It’s the time of year again, folks. “The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective of how many publicly known holes found in these two operating systems, I’ve compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months.” Do with it as you please.
I read the article and thought, ok. Yeah Apple is experiencing growing pains. BUT look at the number of comments. WOW!
The problem I see here is that Apple users are a bit too rabid…
Folks this is called growing pains. Apple is finally becoming a major OS provider and hardware provider. As such they will have more problems.
I know I have, since my Apple notebook is a lemon. While I could blame Apple, and I do, I do accept it as growing pains. Will I buy another Apple? No, or at least not at the prices they charge. If the prices come down (quite a bit) then why not….
Why do you get more bugs because you sell better?
Many of those bugs seems to be “oh this is a bug in program xxx which can also run on os x.”
First of all, I’m an Apple user, and I’m far from rabid – so please do not gross generalisations of a large section of consumers; for me, sure, I own an iPod, a MacBook and AEBS, but nothing else. They were purchased on the basis that it did what I want rather than any sort of slick marketing (considering that Apple’s marketing in NZ is almost non-existent).
As for too rabid, I don’t know what forums you hang out, but Apple users are persistently the first ones out there to launch a jihad on Apple if there is the slightest flaw in products. I mean, heck, there was a person whining because the sides of the MacBook weren’t bevelled enough! there was another complaining that the brightness isn’t perfect. If these were regular PC users they would moved on and thing, “oh well, its to be expected”.
Oh, and as for your laptop being a lemon – that’s a side effect of mass production, there will always been faults – ring up Apple and get it repaired or replaced. Yes they test it, but damage could have occurred during transit. Life moves, and the world continues spinning. Apple isn’t immune to the occasional lemon being shipped.
Come on. You know that’s not true. While you may not be quick to exhibit the famous “Apple fanboy” attitude, you really can’t deny that the majority (even on this site) are quick to be very vocal about anything that may put Apple even in the slightest bad light. They are fanatics, in every sense of the world, and it is intellectual dishonest for you to deny that.
You seem to be the one being “intellectually dishonest” here. Replying to something one feels to be not entirely correct does not make one a “fanboy”. If that were the case then everyone quick to reply to a negative comment about Vista would be a Vista fanboy.
I also use a Mac and I do reply to a number of assertions that I feel are not justified about Macs. I suppose you will call me a fanboy, but that does not make it the truth. I do like my mac, but I also like my other computer running BSD and Linux. This is being posted via my BSD installation. I spend a lot of time using it.
Anyway, to get to the point, while the article does provide some interesting statistics it only provides part of the information needed to determine how secure an OS really is. If you remember MS recently came out with a study that they said proved IE was more secure than Firefox. http://www.heise-security.co.uk/news/99955 They used the same metric to make that claim, the number of reported vulnerabilities. But interestingly, when you looked at the time that critical vulnerabilities went unpatched IE was not even close to being as secure as Firefox.
What we now need is the same information about the OS vulnerabilities. How long was each OS in an insecure state from the critical vulnerabilities and were there any exploits in the wild during this time? People believe what they want regardless of the facts. You will probably dismiss me as a fanboy for that very reason. All I can say is that it has been my experience that security on a Windows machine has been more of a problem than it has been on any other OS I have used in recent years.
On philmug.ph, the posters can be rather quick to turn mean and ugly for little to no reason. One of the head moderators, Adel Gabot, once wrote an article about how Mac users were morally superior to mere peecee users since they actually PAY for the software they use, unlike the unwashed masses who buy pirated CDs.
Like there aren’t any bootleg CDs for Mac software.
Much as I love Macs, I really can’t stand Apple, or other Mac users sometimes.
Edited 2007-12-21 15:24
How is that any different to the ‘open source zealots’ who post how they’re morally superior because they insist that all the software they use is open source?
Any zealot when taken to the extreme causes idiots to run amuck, but check out Macrumours, Appleinsider, Arstechnica – because philmug.ph means nothing in the grand scheme of things, its a small site with hardly any users – its the equivalence of someone pointing to my blog and making conclusions about a whole set of people off one website.
Look through the websites I’ve provided, check the Mac sections, and you’ll find that when things are anything but perfect, the most rabid of fanboys will come out and be the first to abuse Apple.
PS. Check who is saying that Leopard is broken – I can assure you, it isn’t the newly converted.
Edited 2007-12-22 00:50
They’re who I might have to deal with in real life, face to face. Maybe they just horrible netiquette or what not.
There’s a certain sMUGness some Mac users have, and yes it’s probably a vocal minority like Linux/BSD zealots. Doesn’t help with my headaches.
This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months.
What can you actually deduct from such numbers? It looks like OS X has gotten the most bugfixes but you can’t really deduct the reason for that from the numbers! It could be almost any reason whatsoever: they just might have more bugs that Windows, or they might just dedicate more people to fixing bugs, or people are more willing to report bugs to Apple or… Nah, completely useless numbers. Interesting? Perhaps to some. But useful? Not in any way except for those who try to spread FUD either way.
EDIT: Forgot to add that we CAN’T even estimate how many flaws will be fixed in the “coming months” either: maybe there will be just as many bugs found, or maybe they have fixed them all now and there won’t be so many bugs left to fix, or the difficulty of the upcoming bugfixes might change radically or.. Just come up with more if you please.
Edited 2007-12-20 22:08
Please. Nobody has put in better processes to ensure secure software – see Microsoft Security Development LifeCycle.
Microsoft learnt their lesson years ago and as the processes they have put in place have taken root so the security of their software has improved. Apple ignored the lessons of Microsoft until recently and is starting to pay for it despite their small market share. Apple only recently (1 year ago) advertised for a security expert i.e. someone to head up their security efforts. Hopefully Apple can get their quality up before their users start suffering because of their short sightedness.
I don’t CARE which one has better security frameworks or anything as I am a Linux user myself. All I was saying that one can’t realistically determine absolutely anything from those numbers for the reasons I already explained. You can’t prove me right with those numbers, but you can’t prove me wrong either..
I don’t CARE which one has better security frameworks or anything as I am a Linux user myself. All I was saying that one can’t realistically determine absolutely anything from those numbers for the reasons I already explained. You can’t prove me right with those numbers, but you can’t prove me wrong either..
From my own experience, both as a programmer having to deal with security issues and as a sysadmin in my high school days (ugh…), it simply begs for me to scream: the security frameworks, locks, cryptographic engines, armors, patches, security advisories and everything else are, in terms of measuring security, completely irrelevant. It’s exactly as it happens with planes: you can put eight engines on a pile of concrete. If they don’t get the right fuel, are all placed so that they face each other and the only thing the pilot can control is the altitude, it won’t fly.
We are talking basically about security on a desktop computer, or a small server, not a bank’s server, not FBI’s files (does anyone actually use OS X Server for huge datacenters and the like? I’m not calling OS X server dumb, I’m simply thinking in terms of where it’s really relevant). In this case, the only relevant security test is placing Random J Idiot in front of the keyboard and let him surf the net, watch porn or whatever else he wants. The more secure computer is the one that still boots after three months, without sending broadcasting and browser histories over the Internet.
Yes, from a statistical point of view, this is very gross: it’s a combination of how the system shields itself from dumb users, security by obscurity, low marketshare and so on. However, it still boils down to this: Mac users have very little malware to deal with.
Yes, in the long-term, they might (and, considering how OS X is more of a big hack than of a smart OS, there are serious chances that they will), but the future tense is essential to our discussion. Apple has to watch out for the bugs they might have — and from the amount of bugfixes, it seems like they are watching out — while Microsoft is still having to get rid of the bugs they already have.
