I'm glad you used the word "could". Most complicated pieces of software have lots of bugs that are found at different times in the software's life. What I care about is that they are fixed, not that they never show up. Linux has bugs, Windows has bugs, Oracle has bugs, SQL Server has bugs.
All software is buggy, more than you'd know. Seeing some of the bugs get corrected is not just a sign of _possibly_ more bugs, but also of the vendor being willing to fix them before they get massively exploited. And well, we've seen counterexamples on this planet too many times. All in all, updates are welcome; give us more.
At least it's not as bad as Windows.
Over the last year there have been many more "arbitrary code execution" security holes in OS X than in Windows.
15 Critical: http://www.frsirt.com/english/advisories/2006/4750
1 Critical: http://www.frsirt.com/english/advisories/2006/4629
1 Critical: http://www.frsirt.com/english/advisories/2006/4313
12 Critical: http://www.frsirt.com/english/advisories/2006/3852
3 Critical: http://www.frsirt.com/english/advisories/2006/3737
7 Critical: http://www.frsirt.com/english/advisories/2006/3577
16 Critical: http://www.frsirt.com/english/advisories/2006/3101
That's 55 just back to August 1st.
Another 46 back to May 11th.
At least another 9 back to January 1st.
110 Critical (minimum) for the year.
Funny, that you didn't provide numbers for Windows.
When I am looking at Secunia:
For windows:
http://secunia.com/product/22/?task=statistics_2006
For Mac OS X:
http://secunia.com/product/96/?task=statistics_2006
Windows has almost twice as many security holes as Mac OS X (163 vs 84), but 58% of the Windows holes provide system access, against 25% of the Mac OS X ones (so 21 for Mac OS X vs 95 for Windows).
Moreover, all unpatched security holes on Mac OS X listed on Secunia were patched yesterday. There are still 29 unpatched security holes on Windows, so no, it is not as bad as Windows.
RE[4]: Oh No! Not again!
Actually, secunia reports only 21 vulnerabilities for Apple in 2006.
So that makes it 39-21 or for criticals: 15-10.
Also, telling figures are the unpatched vulnerabilities figures (a good sign of how much a vendor cares about its customers). Microsoft XPPro: 29. Apple OSX: 7.
Oops.
Again, it's useless comparing data from different sources, it almost never works.
"That means 15 for Windows XP in 2006 versus over 110 for Apple OS X."
2003, XP, 2000 and NT4 are all based on the original NT code base. I'm sure Vista is too, for backward compatibility. I'm also quite sure it contains open-sourced software that McSoft claims it innovated.
The number of fixes and patches should be counted as a "cumulative" figure for "all" NT releases together over the years since NT was marketed.
I cringe when I must perform a McSoft update, patch, etc. on one of my Oracle application servers. The last crash of a 2003 server was in March 2006, after installing a "patch". The former DBA doesn't work here any longer.
Thank goodness the legitimacy code didn't fark the Oracle servers like it did other institutions.
RE[6]: Oh No! Not again!
Not again... throwing numbers at an issue that cannot be answered by those numbers, useful only to make some average Joes somewhat dizzy. If you care enough to get numbers, then get real numbers: of vulnerabilities, of their impact (those which need switching to root and willingly executing an unchecked executable don't really count), how many were exploited, how many even have some proof-of-concept exploit, how many were fixed before being exploited, how many were local and how many remote, the time needed for the _working_ patch to come out, and yes, count the need-to-be-patched-again patches as vulnerabilities too. I could just go on endlessly with this; hopefully someone gets the point.
Yeah, Linux is so much more secure, with its 102 security holes in the kernel alone ...
http://secunia.com/product/2719/?task=statistics_2006
Just grabbing a sample (Red Hat), 311 security holes at the same time...
http://secunia.com/product/2536/?task=statistics_2006
So much more secure ...
Wow, you're the first person I've ever seen who doesn't have a scroll-down feature in his browser.
