comments.
  • The annoying jerks who point out things the list makers missed.

Re:It's not size that counts... (5, Funny)

Anonymous Coward | more than 6 years ago | (#21742038)

One more:

- People who don't know how to make bullet points

Re:It's not size that counts... (0)

Anonymous Coward | more than 6 years ago | (#21741648)

Isn't this the pattern for ALL slashdot comments?? I thought a memo had gone out and this was the decided protocol to replace the TPS report protocol??

Re:It's not size that counts... (1)

john83 (923470) | more than 6 years ago | (#21741704)

Didn't we have this discussion at least 50 times already?
Yes. I'm going home. It's dinnertime where I'm from.

Myths (0)

Anonymous Coward | more than 6 years ago | (#21741538)

Things like this perpetuate the Mac/gay metaphor.

Why can the world accept Mac users for who we are? Stop spreading misinformation about the dangers of network intercourse!

Understandable; (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#21741548)

XP has less flaws because it has been around so long. If they counted the number of UNPATCHED flaws, XP would definitely be on top.
Vista has no one using it, so no flaws are being sought.
Mac is middle-of-the-road, so it has a few.
News at 11...
Move along

The Real Problem (1)

drewmoney (1133487) | more than 6 years ago | (#21741550)

I'm not a Mac user at all, but I'm willing to bet there is a substantial number of pirated, unpatched copies of Windows out there, and you can count each one as a vulnerability in itself.

Re:The Real Problem (1)

Bryansix (761547) | more than 6 years ago | (#21741932)

The real problem is that Microsoft doesn't allow the pirated copies to be patched thereby supporting terrorism.

Yawn (3, Insightful)

JimDaGeek (983925) | more than 6 years ago | (#21741568)

I own two Intel Macs, an iMac and a Macbook. I own two desktops that run XP and two desktops that run Linux.

I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.

On the other hand, I once opened my XP box's IIS server and saw a crap load of hits in the web logs trying to break it within 48 hours. Thankfully I was running IIS lockdown which really helps.

Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid. XP has been around for a long, long time. Do a fresh install of XP home SP0 and see how many security updates you need to download.

As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it. MS on the other hand seems to go through a PR machine.

Microsoft, I don't care if your product XYZ has a flaw, trust me as a programmer, there will always be flaws. Just release the damn info on the flaw and the URL to the fix. I don't think XP is "crap" because I have had to download more than a GB of updates since SP0. Really, I don't care. As a geek, I actually get excited about a new update from MS. I usually hope for new features, etc.

So, please MS, just publish and release the fixes. 95%+ of people out there don't care if you have 150 "vulnerabilities" or 20. We just want the fix. Give us our "fix" bro!

Cool (1, Funny)

Anonymous Coward | more than 6 years ago | (#21741730)

Yeah, I just checked -- your logs don't show any bad stuff coming through the Macs. Still, I was surprised by what I got just by typing "Oracle Password" into Spotlight.

Re:Yawn (4, Insightful)

IamTheRealMike (537420) | more than 6 years ago | (#21741852)

I don't get it. You opened port 80 on different machines, and saw different traffic, none of which managed to exploit the web server.

I'm sceptical this tells us much about anything, beyond maybe the set up of your NAT/DMZ. Otherwise you should have received exactly the same traffic on both web servers. Bots don't check the OS before sending their exploitable GET requests.

Re:Yawn (1)

barbam (1134455) | more than 6 years ago | (#21741874)

You're right! OS/X is totally secure b\c you didn't see any 'bad stuff'. You must be a security guru -- Keep burying your head in the sand --

Re:Yawn (1)

dezert_fox (740322) | more than 6 years ago | (#21741986)

In other news, I am positive that there are no elephants in my house because of the elephant dust I sprinkled on the floor!

Your contention that your OS is secure because you don't see people attacking you is patently ridiculous. That only proves that you're not a prime target. It's just like presidential candidates claiming the PATRIOT act has prevented terrorism; we haven't been attacked so it must be working, right!? The primary security characteristic of a Mac is that it's a low market share OS, so it's not targeted as often.

Re:Yawn (2, Informative)

ILongForDarkness (1134931) | more than 6 years ago | (#21742030)

True you can't compare a new OS to an old OS. Vista to OS 10.4 or 10.5 should be reasonably fair. As people have already said there is a bunch of open source stuff in the OS that Apple doesn't control, however, they chose to include it in their product so IMHO they own the bugs (if you don't like it then code your own functionality, or let the end user download it).

Microsoft has come up with the idea of "Patch Tuesday" to control the update process. While your systems might be vulnerable for an extra few days (30 at most in a worst case), you also gain better control over the scheduling of staff to test and deploy the patches. You don't have to go to their website every morning to see if something came out (or have some service that does, a la auto update or what ships with linux distros). Is it better? Well for the security paranoid, no. However, being an IT manager myself, I can appreciate a company trying to make things predictable as much as possible for me. If my site has autoupdate enabled, and things stop working the day after patch Tuesday, the first thing I'll do is roll back a box to the day before and see if things start working again. If so, push the roll back to everyone, then hit the test servers/workstations, and localize the patch problems, to the specific patch/app combo that is the issue. Much, much better than having random crap pushed at random times.

Re:Yawn (4, Insightful)

RzUpAnmsCwrds (262647) | more than 6 years ago | (#21742502)

I am personally tired of the stupid "insecure" talk. My iMac runs my servers with ports 80, 443, 22, 5900 open. I watch my logs and have not seen any bad stuff.


This kind of cavalier attitude is what gets people hacked. Clearly you aren't watching your logs very carefully (or you're blocking those ports externally with some kind of firewall), because anyone who runs an SSH server (which is presumably what you're doing on port 22) knows that you get TONS of dictionary attacks. Before I disabled password authentication (and switched to using key-based authentication exclusively), I would sometimes get 20-30MiB of logs, all failed PAM logins with common usernames and from a variety of hosts. Clearly I'm not alone [google.com] either.

As a programmer with more than a decade of experience, I don't care about the number of releases for an OS. I care about the timely releases. From my experience, Apple and especially Linux will release a fix as soon as they have it.


From your experience? How do you even know when Apple has a fix? How do you know when the vulnerability has been reported? Are you basing this opinion on fact, or is it your "feel" that Apple is better than Microsoft about this?

Microsoft releases most patches during the Tuesday release cycle.

As someone who works in IT, I can tell you that we don't want patches released "as soon as they are ready". Patches need to be tested, and they need to be tested with other patches. You may not think that Apple patches cause issues, and usually they don't - but even one incompatibility could result in thousands of our users being down for hours or even days. 1000 employees being down costs us $1000000 per day. That's a damn big incentive to get it right.

With the Tuesday cycle, we can test ALL of the critical patches at once, together (about 2 weeks of both automated and manual testing). Then we can roll them ALL out to a pioneer group for a week, and see if any problems arise. If they don't, everyone gets the patch on the 4th week - and the process restarts. Our IT department has people dedicated to doing this cycle.

Guess what? We use the same Tuesday cycle for Mac and Linux patches. So what does Apple's "when it's ready" release process buy us? More time for the script kiddies to reverse-engineer the patch and exploit the vulnerability.

Comparing XP in 2007 to OS X 10.4 or 10.5 is just stupid


Agreed. Why don't we compare something like Windows Vista? Oh, wait, they did. Vista has fewer reported vulnerabilities than XP now, and far fewer than XP had in its first year of release. Not to mention far, far fewer than Mac OS X.

So, what does this mean? Do these numbers mean that Vista is more secure than Mac OS? No. The number of vulnerabilities is a poor measure for how secure an operating system is.

What it does mean, though, is that all is not well in Wonderland. Security is a process, and that process needs to be well-developed regardless of the software used. Mac OS X is not a silver bullet. Neither is Linux.
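
As an added, defender-side example (not part of this thread, and not code from any of the posters): a Python script that does the two things the comment above describes. It counts failed SSH password logins per source address in a handful of constructed auth.log lines (the kind of noise that fills a log when password authentication is left on), and it audits an sshd_config fragment for the key-only setup the poster switched to. The hostname, PIDs, addresses, both config fragments and the flagging threshold are all constructed or assumed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format OpenSSH writes to syslog/auth.log.
# Hostname, PIDs and addresses are placeholders (addresses from RFC 5737 ranges).
SAMPLE_AUTH_LOG = """\
Dec 18 03:11:02 imac sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 18 03:11:05 imac sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Dec 18 03:11:09 imac sshd[4025]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec 18 03:11:12 imac sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Dec 18 03:11:15 imac sshd[4029]: Failed password for invalid user guest from 203.0.113.7 port 51266 ssh2
Dec 18 03:12:40 imac sshd[4040]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Dec 18 03:12:48 imac sshd[4040]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Dec 18 03:13:01 imac sshd[4052]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def count_failed_logins(log_text):
    """Return {source_ip: Counter(username -> failed password attempts)}."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("user")] += 1
    return failures


def flag_brute_force(log_text, threshold=5):
    """Sources with at least `threshold` failed password logins, busiest first.

    Each entry is (ip, total_failures, distinct_usernames). Many distinct
    usernames from one address is the signature of a dictionary run rather
    than a user who mistyped a password. The threshold is an assumption.
    """
    flagged = []
    for ip, users in count_failed_logins(log_text).items():
        total = sum(users.values())
        if total >= threshold:
            flagged.append((ip, total, len(users)))
    flagged.sort(key=lambda entry: entry[1], reverse=True)
    return flagged


# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_SSHD_CONFIG = """\
# password logins still allowed
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_SSHD_CONFIG = """\
# key-based authentication only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value for the global section of sshd_config.

    Keywords are case-insensitive and the first occurrence of a keyword wins,
    so later duplicates are ignored. Directives under a Match block are
    conditional and are not evaluated here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return findings as strings; an empty list means password guessing is off the table."""
    s = parse_sshd_config(text)
    findings = []
    # PasswordAuthentication defaults to yes when omitted, so require an explicit no.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'; password guessing remains possible")
    # Keyboard-interactive (PAM) authentication can still prompt for a password even
    # with PasswordAuthentication off. Older releases spell the keyword
    # ChallengeResponseAuthentication, newer ones KbdInteractiveAuthentication.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no'")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; no key-based login path remains")
    # The default for PermitRootLogin has changed across versions; insist on an explicit no.
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    return findings


if __name__ == "__main__":
    for ip, total, distinct in flag_brute_force(SAMPLE_AUTH_LOG):
        print(f"{ip}: {total} failed password logins across {distinct} usernames")
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

On the sample above, only 203.0.113.7 trips the threshold (five failures across five usernames); alice's single failure followed by an accepted public key is normal user behaviour and stays unflagged. The audit flags the weak fragment on three counts and passes the hardened one; note that turning off PasswordAuthentication alone is not enough if keyboard-interactive authentication is still enabled.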

Re:Yawn (1)

db32 (862117) | more than 6 years ago | (#21742638)

In their world remote code execution seems like it should be considered a feature. I can't imagine why they would ship so many of their products with that feature and then patch to "fix" it.

Steve Jobs and Security (-1, Flamebait)

BigHungryJoe (737554) | more than 6 years ago | (#21741592)

Steve Jobs sneers at security, he does not take it seriously. Therefore, Apple does not take it seriously.

I was watching this real-time documentary called Pirates of Silicon Valley, and Jobs actually made fun of a guy in a job interview for being a virgin! He is a total a-hole.

Re:Steve Jobs and Security (0)

Anonymous Coward | more than 6 years ago | (#21741692)

You must be a virgin.

Re:Steve Jobs and Security (1)

Selfbain (624722) | more than 6 years ago | (#21741836)

If it appears in a movie, it must be true.

Re:Steve Jobs and Security (1)

falcon5768 (629591) | more than 6 years ago | (#21741884)

You realize that was a movie, right? Even more so, you realize it was a FICTIONALIZED TAKE on Jobs and Gates, in the same vein that Titanic was true?

Right?

And people wonder why our country is going to hell....

Depends on the severity (2, Insightful)

Roger W Moore (538166) | more than 6 years ago | (#21741610)

The simple number of vulnerabilities is not a good metric of security. I seem to remember that one of the Windows ones last year was one where displaying a picture in a web browser, ANY web browser, could compromise your machine. I don't remember seeing anything close to that severe for a Mac.

In fact you could make the argument the other way around: the reason there are so few fixes with Windows is because the problems are so big and far reaching that it takes a lot longer to patch them. This conclusion is also probably wrong but is just as valid as the one in the original post.

heh? (1)

rice_burners_suck (243660) | more than 6 years ago | (#21741642)

Let's assume that the software engineers working at all companies are equally qualified. On average, that will probably turn out to be true. Assuming that all programmers are equally qualified, let's assume, only for the sake of argument, that all software is released with a similar quantity of security flaws; say, X amount of flaws per Y amount of code. Now ask yourself this: Does having lots of fixes released on a constant basis imply something about the security of the company's product? Or does it imply something that is totally unrelated to software, which speaks not of the software's initial security status, but of the company's policy towards servicing flaws as they're found? I think that ultimately, all software will contain some level of bugs; the company's policy towards fixing them is what determines security.

Flaming Article (5, Funny)

kaoshin (110328) | more than 6 years ago | (#21741664)

I invented my own OS, which I call F.U. (Frackin Unix). My OS has only one bug (Bug #1 - Operating System Not found). Clearly my OS is more superior than any competitors due to its extremely low number of bug reports.

Re:Flaming Article (0)

Anonymous Coward | more than 6 years ago | (#21742906)

That's a feature. Not a bug.

Reissue only counts once? (3, Informative)

TheSkyIsPurple (901118) | more than 6 years ago | (#21741672)

He shows CVE-2007-3896 only in July, but it was reissued in November as well... why wasn't that counted in November?

The July patch closed that CVE, and the November one patched more of it... It should count both times, since they said it was closed.

I'd be interested to analyze them all next to each other, but not interested enough to actually dig into it myself =-)

What's the point? (1)

thousandinone (918319) | more than 6 years ago | (#21741676)

Vista was a lost cause from the get-go, and OSX is still largely a 'niche' operating system. Is comparing the number of exploits in either truly noteworthy?

Patching is good... duh (1)

Foofoobar (318279) | more than 6 years ago | (#21741686)

So when people acknowledge bugs and fix them, the windows crowd bashes them?? So we should all be like Microsoft and just say that something isn't a bug until something critical happens and THEN issue a patch? Or wait until consumers are so pissed about it that it requires the company to issue a patch?

Frankly, I would LIKE a product to ship flawless but realize I don't live in a fantasy world, so I prefer them to fix their flaws in a timely fashion as they find them, and am happy that the Mac, Linux and BSD communities respond in such a fashion.

Obligatory (0, Troll)

Malevolent Tester (1201209) | more than 6 years ago | (#21741708)

But Microsoft are a CONVICTED MONOPOLY!111!11

Sounds like a population problem to me... (0)

Anonymous Coward | more than 6 years ago | (#21741740)

If you're looking at vulnerabilities on new installations, in particular. In that case, you'd be comparing the thousands of licenses sold for OS X this year to the dozens of licenses for Vista that were purchased voluntarily this year.

Well.... (1)

gandhi_2 (1108023) | more than 6 years ago | (#21741746)

Even a blind squirrel gets a nut now and then. (:

In other news.. (4, Insightful)

Selfbain (624722) | more than 6 years ago | (#21741764)

Bush is the best President in history because he has fixed fewer problems.

Security advisories (1)

courteaudotbiz (1191083) | more than 6 years ago | (#21741780)

I receive daily many security advisories about patches, updates and vulnerabilities discovered in most IT spheres. If I were to count flaws on every product, I would say that Linux and Unix products are the poorest products regarding vulnerabilities. Obviously it's not the case!

It is far more critical to have a Microsoft Windows flaw than a Mac or a Linux flaw, since the product is more widespread, so more likely to be actively and successfully exploited. Dumbly counting the numbers is a strange way to say that a product is more secure. Do I have to remind anybody that most viruses and spyware are .EXE files???

Wonder why... (1)

labmixz (932177) | more than 6 years ago | (#21741810)

Ya... doesn't take a genius to figure out, the more something is widely used by the public the more flaws/security holes will be discovered. Macs are much better than Windows in handling security, however it's kind of a no-brainer when Macs haven't been so much in the "public" eye for years to not hear much about security flaws, yet when the public is now jumping on the bandwagon... more people are going to discover more things and this will pique the malicious interests... so big fat... "DUH"...

Several problems (2, Interesting)

jd (1658) | more than 6 years ago | (#21741890)

First, most announcement services won't/can't announce until the vendor approves. If Microsoft doesn't approve any announcements, then they will always be "perfect" by counting announced flaws. Second, the exploitability of a flaw matters. A hundred flaws that could never actually leave a system vulnerable in practice would obviously be superior to even one single flaw that leaves a system wide open to attack. Third, not all announcement services will cover all reported flaws. There are too many OS' and too many bugs being discovered to report everything. As a result, there is bound to be some degree of cherry-picking. It's not to say anything bad about any given service, it's just a consequence of the volumes involved. Lastly, there is the quality of the bugfixes. I can't remember the last time anyone actually recommended the first Microsoft service pack for an OS, although that's by no means unique to them.

In the end, it is impossible to analyze the security of software by means of analyzing second-hand or third-hand reports, and extremely difficult to do so by means of black-box testing by means of probably incomplete documentation. However, I cannot seriously imagine Apple or Microsoft conducting a thorough security audit and software analysis. For that matter, I don't believe either could afford to do so. Microsoft may be rich, but Vista is big and the kind of skills required to conduct a comprehensive audit wouldn't come cheap, certainly not in the volume needed to conduct such an audit fast enough to get the results before software changes invalidated said audit.

(Having said that, given that the world economy is so utterly dependent on the reliability of the IT infrastructure these days, there is also the question of how long it will be before it is uneconomic at a global level for there not to be such an audit. If an audit would cost a trillion dollars over the course of a year, then it only requires the total direct and indirect cost to business and government over the entire globe from such flaws to be a trillion and one dollars over the course of a year for it to be worth it almost instantly. However, the costs of flaws will always add up with interest but a single audit might easily be sufficient for the lifetime of an OS, if it's good enough. Given a long enough shelf-life and a high enough interest rate, how unreliable can we afford to have any software these days?)

Only 3.67 a month? (1)

LuminaireX (949185) | more than 6 years ago | (#21741910)

I don't know which Windows Update you're counting, but I download 10 (on average) every month.

required (-1)

Anonymous Coward | more than 6 years ago | (#21741970)

THAT'S NOT TRUE! THAT'S IMPOSSIBLE!

This text is only here to help circumvent the lameness filter which would not let me post the above yelling.

Microsoft SDL is making a difference (1, Flamebait)

mrkitty (584915) | more than 6 years ago | (#21741990)

Bash Microsoft all you want, however their new SDL is really making a difference in securing their products. Of course they will continue to have issues, it won't remove all the issues, however it has reduced their bug count big time. Take IIS 5/6/7 as a great example of how their process is making a difference. Bash away MS bashing zealots.

Broken study? (2, Interesting)

IamTheRealMike (537420) | more than 6 years ago | (#21742034)

I clicked through a bunch of the vulnerabilities, and a lot of them are marked as reserved for future use. What's up with that? I think whatever script the dude used to compile this table, didn't work - either that or I don't understand the CVE process being used, because I don't see any indication of which systems are affected by them.

Anyway. Such a study is ultimately pointless, we already know that MacOS X and Windows are both seriously insecure. A single vulnerability in the tangled morass of code making up modern web browsers is typically enough to compromise the entire machine (Vista being an exception to this). A single vulnerability in *any* app which talks over the network is usually enough to get your code onto the machine, and from there you have free rein to do more or less whatever you want. Requiring root is no panacea, you don't need root to do the things modern malware wants to do anyway. As that's the entire OS X desktop security system right there, we can surmise that the primary advantage it has security-wise is just obscurity. (yeah, i know 10.5 is supposed to have MAC for some basic daemons etc .... wake me up when it is properly and widely applied to desktop apps).

What a joke! (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21742050)

So I took a look at a few sample vulnerabilities and it leaves me flabbergasted. The person who wrote this article and composed the data should be beaten. The ones listed as OS X vulnerabilities are primarily holes in software that runs on OS X, much of which does not even ship with OS X by default. A lot of it is holes in various Web server modules, some of which do ship with OS X, but are disabled by default. Some of them are NOT EVEN VULNERABILITIES... like CVE-2007-3876 which is a number reserved for use by an organization for the next time they report a vulnerability, but they haven't assigned it to anything yet. Whole ranges of numbers listed are like that. I mean did the author even click on the links he's providing? I tried, I was more than twenty items into the list of "highly critical OS X vulnerabilities" before I found one that actually affected a default install of OS X, and it was a potential denial of service for SSL Web sites if you have a machine in the middle. Of the first 30, 12 were reserved for future use and not real vulnerabilities, 7 were holes in the same Perl library, and 5 were holes in tcpdump. Only one was a real hole that could be exploited on a default install without additional software being added, or it being reconfigured as a Web server or something.

Another question is, for the real vulnerabilities to the OS's, how do they decide what the danger level is for a vulnerability? For example, one low rated one for WinXP (CVE-2007-2228) was a possible remote exploit, whereas a Highly Critical one for OS X (CVE-2007-0267) was a denial of service on a machine, requiring a local user account. Does this make any sense to anyone?

I'm all for pointing out security problems in OS X and other OS's and doing comparisons of relative security, but this is just a sad joke. Please, can we at least get articles by someone with the tiniest bit of a clue instead of the number game from someone who might be able to count, but apparently can't be bothered to read his subject matter.

I know that OS X is more secure (1)

AccUser (191555) | more than 6 years ago | (#21742070)

I know that OS X is more secure, because I use it every day, and I can rely on it. I am a Mac fan boy, but only because Windows continued to let me down.

Re:I know that OS X is more secure (1)

Jackie_Chan_Fan (730745) | more than 6 years ago | (#21742990)

I used OS X recently on a Final Cut edit station and my head blew up. It's an OK OS, but there's a lot of stupid in there :)

OSX has more open source (1)

gilesjuk (604902) | more than 6 years ago | (#21742098)

OSX has lots of open source commands and daemons. It will be subject to more patches.

The fact there are more security holes being patched can also indicate there's more pro-active review.

Two Words (1)

Swift2001 (874553) | more than 6 years ago | (#21742120)

George Ou.

Ya but. (2, Insightful)

Halmos (464196) | more than 6 years ago | (#21742134)

I haven't used virus/"vulnerability" software on my Mac since OS 7. Still don't in OS X Leopard. All's well.

Are there Vista exploits in the wild (1)

Yergle143 (848772) | more than 6 years ago | (#21742168)

Comrades, I am a mac/ubuntu user who sort of tunes out Microsoft OS. So I don't really know this: In terms of practical security, is Vista a success? In other words as a haven for: the zombie army of spambots, viral/worm propagation, malicious spyware has Vista fixed the problem compared to XP? Forget theoretical exploits, has the tide turned? (Or does user ignorance negate any advances?) ---537

Re:Are there Vista exploits in the wild (1)

OXOTHNK (1178531) | more than 6 years ago | (#21742474)

I'm so frustrated with Vista that I've been debating coming over to Macs/Mac OS now (even though it would put me into debt) ever since I got my new laptop (Toshiba Satellite series).

I find that Vista's "security" features are no more than irritating pop-ups, which people tune out after a while, since so many come up. As far as I can tell, they basically just make you sign off on all of your stupid decision three times as much as they used to - so that when something happens, the user is fully responsible.

Vista gives my machine - which has ample processing power - terrible processing speed problems. Its Big-Brother-esque elements, which I won't even get into, are straight-up frightening. Its Office application compatibility issues are PATHETIC. The new "Word" is a mockery to educated consumers worldwide. It's like, they added some totally trivial bells and whistles, like the stupid sidebar (see the RSS reader offering for the definition of "stupid"), and a couple of window-to-window Windows Explorer features, and pumped it out in haste. Basically, on the front end of things, Vista is the worst thing that's ever happened to me (I work from home, and have had terrible issues with work due to Vista vs. XP issues). On the back end, I'm actually frightened by some of the things I've read. Frightened, if not horrified.

Stick with Linux. A friend of mine, who runs "Free Geek Vancouver" (Google it), introduced me to Ubuntu a few weeks ago, when I was having Vista issues. Not only did it get onto my computer and tell me that there was nothing wrong with my computer - just Vista - it told me that my computer had a battery recall, which I never would have found out about otherwise. Again, Vista is the worst thing ever to happen to me. It's a joke, that isn't funny.

Sure, Bill Gates is crusading for good, and seems to have good values, but many of his employees should be shot over this disgrace called Vista.

Re:Are there Vista exploits in the wild (1)

coryking (104614) | more than 6 years ago | (#21742824)

It will be an interesting 2008, that is for sure. Vista is the first Microsoft OS that will not have ordinary users running as root. If spyware or botnet software wants to sink into Vista, it either has to go through a UAC dialog first, or do it the old fashioned way through a root exploit.

Idiots will always click through UAC dialogs unthinkingly (or worse, dumb geeks will turn UAC off completely and run as root like on XP). UAC pops up only when you expect it to; the button or icon will have a shield on it. UAC should never pop up out of the blue, which would happen with an evil program trying to do bad things. I suspect even the greatest of idiots will think twice before hitting okay on a random UAC dialog.

The interesting question is how many privilege escalation exploits will be found on Vista? How long will it take to get those patched? How wide will any botnet program spread using the exploit?

The other interesting thing to track is if there will be a decline in botnet size equal to the rise in Vista installs.

Good times ahead!

Front Loaded (1)

CruddyBuddy (918901) | more than 6 years ago | (#21742196)

This is ridiculous.

The Windows security problem count is front loaded by several years.

A similar argument can be made that there are more Mac security flaws this last year than Windows 95.

Instead of counting the number of security flaws over the last year, what happens to the number if the count is over the last two years? Three years? (You get the idea.)

"inherently insecure" (1)

Toreo asesino (951231) | more than 6 years ago | (#21742322)

So I put the question to the crowd then...

Is Windows inherently more insecure than OSX for example?

True, you can say "security holes fixed != number of security holes", but then to even be equal on the score cards, Windows, as an entire eco-system (Vista + XP), would still need 5 times the number of vulnerabilities.

I put it to you my techie friends, Windows security isn't so bad after all and has evolved from non-existent to at least on the same footing with its rivals (that's to say, I agree that I don't think this study can conclude much at all ultimately).

Obvious (1)

the100rabh (947158) | more than 6 years ago | (#21742374)

If it is not usable... it won't have any flaws.

No point in comparing 'vulnerabilities'... (4, Insightful)

subl33t (739983) | more than 6 years ago | (#21742432)

... until there is a self-replicating Mac virus in the wild.

It's just Secunia again. Proceed with the ignoring (2, Insightful)

Onan (25162) | more than 6 years ago | (#21742616)

Ever since they showed up a few years ago, Secunia seems to have been nothing but a pro-Windows, anti-everything-else trolling group. They've published countless "studies" claiming that Windows is more secure than god, every one of which involves some extremely skewed definitions of what constitutes a vulnerability and how one classifies its severity.

Some glorious day, perhaps slashdot will learn to ignore this variety of trolling (I'm looking at you, Cringely and Dvorak.). But until then, we'll all just need to ignore them individually.

Secunia advises against what he did (2, Insightful)

General Lee's Peking (954826) | more than 6 years ago | (#21742962)

It was pointed out in one of the responses [zdnet.com] that the writer of the article did exactly what Secunia advised people not to do. From Secunia's Mac OS X vulnerability report [secunia.com] :

The statistics provided should NOT be used to compare the overall security of products against one another.

So it seems there are three reasonable conclusions to draw here. The first is that the author is incompetent and should be disregarded. The second is that the author is dishonest and manipulative and should be disregarded. The third is both the first and the second.