On the other hand, I can’t help seeing the mandatory receivers of the fsck off prize. This isn’t Microsoft FUD, no conspiration, and certainly not a mind-twisting invention — OS X has holes, which are more or less relevant, more or less critical and so on, which is really to be expected from something that comes loaded with a pile of open source software. What these people don’t seem to understand is that a patched bug is no longer a security issues. An unpatched, yet-to-be-discovered bug is, however, a security issue.
I don’t know how much security experts does Apple have and how good their security processes are.
But they certainly have brilliant engineers that know how to design good software that is not crap. They don’t give root privileges to everybody like Microsoft did in XP. They don’t determine if a file is executable just by looking at the extension of the file.
I’ll take a Apple system over one from Microsoft any day, I’ve more confidence in the Apple engineers. Sure, they’ve security mistakes like anyone else, but their software is better suited to avoid “by-design” attacks.
Hahahahahahahahahahahahahaha
haven’t laughed like that in ages!
Someone claiming that MS must have more secure software because of their “security policy”??! They’ve had a security policy since they started producing windows…what difference does it make? Even with this new policy, we still see products like Vista hitting the shelves. Not saying its bad but it has just as many vulnerabilities as XP.
I agree that this report means nothing. zilch.
MS dont report all their known vulnerabilities. I thought everyone was aware of this. Apple likely DO report them because they also likely FIX them too. MS fix their bugs but dont release them until the next service pack, which just happens to introduce a ton of new “features” and with it, new bugs.
Nothing new here. Funny that these numbers are still being posted even though the last 999999 times they were put on here, people said the same thing. its irrelevant, so Thom, please stop linking the same crap over and over.
“MS dont report all their known vulnerabilities. I thought everyone was aware of this.”
Not that I’m saying you’re lying or anything, but please provide proof for what you just said.
The fact the you think everyone is aware of it does not constitute proof. When source is not there, we just don’t know what is in the patches/service packs.
All that matters and we know is assessing security by counting vulnerabilities is not a valid approach.
Edited 2007-12-21 16:50
yup, so the fact that you can now brick a laptop through activeX
http://computerworld.com/action/article.do?command=viewArticleBasic…
is a good example of MS improved security practices?
Yes. It is significant. Too many of the `arm chair` systems administrators on this website, from observation, believe in the all-in-one basket way of thinking.
Imagine an entire state college or university system, which generally locks into a single hardware provider or manufacturer, that has purchased HP servers and desktop systems. They come in one morning to find all the HPs have been bricked by a design flaw in the hardware, software or both.
Yes, it can happen to Apple and other hardware providers. I am not in denial.
The next thing you know the CIO, vice presidents, presidents, deans, department heads, faculty and a huge population of students want to roast your `Chest Nuts` over an open fire, a torch or anything else they can find. Your job is now history just because some engineer failed in quality control at a corporation; and you did not have the vision to use more than one brain cell.
The solution?
Try not lock yourself into just a single hardware or software provider. If everyone is thinking alike, then someone isn’t thinking. Simplicity does not reduce vulnerabilities in the IT trade. Diversity increases success and sustainability.
Edited 2007-12-21 17:46 UTC
The OP was on the subject of improved MS practices WRT security. The fact that an avenue like activeX allows for the bricking of a machine would suggest that not much has changed in practical terms concerning the security of MS based systems.
“Apple ignored the lessons of Microsoft until recently”
what are you talking about! apple built osx on top of BSD…. that along proves they DID learn for MSs mistakes! (did’nt MS build NT on top of a variant of cheese?)
What can you actually deduct from such numbers? It looks like OS X has gotten the most bugfixes but you can’t really deduct the reason for that from the numbers! It could be almost any reason whatsoever: they just might have more bugs that Windows, or they might just dedicate more people to fixing bugs, or people are more willing to report bugs to Apple or… Nah, completely useless numbers. Interesting? Perhaps to some. But useful? Not in any way except for those who try to spread FUD either way.
The reasons, quite frankly, are irrelevant. I could care less why the security exploits exist. What I care about is whether Apple is doing anything to mitigate against similar risks in the future. But, clearly, getting defensive about quality issues — as you’re clearly doing here — is counter-productive. You can pretend that quality problems don’t exist but, in the end, the quality problems do exist. So, just acknowledge that Apple needs to focus more closely on this problem. That isn’t FUD. It’s simple common sense.
The reasons, quite frankly, are irrelevant. I could care less why the security exploits exist. What I care about is whether Apple is doing anything to mitigate against similar risks in the future. But, clearly, getting defensive about quality issues — as you’re clearly doing here — is counter-productive. You can pretend that quality problems don’t exist but, in the end, the quality problems do exist. So, just acknowledge that Apple needs to focus more closely on this problem. That isn’t FUD. It’s simple common sense.
Umm…Why would I get defensive? I have said it several times that I am a Linux user and I don’t even own a Mac.. Duh. I just said that one can’t deduct anything conclusive whatsoever from such numbers: not against Mac OS X nor Windows. And no, I don’t like Microsoft but I still do defend Windows too when someone tries to bend the truth or just plain spreads FUD. I just wish everyone did that regardless of what OS they run.
Duh. I just said that one can’t deduct anything conclusive whatsoever from such numbers: not against Mac OS X nor Windows.
What you can deduce (not deduct) is that Apple has experienced a rapid increase in security advisories year-over-year and, consequently, it needs to focus on quality to reverse the trend.
, consequently, it needs to focus on quality to reverse the trend.
Nope, it doesn’t say anything about the quality of the underlying platform itself. There are just too many factors to consider when counting the numbers that it’s impossible to just claim that one OS is better than the other just because it has had less security updates.
Nope, it doesn’t say anything about the quality of the underlying platform itself. There are just too many factors to consider when counting the numbers that it’s impossible to just claim that one OS is better than the other just because it has had less security updates.
Did you bother to read my previous comment — or did you just go into kneejerk mode? I didn’t say that “one OS is better than the other”. I said that “Apple needs to focus on quality to reverse the trend” toward higher numbers of reported exploits. Step off the zealot soapbox for a minute, nod your head, and agree with common sense. It’s not that difficult.
Have you considered that maybe they have a higher number of reported vulnerabilities now (which means more stuff being fixed) precisely because they might be actually focusing more on quality?
Have you considered that maybe they have a higher number of reported vulnerabilities now (which means more stuff being fixed) precisely because they might be actually focusing more on quality?
Patches for security vulnerabilities tend (primarily) to be reactive in nature; that is, they aren’t found through proactive means (ie. code reviews, static & dynamic analysis tools, Pareto analysis, etc). The best point in time to find an exploit is before you ship the code. But, since Apple is not only experiencing bugs in its own shipped code but in code which shipped (and ships) with OS X, it means that Apple is behind the curve on finding exploits. As market share increases and more people start to exercise the code, I would expect things to get worse before they get better. Nonetheless, no one should construe my comments to be criticism of Apple. Apple is a great technology company with a lot of interesting products. I think that quality does matter to Apple, and I’m sure that they’ll respond accordingly. Microsoft experienced similar problems in past years, and it wasn’t really until XP SP2 that things started to improve.
does that mean, they list the founded and patched ones? that would be a good result for Mac OS X.
If this are just the founded but unpatched one, this is bad
For one macbook hacked (rewarded $10000) how many plain PCs got hacked in the real world for free ???
How long will your windows XP box can survive crusing the internet without third party tools (anti-sypware, anti-virus, real firewall…) ???
I saw the case many times at work, it’s a question a minute before your screen is full a pop-up…
Is OS X more secure than windows ??? I don’t know and I don’t care and the author’s article doesn’t answer this question, instead it uses numbers to give his point of view some credit.
Sorry but I don’t buy.
I use several OSes on a daily basis (mostly UNIX based) and though they all have flaws ( and related patchs, bugfixes) they are stronger (out of the box) than their windows counter parts…
I saw the case many times at work, it’s a question a minute before your screen is full a pop-up..