Links:
Vulnerability Report: Linux Kernel 2.6.x
http://secunia.com/product/2719/?task=statistics_2006
Vulnerability Report: RedHat Enterprise Linux WS 3
http://secunia.com/product/2536/?task=statistics_2006
Vulnerability Report: Apple Macintosh OS X
http://secunia.com/product/96/?task=statistics_2006
Yep, scroll down, and compare the "unpatched" and "Extremely critical" values. I had never realised that Linux was so much more secure than Mac OS X.
[Edit : typo fix]
Edited 2006-11-30 13:46
Man I am SO sick of people parroting "numbers of security vulnerabilities". You guys are a bunch of OS fanboys who know nothing about actual security research. Every time some article comes out about some OS having patches released there is a huge flood of posts about how "my OS is more secure than yours" with a bunch of links to secunia. Vulnerability statistics are just that, statistics, and they need to be interpreted by a neutral party who is skilled in security research, not an OS fanboy looking to discredit a competing OS. That's right, someone who knows what those vulnerabilities actually mean. Posting "numbers of vulnerabilities" is completely meaningless.
I'd also like to say that patching vulnerabilities is a good thing, despite what certain people might have you believe. It means that those vulnerabilities don't exist anymore... that they were fixed. It means that the vendor is trying to do the right thing by fixing their product. In this case it is an enormous software product with millions of lines of code. Anything that size is going to have loads of bugs no matter how well designed it is or how good their development practices are. It's just a fact. Apple users should be happy that the problems were identified and fixed.
RE[3]: So in conclusion...
Because OS X contains a lot of open-source packages, it may have more fixes than, say, Windows, which is mainly "in-house" coded.
Some of those security patches affected OpenSSL, PHP, PPP, Samba, gnuzip and Perl,
which may or may not have been Apple's implementation of them.
At least the fixes have quick turnarounds, and they are a lot easier to apply.
Because OS X contains a lot of Opensource packages, it may have more fixes than say Windows, which is mainly "In-House" coded.
And the point is...? You have your OS, you make it as you want and keep it updated as you want; bugs must be fixed, no matter if you include F/OSS packages or not. Not using those packages explains nothing; it's Microsoft who decided to make Windows this way. And ask Vista's "new" network stack about OSS...
"Therefore a higher patch count is expected in OSS-based software, this is a side-effect of more bugs being detected, not of the software actually having more bugs."
When it is Windows that has the most bugs, it's because of sloppy coding and the closed-source model, and that's a bad thing. When it is OSS, it's because more bugs are being found and fixed, because people can see the source, and that's a good thing.
Can't have it both ways, sorry
Can't have it both ways, sorry
I don't want it both ways. I never claimed that Microsoft has sloppy coding, because I don't know that. What I do know (it is unequivocal) is that if you give security experts your source code, the probability of them finding holes (and you then patching them) is MUCH higher.
Finding holes in Microsoft software is a bit like solving one of those logic puzzles blindfolded. You can stumble on a solution if you're lucky, but it is far easier if you can see what you're doing.
That is why such arguments are pointless. Because we can't see the Microsoft source, it is impossible to make claims about code quality. However, because of NotParker's constant trolling, people have to fight constantly to prevent him from painting a skewed picture.
Stephen.
How many Security Vulnerabilities are there in...
1) BeOS
2) Haiku
3) GEM/TOS (Atari ST)
4) AmigaOS
Yeah, that's what *I'm* talkin' 'bout! The OS's that will probably be more secure than MacOS X or Windows XP/Vista...
* F O R E V E R!!! *
Security is directly proportional to obscurity.
The more popular the OS, the more holes that are found/exploited. Use an OS that is "off the radar", so to speak, and you'll NEVER have to worry about security vulnerabilities ever again...
Of course, if EVERYONE starts doing that, the OS will (technically) become immensely popular, which means...
Hmm...
Painted myself into a corner, didn't I? Rats! :-D
How many Security Vulnerabilities are there in...
There could be 1, there could be 1,000,000.
The point you're missing (most people miss this one too) is that the number of security vulnerabilities is a constant (until some are patched). Finding a vulnerability doesn't make software less secure; it just advertises an existing hole. Just counting vulnerabilities is also bad because, for example, one MS Exchange POP server RCE vulnerability has a success rate of about 1 in 20, is pretty difficult to inject code into, and crashes the service. Whereas some of the ActiveX vulnerabilities in IE are easy enough to be used by any script kiddie without you noticing.
