toggle

AAPL Stock: 565.32 ( -5.24 )

MacNN News

Techworld: "Mac OS X security myth exposed"

updated 01:50 pm EDT, Thu June 24, 2004

Mac OS X Security redux

A Techworld article on security says that Mac OS X is when looking at the number of vulnerabilities posted to the Secunia database during 2003 and 2004: "Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each. One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server."

by MacNN Staff

(28)

TAGS :

troubleshooting

Share the Article

Facebook Twitter Delious Slash Dot Digg

toggle

Comments

skribble
Fresh-Faced Recruit

Joined: Feb 2004

0

06/24, 02:22pm | report spam | close Reply |
Strange conclusion...

It seems that the article used percentages to make things seem more even then they really are. I mean Wow... 61% on the Mac vs 48% XP for remote vulnerability sound bad for OS X. Lets look at the real numbers though:

(OS: Flaws/Remote Vuln/Critical)

XP: 46 / 22 / 21
OS X: 36 / 22 / 12
RHAS3: 50 / 33 / 13

The *21* critical flaws on XP seems much worse the the 12 on Mac and 13 on RH.

boris_cleto
Fresh-Faced Recruit

Joined: Sep 2002

0

06/24, 02:29pm | report spam | close Reply |
Lies

There are three types of lies. Lies, Damn Lies, and Statistics.

boris_cleto
Fresh-Faced Recruit

Joined: Sep 2002

0

06/24, 02:30pm | report spam | close Reply |
66 advisories

Windows XP actually has 66 advisories. The 46 are just for the last year.

absmiths
Mac Elite

Joined: Sep 2000

0

06/24, 02:31pm | report spam | close Reply |
Good math.

I was just about to post the same thing. The article's title "Windows is more secure than you think, and Mac OS X is worse than you ever imagined" was unwarranted considering Windows had almost twice as many remote compromises. I think another thing which they failed to mention was that many of the Unix vulnerabilities are caused by the same code - E.G., the SSH vulnerability affected almost all modern unix systems.

I know that counting the number of critical updates that arrive on Windows versus OS X will really make a case for the reverse. One day I received 3 - all remote attacks - on Windows.

themotor
Registered User

Joined: Mar 2000

0

06/24, 02:32pm | report spam | close Reply |
And another thing...

one has to consider. Not many people are that interested in attacking a Mac. It really is the most lovable OS out there! ;-)
That, on top of being one of the most secure systems, provides little ill motivation.

absmiths
Mac Elite

Joined: Sep 2000

0

06/24, 02:33pm | report spam | close Reply |
Real-world exploits

Another factor was how many of those vulnerabilities resulted in real attacks. I am quite sure Windows would shine like a beacon on a hilltop in that category.

ncube
Fresh-Faced Recruit

Joined: May 2001

0

06/24, 02:34pm | report spam | close Reply |
Strange Logic

What if the numbers were like this?
XP: 46 / 22 / 21
OS X: 3 / 2 / 1

They would have said:

"OS X had the highest proportion of "extremely critical" bugs at 33 percent".

Now isn't that convenient!

Nostromo
Fresh-Faced Recruit

Joined: Oct 2001

0

06/24, 02:40pm | report spam | close Reply |
scared shitless

What I see in that article are IT drones who are scared shitless that OS X will take hold in their world, and they'll be out of a job, as there will then be no need to have a person on the payroll who does nothing by patch the gaping security holes in Windows, and track down the daily Microsoft worm/virus.

Make no mistake: corporate IT drones hate OS X, as it threatens their job security.

Sebastien
Dedicated MacNNer

Joined: Apr 2000

0

06/24, 02:42pm | report spam | close Reply |
This report indirectly...

brought to you by Microsoft (a la Jerks de Toqville 'papers')

Enough said.

hayesk
Professional Poster

Joined: Sep 1999

0

06/24, 02:48pm | report spam | close Reply |
Remote exploits?

What exploits allowed an attacker to gain control over MacOS X across the Internet? I can only think of a few trojans that would only give user directory access, and a couple that required to be on the same subnet as the Mac. Any other exploits were disabled by default in MacOS.

ecrelin
Junior Member

Joined: Oct 2000

0

06/24, 02:51pm | report spam | close Reply |
Who knew?!?

That I have been compromised and vulnerable?!? I guess I must have been unaware when I lost all that work/data/time due to my myopic self interest and unrealistically protective attitude about my OS X. Maybe they should list the number of machines that experienced downtime due to each "listing" of a vulnerability, the numbers would read more like millions to none. hee hee hee what #$%@$%holes!