Sure, maybe pre-SP2.
For an unpatched XP vanilla machine placed on the internet, without opening Internet Explorer, the average time before the machine is exploited, is much less than a minute.
Thank you for your reply but sure I see SP2 boxes that have the same issues… (again without any third party tools). Don’t get me wrong, Windows XP (never really used Vista) can be used in a secure way and can be a great system but it needs either some tweakings and/or third party tools and an educated users.
SP2 systems don’t get hijacked “in minutes” is what I meant. Most people running SP2 systems that are infected are so because they blindly click things.
I ran my XP box without firewall for quite some time, nothing happened, but then my ISP blocks port 135 and maybe a couple of others for what that is worth. I’ve also ran without antivirus and antispyware for even longer with no huge issues, but then I don’t download questionable programs of which I haven’t heard earlier and so on..
Anyway it doesn’t matter, people run with firewall and antivirus, and just because a bunch of people haven’t decided to automaticate the process of owning macs doesn’t make them more secure. It still suck if you are at a risk. I would actually much rather be turned into a drone of millions used to blackmail corporations or for DDoS attacks than having someone who actually cared about my machine and data own me.
Thank you for your response.
1) you had issues (your words “no huge” implies issues).
2)more important you seem to be some kind of educated user since you can detect “questionable programs”.
Now you use an XP box without firewall, without AV nor AM and your not behind a router (we all now that when using a router this gives attackers more troubles) and still you never had issues… I’m sorry I don’t believe you and even if you’re right you certainly don’t represent the vast majority of windows user I was refering to.
The vulnerability stats in the OS X side include:
– OS X *server* vulnerabilities: Apache, PHP, mysql, bind, squirrelmail
– 3rd party software like Java or flash
– Really old OS X versions
– CVE duplicates
I discovered this by just clicking a few CVEs. Didn’t the author even look to some of his own links? Obviously not. Or worse: He did, but he wanted to generate controversy to get more visit. Oh well, he has succeeded.
Hey, and OS X may certainly have more vulnerabilities than Vista/XP, but you won’t guess that from that list.
Edited 2007-12-20 22:26
I’d noticed that too. The fact is, I have a virtually untouched (i.e. very little 3rd party software) OS X installation. I’ve enabled the Apache server, Windows and FTP file sharing and run both Safari and Firefox, and have never experienced any issues at all.
To be honest, I have not had too many issues with Windows XP SP2 either.
Java and flash comes with the OS on a mac thought… But yes, should probably be counted on Windows aswell since people use them anyway.
“Java and flash comes with the OS on a mac thought… But yes, should probably be counted on Windows aswell since people use them anyway.”
Accept that Mac’s JVM is made by Apple and includes extras like the Java-Cocoa bridge (now unsupported) that provides a larger attack surface. Windows JVM is made by Sun and contains no extra code regarding Windows API (which is what Sun sued MS over in the first place). So flaws in Mac’s JVM can’t be assumed to be present in JVMs of other OSes, since those flaws could be Apple’s doing. And fixing the Mac JVM is Apple’s responsibility, and Apple does fix their JVM via their Security Updates, while Sun is responsible for shipping updates for the Windows JVM.
(Side note: Windows doesn’t ship with a JVM, though OEMs normally do bundle Sun’s. And IIRC, XP has always shipped with Flash, though it’s whatever the current version was as of 2001, so normally new XP users have to upgrade the Flash component to a modern version.)
then it will be complete comparison
Which Linux distro? Starting from which version number? Do we include all the server software also or just the default “desktop install”? Nuh-uh. That still wouldn’t be comparable or fair towards any of the OSes in question.
“Which Linux distro? Starting from which version number? Do we include all the server software also or just the default “desktop install”? Nuh-uh. That still wouldn’t be comparable or fair towards any of the OSes in question.”
Well, let’s just go with Red Hat.
http://www.redhat.com/security/updates/
OK, to be more specific, let’s go with Red Hat Enterprise Linux:
http://www.redhat.com/security/updates/errata/
There’s a lot of distros listed on this page, so let’s get even more specific, and go with RHEL Desktop Workstation (v. 5 client), which was released this year.:
https://rhn.redhat.com/errata/rhel-client-workstation-errata.html
Wow! Security updates a-plenty! And that’s in less than one year. Makes both Windows and Mac look like Fort Knox by comparison. :p
Just for grins, let’s look at an older distro, Red Hat Enterprise Linux WS (version 4), released in 2005 just to see how many security updates there have been over a longer period of time.
https://rhn.redhat.com/errata/rhel4ws-errata.html
Good Gravy!! I thought Linux was “Secure By Design”. :p
Relax, Linvocates, just having a bit of fun.
Edited 2007-12-20 23:34
Windows and Mac look like Fort Knox by comparison. :p
That sounds interesting. In what universe, does number of security updates equate to security?
So, for example: Fort Knox installs/updates its security measures once a month (lets say). My garden shed has never changed its security. Ergo (using your reasoning) my garden shed is more secure than Fort Knox.
hmmm, I see your sarcasm detector was switched off when you read Mollyc’s comment.
Why, the MS PR universe, of course…
Now, I don’t see Linux mentioned in the article. Gee, I wonder how come we ended up on this off-topic subject? Oh, yeah, we were brought here by some infamous anti-Linux FUDsters who don’t even understand that there is *much* more non-OS software installed with a default Linux desktop/server than there is on a Windows install.
Have no fear: the brave members of the Microsoft Defense Brigade won’t let a mere technicality as truth stand in the way of their message…
Who? The article author, or MollyC?
Oh, I’m not answering that question! 🙂
That sounds interesting. In what universe, does number of security updates equate to security?
So, for example: Fort Knox installs/updates its security measures once a month (lets say). My garden shed has never changed its security. Ergo (using your reasoning) my garden shed is more secure than Fort Knox.
That’s simply the best analogy I’ve ever read regarding this issue!
It’s rare that I crack up laughing when reading comments but that sure made my day ^^ Damn, I guess I gotta start keeping all my valuables in a cardboard box since it’s so much more secure than any bank or vault available :3
Wow! Security updates a-plenty! And that’s in less than one year. Makes both Windows and Mac look like Fort Knox by comparison. :p
Of course there’ll be lots of security updates if you include the updates for _everything_… Besides, is lots of updates a good or a bad thing? I’d actually go for good thing cos IMHO that shows that atleast there’s a lot of people all the time working to make sure that it is and stays up-to-date and secure. But that still is just an opinion, it’s not a fact as such just can’t be drawn from any number of updates. And as I said, it’s unfair towards all the OSes in question to even compare them based on their number of security updates: it’s perfectly clear that there will be quite a slew of updates all the time for OSS software just simply cos there’s so much people working on them! Also the whole development model of those proprietary OSes vs. Linux is so fundamentally different that one can’t really say anything definite when comparing them.
Geesh, I’d wish people would stop this utter BS of comparing OSes based on the number of security updates…IT SIMPLY PROVES NOTHING EITHER WAY! If one really _must_ compare OSes, do it based on their merits and features supported..
Sarcasm works best when you put real snark into it.
Just a helpful hint from me to you.
More BS FUD from a company posing as independent but actually working for Microsoft. Obviously they are getting us to fall for posting on here about this extremely lame article.
I have several Macs which my wife and I use with no AV or AM (anti-mallware) and have never had a problem with anything successfully attacking my Mac. Heck, I never even see something attacking my Mac. But then something could be there doing nothing and waiting for Jan 7th at 10:03 am on 2036 to do something bad to my Macs.
Probably not. Just more FUD.