RE[2]: Pray, tell me...
Isn't the Linux kernel updated every month or two?
Yes, but a point release doesn't mean that every vendor should update their distro's kernel. I know that in the run-up to Vista gold, there were multiple releases of the Windows kernel as updates were added, and bugs fixed. It's the same with Linux, only the releases are public, which is better for everyone.
Isn't Firefox?
No, security updates are regularly released (as in Microsoft products) but major updates are only made at well-defined intervals. I think that FF 3 is planned for mid-2007, this puts FF at a yearly release schedule.
New vulnerabilities generated all the [time] in OSS.
I think you forgot the time there for a moment. Actually, new code doesn't automatically mean new bugs. As you're so proud to announce, SQL Server has no reported vulnerabilities this year after a re-write. A lot of the bugs that are being found today are hangovers from the code that was developed pre-security-climate.
Sometimes it advertises a new attack vector. It tells hackers where to look, what to try.
That's why it's a good idea to keep your software up to date and why software distributors should regularly provide patches. I would prefer public (or private) disclosure of vulnerabilities to unannounced, illicit usage of the hole.
Making a flaw public is also good because it forces the manufacturer to patch the software fast, something that otherwise companies would not have any real incentive to do. I think that the Microsoft current patch period of a month is too big.
I disagree
So you're saying that:
the infamous 'Windows Messenger' (net send ...) vulnerability, which anyone could use to cause popups on any unpatched computer connected to the internet just by typing into the command line on any other computer,
is of the same importance as:
a memory corruption bug that requires users to visit a specific website, requires a specially crafted payload of compiled bytecode, only works on one target operating system and always crashes the host software? Hmm.
RE[4]: Pray, tell me...
Many do
I'm running debian and that's still at 2.6.16.
When does OSS and OS X enter the post-security climate like Microsoft has?
hahaha post-security. There is no such thing. Someone famous (forget who) said Security is a journey, not a process. If you believe that there will be a post-security climate then you are naive.
As mentioned many times above, there is no evidence that OSX or any other OSS software is less secure than ANY Microsoft product, unless you have access to the Microsoft source? If you do, then I would have serious doubts about your neutrality in the issue.
So you're saying a popup message vulnerability from 2003 is worse than an "arbitrary code execution" vulnerability in OS X? 110 of them in 2006?
Firstly, time is irrelevant here. I assumed that you had the intellect to realise that I was talking about the impact of these bugs when discovered.
Actually I do. I used to be seriously pissed off by the popup messages (sometimes up to 10 at once) coming up on my Win98 computer from the internet. I've never had a single issue with my Apple mac-mini, mainly because these vulnerabilities are POTENTIAL RCE exploits and tend to be very difficult to actually exploit in real life, try downloading MetaSploit and seeing how many of the published vulnerabilities actually work reliably, or at all.
I believe even Andrew Morton said something similar.
The question here is significance. If you live in a small rural village, then dropping a piece of litter can be a BIG issue. If you're in a big ugly city with lots of litter around, one more piece of litter won't really matter all that much. Get the picture?
Before you flame me to eternity, I'm not suggesting that Linux is better or worse than Windows. Just that what Morton was talking about was relative number of bugs over time, not comparative number of bugs between OSs.
and do the security review that Microsoft did
What security review? Windows Vista? hahahaha. Or is this the new security review codenamed Aero? I'm confused.
RE[6]: Pray, tell me...
SLDC
SLDC?? Do you mean SDLC? If you do, then you're just spouting buzzwords. Any worthwhile modern software project implements a Software Development Lifecycle. Hence all the timed releases etc...
If you mean SLDC, then provide a link, because I can't find any info on it.
It's time OS X and Linux did the same.
I believe that the step from OS 9 to OS X was part of Apple's security review. The move to Mach was a big security boost. The fact that Microsoft did theirs later is of little importance.
As for Linux, it's never had a security problem, so doing a review is of little value.
XP SP2.