_Rick_V_
Fresh-Faced Recruit

Joined: Mar 2003

0

06/24, 02:54pm | report spam | close Reply |
There's more to it

I can't really tell from visiting secunia.com website, but it doesn't look like those "vulnerabilities" include the hundreds of viruses that infect Windows, or all the spyware, malware (which many such sites don't classify as a vulnerbilty, yet adversely effect the machine anyway) that gets automatically downloaded and installed without the user knowing it.

MacOS X has, right now, zero viruses. And zero malware programs. And, the "vulnerabilities" it does (I mean, did, as in past tense) have, like OpenSSH, are off by default. And most Mac users never turn it on.

So, I would *still* argue that it's one of the safest in the world.

Makosuke
Fresh-Faced Recruit

Joined: Aug 2001

0

06/24, 03:20pm | report spam | close Reply |
Now That's Just Ignorant

Man, I've seen some garbage coming out of IT journals, but that's one of the most reeking piles yet.

Saying OSX is without security flaws is equally ignorant, but using flawed statistics and totally ignoring the actual exploitability of the holes to write an article claiming the opposite is just as bad, and smells of nothing but a lame attempt to either defend MS's entrenched nature by someone who profits by knowing how to fix it or direct MS backing.

Problem 1: By the same logic, not only does more security holes = "less problems" as others have pointed out, thanks to stupid math, but OS9, VMS, or BeOS are obviously superior to any of the above, because neither saw as single security patch in that time period! (Actually, at least OS9 actually IS more secure, but it's lacking elsewhere.)

Problem 2: Again, as pointed out, the number of these security holes that are effectively exploitable is drastically different. And the real-world effect of the Windows security holes compared to those on the Mac is night and day.

It's this simple: I take a Mac, install Panther on it from the install disks, and walk away from it to eat lunch. When I get back, it's waiting for me.

I do the same with a Windows install, and by the time I get back the remote vulnerabilities have already been exploited by worms and the computer is now running one (or more) viruses trying to infect other computers.

This is not a hypothetical story: I've seen it happen on my university network when people reinstalled Windows without asking and didn't immediately patch it. Took about an hour before the main IT center had us shut off the network because of a Blaster infection or its kin. That does NOT happen with OSX, period.

Stupid.

By the way: "And zero malware programs." Not true, depending on your definition of malware; there's at least one trojan and a few similar things floating around on filesharing networks. No viruses as of yet, though.

klinux
Senior User

Joined: Jul 2002

0

06/24, 03:26pm | report spam | close Reply |
Bah

"Man, I've seen some garbage coming out of IT journals, but that's one of the most reeking piles yet."

Yeah OK, someone somewhere is saying that whenever any article critical of OS X is released. Boring.

In any case, I am still POed that OS X can be so easily expoloited via the helper application problem. All it takes is one guy on Macnn, Appleinsider, Macentral, wherever to post a link called "iMac G5 photos" and see how many people click on it and get wiped out by rm -f! The fact that we do not have malicious kids doing is a plus but I am not aware of a similar exploit on XP and *nix that does a rm -f so easily.

swatson
Fresh-Faced Recruit

Joined: Nov 2000

0

06/24, 03:27pm | report spam | close Reply |
OS 9

That's it! I'm going back to OS 9.

yeah that will be the day

MacnTX
Fresh-Faced Recruit

Joined: Apr 2004

0

06/24, 03:45pm | report spam | close Reply |
Myth

The only "myth" I'm aware of is the myth that Windows has anything resembling the word "security." How about this Techworld, call us back when some real OS X machines out in the wild are compromised by even one of these "vulnerabilities" you speak so much of in this "article" of yours, because I certainly haven't seen one yet...

slboett
Grizzled Veteran

Joined: May 1999

0

06/24, 03:54pm | report spam | close Reply |
Oh no!

I spent a lot of money on this great big dead-bolt for my front door. The joke's on me - someone can break the little glass windows and crawl into my house!
Gimme a break!

SB

jreades
Fresh-Faced Recruit

Joined: Feb 1999

0

06/24, 04:00pm | report spam | close Reply |
MS Rating System

Also, if memory serves, didn't MS rejig their rating system so that an exploit could still cause root compromise but be classified a "Not Critical".

It's also worth pointing out that OSX has the firewall running by default and few extraneous services. So an exploit may have been possible (e.g. on SSH) but hardly exploitable since the people running SSH knew enough to patch and the clueless would never have been running the vulnerable service in the first place.

I contrast this with MS's firewall (none) and running services (all) approach.

NuVector
Fresh-Faced Recruit

Joined: Jan 2000

0

06/24, 04:04pm | report spam | close Reply |
Risk assessment.

As others have pointed out, to actually assess the security of a given platform you have to do more than count reports of possible vulnerabilities. You have to actually assess how many malware EXPLOITS there are in the wild that target known vulnerabilities.