Exploits are malware are two different things. If you want to wreak maximum damage (which is the goal behind most virii) or want to set up a botnet for more commercial reasons, you are going to go after the operating system with the most users. Why would you make worm to attack 11% of the computers on the net, when you could make a worm that could hit 80%? This is not the first time someone has taken the time to point out to us how insecure the platform is (remember MOAB?) The fact of the matter is that at this point, Apple doesn’t NEED to be secure. It is when the marketshare hits 20-30% that they need to start taking security seriously
The fact of the matter is that at this point, Apple doesn’t NEED to be secure.
That’s a cop-out and you know it. All OS software needs to be secure in the net-centric age.
Edited 2007-12-20 23:23
What’s more, all security should be built from the ground up, by design, not by trial and error. If it’s not meant to be broken into it should not be possible to do it.
“What’s more, all security should be built from the ground up, by design, not by trial and error. If it’s not meant to be broken into it should not be possible to do it.”
In principle, you’re right. Trial and error is not a orogramming concept.
But on the other hand, security is not a state, it’s more a process. Complete security can only be achieved in disconnecting a PC from Internet connections and extraction of external media drives.
As you know from the UNIX world, OS developers did great jobs creating systems that are very safe by default. One concept here is “all closed by default, enable what you need” instead of “all open by default, close something when problems occur”.
The ewakest part inside the security chain resides between the chair and the mouse. 🙂
And I have had a number of Windows computers since the release of XP and none of them have run Anti-Virus or Anti-Malware software and I’ve never had a problem with them… all this proves is that I’m a sensible user and know about the various security threats that exist.
In the real world however there are people (lots of people) who think “Oh, cool, look at this video player that lets me watch porn… I’ll just type in my administrator password, my bank account number, my national insurance number…”.
No, it proves that you have little green leprechauns guarding your household. Because I fail to see how the fact that you are “a sensible user” and “know about the various security threats” (wow) magically manages to protect your computers. Do you actually do something to protect them yourself? Do you take measures of some kind? What do you do, stand in front of the UTP wire with a baseball bat and look mean? Did you perhaps forget to mention that your ISP runs a tight firewall? Or that your computers are behind a router? Because otherwise, a naked XP SP2 on a public IP, no antivirus, no firewall, equals not your box anymore. If that’s not the case, consider giving the little green men their due credit, dude.
Or that your computers are behind a router? Because otherwise, a naked XP SP2 on a public IP, no antivirus, no firewall, equals not your box anymore. If that’s not the case, consider giving the little green men their due credit, dude.
Won’t you people stop bashing XP when you yourself don’t clearly have a clue? I am a Linux user first and foremost but I do use XP to play games (Linux sucks for gaming). I installed XP SP2, it had firewall on by default so no problems there..There is a router in my network but it was acting as a plain bridge so it means there was no NAT involved. I didn’t install any security software on the machine either. It worked just fine for half a year before the hardware itself malfunctioned. Now, you’re either saying I’m a liar or that I had some green leprechauns too? Nope, XP isn’t as insecure as you claim. Sure it has it’s issues but most of them are caused by the USER!
Well I sure stand corrected. If you say so it must be true. I must have dreamed about all those times I’ve seen XP boxes infected with my own eyes, after being connected directly to the net without a firewall and antivirus.
without a firewall
That’s the keyword: XP SP2 installation by default enables the firewall..
Study first, spread FUD later 
And no, I mean the full installation, not the original XP with SP2 installed on top of it. I’m not sure if that enables firewall or not by default.
My point is that an OS that needs a firewall to be secure is not secure by design and by definition. If all the services and the software it comes with (IE, Outlook) was secure, there wouldn’t be any need for firewall.
Contrary to what you may have heard, firewalls are not supposed to be used for security, except as a last resort, a backup, a paranoid tightening of security applied on top of real security measures. The real security comes from a secure, unhackable, OS and applications. Yet, sadly, nowadays almost everybody and their cousin lets the OS and applications full of holes and tries to “fix” everything with firewalls and anti-malware.
That’s the approach you praise Microsoft so much for. Think for a second. It’s been a decade. If their approach was working it would’ve worked by now. And yet we still hear news of botnets and stuff like that daily. Don’t you think it’s about time we ditched a defective security model for a working one? UNIX and Linux have shown us how it can be done in viable products. The BSD, Linux distro’s and Mac OS X are proof of that. It’s not them that have tens of thousands of known viruses and worms and trojans and malware crawling around. It’s not them that need to run antiviruses and anti-malware and firewalls.
Yep, behind a router performing NAT. I do have a particularly good ISP however and they probably do run a very tight firewall… I wouldn’t consider paying £20 a month to anyone that didn’t.
Again though… what is it with people on this site and their attitudes? Are they just unable to put together a coherent argument or comment without being demeaning or acting like children? Pathetic!
Let me get this straight. You came out in public and said clueless things and still you are upset that someone would put you down for it? Why is that?
Look. Just because you believe something does not make it true. In this wonderful world in which we live people can have differing opinions. If you disagree with mine, fine, then post yours, you don’t need to be an asshole about it.
The fact of the matter remains. With nothing more than a router performing NAT between your computer and the internet you *REALLY* are pretty damn safe WHATEVER operating system you’re running. So long as you’re sensible with what code you allow to run on your machine you have little to worry about.
I’m not saying that XP was perfect, and pre-SP2 it did have some *ASTONISHING* security holes… yes, of course I’ve seen XP machines infected within SECONDS of connecting to the internet, it just never happened to me thanks to my NAT router.
I don’t know what I’ve said that you think is clueless. All I’ve told you are my experiences.
Which clearly show you don’t know much about security, and yet you think you do. Of course we’re all entitled to our opinions, but some of them are based on fact and knowledge and others are not.
If you believe that using NAT is pretty good security then there you are. Firewalls fall under the same category. They can be bypassed using vulnerabilities in installed software, which is allowed to traverse the blockage, such as browsers, instant messengers or email programs.
No firewall or NAT will fix security design faults in the software that already runs on a machine. They are useful in very particular circumstances and should be used mostly for paranoid purposes, or for reasons not related to security (NAT and iptables masquerading).
Using firewalls and routing for security is horrible patchwork and those who rely on them alone will get what they deserve. A secure system is one that can be connected directly to the net with a public IP, with no firewall or NAT or router in between, and will still not be compromised, neither by remote attacks nor by faults in the running software. Windows does not qualify. Not even Vista.
You think your ISP is running a firewall for you? Boy, are you delusional.
“And I have had a number of Windows computers since the release of XP and none of them have run Anti-Virus or Anti-Malware software and I’ve never had a problem with them…”
Sorry, I may tell you that this claim does not have any value because you simply cannot tell if you have any problem. Most malware works in the background so the user of the compromized PC does not notice anything – this is intended for the malware running in the background and doing its job.
Formalized: Security issue = { yes | no | can’t tell }
Trinary logic.
Because “Windows” usually does not provide sufficient means of diagnostics you cannot gain any knowledge abozt what’s goiing on inside your system. So it’s not very educated to state “I have no problems” while you really don’t know.
Compare it to a traffic light that you cannot see. It is either red or green, but without looking at it, you don’t know in which state it is.
And man, viruses don’t say “echo Looking for Sybille” anymore. 🙂
” all this proves is that I’m a sensible user and know about the various security threats that exist.”
No, this doesn’t prove this statement, allthough it’s completely possible that you are a sensible user with knowledge about security issues.
It proves that you cannot tell.
But it could also imply that you are a irresponsible user that does not care about how he is a threat to others on the Internet.
“I don’t care. I have my dancing elephants, my porn video playing and I can download MP3 for free. Viruses? No, I don’t have any.” *ring* *ring* “Hello, Sir, this is the FBI. You’ve been conveyed to have running a file server that shares child pornography. May we have your PC for evidence please?” Oops…
In Germany, users of “Windows” got convicted because they did run an illegal file sharing system. They claimed to have no knowledge about this, but they were sure they had no virus or malware issues, because they didn’t care.
I’m sure you know what I’ve tried to say.
As I said above, I am behind a router performing NAT, the only conceivable way a virus could take control of my computer is if I was to download a trojan or some ActiveX control. I use Firefox, and I rarely download any software.
I do know a little bit about network traffic analysis however, and my router does provide extensive logs… I am confident that there is no malware on my computer.
Regardless your point is valid… but even with Anti-Malware software installed you still don’t KNOW that your system isn’t infected. How long did Sony’s rootkit hide out before someone discovered it? Your point also applies to ANY computer system attached to a puplic network… that means Linux and OS X too. So unless the users of those platforms are running Anti-Malware software even they can’t be sure that their systems aren’t infected. (And even WITH Anti-Malware software you STILL CAN’T be SURE).
“As I said above, I am behind a router performing NAT, the only conceivable way a virus could take control of my computer is if I was to download a trojan or some ActiveX control.”
Of course, routers and NAT do provide a gain of security. In such settings, attack success usually comes from the local network where a user might be that unaware of a danger that he lets malware take control over certain parts of the security subsystem.
“I use Firefox, and I rarely download any software.”
Another point for security.
“I do know a little bit about network traffic analysis however, and my router does provide extensive logs… I am confident that there is no malware on my computer.”
You could use a packet analyzer like Ethereal to check your PC with another PC from the same net (monitor LAN traffic). Just to be sure. If you have the respective knowledge, you will be able to detect any strange traffic elements very quickly.
http://www.ethereal.com/
Using such a tool properly can enable you to say something about not having malware running (for the moment) with reliable certainity. If your repeat checking periodically, you can make very definite statements.
<ii>”Regardless your point is valid… but even with Anti-Malware software installed you still don’t KNOW that your system isn’t infected.”[/i]
Yes, this is true. I didn’t claim any opposite, so you’ve seen the implication correctly. Anti-malware software and Anti-virus software give you extra points for security, but of course they do not privide 100% certainity.
Regarding checking those applications can only check what for what they know. Very new kinds of attacks can still have an impact on a system that is invulnerable to the “usual” stuff.
“How long did Sony’s rootkit hide out before someone discovered it?”
I think this a “Windows” only problem. When an OS privides means that make it easy for an attacker do develop a “plug” that is able to get into the system and abuse it, then nobody needs to wonder about it.
“Your point also applies to ANY computer system attached to a puplic network… that means Linux and OS X too.”
Yes, it does. But I think you know that it’s MUCH more complicated to compromize a UNIX system, especially when it’s been set up correctly by someone with sufficient knowledge.
Maybe this situation would be more interesting if Linux would have the same oh joy oh market share as “Windows” has today, and if it would be pre-installed on PCs with a configuration that abandons all means of security in the first place. 🙂
“So unless the users of those platforms are running Anti-Malware software even they can’t be sure that their systems aren’t infected.”
UNIX systems provide very limited facilities that an attacker can use. And due to the openness of the source code (i. e. for BSD OSes and Linux), constructors of malware would see that it’s nearly useless to try to break through the default means of security. The only chance is a sloppy administrator or a malign installation.
For example, one could argument that MICROS~1 integrates means of uncontrolled, unauthorized and unlogged data transfers from and to a PC intendedly, and so there’s no reason why a criminal should not use these means, just because they do exist and are quite easy to use.
It’s very easy to gain access to a machine that has no passwords installed. If you have a UNIX box with an empty root password, or a UNIX box in a network that communicates via telnet, you can be sure that the box is yours in a few minutes. On the other hand, it can be very complicated to compromize a “Windows” PC with passwords and a firewall that resides behind a router with NAT. This is where the attack has to come from the weakest parts – the user. And I think you don’t count here: Most attacks that work this way target unexperienced and, sorry to say it this way, plain stupid users – sadly with success, and that’s why more than 90% of the worldwide mail traffic is spam.
“(And even WITH Anti-Malware software you STILL CAN’T be SURE).”
As I said before, it increases certainity, but a 100% protection is only possible if you unplug the NIC and extract the drives. 🙂
But then something could be there doing nothing
Isn’t that what Mac users generally do, since there’s only like 10 apps for the Mac anyway?
Zing!
(yes, I’m joking)
Oh! Well if you’ve never had a problem then Mac’s must be perfect, I’ll switch now.
Counting how many security bulletins or exploits are discovered in a given time frame does not go very far in proving anything.
When I see the front page news declaring that millions of OS X machines were rendered completely unusable due to an exploit running wild I’ll be more inclined to say they might have security issues.
This has happened multiple times in the past with Windows. Granted the last big one I remember was Code Red or Slammer in 03 which tells me that MS has improved security.
However counting security bulletins is not going to rewrite history or change the perception that Windows is more exploit prone than OS X.
What I don’t understand is why MS seems to be held accountable for every stupid thing they have ever done. Pre-DoJ anti-trust MS and post DoJ anti-trust are very different when it comes to corporate practices. Pre XP SP2 MS and Post XP SP2 MS have been very different when it comes to security. Pre IE7 MS and Post IE7 MS have been very different when it comes to web standards.
Its not like these things are opinion or anything, they are documented and show up as news stories on sites like this all the time.
“What I don’t understand is why MS seems to be held accountable for every stupid thing they have ever done. Pre-DoJ anti-trust MS and post DoJ anti-trust are very different when it comes to corporate practices. Pre XP SP2 MS and Post XP SP2 MS have been very different when it comes to security. Pre IE7 MS and Post IE7 MS have been very different when it comes to web standards.
Its not like these things are opinion or anything, they are documented and show up as news stories on sites like this all the time.”
Well, as I’ve said before (and been flamed for it), many Microsoft haters don’t *want* Microsoft to improve security, and go out of their way to deny any evidence there-of, because they’d prefer to have security remain a reason to bash the company as well as a talking point to tempt people to switch to their OS of choice.
I’m not saying that Bit-Rapist is one of these, since he acknowledges that the last major Windows malware outbreak was years ago, before XP SP2, which tells him that MS security has indeed improved. But others would ignore such evidence altogether.
Now I am a Linux user myself and I do agree with you that MS Windows has come a long way in becoming more secure, although I still wouldn’t put in on the level with Linux and Mac only because I find the Unix model a better one, But none the less Improvement is good. But if you really want to stop the Zelots on the Mac and Linux side (and make no mistake they annoy me too) you might wanna start with pointing your finger at some of the Windows folk that still pull out Gems like this article as a real measure of security. Cause as much as the Linux and Mac zelots spit out half truths MS zelots toss back more then an equal amount of fud.
Also just to be clear I have said it many times use the best tool for the job you are doing and secure it as need be for the users that will be on it.
Yes, and many MS supporters are paid mucho $ to stand up for Bill and Steve’s Excellent Profiteering, as well as libel and defame “MS haters” (normal people).
Edited 2007-12-21 16:45
Yes, and many MS supporters are paid mucho $ to stand up for Bill and Steve’s Excellent Profiteering, as well as libel and defame “MS haters” (normal people).
Who is being paid? If you’re so convinced of this, then name names. I’d really like to know who these people are.
M-Colly is all about the Benjamins. Word.
“M-Colly is all about the Benjamins. Word.”
Oh, go “play artist: Tiffany” and get off my back! :p
M-Colly is all about the Benjamins. Word.
Care to back that up with proof? Or is this just a hit-and-run?
Man, if you can’t see the truth with your own eyes, I can´t help you none, son.
Pre XP SP2 MS and Post XP SP2 MS have been very different when it comes to security. Pre IE7 MS and Post IE7 MS have been very different when it comes to web standards.