Yeah. Well...that worked. :p
Actually I remember quite clearly a virus on my Atari ST that transferred from floppy to floppy automatically and humorously(!) reversed the behavior of the mouse.
Yet, I've been using Mac OS X since 10.0 and have not had a single virus.
I'm not sure that your assertion that "Security is directly proportional to obscurity" has actually been proven, though a lot of people state it as though it is irrefutable.
Woe! Doesn't THAT bring back memories! The mouse-reversal virus! It was a boot-sector virus. It hit me, just once. I got rid of it using that program called VKiller, I believe it was... it popped up a skull and crossbones (when it saw the virus) and made this alarm sound... scared me seriously, the first time I heard it.
Ah, the memories of a simpler time... the late 80's...
Thanks!
"Security is directly proportional to obscurity"
Good theory.... and you may find statistics to "prove" your point. But I believe the theory is incorrect!
The truth is... MS built their OSs with security being an afterthought! They called it being "developer friendly"..... and the side effect was that Windows turned out to be the Swiss cheese of the OS world.... and Windows became the virus writer's and script kiddie's platform of choice! Sure, its 95% market share helped.... but I am willing to bet that if Solaris or BSD were the OS with 95% market share.... there STILL would be an order of magnitude LESS "holes" in the OS.... and PC security would not be what it is today... an oxymoron!
...that Apple is, and so is Microsoft, proactively fixing the bugs. We should be very happy about that. Please keep these meaningless arguments about which is more buggy or less buggy away from this thread. Just remember that Windows XP gets messed up quite easily whereas OS X doesn't. Remember OS X has a security model based on UNIX and thus it is logically more secure than XP. That Apple AND Microsoft are both fixing bugs is, for Apple users, icing on the cake; for XP users, this is NEEDED to sustain the computers running XP. I don't care that OS X has a lot fewer users than XP... I don't care which OS is new and which one is old. All I care about is the facts, and that is that OS X gets attacked a lot less. And to anyone, that should be a great metric point.
Now Vista is a totally different matter and we dont know how it is going to hold up so lets not go there as well.
My 2 cents.
People throwing numbers around all over the place doesn't mean anything!
The question is whoever has more or less patches, bugs etc, which OS do people feel and are more safe using.
The day I see a mass infection of Mac or Linux desktops then I will go back to Windows.
All I see is theoretical virus this and Trojan that on the Mac os and Linux!
When that mass outbreak happens on Mac and or Linux give me a call. Till then I am feeling pretty safe!
Not that it bothers me that Windows gets spyware, viruses etc. It's how I make my money. But it cracks me up when my friends snub their noses at my Mac and then call me a week later because their Windows machine is running funny. LOL!
Watching MS fanboys spin this thing would be entertaining if it weren't quite so sad.
You can quote all the Secunia numbers you want (while gleefully ignoring the severity of said vulnerabilities), but the fact remains:
-Regardless of market share, there has yet to be any exploitation of these bugs reported.
-All the spambot/botnet/virus-spewers seem to be running Windows
-Linux also has a fairly small market share, yet plenty of the Linux (or some add-on such as PHP+PHPbb) boxes out there have been owned due to some software flaw.
You can talk about numbers all you want, but for now I'm just counting the number of owned OS-X machines.
My hope is that Apple gets embarrassed by the morons that try to spin this stuff and then they'll start at least doing some automated testing and having a good hard look at the crustier BSD stuff that has not been touched in a decade.
RE: Statistics and Damn Lies
12 allow "arbitrary code execution". That is as severe as it can be.
IF this is true. However many of them are only potential remote code execution. It can be impossible to exploit a memory corruption bug, however they are all classified as RCE flaws because they *might* be able to run arbitrary code, this is another reason why quoting Flaw figures is not useful. This goes for Windows bugs AND Linux flaws AND Mac OSX vulnerabilities.
12 allow "arbitrary code execution". That is as severe as it can be.
Please, point me to the os-x boxes 0wned using these.
And I'm not sure what you're quoting, but any computer can execute arbitrary code, no?
Are you saying these are remote root exploits (or possibly, maybe exploitable bugs)?