On that score, Windows and Linux are far and away less secure than Mac OS X.

cyngus84
Fresh-Faced Recruit

Joined: Jun 2004

0

06/24, 04:07pm | report spam | close Reply |
Let the FUD Flow

First, 36 advisories is for 2002-2004 for Mac OS X, M$ has 68 in the same time period.

Next Secunia has six advisories for bug FIXES rather than flaw identifications. Secunia does grace M$ fixes with an advisory that it counts towards its statistics. So, for 2002-2004 Mac OS X appears to have 30 advisories, and Windows XP Pro 68. Numbers look a little different now, don't they?

delwalk
Fresh-Faced Recruit

Joined: Feb 2003

0

06/24, 04:17pm | report spam | close Reply |
Damned lies & statistics

One thing they forgot to mention is that Mac OS X 10.1, 10.2, and 10.3 and Mac OS X Server 10.1, 10.2 and 10.3 are all lumped under the cateogry "Mac OS X" whereas Windows is broken out to each version, even to the extent of distinguishing between Windows 2000 Server, Advanced Server, and DataCenter Server.

Comparing three (or six!) versions of Mac OS X to a single version of Windows seems an eggregious mistake.

Cantaloup
Fresh-Faced Recruit

Joined: Apr 2003

0

06/24, 04:30pm | report spam | close Reply |
Some things to consider

I've checked out Secunia's web site, and here's what I think...

First, the numbers that are being tossed around are for ADVISORIES, not specific security flaws or exploits. Some advisories can (and do) list multiple problems, so the numbers for both systems could actually be higher if we count specific security issues. But as far as Mac OS X goes, it looks to me like 6 of the 36 advisories are actually just notices that Apple has fixed some stuff with an update; they do not appear to be new flaws being discovered. To get an accurate count of the number of specific defects involved, we can't go by the number advisories alone. We would need to dissect each advisory individually.

Second, Secunia does not seem to measure the exposure/risk level for the problems, only their nature and potential severity. Take, for example, this advisory about Mac OS X:

http://secunia.com/advisories/8194/

This advisory is for sendmail, and is marked as "extremely critical." However, sendmail isn't enabled by default on Mac OS X (it even says this on the advisory). Without measuring an exposure/risk dimension, which would reveal that most Mac OS X systems are not vulnerable to this problem, it comes across as much worse than it is. Since Apple has most/all services off by default, I think measuring risk/exposure would show Mac OS X to be superior in some respects; even if more of the problems on OS X are "critical", they may only affect a very small portion of the user-base.

Third, they did not include reports from any additional components that come installed with the OSes, such as web browsers. For example, here's Secunia's page for Safari:

http://secunia.com/product/1543/

Here's the page for IE 6:

http://secunia.com/product/11/

Which one do YOU think is more secure? (For those of you who don't want to follow the links, Safari has 5 advisories, none of which are above "moderately", while IE 6 has 53 of all levels).

Given the above, I think the information presented in the article is very dubious and misleading, and in no way warrants the "sky is falling" attitude presented therein.

Roehlstation
Fresh-Faced Recruit

Joined: Aug 2001

0

06/24, 04:40pm | report spam | close Reply |
Real World

I'm sorry, but I still don't see it, I manage a medium sized business's IT and have found that Windows has so many more things to configure just to lock out the security holes that are by default locked out on the 3 XServes we use. Last week our auxilariy domain controller was corrupted on the Windows server and it took down our entire group of Windows users not allowing any Windows user to log into their computer. Seeing the numbers is one thing but seeing the real world is totally different. None of these "critical flaws" in OS X have actually been exploited.

Jablabla
Fresh-Faced Recruit

Joined: Jan 2000

0

06/24, 07:00pm | report spam | close Reply |
My experience

I have an XP and mac os X box right next to each other. Just have the XP box because some sites require it..

In a month, with default preferences, the xp box was loaded with spyware. Yes, the firewall was on. Default XP settings. All it takes is one mistake by clicking ok on some random active x control from a pop up add. I had to run spybot to get all the c*** off and edit the registry by hand. Spybot detected dozens of different things. Total mess. In the end, after reinstall, the only solution was to install Mozilla and disable internet explorer at the beginning. Make sure pop ups were off. Meanwhile, my mac just ran without a hitch. Time and money saved again on the mac.

klinux
Senior User

Joined: Jul 2002

0

06/25, 01:03am | report spam | close Reply |
Well

"In a month, with default preferences, the xp box was loaded with spyware. Yes, the firewall was on."

