That I have been compromised and vulnerable?!? I guess I must have been unaware when I lost all that work/data/time due to my myopic self interest and unrealistically protective attitude about my OS X. Maybe they should list the number of machines that experienced downtime due to each "listing" of a vulnerability, the numbers would read more like millions to none. hee hee hee what #$%@$%holes!

I can't really tell from visiting secunia.com website, but it doesn't look like those "vulnerabilities" include the hundreds of viruses that infect Windows, or all the spyware, malware (which many such sites don't classify as a vulnerbilty, yet adversely effect the machine anyway) that gets automatically downloaded and installed without the user knowing it.

MacOS X has, right now, zero viruses. And zero malware programs. And, the "vulnerabilities" it does (I mean, did, as in past tense) have, like OpenSSH, are off by default. And most Mac users never turn it on.

So, I would *still* argue that it's one of the safest in the world.

Man, I've seen some garbage coming out of IT journals, but that's one of the most reeking piles yet.

Saying OSX is without security flaws is equally ignorant, but using flawed statistics and totally ignoring the actual exploitability of the holes to write an article claiming the opposite is just as bad, and smells of nothing but a lame attempt to either defend MS's entrenched nature by someone who profits by knowing how to fix it or direct MS backing.

Problem 1: By the same logic, not only does more security holes = "less problems" as others have pointed out, thanks to stupid math, but OS9, VMS, or BeOS are obviously superior to any of the above, because neither saw as single security patch in that time period! (Actually, at least OS9 actually IS more secure, but it's lacking elsewhere.)

Problem 2: Again, as pointed out, the number of these security holes that are effectively exploitable is drastically different. And the real-world effect of the Windows security holes compared to those on the Mac is night and day.

It's this simple: I take a Mac, install Panther on it from the install disks, and walk away from it to eat lunch. When I get back, it's waiting for me.

I do the same with a Windows install, and by the time I get back the remote vulnerabilities have already been exploited by worms and the computer is now running one (or more) viruses trying to infect other computers.

This is not a hypothetical story: I've seen it happen on my university network when people reinstalled Windows without asking and didn't immediately patch it. Took about an hour before the main IT center had us shut off the network because of a Blaster infection or its kin. That does NOT happen with OSX, period.


Stupid.

By the way: "And zero malware programs." Not true, depending on your definition of malware; there's at least one trojan and a few similar things floating around on filesharing networks. No viruses as of yet, though.

"Man, I've seen some garbage coming out of IT journals, but that's one of the most reeking piles yet."

Yeah OK, someone somewhere is saying that whenever any article critical of OS X is released. Boring.

In any case, I am still POed that OS X can be so easily expoloited via the helper application problem. All it takes is one guy on Macnn, Appleinsider, Macentral, wherever to post a link called "iMac G5 photos" and see how many people click on it and get wiped out by rm -f! The fact that we do not have malicious kids doing is a plus but I am not aware of a similar exploit on XP and *nix that does a rm -f so easily.

That's it! I'm going back to OS 9.

yeah that will be the day

The only "myth" I'm aware of is the myth that Windows has anything resembling the word "security." How about this Techworld, call us back when some real OS X machines out in the wild are compromised by even one of these "vulnerabilities" you speak so much of in this "article" of yours, because I certainly haven't seen one yet...

I spent a lot of money on this great big dead-bolt for my front door. The joke's on me - someone can break the little glass windows and crawl into my house!
Gimme a break!

SB

Also, if memory serves, didn't MS rejig their rating system so that an exploit could still cause root compromise but be classified a "Not Critical".

It's also worth pointing out that OSX has the firewall running by default and few extraneous services. So an exploit may have been possible (e.g. on SSH) but hardly exploitable since the people running SSH knew enough to patch and the clueless would never have been running the vulnerable service in the first place.

I contrast this with MS's firewall (none) and running services (all) approach.

As others have pointed out, to actually assess the security of a given platform you have to do more than count reports of possible vulnerabilities. You have to actually assess how many malware EXPLOITS there are in the wild that target known vulnerabilities.

On that score, Windows and Linux are far and away less secure than Mac OS X.

First, 36 advisories is for 2002-2004 for Mac OS X, M$ has 68 in the same time period.

Next Secunia has six advisories for bug FIXES rather than flaw identifications. Secunia does grace M$ fixes with an advisory that it counts towards its statistics. So, for 2002-2004 Mac OS X appears to have 30 advisories, and Windows XP Pro 68. Numbers look a little different now, don't they?

One thing they forgot to mention is that Mac OS X 10.1, 10.2, and 10.3 and Mac OS X Server 10.1, 10.2 and 10.3 are all lumped under the cateogry "Mac OS X" whereas Windows is broken out to each version, even to the extent of distinguishing between Windows 2000 Server, Advanced Server, and DataCenter Server.

Comparing three (or six!) versions of Mac OS X to a single version of Windows seems an eggregious mistake.

I've checked out Secunia's web site, and here's what I think...