And I'm not sure what you're quoting, but any computer can execute arbitrary code, no?
I'm quoting the article at the top of the page.
Are you saying these are remote root exploits (or possibly, maybe exploitable bugs)?
Yes. That's what "arbitrary code execution" means.
Someone earlier posted this link:
http://www.frsirt.com/english/advisories/2006/4750
12 of the 22 referenced by the article we are discussing allow "arbitrary code execution".
The casual breathless, baffled reader
of this obviously meaningless, thought-unprovoking discussion,
admiring in great awe the mind-boggling courage of brave, tireless My-OS-is-Better-Than-Yours-soldiers of honour,
that are deeply trapped in the trenches,
without a single sign of being convinced by the other,
nor to ever give up or in
will undoubtedly have a hard time understanding
why.
Reading this forum I was wondering why people target a specific OS in the first place. In order to write a virus you have to own and know the OS in the first place. I believe targeting an OS is a result of the respect or lack of respect for the OS you own. Obviously there is not much respect in the Windows community from users who use/abuse their own OS. I wonder why!
RE: What are we talking about?
I have been following secunia for a long time.
What I am looking at:
-The number of UNPATCHED advisories, which for Apple has been close to zero for a long time.
-How much time does it take for Apple to patch them. Usually between 1 and 4 weeks.
-How 'easy' is to exploit the vulnerability and will it have a serious impact.
7 for the moment is exceptionally high, so I am curious what it will be in a month's time; I am quite confident we won't need a service pack.
Also almost all vulnerabilities become known AFTER they have been patched, that means there has never been a real chance that these would be exploited.
Edited 2006-11-30 22:52
-How much time does it take for Apple to patch them. Usually between 1 and 4 weeks.
Do you have some sort of reference for that?
Sep 28 2006 for the OpenSSL vulnerability.
Dec 2005 CVE-2005-3962 Perl
Mar 29 2006 CVE-2006-1490 PHP
Oct 23 2006 CVE-2006-5465 PHP
Jul 6 2006 CVE-2006-3403 Samba
The 1 to 4 weeks thing is looking kind of shaky.
The 1 to 4 weeks thing is looking kind of shaky.
As I said in another thread: "All software is vulnerable".
To give you an example: XP Professional has 133+ vulnerabilities, of which 17% are unpatched, even today.
http://secunia.com/product/22/?task=advisories
An example of an unpatched vulnerability rated highly critical, and its release date: 2005-04-12. Isn't that kind of looking shaky too?
http://secunia.com/advisories/14896/
The oldest unpatched flaw is from 2002-09-18.
Try to give some examples of unpatched vulnerabilities in OSS software that have stayed unpatched after such a long time period.
To give you an example:XP professional has 133+ vulnerabilities
And RedHat 4 has 240 according to Secunia.
XP is 5 years old. RedHat is 2.
An example of an unpatched vulnerability rated highly critical, and its release date: 2005-04-12. Isn't that kind of looking shaky too?
"This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted ".mdb" file in Microsoft Access."
The truth is, if you've opened any kind of mdb file that you don't know where it came from, your system is compromised. It doesn't have to be "specially crafted".
It's kind of like saying "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted ".exe" file."
If you've opened the exe, you are at the mercy of what the exe does.
Try to give some examples of unpatched vulnerabilities in OSS software that have stayed unpatched after such a long time period.
The two at the bottom of this page are from 2004:
http://secunia.com/product/4227/?task=advisories
Edited 2006-12-02 17:47
The two at the bottom of this page are from 2004:
http://secunia.com/product/4227/?task=advisories
Of which one needs you to click on an untrusted link in order to function. I refer to the same logic you used, namely:
If you've opened the exe, you are at the mercy of what the exe does.
Would mean if you open the untrusted link you are at the mercy of the server who sends you data.
RE[5]: Is there a real danger?
And RedHat 4 has 240 according to Secunia.
I had a look at the list, of the top 20, 3 were related to system functionality. The other 17 were vulnerabilities in software that also runs on Windows. Things like PHP and firefox and wireshark.
If only Windows came with this level of functionality 
If you go through this stuff regularly, surely you come to a few obvious conclusions?