Around June last year, you would have said:
Pre XP SP1 MS and Post XP SP1 MS have been very different when it comes to security. Pre IE6 MS and Post IE6 MS have been very different when it comes to web standards.
Yes, MS have been pulling their act together, but it has been a long process, and it isn’t finished yet.
“Around June last year, you would have said:
Pre XP SP1 MS and Post XP SP1 MS have been very different when it comes to security.”
XP SP2 was released over three years ago, so I doubt he would’ve been making claims about SP1 in 2006.
The fact is, SP2 *was* a major shift in Microsoft’s security mindset and implementation. SP1 wasn’t.
And? Vista was released over a year ago, and still he is making claims about XP SP2
“And? Vista was released over a year ago, and still he is making claims about XP SP2”
Um, could that be because XP SP2 was when the major security improvements started? And therefore the release of XP SP2 serves as a milestone, regarding Microsoft security policies? Which is why he talked of the significance of pre-XP SP2 vs post-XP SP2?
Good grief, man.
I said XP SP2 because before that point, they didnt seem to really take security seriously. After that point, they have shown that they are. SP1 still didn’t. Vista does.
IE6 still sucked
Edited 2007-12-21 05:02 UTC
No, actually, I wouldn’t have. SP1 was still a joke, SP2 gave a measurable improvement. IE6 actually introduced MORE rendering bugs, IE7 got rid of most of the big ones.
THAT we can agree on.
Because they have proven time and time again that you can’t take your eyes of them, and that they need a bat to keep them in check. Did they change by themselves, saw the error of their ways so to speak? Hell no. It took (and takes) lawsuits, an enraged public, fear of losing profits, governments speaking up against them. And the moment you cut them some slack they raise their head and bite you in the ass again. At some point everybody will say “enough”.
Oh, and remember the wonderful gift that Microsoft made the world: the absolute crappy situation with personal computer security in the world today. You know why there are worms, exploits, antiviruses, botnets, a large underground industry of malware and a large parasitic industry of anti-malware? Because Microsoft created them by crappy security in the OS they nearly succeeded in putting on all computers on the planet. Next time you hear about billions of dollars lost to attacks and how security on the net is such a big issue, remember who to thank.
I’m sorry, but you just really proved my point here. I agree that they have done alot of crappy things (and still do). I don’t think we should re-write history, or ignore the things they are still doing (like OEM pressure games)
For about a year and a half before XP SP2, I used to hear about that around once a month. After SP2? Barely ever. They are taking security seriously, and have made big improvements. Unless you are complaining because you enjoy complaining, your memory shouldn’t stop at the point when things started getting better.
Im not saying they are perfect, I am not even saying they are not evil. My only point in this comment is that people are still nailing them to the wall over things that they have obviously listened to, and shown significant improvement on.
Question 1: Can you put a fresh Windows XP SP2 install on the net without firewall and antivirus, browse the Web for a while with IE, and be 99% sure the computer won’t be compromised?
Question 2: What do all those botnets we hear about every week run on?
I think that’s enough to tell you where security and Microsoft stand. Their approach to security is bad, has always been bad, and they show slight signs of improvement only when forced to do so. Same goes for their respect for standards, anti-competitive practices and attempts to treat consumers like cattle.
Showing signs of improvement just because you’re being beaten over the head and screamed at is not how a normal company should behave, it’s how a dumb beast is expected to behave.
We know how security is supposed to be like. UNIX and Linux derivates do it properly. So do many other OS’s. Windows doesn’t, and Microsoft refuses to take responsability, but is happy to spread Windows as wide as possible. We know what respecting standards should be like, yet Microsoft has pissed on that with the recent OOXML business. We know what respect for consumers should be like, and yet they keep pushing more DRM and playing nice with the media companies while stabbing even them in the back when they get a chance (see the PlaysForSure saga and the Zune).
I’m sorry, but until they show some real signs of improvement of their own will, I continue to treat Microsoft as a poisonous snake, will only approach it at a stick’s lenght, won’t turn my back on it, definitely won’t close my eyes and pet it. What I see every day about them does nothing to improve that feeling.
Oh Please. Their efforts to fix their security mess have been Herculian.
How about enumerating how Unix/Linux does security property compared to Windows. I’ll grant you the administrator as default in XP, but this is something prior to XP SP2. UAC is brilliant.
You seem to be blinded by their politics e.g. OOXML and DRM the way they treat their customers DRM and past security problems. Microsoft is a big company and Balmer is certainly someone not to be trusted but when it comes to security Microsoft’s current security practices can only be commended.
Here you go:
http://www.ranum.com/security/computer_security/editorials/dumb/
Administrator as default is just one of many things that are wrong there. And UAC is a good idea, but a bad implementation, because it makes users disable it, at which point it’s useless.
The core problems with Windows security are not just Microsoft’s problem, they have infected the very way Windows users think about security. They seem to take it for granted that the solution to malware, for instance, is anti-malware software.
In other words, that it’s normal to just let malware in the computer and try to catch it afterwards, when it makes a lot more sense to not let it in in the first place. Anti-virus vendors love this idea because it allows them to sell their stuff. They’re also the ones that issue reports about how big of a problem security today is and every once in a while they try to peddle their stuff for Linux and Mac OS X too, only to be laughed out of the building every time.
This wrong way of thinking is so pervasive that I see it everywhere, even in National Geographic documentaries, for God’s sake. They ran one recently that talked about how a “hacker” penetrated a random US government agency’s network and did stuff to it. And they showed how an expert was brought in and started looking around and so on. And never in the entire show was anything sensible was said about computer security, such as what the hell was a sensitive network doing connected to the Internet in the first place, or why the first reaction to the threat wasn’t taking it offline.
Which brings us to the sane way of handling security: if it’s not meant to be hacked or vulnerable, it shouldn’t be. You need to design it from the start as secure, NOT just release it and worry about security later. Because that’s what gave us stupid “solutions” like getting infected first and trying to clear it later. By contrast, BSD, Linux, Mac OS X, go to the source of the problem. They go for the vectors of infection and propagation. It’s much more feasible to not let malware in then worry about what to do once it does get in.
Agreed.
The thing is, Vulnerability Stats show us nothing.
If there was a List showing us the time from when an exploit was discovered to the time when the vulnerability was fixed, it would show us a lot more.
The more bugfixes there are the better! it shows us that the people responsible for the software do something about it and fix it.
Edited 2007-12-21 19:25
Most of those vulnerabilities are not OS X itself but rather software than comes with them. Also they assume you have them services running or are even using them is rather over the top.
The biggest problem we have is peoples compilation of stats rather than actual accurate vulnerabilities that apply.
Edit: Someone already seen it, see Complete bullshit.
Edited 2007-12-20 22:43
If Apple put it in the OS, it’s part of the OS.
“That’s not OS X itself, it’s software that comes with it” is a weak, weak argument.
You could extend that further and apply it to virtually any line of code in OS X except what’s in the kernel: “That’s not OS X, that’s just a library it comes with!”
This has nothing to do with what Apple ships with OS X. It has to do with making fair comparisons. For example, they included a security flaw in the Flash plugin as an OS X flaw. This same flaw also applies to XP and Vista (Flash is just as universal on Windows, even though MS didn’t include it with the OS) to the same extent, but it was not counted.
In any case, the number of flaws discovered isn’t exactly a great measure of security. The number of days from disclosure to fix is probably a better measure.
As mentioned above. I noticed that a lot of the issues in non-OS software on the OS X side. There are patches for things like Flash, MySQL, et cetera. Look at the December list for example. I count six bugs that are truly OS, base library problems. That bumps up to seven if you count the one Mail.app bug, but we don’t have the corresponding list for Outlook Express in the tabulation, so I’m not going to. The overwhelming majority of the bugs were in Perl, Python and Java. That means those probably exist in those components on both Windows and OS X (and Linux). That month there were seven Windows exploits listed too. So that’s break even.
This is all beside the point. OS X is going to have the same security issues that any other OS is going to have. It is nearly impossible to design software of this order of magnitude that doesn’t have these sorts of problems. The marketing message does provide a false sense of security. All that is true. However this article’s methodology is simply not as rigorous as he likes to pretend it is by throwing up big charts.
It’s a ZDNet blog, what do you expect?
Seriously though, perl and java are libraries maintained by apple and that ship with apple. They could easily be platform specific. Not as sure about python, but I wouldn’t be suprised there either. Stuff like Flash and MySQL definately shouldn’t be counted though
Seriously though, perl and java are libraries maintained by apple and that ship with apple.
I’m sorry but that’s not the case. If you go over the issues you will see that they appear in security advisories for many other OS’s as well. It is not in OSX specific code.
Edited 2007-12-20 23:23
Even so, Perl, Java, and Python are all language interpreters that ship with OS by default. If there is an exploit, it is an exploit. Whose fault is rather academic, it is still an exploit that appears on every apple machine, and its apples responsibility to either fix it, or not ship it. Im sure you would agree that .net exploits should be counted, for all practical purposes it is the same thing.
.NET exploits should be counted as .NET exploits not Windows exploits. It is moot when we talk about overall system security. It is not moot when someone tries to write some sort of anti-MS or anti-Apple hit piece, like this hack writer did.
.NET exploits should be counted as .NET exploits not Windows exploits. It is moot when we talk about overall system security. It is not moot when someone tries to write some sort of anti-MS or anti-Apple hit piece, like this hack writer did.
I don’t have any problem with rolling up all of the constituent exploits (ie. .NET, Java, etc) if those components are shipped with the OS, because it gives a better overall picture of the security of the OS. A platform is only as secure as its weakest link, people! If OS makers don’t want to be accountable for shipping crappy software, then they shouldn’t ship crappy software.
But the point is that it is disingenuous to claim that these are purely Mac OS X bugs alone. That is what the poster you were replying to is trying to say. The report claims that these are some how ‘Mac OS X only bugs’, and some how Apple is to blame for it. Yes, they incorporated it, yes, they maintain it, but at the same time, this is code which is shared, the vulnerabilities are not purely a Mac OS X.
What we’re saying if you compare Mac OS X *ONLY* exploits, that is, exploits which only exist on Mac OS X, its a lot lower than Windows – we don’t deny that shared projects like perl might have vulnerabilities but they don’t sit under the banner of Mac OS X; it would be considered a multi-platform vulnerability.
Ignoring the ridiculous nature of the original article trying to justify things by using pointless (IMO) statistics, if software ships with the product and is enabled by default, then for all intents and purposes any bug should be classed as a bug within that software. A lot of the code that is included in OSX that isn’t written by Apple is openly available, so Apple engineers can and should inspect that code to make sure that *their* OS is secure. Blaming 3rd parties doesn’t solve anything.
Lets see how many actual cases of infections happened in the wild between the two platforms and compare that against their respective total populations. So I’d say it’s something like 0.00% vs 20%… I’m not sure about the latter but I’m pretty sure the former is accurate.
For those who don’t know who he is, here are a few other unbiased articles he has written in relation to Apple:
http://www.macalope.com/2006/08/30/george-ous-greates-apple-hits/
That guy is a Mac hating tool. Especially funny was the article where he said the PSP was a better alternative to an Ipod… hmmm Apples to Oranges there…
Although, I do use (and Love) my PSP, I did not get it as a replacement for an Ipod, or instead of an Ipod, I got it as a PSP…
I don’t have any real point to make, I’m just posting as an excuse to mention how awesome I am (because I don’t use Microsoft products). Especially not the product that is the topic of this post. Wait, what’s the article about? Huh, maybe I should have read past the word “Microsoft” before hitting the “Post comment” link…
No matter – how about I just list off *all* the Microsoft products I don’t use? Just to be safe.
you misspelled microsoft
Whoops, you’re right. I meant “MS” and “MICROS~1.”
it appears that osnews auto-edited what I originally typed for the joke: “micro-$-oft”
ZDNet is still engaging in irresponsible journalism about vulnerability counts from Secunia. News at 11.
Why do we even bother with this stuff? They pull the same old tricks with Linux and OSX over and over. It’s a page-hit troll. Articles like this have been so debunked it’s ridiculous
While I think security is extremely important, I don’t put a lot of stock in this list. It seems like a lot of the OS X security issues listed are in 3rd party applications like Apache. OpenBSD, which is arguably the most secure OS available today is still at risk if you are running Apache on it and there is an exploit open in Apache, as is Windows, Linux, and so on.
Basically, I rely on a lot of self-implemented security measures, and not just on a particular OS, because I know all OSs running any kind of applications can have holes in them. Security should be a set of actions you take and not so much an OS you run, I think.
I am not sure that publishing something made by George Ou is a good idea. Ou is an Apple hater, but more than anything else, an idiot. This guy has lost his credibility several times this year, how it comes that osnews give credits to the shit that he writes on the web.
Concerning, what they wrote, they claim that they use statistics from Secunia but they actually used the data from the CVE-MITRE. Secunia on their own web sites says:
” NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.”
So we have the fist sign of their incompetence, don’t we? They claim to use Secunia statistics but in fact they did not, well…..
If we look to the Secunia data, we see that for Windows XP home edition during 2007 they are listing 182 advisories, with 7% of them being extremely critical (Windows Xp pro had 199 advisories, 7% critical)
For OS X and for the same period Secunia has 113 advisories with no critical holes (so tell me which system is more secure. OSX:0 extremely critical holes; XP:12 extremely critical holes)
So again they claim to use Secunia data, but Secunia data completely contradict those fools results.
Also, if we look at the web browsers, Safari 2.x got 6 advisories for 2007. and IE7 got 21 (12% extremely critical) for the same period. The last one found in IE7 is also extremely critical by the way (http://www.digwin.com/view/mac-versus-windows-vulnerability-stats-f…).
So my point is that anyone can use different statistics and get different conclusions. In the case of zdnet guys, they don’t even seem to understand what they are actually using.
This peace of crap written by those guys is just aimed at bashing Apple for big hits on their forums, it does not serve as an informative purpose. This is why i am surprised to find this linked on osnews.
I am not sure that publishing something made by George Ou is a good idea. Ou is an Apple hater, but more than anything else, an idiot. This guy has lost his credibility several times this year, how it comes that osnews give credits to the shit that he writes on the web.
First, I could really care less about the guy’s biases; in fact, I take it for granted that just about everything I read on the Web about technology has a slant on it, so saying that things shouldn’t be published because the author has a bias is ridiculous. You have biases. I have biases. We ALL have biases. So, get over it and accept that you’re not always going to agree with things that people think and write.
Second, what’s interesting to me is that your objections seem to rest on “attribution” of the data (Secunia vs CVE MITRE) and on comparisons between the latest version of OS X to a 7 year-old operating system (XP). If you want to compare trends in quality between the OSes, I would suggest that it’s better (and more fair) to look at OS X vs Vista.
Third, if you ignore the comparisons between OSes and think objectively, you realize that Apple needs to focus its efforts to improve quality. A lot of exploit advisories have been issued, at a time when Apple’s market share is increasing. What this suggests to me is that Apple could be in for a bumpy ride, if it doesn’t turn this trend around.
This is significant because … they say so ? I can find no other reason to call this crap significant. Anyone who’d call it such should need to take those pills on the double. Not because of the subjects of the “comparison”, but because of the comparison itself. Useless would be better suited to describe this one.
This is significant because … they say so ? I can find no other reason to call this crap significant.
