It’s time for another security report: the kind that tallies vulnerabilities and then plots or graphs them so that the sponsor or client comes out looking best. That may be a bit cynical, but the fact remains that there is usually something wrong with such reports, and the one making its rounds across the internet today is no exception. According to IBM, AIX is the most secure operating system and Mac OS X the least secure. Not only is the report rather thin on detail when it comes to operating system vulnerabilities, most websites reporting on it also appear to have misunderstood what its table actually shows.
The table making its way onto various websites can be found on page 40 of the report. The sites copying it state that it lists the percentage of known vulnerabilities left unpatched in each operating system, but reading the accompanying text, I can’t help but think that is not what the table lists. If I’m reading it correctly, it gives each platform’s share of the total number of disclosed vulnerabilities. The text:
X-Force tracks vulnerabilities by platform and has produced metrics this year to show the operating systems with the most disclosed vulnerabilities. The following chart shows the operating systems with the most vulnerabilities documented in 2008. The top ten operating systems account for nearly 75% of all vulnerability disclosures affecting operating systems.
That seems pretty clear to me: they are looking at each operating system’s share of the total number of reported vulnerabilities, not at how many remain unpatched. Still, that doesn’t mean the report says anything meaningful on this specific subject. As has been said many times before, just counting vulnerabilities is not a good measure of security.
At the end of the day, what matters is not only quantity but also quality. A security report that does not take severity into account is hard to take seriously when it makes general statements about a platform’s security record. The report does say that 1% of all reported issues carry the critical severity rating, but it does not break that figure down per platform.
This report by IBM states that AIX is the most secure, but without any per-platform information on severity that conclusion reeks of “We from IBM recommend IBM…”, which greatly reduces confidence in the report.
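To make the difference between the two metrics concrete, here is a small added example (not from the report, and not code from this site): it takes a constructed list of vulnerability records and ranks the same platforms three ways, by share of all disclosures (what the table appears to show), by the percentage still unpatched, and by a severity-weighted count of what is still open. The platform names (OS-1 to OS-3), the records and the severity weights are all made up for the illustration; the point is only that the rankings come out in different orders.

```python
from collections import defaultdict

# Constructed sample data, NOT figures from the IBM X-Force report.
# Each record is (platform, severity, patched).
SAMPLE = (
    [("OS-1", "low", True)] * 6 + [("OS-1", "medium", True)] * 4
    + [("OS-2", "critical", False)] * 2 + [("OS-2", "low", True)] * 2
    + [("OS-3", "critical", True)]
    + [("OS-3", "medium", True)] * 4 + [("OS-3", "medium", False)]
)

# Assumed weights; any monotone scale works for the comparison below.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


def share_of_disclosures(records):
    """Each platform's percentage of all disclosed vulnerabilities.

    This is the kind of number the report's table shows: it says nothing
    about severity or about whether a fix exists.
    """
    counts = defaultdict(int)
    for platform, _, _ in records:
        counts[platform] += 1
    total = sum(counts.values())
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()}


def unpatched_percentage(records):
    """Percentage of each platform's disclosed issues that remain unpatched."""
    tally = defaultdict(lambda: [0, 0])  # platform -> [unpatched, total]
    for platform, _, patched in records:
        tally[platform][1] += 1
        if not patched:
            tally[platform][0] += 1
    return {p: round(100.0 * u / t, 1) for p, (u, t) in tally.items()}


def open_exposure(records, weights=SEVERITY_WEIGHT):
    """Severity-weighted sum of the issues still open on each platform.

    Platforms with nothing open score 0 rather than being dropped, so they
    still appear in the ranking.
    """
    score = {p: 0 for p, _, _ in records}
    for platform, severity, patched in records:
        if not patched:
            score[platform] += weights[severity]
    return score


def ranking(metric):
    """Platforms ordered from worst to best under the given metric."""
    return sorted(metric, key=lambda p: (-metric[p], p))


if __name__ == "__main__":
    for name, fn in (("share of disclosures", share_of_disclosures),
                     ("unpatched percentage", unpatched_percentage),
                     ("open exposure (weighted)", open_exposure)):
        metric = fn(SAMPLE)
        print(f"{name:26s} {metric}  worst->best: {ranking(metric)}")
```

With this data OS-1 has half of all disclosures yet nothing open, while OS-2 has the fewest disclosures and the only critical issues left unpatched; a count-only table puts OS-1 at the top and OS-2 at the bottom, and the exposure-based ranking reverses that.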
Also, let’s not forget that Mac OS X is much more complex, with many vulnerability magnets such as QuickTime and Safari included in its distribution. That is obviously not the case with AIX, but whatever. It’s strange marketing.
Like the fact that by default, telnet is open on an AIX installation and ssh needs to be installed separately.
At the end of the day, I would not consider a system that automatically leaves a bunch of ports open secure and although AIX is a great UNIX, it is not designed to sit out in the open. In fact, unless your admin knows the system back to front, you really want it sitting behind at least one firewall.
If I was really pushed, there are only a few systems I would literally have open to the net and those are all open source. Linux and the BSDs off the top of my head.
Agreed. It’s hilarious to suggest AIX is the most ‘secure OS’. PAM is a recent addition, RBAC could only be considered a joke and only works properly in AIX 6, CSM requires remote root logins to work. Add to the mix that Tectia SSH is buggy crapware in its AIX incarnation and that OpenSSH seems to always be light years behind, and I wouldn’t leave an AIX box outside a firewall.
Oh and to finish… you only need to hack the ASMI or HMC running some fudged Linux based system to bring the box down and restart in maintenance mode.
IBM says their own operating system is the most secure. Shocking, really. I would’ve never seen that happening. </sarcasm>
Silly comparison, really. AIX is a tank, compared to OS X as a Porsche. You wouldn’t purchase a Porsche to do the work of a Tank.
Before we go disparaging various operating systems, let’s make sure we are comparing apples to apples. In the case of AIX and OS X, it is comparing apples to oranges. AIX is an enterprise-level OS and OS X is a desktop-level OS. They have very different goals. I am not saying that either one of them is better than the other – they are just designed for different purposes. However, when comparing which one is more secure, that becomes a huge can of worms. First of all, using a metric like “disclosed vulnerabilities” is a silly measure. It heavily favors small-market-share operating systems. Attacks on computers are a function of market share. Malware writers and people who attack systems are in it for the money these days, not necessarily the glory. They are not going to waste their time on a small-market-share OS.
In addition, the vendor is disinclined to fix problems that they know about with this kind of metric.
However, with no other information I am inclined to agree with SReilly that an OS which installs Telnet by default instead of SSH isn’t painting a picture of confidence.
“AIX is an enterprise level OS and OSX is a desktop level OS.”
RTFPDF. They are clearly naming Mac OS X Server.
They name both OS X and OS X Server.
you would if it was a WW1 tank….
Lol! Very good! I forgot all about that 🙂
Why not? If your only purpose is to get from point A to point B, either will work. In fact, in a tank you’d just have to blow s*** up or run it over, possibly saving you time. In a Porsche you would need to know the location you’re driving through, watch out for traffic and traffic lights, and just have to worry about a lot more stuff overall. That leaves only one major decision between the two: the price difference. And they’re both so expensive, you might as well buy the tank.
If it was my decision, I’d go for the tank, or just go straight for a Ferrari.
AIX costs the same as OS X? Really?
But it looks to me like AIX is the 10th most insecure OS out there.
Oh, and let’s not forget that OpenVMS 8 only had 1 bug in 2008.
wow, just 1?
I really liked OpenVMS when I used it for awhile. I don’t get why so many people just can’t stand it.
ME TOO
Better marketing for other OSes in general, and a kind of boycott by DEC managers in Germany (certainly with the agreement of Robert Palmer), who declined to push SAP into porting their applications onto OpenVMS. (My view.)
Ken Olsen would be upside down in his grave if he had knowledge of them all.
Ultrix disappeared from the market, Tru64 as well, and OpenVMS lives on at HP as long as there are customers who will pay.
CIOs don’t really care about the workload and downtime mostly required after applying patches to fix the monthly security vulns in *x.
I still use it and love it!
Uh, KO’s still alive… 8)
… unplugged windows workstation even more secure!
The blinking lights on the front told them!
That said, OS X’s security does have a lot of potential holes. You’ve got legacy holes from Carbon, everything from the FreeBSD/NetBSD parts that make up the BSD subsystem, then its own special ObjC/Mach vulnerabilities.
when 4 of the 5 lines of caption text start with “operating system”.
It reminds me of when IBM stated that the Power6 CPU has a bandwidth of ~250 GB/sec. It turned out that IBM had added up all the bandwidth in the chip: L1 cache, L2 cache, etc. That is clearly wrong to do. If there is a bottleneck at 1 GB/sec, then the bandwidth will not be greater than 1 GB/sec, no matter what.
It reminds me of when IBM stated that a small IBM mainframe is able to consolidate 232 x86 servers. It turned out that IBM assumed the x86 servers idled at ~3% and the mainframe was 100% utilized! This is also clearly wrong. I could state that my laptop can consolidate 10 IBM mainframes, if the mainframes are idling. This is wrong, don’t you think? In fact, you can emulate a 20 MIPS mainframe on a laptop using the free software “Hercules”. It turns out that 1 IBM mainframe MIPS == 4 MHz x86 in practice. An IBM mainframe CPU can be 1000 MIPS, which corresponds to a 4 GHz x86 CPU.
It reminds me of when IBM stated that one Power6 core is faster than a SUN Niagara core, and therefore the Power6 CPU is faster than the Niagara CPU. This is clearly wrong. If a core is faster than another core, it tells nothing about the entire CPU. In fact, 3 of the large IBM Power servers with 12 Power6 CPUs at 4.7 GHz score half of the SIEBEL benchmark of one SUN T5440 machine with 4 Niagara CPUs at 1.4 GHz. This is according to official benchmarks.
These are just some of the examples I’ve encountered of IBM’s aggressive marketing. And therefore I really doubt this report.
1) They counted REPORTED bugs… guess who is open and reports lots of bugs: Linux and even Apple… guess who DOES NOT report anything and keeps most of their work secret: Microsoft.
Open source projects ALWAYS have more ‘reported’ security fixes because they are more open about reporting… DUH.
2) I bet they counted Red Hat separately from SUSE, and separately from Ubuntu… so every Linux event gets counted 3 times+.
So true… proprietary software vendors in general, not just MS, will not report any bugs they find internally.. Bugs being reported publicly are bad for business. Only bugs discovered by third parties will ever go public, because those are unavoidable, and they will still try to spin the publicity as best they can…
Open source on the other hand, is developed in public… So even very early alpha and beta versions, which are usually full of bugs, will have those bugs discussed in public.
What happened to NetBSD or OpenBSD (I can’t remember which) the one with the audited code and only 2 vulnerabilities ever recorded?
Where does that rank?
My snail is more secure. It has had fewer reported vulnerabilities during the period 1995-2008.
count 10.0 to the latest version as one
How absurd to count the total number of vulnerabilities, when from a security perspective, the truly important number is that of unpatched vulnerabilities! According to Secunia, OS X (all flavors) had 3% unpatched ( http://secunia.com/advisories/product/96/?task=statistics ). To put that number in perspective, Windows XP (14% http://secunia.com/advisories/product/22/ ) and Vista (10% http://secunia.com/advisories/product/13223/ ) both are worse. Better was IBM AIX 6.x at 0% ( http://secunia.com/advisories/product/16995/ ) and HP OpenVMS v8.x (0% http://secunia.com/advisories/product/6052/ ).
BTW, if you add up all the versions of Windows listed in that top 10 chart, you get 24.7%…
I find it fascinating that the one chart pulled out of this report is that OS X has more vulns than any other OS, when the majority of the report discusses ActiveX, IE, IIS, and other MS-only attack vectors. Whoever is spreading this chart around appears to have ulterior motives for ignoring the other 105 pages of the document.
I wonder if IBM is just trying to hit back for the Papermaster fiasco? lol & jk…
I fail to see how just the “number of DISCLOSED vulnerabilities” has any relation to how secure an OS is?
Say I’m developing my own OS but never disclose any vulnerabilities – does that make it the most secure OS out there?
Is it therefore surprising that an Open Source OS has the most disclosed vulnerabilities? I’d be more interested in knowing how many of these are still outstanding as we speak. And how serious are these vulnerabilities? Do they affect software that is installed by default? Is it something anyone can hack into or does it require a professional “hacker”?
Linux typically has hundreds if not thousands of packages installed by default, increasing the potential for vulnerabilities in the software…most of which a good firewall (also installed by default in most linux distros, but sadly not all) will block.
But in Windows or Mac OS’s, how do you determine the vulnerabilities from all of the installed software? (I’m talking about after you’ve installed countless free apps you’ve downloaded, game demos, games, flash, java etc).
No apples-apples comparison exists for OS security and it would be a difficult thing to do.
I think a fairer comparison is to count the number of times each OS has actually been compromised and note the severity of each case. It still won’t tell you which is more secure, but it will let you know how likely you are to have security issues if you run that OS.
The real point for us should be how many severe vulnerabilities were discovered, how long it took for workarounds to become available, how long it took for proper patches to become available, and whether the nature of the problems says much about the quality of the code.
There aren’t many vulnerabilities reported for Mac OS X, but those that are reported are bloody shocking – and there are a lot that have been banging around for years without being fixed. The nature of OS X’s problems appear to be design and architecture, not implementation – which makes “fixing” the problem much more difficult, and makes a lot of people worried about the design of the rest of the operating system.
By this measure, Mac OS X (even OS X Server) is probably less secure than Windows Enterprise.
I’d be curious to know where IBM’s other operating systems ranked, especially their AS/400 OS and z/OS. Any guesses?
The OS IBM sells for the most money comes out top…
An OS they don’t support at all comes out last…