First, the numbers that are being tossed around are for ADVISORIES, not specific security flaws or exploits. Some advisories can (and do) list multiple problems, so the numbers for both systems could actually be higher if we count specific security issues. But as far as Mac OS X goes, it looks to me like 6 of the 36 advisories are actually just notices that Apple has fixed some stuff with an update; they do not appear to be new flaws being discovered. To get an accurate count of the number of specific defects involved, we can't go by the number advisories alone. We would need to dissect each advisory individually.

Second, Secunia does not seem to measure the exposure/risk level for the problems, only their nature and potential severity. Take, for example, this advisory about Mac OS X:

http://secunia.com/advisories/8194/

This advisory is for sendmail, and is marked as "extremely critical." However, sendmail isn't enabled by default on Mac OS X (it even says this on the advisory). Without measuring an exposure/risk dimension, which would reveal that most Mac OS X systems are not vulnerable to this problem, it comes across as much worse than it is. Since Apple has most/all services off by default, I think measuring risk/exposure would show Mac OS X to be superior in some respects; even if more of the problems on OS X are "critical", they may only affect a very small portion of the user-base.

Third, they did not include reports from any additional components that come installed with the OSes, such as web browsers. For example, here's Secunia's page for Safari:

http://secunia.com/product/1543/

Here's the page for IE 6:

http://secunia.com/product/11/

Which one do YOU think is more secure? (For those of you who don't want to follow the links, Safari has 5 advisories, none of which are above "moderately", while IE 6 has 53 of all levels).

Given the above, I think the information presented in the article is very dubious and misleading, and in no way warrants the "sky is falling" attitude presented therein.

I'm sorry, but I still don't see it, I manage a medium sized business's IT and have found that Windows has so many more things to configure just to lock out the security holes that are by default locked out on the 3 XServes we use. Last week our auxilariy domain controller was corrupted on the Windows server and it took down our entire group of Windows users not allowing any Windows user to log into their computer. Seeing the numbers is one thing but seeing the real world is totally different. None of these "critical flaws" in OS X have actually been exploited.

I have an XP and mac os X box right next to each other. Just have the XP box because some sites require it..

In a month, with default preferences, the xp box was loaded with spyware. Yes, the firewall was on. Default XP settings. All it takes is one mistake by clicking ok on some random active x control from a pop up add. I had to run spybot to get all the c*** off and edit the registry by hand. Spybot detected dozens of different things. Total mess. In the end, after reinstall, the only solution was to install Mozilla and disable internet explorer at the beginning. Make sure pop ups were off. Meanwhile, my mac just ran without a hitch. Time and money saved again on the mac.

"In a month, with default preferences, the xp box was loaded with spyware. Yes, the firewall was on."

Talk about misplaced blame. Sure, Windows make it easy and has its share of blames. But when it comes down to it, and it has nothing to do with firewall, it takes someone to install the spyware. You've got idiot users who are to blame. MS, our favorite whipping boy here, deserves only part of the blame.

I'm not an expert and I cannot objectively say whether this is accurate or not but I've always been told that one should look at many sources of information before making a judgement. So, I'll remain skeptical about this one.

Anyway, the fact that I don't use any anti-virus software permanently and not knowing of any actual report of OS X weakness that would have been used, I'll keep think OS X is less likely to face this kind of problem, even though I'll keep tracking any possible threat.

He forgot to include the vulnerabilities in Internet Explorer, Windows Media Player, ActiveX, and IIS, all of which are integrated into the operating system.

Remember? Explorer and WMP are just embedded features, right? So why does this "analyst" neglect to include vulnerabilites of these FEATURES in the OPERATING SYSTEM.

Apparently, 11.88 vulnerabilities were critical. 11.88. Remember, 22/25 of a program can be vulnerable... I guess.

This article is barely worth mentioning. It doesn't take a whole lot of effort to figure out from even the first few sentences that the article designed solely to attack mac users and not to provide any useful information. "Security myth EXPOSED"? "OS X is worse than you EVER IMAGINED"? What a bunch of rediculus sensationalism. Is techworld.com now the STAR magazine of tech reporting? What's the next article going to be? "IT Industry Votes iMacs As Ugly"? "G5 2 GHz Machines Slower then Intel 3.5 GHz"? Give me a break.

"OS X's reputation as a relatively secure operating system is unwarranted." I shouldn't even bother to respond to this trash, but...

1) Macs are secure by default, whereas windows isn't. Thus, few mac vulnerablities are ever expoited.

2) Apple response to vulnerablities has been excellent. Patches show right up when they need to be downloaded, and one click downloads them. Not a single time since installing OS 10.1 have I ever had an issue where a vulnerablity patch cause a problem. In contrast, most people are warry about installing windows patches because they typically s**** up their computer.

3) OS X is based on unix and open source. It's been proven over and over again that the open source community is faster and better at correcting vulnerablities then a closed source environment.

4) OS X was created with security built at it's foundation, whereas windows was not. This is why microsoft is having so many problems, because they are trying to patch vunerablities that are deeply written in their code.

5) The statistics are flawed, based on the above (excellent) posts.

There's no point in even talking about this anymore, the article is complete c*** and not worth getting worked up over.