1) That Apple has a great many vulnerabilities. There may be more or less than Windows, they may patch them faster or slower, but there are lots.
2) If they were exploited in the wild on the same scale as are the Windows vulnerabilities, there would be a disaster in the Mac world similar in kind to the malware disaster in the Windows world.
3) However, they are obviously not being exploited. Whether this is because of the lower installed base, the greater difficulty of exploitation, or because Mac users engage in less risky behaviour.
4) So from a practical point of view, if you are an end user and taking no more than casual precautions, your risks of getting infected are negligible with a Mac but significant with Windows. Probably the same is true if you are a desktop Linux user.
People should stop modding down NotParker, and just make the argument. Yes, he is basically right about the numbers of vulnerabilities. But he is completely missing the bottom line point about the real world experience, so he is wrong about what the facts mean.
Take a health example. We know that northern European cattle breeds are highly vulnerable to tropical insect-borne infections. Does it matter? No; as long as they live in Europe, who cares? It's rather similar: as a matter of practice, your chances of infection fall dramatically if you move away from Windows. This is surely not subject to dispute? It's not just how vulnerable you are. It's also the environment you are living and working in.
Modding the guy down may relieve people's feelings, but it is not confronting the error, which is a combination of correct facts and a conclusion which doesn't follow from them. As long as you don't confront the error, it can keep on being repeated.
It's not just how vulnerable you are. It's also the environment you are living and working in.
The same network we are all connected to?
That rules out the environment factor. On the contrary, taking the insider factor into account, the environment gets even worse. I mean, how many corporate desktops have a firewall?
I mean how many corporate desktops have a firewall?
In our K12 organization, we have a firewall on the perimeter and each XP SP2 install runs the firewall with certain ports open to our server subnet so we can do remote admin etc. The firewall is administered by group policy.
It's rather similar: as a matter of practice, your chances of infection fall dramatically if you move away from Windows.
Maybe. But on the other hand Debian servers have been hacked several times in the last 3 years. It may be that the hacking going on in Linux and OS X isn't discovered as often.
Most Windows users are not infected.
Use the firewall, IE7 (preferably on Vista) don't click on jpg's emailed to you, run an anti-virus.
I believe the number of Linux users is so small it hasn't been worth it for many hackers (except for Debian).
On the other hand, concept viruses for OS X do indicate a trend.
A lot of Windows hacking is because of a few virus/hacking kits being available and a lot of users not doing a few simple things to keep themselves safe.
Concept viruses for OS X indicate work is being done.
Go ahead, be blasé about it. I'm kind of blasé about my chances of being attacked. With the firewall on, nothing can get to my PC if I don't want it to. It's also behind a DSL router. And I run an anti-virus.
I don't think OS X users are taking precautions.
I do think the Debian server administrators were taking precautions. But they were still hacked twice. As was the GNU Savannah server. And it took them a month to notice.
"On December 1st, 2003, we discovered that the "Savannah" system, which is maintained by the Free Software Foundation and provides CVS and development services to the GNU project and other Free Software projects, was compromised at circa November 2nd, 2003."
http://gcc.gnu.org/ml/java/2003-12/msg00058.html
I wonder how many other Linux servers are compromised and no one ever notices.
The argument might be, Linux and Mac systems are already compromised in large numbers, we just don't know it. Seems unlikely. Surely if that were true we would find it being reported, because we know what kind of systems spam originates from? It seems really unlikely that all the security organisations would just have missed it.
I can think of four reasons to explain why Linux/Mac users are less exploited, despite the existence of vulnerabilities.
One, Mac users are considerably older on average. Linux users are more knowledgeable. That implies more experience, more care, less gaming, less ringtones etc.
Two, there are fewer of them, so there is likely to be less targeting.
Three, they do not generally sign on as root/admin. So the targets available are smaller and better hardened.
Four, they don't have this infernal combination of Explorer, ActiveX & Outlook to all interact and feed off each other.
Might not that account for the observed phenomena better than the hypothesis that infections are numerous but unnoticed?
I agree with you that there is a worrying level of complacency particularly among Mac users, or at least those who contribute to these forums. You have the usual chorus of determinedly ignorant rage when any threat is suggested. One would far rather hear them saying yes, we are not immune because no-one is, we need to be careful despite the good record so far.
However, so far, and it may change, their complacency if not their rage is justified by experience. You can't point to any record of exploits out in the wild infecting Macs, even with this level of complacency. It may not be due to the platform being wonderfully secure, and the material you cite does cast doubt on whether it really is, but whatever the reason, it's a fact that isn't seriously disputable.
Guys, this is a serious argument and deserves consideration. You should not, no way, be modding this down. I don't know whether it's right or wrong, but it is in no way abusive.
The modding system, for the most part, is used by FOSS supporters to try and hide anything they disagree with.
The vast majority of your flamebait posts are off-topic, and calling FOSS advocates "cultists" is abusive.
This has nothing to do with trying to suppress your drivel, but rather with trying to keep the debate elevated. You obviously cannot achieve that, hence your very low "Trust" rating.
I see that you have now resorted to the tactic of reposting your ad hominem attacks, strawman arguments and just plain off-topic posts once the stories are over three days old, so that they cannot be modded down. Of course, no one cares much about reading the comments for these old stories, and so you're basically wasting your time speaking to a metaphorical wall. That's fine with me: as long as you waste your time here, you don't pollute the newer threads.
In the present case, regardless of some of his previous comments which have indeed been provocative, he is making an interesting and perhaps valid argument.
The first thing he did was point to real evidence of very large numbers of vulnerabilities on MacOS and Linux. He gave links and cited sources. The evidence tended to show that in number and severity they were enough to present users with the same order of problems, if they were exploited with the same zeal and the same success as the Windows ones are.
He was then challenged on why, if there are so many and so severe vulnerabilities, the actual infection rate is so low. Because this is undisputed, that it is very low indeed.
He has now given evidence, with sources cited, that the reason may be in large part that the Mac and Linux desktops are simply not being targeted.
Never mind how we all feel about this. This is an empirical scientific question, and his position is logically consistent.
I have to say, the last part of his argument does not fully convince me.
I accept that the attack rate is low, as shown. I am not, however, persuaded that a set of machines where no one is running as root and everyone is running a firewall by default is going to be as vulnerable as the Windows base, even were it targeted as enthusiastically. I would like to see cases not of theoretical vulnerability, but of actual penetration of real machines run by their real owners. It is also still clear that if you move away from Windows, you stop being targeted, and that alone reduces your risk. The analogy would be: stay away from bad-water areas, and your susceptibility to cholera remains while your risk of illness falls. So he has not refuted that argument at all; he has only at best shown that the protection is perhaps due to lack of exposure rather than immunity. But lack of exposure is also protective.
I'm not sure how this is going to be tested empirically. Presumably the only test is going to happen if Linux and MacOS get enough share to be worth targeting, and for people to start routinely identifying and targeting them. Then we'll see.
But that is his point....
"Never Mind the Bollocks, Here's the Sex Pistols"
;-)
Blue Pill types (Win x86) of *kits are real threats, as Ms. Rutkowska has illustrated, rather expertly.
They're not just a threat for Win and Linux, you need to be thinking a little more "inside the box" here.
http://www.securityfocus.com/news/11372
http://it.slashdot.org/it/06/11/18/1351229.shtml
http://www.osnews.com/permalink.php?news_id=16374&comment_id=178043
http://slashdot.org/comments.pl?sid=207252&cid=16899958
We, as a community (IT), are way, far behind. Not to be dramatic, but can you imagine what lurks silently in, for example, disk drivers and BIOSes on some computers connected to outward-facing infrastructures (utility companies, banks, key ISPs)?
Logic bombs are not just for pissed off SysAdmins.
I mean, really ... Spammers are kicking our asses.
What would (could) happen if an enemy had half a plan?
Why do we, as a nation (USA) always have to be reactionary, rather than vigilant?
Tell me folks, does "DoS" *just* mean "packet flooding"?
I'll play Chicken Little.
You ... think about it.
Edited 2006-12-05 04:33