No, it’s significant because the numbers suggest that Apple’s quality isn’t where it should be and, apparently, Apple’s supporters seem to want to ignore poor quality.
You can’t compare the numbers.. I had a look at the details of some of the bugs, and while Apple classifies bugs like “allows remote attackers to obtain sensitive information via a crafted web page” and similar glitches as critical, the MS ones usually ARE critical, and even deserve a higher ranking (“Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.”)
So you can’t compare the numbers one to one and say Apple has bigger security problems.. they might just have more of the high-level stuff gone wrong, while MS has the low-level backdoors scattered over all their binaries.. remotely exploitable.. am I happy I don’t use that sh1t no more.
You’re rationalizing things to fit your preconceived notions.
But I agree, one shouldn’t compare the number of vulnerability reports of one OS vs another, since the reporting mechanism for different OSes might have different metrics.
But what one CAN look at is the trend lines for a particular OS. It’s like the pre-election political polls that we in the US are being inundated with right now. Comparing the results of say, a Zogby poll of last week with a NY Times poll of this week and using that to determine which candidates are gaining or fading is foolhardy because Zogby uses different polling methodology than NY Times. But comparing Zogby poll of today, vs Zogby poll of two weeks ago, and with Zogby poll of 4 weeks ago provides a trend line that is valid since you are then comparing the results of a single poll with a single methodology over a partuclar time period.
So, while comparing Windows vulnerability reports with Mac may be meaningless, it does seem that Windows vulnerability reports are trending down, while OSX’s are trending up, which is not meaningless at all.
Well, it might be meaningless for Macs anyway, since nobody bothers to attack Macs even with the holes it has. But Windows vulnerability reports trending down is good for everyone (except for those MS haters that would rather retain “security” as a talking point).
Edited 2007-12-21 20:13
But comparing Zogby poll of today, vs Zogby poll of two weeks ago, and with Zogby poll of 4 weeks ago provides a trend line that is valid since you are then comparing the results of a single poll with a single methodology over a partuclar time period.
But that is not the same thing.. Sure, if one compared the number of _Windows-specific_ patches now and in the past then one would draw some hints from that and that might actually be useful. But comparing two totally different OSes like this is not fair for either one. It misses totally all the strong points of Windows and the not-so-strong points of OSX.. and vice versa.
But then about the OS security itself.. Well, I can’t say much but to me it seems that a default install of XP does get infected faster than OSX installs but IMHO that’s just mostly because there exists more XP machines and software for it. That still doesn’t say anything about the Windows security vs OSX security. Who knows, maybe OSX would be in quite a tight situation if the market share was equal?
You did poke a hole in my pre-election poll analogy (coming up with flawless analogies is a skill that few possess), but I agree with what you’re saying, as that was the point I was trying to make.
Edited 2007-12-21 20:31
You did poke a hole in my pre-election poll analogy (coming up with flawless analogies is a skill that few possess), but I agree with what you’re saying, as that was the point I was trying to make.
I’m sorry
Though, it is difficult to come up with a good analogy in this case cos there really is nothing comparable to software other than software itself..
And now that I got your attention: I usually read your comments with lots of interest. It’s quite clear you’re pro-Microsoft (but I’m not saying zealot, you don’t seem to go that far), but you still often have good points in your posts and you’re clearly a thinking person
Just felt like saying, been drinking quite a bit and I’m feeling talkative xD
OSNews should have a breath test pre-posting. For my own sake, too.
TFA tells us:
19+12=23
Who’s the retard now?
did not expect any other statistic from ZDNet.
I am surprised that MS is that much afraid of Apple!
Q. Do these statistics show which OS is safer to use?
A. No.
Q. Does these statistics show which operating system is more likely to be attacked?
A. No.
Q. Do these statistics indicate which OS has fewer security related flaws and hence who’s code is of a higher quality from a security point of view?
A. Yes.
Q. Are these statistics a perfect measure of the above?
A. No.
Q. Do these stats show who patches faster and more effectively?
A. No.
These statistics are indicative of software quality from a security point of view and the results are so overwhelming they leave us with little doubt as to who’s operating systems are better in terms of security quality. But if you are a Mac user take heart no one seems to be after you yet.
Edited 2007-12-21 21:47
Q. Do these statistics indicate which OS has fewer security related flaws and hence who’s code is of a higher quality from a security point of view?
A. Yes.
Umm, actually no. It only shows the number of flaws fixed this far. And even then those numbers are not really comparable: for example Flash is included those OSX related patches whereas those are not counted for Windows. And I’ve repeated this several times: you just can’t estimate a system quality or security based on the number of patches just because there are too many factors around. Which one has more people dedicated to searching for and fixing bugs, which one receives the most bug reports from outside, which one has more man-hours on fixing known bugs and which one spends more time anticipating not-yet-found bugs etc. And as I’ve said: is it a positive thing that the manufacturer pushes out a lot of security-related patches or is it a bad sign? You just can’t say anything about that based on these numbers. Also as noted these OSX related bugs include not only Flash et al but also WWW-server related patches and all whereas they aren’t counted for Windows. This said, as Windows and OSX are fundamentally different it just is not possible to compare them like this, it’s like comparing apples and oranges. Sure, they are both OSes but they handle EVERYTHING so much differently that comparing OSes based on the number of their secyrity patches is not only useless, it’s also inherently stupid.
Looking for the perfect metric is stupid. Looking at everything available qualitative, quantitative, and the comparing how the organisation is setup to cope with security issues is what every software company should be doing. But ignoring order of magnitude differences – despite flaws in the methodology – and trend lines is pretty stupid.
Why is it that when I click his Secunia link it only lists 26 OS X advisories for all of 2007? Where is he getting this 200+ number, because I’m just not seeing it.
That name’s a certain sign for flawed “research” methods.
I’m not particularly fond of Apple (as a company), but George Ou is pretty good at turning things upside down.
Fixing the highest number of bugs is not a measure of software quality.
There is no correlation between fixed bugs and remaining bugs in any software product
There is no correlation between fixed bugs and remaining bugs in any software product
Well..there can only be a finite amount of bugs in any app. It’s more like there is no correlation between the number of fixed bugs and the quality of the software product. If _all_ the bugs in the product were known in detail then one could say something about the quality but , alas, that is simply an impossibility..
Sort of. Lets take an OS like SkyOS it does not really have anyone looking for security related bugs. Maybe the author and 1 or 2 others but they are focused on developing the software not finding security flaws. So in this scenario we can say nothing about the code from a security point of view because no one is looking for flaws.
No at the other end of the spectrum you have Microsoft OS’s (XP SP2 and greater). This software has thousands – if not more – highly skilled people looking for flaws. The number of people looking for flaws is strongly correlated to the number of flaws found i.e. it does not explain all the variability in flaws found but is explains a lot of it. It therefore follows that if the number of flaws found is decreasing and if the number of people looking for flaws is constant or increasing then the quality from a security point of view is increasing.
Now lets look at MacOS. The number of people looking for MacOS related security flaws has increased dramatically as the market share has increased. Still it is likely that they don’t have anywhere near the number of people looking for flaws as Windows does. Now MacOS includes a lot of software they didn’t write but still based on the oder of magnitude difference in flaws it is highly probable the the quality for software from a security point of view is far better in Windows than MacOS currently.
Of course you are still safer using MacOS than Windows beause MacOS is not a target yet. So I am sure Apple will get their house in order in time.
Here is an interesting article which shows why people at zdnet get it wrong and what they wrote is flawed. Some sort of truth in this world of BS.
http://www.roughlydrafted.com/2007/12/21/vista-vs-mac-os-x-security…
I tried to submit this article as a news to osnews but it was not published. I guess Holwerda prefers to publish stupid and poor researched article from zdnet for the purpose of flaming wars in osnews forums, right?