Talk about misplaced blame. Sure, Windows make it easy and has its share of blames. But when it comes down to it, and it has nothing to do with firewall, it takes someone to install the spyware. You've got idiot users who are to blame. MS, our favorite whipping boy here, deserves only part of the blame.

HeatherEcsedi
Fresh-Faced Recruit

Joined: Oct 2001

0

06/25, 01:38am | report spam | close Reply |
Smear campaign ?

I'm not an expert and I cannot objectively say whether this is accurate or not but I've always been told that one should look at many sources of information before making a judgement. So, I'll remain skeptical about this one.

Anyway, the fact that I don't use any anti-virus software permanently and not knowing of any actual report of OS X weakness that would have been used, I'll keep think OS X is less likely to face this kind of problem, even though I'll keep tracking any possible threat.

olePigeon
Clinically Insane

Joined: Dec 1999

0

06/25, 02:52am | report spam | close Reply |
He forgot to include...

He forgot to include the vulnerabilities in Internet Explorer, Windows Media Player, ActiveX, and IIS, all of which are integrated into the operating system.

Remember? Explorer and WMP are just embedded features, right? So why does this "analyst" neglect to include vulnerabilites of these FEATURES in the OPERATING SYSTEM.

Apparently, 11.88 vulnerabilities were critical. 11.88. Remember, 22/25 of a program can be vulnerable... I guess.

z10n
Fresh-Faced Recruit

Joined: Oct 2003

0

06/25, 01:04pm | report spam | close Reply |
A waste of time

This article is barely worth mentioning. It doesn't take a whole lot of effort to figure out from even the first few sentences that the article designed solely to attack mac users and not to provide any useful information. "Security myth EXPOSED"? "OS X is worse than you EVER IMAGINED"? What a bunch of rediculus sensationalism. Is techworld.com now the STAR magazine of tech reporting? What's the next article going to be? "IT Industry Votes iMacs As Ugly"? "G5 2 GHz Machines Slower then Intel 3.5 GHz"? Give me a break.

"OS X's reputation as a relatively secure operating system is unwarranted." I shouldn't even bother to respond to this trash, but...

1) Macs are secure by default, whereas windows isn't. Thus, few mac vulnerablities are ever expoited.

2) Apple response to vulnerablities has been excellent. Patches show right up when they need to be downloaded, and one click downloads them. Not a single time since installing OS 10.1 have I ever had an issue where a vulnerablity patch cause a problem. In contrast, most people are warry about installing windows patches because they typically s**** up their computer.

3) OS X is based on unix and open source. It's been proven over and over again that the open source community is faster and better at correcting vulnerablities then a closed source environment.

4) OS X was created with security built at it's foundation, whereas windows was not. This is why microsoft is having so many problems, because they are trying to patch vunerablities that are deeply written in their code.

5) The statistics are flawed, based on the above (excellent) posts.

There's no point in even talking about this anymore, the article is complete c*** and not worth getting worked up over.

Show More Comments

Login Here

toggle

Network Headlines

05/24	Apple submits surprise optical stylus...
05/24	Yahoo releases Axis 'visual search'...
05/24	Apple airs two new Siri commercials...
05/23	Google launches redesigned Search app...
05/23	IBM blocking iPhone's Siri on internal...

Show All

05/24	Apple submits surprise optical stylus...
05/24	Yahoo releases Axis 'visual search'...
05/24	Google�s 7-inch tablet ships next month...
05/24	Apple airs two new Siri commercials...
05/23	Google launches redesigned Search app...

Show All

05/23	Google launches redesigned Search app...
05/22	Leaked next-gen iPod touch part hints...
05/22	Hulu Plus updates with iPad Retina...
05/22	TiVo Stream to push TV to iPhones,...
05/22	Hands on: TouchType case for iPad,...

Show All

03/02	Save $330 on refurb. 15.4-inch, 2.4GHz...
03/01	Pre-owned 8GB iPod touch 2G, drops...
02/29	$150 off Nikon Coolpix S80 Compact...
02/28	Plantronics BackBeat 903 Bluetooth...
02/27	Refurb. Seagate 1.5TB GoFlex Portable...

Show All

toggle

Techworld: "Mac OS X security myth exposed"

updated 01:50 pm EDT, Thu June 24, 2004

Mac OS X Security redux

Related Articles

Recent Articles

Strange conclusion...

Lies

66 advisories

Good math.

And another thing...

Real-world exploits

Strange Logic

scared shitless

This report indirectly...

Remote exploits?

Who knew?!?

There's more to it

Now That's Just Ignorant

Bah

OS 9

Myth

Oh no!

MS Rating System

Risk assessment.

Let the FUD Flow

Damned lies & statistics

Some things to consider

Real World

My experience

Well

Smear campaign ?

He forgot to include...

A waste of time

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace