“Windows is more secure than you think, and Mac OS X is worse than you ever imagined”. That is according to statistics published for the first time this week by Danish security firm Secunia. The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm.
“There are three kinds of lies: lies, damn lies, and statistics.”
A number of vulnerabilities does not really tell how easy it is to compromise a system. It depends on the conditions that must be met for a successful compromise, the number of vulnerable systems with these conditions, and the percentage of these systems that have installed countermeasures such as firewalls and intrusion detection systems. Also, the number of systems upgraded over time; you could graph that, I guess, if you had the data. The thing is, Linux/BSD/Mac OS X exploits often require some obscure versions of particular libs/apps installed – and, not counting the Macs, the odds that any two boxes out of ten are running the same versions of the software are extremely low, because these OSes typically come in many flavors or versions (OpenBSD, NetBSD, FreeBSD, different versions and patch levels), or the hundreds of Linux distros in different versions and patch levels as well.
On the other hand we have Mac OS X and Windows, which typically come in one package, with precompiled binaries, which means a higher percentage of boxes is running the same insecure code, if discovered. Which also means it would be easier to target these machines.
The “from where” pie chart for OS X only adds up to 99%. How can we trust any of their numbers? 🙂
Just kidding…I think we all know that any OS isn’t 100% secure, I’m more concerned about the response from the OS vendor. I think Apple has a pretty good track record esp. compared to others.
Let me see, Techworld, aren't those the ones who said that Linux is more expensive than Windows, the ones who claim to be independent but receive grants from Microsoft?
Hmm, I think they need to rename their enterprise/web site to TrollWorld…
— “A product is not necessarily more secure because fewer vulnerabilities are discovered.”
That quote says it all.
The fact of the matter is, I spend hours on the phone w/ various family members and friends trying to help them dig their Windows boxes out of spyware/vulnerability hell. Two weeks later, they call me with all of the same problems again. I have some slight hope that SP2 will help remedy this, but I’ll believe it when I don’t get any more “How come my computer takes five minutes to load IE” phone calls.
My friends with Linux and OS X just don’t have these problems. A fresh install still works a year later.
Which vulnerabilities, how many of them, etc blah blah etc are unimportant. All I know is that Windows is becoming more trouble to administer than it’s worth.
News at 11:00
Product marketing pitch at 11:05
— “A product is not necessarily more secure because fewer vulnerabilities are discovered.”
False; if an OS has fewer vulnerabilities, you will find fewer security holes than in another one…
So if I understand him, the more vulnerabilities are discovered, the more secure the OS is, lol…
As a general trend in the Secunia advisories for Mac OS X
they count even fixes as an advisory. Here is an example:
2004 – 9 Secunia Security Advisories
– Mac OS X Multiple Unspecified Vulnerabilities
– Mac OS X Volume URI Handler Registration Code Execution Vulnerability
– Mac OS X URI Handler Arbitrary Code Execution
– Apple Filing Protocol Insecure Implementation
– Mac OS X Local Denial of Service Vulnerability
Total real issues: 5
Fixes counted as advisories for 2004
– Mac OS X Security Update Fixes Multiple Vulnerabilities
– Mac OS X Security Update Fixes Multiple Vulnerabilities
– Mac OS X Security Update Fixes Multiple Vulnerabilities
– Mac OS X Security Update Fixes Multiple Vulnerabilities
Total fixes: 4.
However, for XP:
2004 – 11 Secunia Security Advisories
– Microsoft DirectPlay Packet Validation Denial of Service Vulnerability
– Microsoft Windows “desktop.ini” Arbitrary File Execution Vulnerability
– Microsoft Windows Help and Support Center URL Validation Vulnerability
– Windows Explorer / Internet Explorer Long Share Name Buffer Overflow
– Microsoft Windows 14 Vulnerabilities *****<<<<<<<
– Microsoft Jet Database Engine Buffer Overflow Vulnerability
– Microsoft Windows RPC/DCOM Multiple Vulnerabilities
– Microsoft Windows Enhanced/Windows Metafile Handling Vulnerability
– Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
– Windows XP Malicious Folder Automatic Code Execution Vulnerability
– Microsoft Data Access Components Broadcast Reply Buffer Overflow
All real issues: 11 in total; it’s worse for 2003. How is it that their advisories have a different modus operandi for different OSes? Here is the clincher: one of the advisories for XP has 14 vulnerabilities and is counted as one !!!!
To me it looks like OS X is much, much more secure given the discrepancies in the data used for the statistics. I don’t have time to delve into this in detail.
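An added example (not from the original thread, nor Secunia's own method) that applies the counting argument above to the two quoted 2004 title lists: drop the "Security Update Fixes" notices, then count the vulnerabilities a title discloses rather than the advisories themselves. The titles are transcribed from the comment; the classification rules and the treatment of "Multiple" as a floor of one are my assumptions.

```python
import re

# Constructed input: the two 2004 advisory title lists quoted in the comment
# above, transcribed verbatim (titles only; no advisory ids or dates).
MACOSX_2004 = [
    "Mac OS X Multiple Unspecified Vulnerabilities",
    "Mac OS X Volume URI Handler Registration Code Execution Vulnerability",
    "Mac OS X URI Handler Arbitrary Code Execution",
    "Apple Filing Protocol Insecure Implementation",
    "Mac OS X Local Denial of Service Vulnerability",
    "Mac OS X Security Update Fixes Multiple Vulnerabilities",
    "Mac OS X Security Update Fixes Multiple Vulnerabilities",
    "Mac OS X Security Update Fixes Multiple Vulnerabilities",
    "Mac OS X Security Update Fixes Multiple Vulnerabilities",
]

WINXP_2004 = [
    "Microsoft DirectPlay Packet Validation Denial of Service Vulnerability",
    'Microsoft Windows "desktop.ini" Arbitrary File Execution Vulnerability',
    "Microsoft Windows Help and Support Center URL Validation Vulnerability",
    "Windows Explorer / Internet Explorer Long Share Name Buffer Overflow",
    "Microsoft Windows 14 Vulnerabilities",
    "Microsoft Jet Database Engine Buffer Overflow Vulnerability",
    "Microsoft Windows RPC/DCOM Multiple Vulnerabilities",
    "Microsoft Windows Enhanced/Windows Metafile Handling Vulnerability",
    "Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities",
    "Windows XP Malicious Folder Automatic Code Execution Vulnerability",
    "Microsoft Data Access Components Broadcast Reply Buffer Overflow",
]

# Assumed heuristics: a patch-release notice is recognised by its wording, an
# explicit "<N> Vulnerabilities" gives a hard count, and "Multiple"/plural
# "Vulnerabilities" without a number means the count is unknown (floor of 1).
FIX_NOTICE = re.compile(r"\bSecurity Update Fixes\b", re.IGNORECASE)
EXPLICIT_COUNT = re.compile(r"\b(\d+)\s+Vulnerabilities\b", re.IGNORECASE)
UNCOUNTED_BUNDLE = re.compile(r"\bMultiple\b|\bVulnerabilities\b", re.IGNORECASE)


def classify(title):
    """Classify one advisory title.

    Returns (kind, count, lower_bound):
      kind        'fix' for a patch-release notice, 'issue' otherwise
      count       number of distinct vulnerabilities the title lets us count
      lower_bound True when the title signals a bundle without a number, so
                  count (1) is only a floor
    """
    if FIX_NOTICE.search(title):
        return "fix", 0, False
    m = EXPLICIT_COUNT.search(title)
    if m:
        return "issue", int(m.group(1)), False
    if UNCOUNTED_BUNDLE.search(title):
        return "issue", 1, True
    return "issue", 1, False


def tally(titles):
    """Summarise advisory titles three ways: raw advisories (the headline
    number), issue advisories with fix notices removed (the poster's 'real
    issues'), and a floor on distinct vulnerabilities disclosed."""
    summary = {"advisories": len(titles), "fix_notices": 0,
               "issue_advisories": 0, "vulns_at_least": 0,
               "undercounted_bundles": 0}
    for title in titles:
        kind, count, lower_bound = classify(title)
        if kind == "fix":
            summary["fix_notices"] += 1
            continue
        summary["issue_advisories"] += 1
        summary["vulns_at_least"] += count
        if lower_bound:
            summary["undercounted_bundles"] += 1
    return summary


if __name__ == "__main__":
    for name, titles in (("Mac OS X 2004", MACOSX_2004),
                         ("Windows XP 2004", WINXP_2004)):
        print(name, tally(titles))
```

The headline numbers (9 vs 11) shrink to 5 vs 11 once fix notices are dropped, and the floor on distinct vulnerabilities becomes 5 vs 24 once the bundled "14 Vulnerabilities" advisory is expanded.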
A number of vulnerabilities does not really tell how easy it is to compromise a system.
If you had actually read the article, they also stated that.
Come on people, serious cases of “I read what I want to read here”
And, on another note, whenever an article says: “more exploits in windows than in linux” y’all do believe it…
Hypocrisy, really.
There are some important values missing.
Is the security related program enabled by default?
Is the security related feature compiled in by default?
Or at least an affected rate, because if 90% don’t use a CVS server, even the biggest issue won’t bring down many machines.
But the same goes for Windows; I think a geek wouldn’t be infected by Blaster either.
The biggest security issue is the user, though…
But the Mac OS X is based on the very secure BSD foundation. How can it possibly not be secure? Everyone knows how secure BSD is. Besides, Mac OS X keeps getting better and better, so with time it will become even more secure than it is today.
Remember: A large number of possible exploits in MacOS X are in services not enabled by default (meaning it’s not enabled by regular users) such as exploits in samba, sshd and apache. This is one key difference between MacOS X and the various Windows variants.
I work as first line support for an ISP and it’s a huge problem for people that Sasser gets them often less than a minute from when they are first connected.
“So if I understand him, the more vulnerabilities are discovered, the more secure the OS is, lol…”
I don’t think that is what they are saying at all. What I do believe they are saying is that a product could have a lot of vulnerabilities but the impacts of those vulnerabilities could be rather minimal, whereas another product could have very few vulnerabilities but those vulnerabilities could have extremely negative impacts. Basically meaning that you cannot use the number of vulnerabilities as the only measure of a system’s security. You also have to weigh in the impacts of those vulnerabilities to measure a system’s security, as well as a whole stack of other things like how fast a vendor responds with a fix, etc.
All real issues: 11 in total; it’s worse for 2003. How is it that their advisories have a different modus operandi for different OSes? Here is the clincher: one of the advisories for XP has 14 vulnerabilities and is counted as one !!!!
They also seem to have missed the 40 for IE 6.0 which given it’s tight integration with the OS should also be counted.
All OSes will have vulnerabilities. Wouldn’t finding and patching more vulnerabilities make an OS more secure? It’s a paradox. There is no way to really know which OS has more holes, only which OS has more of them plugged up.
Not only which of them are more plugged up.. but also, which OS is most likely to be running as root/administrator
OSX more-or-less forces me to run as a regular user by requiring a pwd to do anything which changes the system. Windows is pretty blasé about power-users being able to change things.
That sort of thing has an effect on security, as even if a system can be compromised remotely, if you get immediately faced with a password prompt you can’t DO much!
Oh.. and installed base is important. Hackers will always go for the common systems, as a virus targeting Windows can travel further and faster than a Mac virus of similar style.
Nice spin job. Reporting like this beauty of an article would make any political spinmeister proud. You can spin it or dress it up any way you like, but it doesn’t change the underlying truth that Windows is far more inherently insecure than OS X or Linux. Now when they can show actual OS X systems in the wild that have been compromised by said vulnerabilities, then they’ll have a real story…
I would love to see vulnerabilities classified a little better, perhaps into ‘server’ and ‘desktop’.
For instance, on my home Linux desktop, I’m not running Apache, CVS, Sendmail, BIND or anything like that, and I doubt many Windows home users are running IIS or Exchange Server etc.
But some security hole in an open source game or IM app may affect me, and an IE flaw would affect a Windows home user.
The point of this ramble is that Windows is probably a pretty good server OS when set up correctly, but since the vulnerabilities are all lumped together with IE exploits etc. it’s almost impossible to tell.
Linux and MacOS are more secure by default because IE and Outlook are generally not installed. Seriously, those two applications are the primary vector of the vast majority of system compromises. Raw statistics show that trojans, spyware, and other self-reproducing code make intrusions via system vulnerability exploits pale in comparison.
These security studies never take this very obvious fact into account.
And honestly…I don’t see how ANYONE can consider Windows remotely secure because of the architectural flaws that make “shatter” attacks possible. In my opinion, a local escalation of privileges can be just as dangerous as a remote exploit. Users are often clueless, and we all know how easy it is to get a lUser to run random code, whether it be by social engineering or exploit of userland applications.
It is an admirable thing that Microsoft is rewriting a good part of Windows for Longhorn, and is willing to break application compatibility in SP2 in the name of security. But in the meantime, a virgin Windows box exposed to the internet will become infected with some form of malware within minutes. Even with (updated) firewall, antivirus, and anti-spyware software, it’s only a matter of time with average usage.
A quick look at your email inbox will tell you which OS is least secure. Most secure is a matter of contention, but I doubt anyone wants, or can run OpenBSD or Trusted Solaris as a multimedia home desktop.
//My friends with Linux and OS X just don’t have these problems. A fresh install still works a year later.//
That’s also because your friends with Linux and OS X are likely more technically astute than your Windows-using pals.
I’ve found that it kinda depends on the users. Since most folks buy PCs at Best Buy/CompUSA/Circuit City, most folks get Windows. Most folks don’t have a clue about OS security. Thus, Windows gets hammered — and, yes, Windows seems to be less secure, out of the box.
Personally — I’ve been using Windows 2000 for four years, and Windows XP for two. I have properly configged rigs. I’ve yet to have any viruses. I have no Spyware. Basically, no problems, other than an occasional glitch, as you’d get with any machine.
Remember, there’s lots of folks out there using computers that really shouldn’t be. Same thing with driving cars. Just slightly less dangerous. 🙂
I somehow don’t understand this.
XFree, Mozilla, OpenOffice, Gaim… are noted for RH. OK, RH ships the server with them and publishes exploits in the same errata.
Where are the IE and Outlook Express exploits (I found only 3 and 1 indirect)? M$ ships Windows with IE and OE, but publishes exploits as a separate topic. I still can’t buy Windows without them. And I’m really sure there were more than 4 bugs in Explorer.
Either this security firm isn’t as credible as they say or they lack brains to add 2 and 2.
You might be right about Linux users (in fact, it’s a certainty), but Mac users are more clueless than Windows users (I work in a design studio), and they do have far fewer problems. Reinstalling the OS is simply not an option for them (getting them to upgrade – which actually works with Mac OS X – can even be difficult).
I won’t get into all the deep technical details, since I’m not all that knowledgeable about operating systems. However, there are two points that contribute HUGELY to Windows’ security problems.
1.) By default, users are given administrator privileges. This is one of the stupidest moves I’ve ever seen when it comes to security. Microsoft should have recognized long ago that a large portion of its users are total idiots, and will execute any code that promises them free stuff/porn, which will then install itself in the form of spyware and viruses. On Linux and Mac OSX, the user must enter a root password in order to install or uninstall anything, so the user will be made aware whenever any changes are being made to the system.
2.) By default, a lot of useless services are enabled for end-users of Windows XP. The Messenger service is a great example that allows advertisers to take a measure of control over a remote PC, but has little practical value to an end-user. It’s just another gaping security hole that the average Joe isn’t going to be aware of when he turns on his PC.
Statistics don’t take these facts into account. The vulnerability may be there in other operating systems, but they are not so blatantly exposed like in Windows.
As a former Applecare rep, I can assure you that “technically astute” is NOT the hallmark of a Mac user.
Many are, of course, but the primary users of Macs remain those who need its simplicity and ease of use. Well, maybe not *need*, but they are not the slightest bit interested in learning about computers at all, only using them. That’s where Macs are the best choice, as no other system can really fill that niche. Every other system out there requires much more from its users.
Something that irks me about stats like these is: what would Windows’ security record be if they shipped with 4 CDs’ worth of programs like Linux distros? What if they shipped with 3-4 browsers, 3-4 e-mail clients, 2 DNS servers, 3 mail servers, etc.? Linux has 4x the software, but it’s not allowed to have more bugs? Just doesn’t make sense to me.
Last 5 years? Well, you were wrong in the last 5 years. BTW, when looking for security holes, look for IE and OE holes too. They are included in Windows but the errata is separate. If you look at most of the errata for Linux you see that it’s not for system parts but various software. If you wanna check this you should add M$ Office too.
Why shocked?
Most of these don’t concern a typical install. 1/4 are valid for a server and 1/4 for a typical desktop. Other software like rsync, mutt, lftp… is included in the distribution but very few people need it. Most of it is not even installed in a typical setup.
Whereas, on the other hand, you install the complete Windows and the complete OSX.
The fact of the matter is, unless these exploits can be done on a default install, the system isn’t really insecure. Just because Mac OS X needs a number of patches via Software Update doesn’t mean it is vulnerable. Out of the box, Mac OS X ships with ZERO services running. So even if Apple decides to force everyone to upgrade SSH via softwareupdate, that doesn’t mean that your average Joe is vulnerable if he doesn’t. In fact he probably doesn’t even know ssh exists and as usual it isn’t running by default.
Such isn’t the case with Windows (self-explanatory)
On Linux and Mac OSX, the user must enter a root password in order to install or uninstall anything, so the user will be made aware whenever any changes are being made to the system.
Simply false.
On OS X, the typical user is an “admin”, which means they can copy things into /Applications, thus “installing” them.
On Linux, typical users can install programs into their home directories. As can “non-admin” users on OS X.
On both platforms, nearly all ignorant users that are prompted for a password to install something, will happily type it in without even thinking, thus negating the whole point of not running as root.
The “not running as root” issue is not irrelevant, but it is completely overblown when talking about desktop machines. Most of them are only used by a single person and the vast bulk of malware/viruses/trojans/whatevers simply don’t need elevated privileges to do their work.
that is for OS X package installs, but for installer items, you must put in your Admin password.
“I dont want anyone to hack my user account.. i honestly dont care if they root my computer, all my vital information is in my personal user account.”
Do you not realize that the super user of a system has complete control over your system and can look at everybody’s data? At the very least they can change your password and get in that way…..
I got an email a few days ago offering me free porn if I installed the porn browser conveniently attached to the email.
Now, assuming this is a porn browser for Mac OSX and I am dumb enough to trust the promise, do you think that the need to enter an Admin password will stop me?
I was not talking down OS X, I was pointing out a discrepancy that the other poster had in his/her post.
Do you not realize that the super user of a system has complete control over your system and can look at everybody’s data?
Actually, if you have FileVault (see http://www.apple.com/macosx/features/filevault/index.html ) turned on even the superuser can not read your data. And if they change the password, the data is not un-encrypted with that new password.
This is actually probably a good idea if you’re never going to forget your password.
First, I make my living in information security. I can honestly say that the conclusions in this article are !#@$%.
The counting methods employed are erroneous, the interpretation unsupported and the most salient issue not addressed.
Which is the most secure OS = which OS offers the least risk at the end of the day.
Let’s take an example of one of the bigger vulnerabilities, like the fairly recent sshd vulnerability:
On OSX (client):
1) sshd not enabled by default = reduced aggregate exposure
2) exploits only targeted 2 prominent platforms (linux/freebsd) = reduced threat.
3) exploit code only successfully targeted to x86 processors (not even a successful poc on ppc) = reduced threat.
Does this equate to the same risk as any one of the numerous MS RPC vulnerabilities? The article would have them as equal even though the risk profile is quite different.
Sorry if I sound mad, but reality doesn’t support their analysis and isn’t helped by it either.
Bert
I admit I got a bit lost looking for the big Windows/OS X/Linux comparison chart that I was led to believe existed on the site. I seem to be inept at working with GUIs.
Anyway, I don’t remember news stories about 12 takeover methods for OS X this year. If there were, then OSNews is really failing.
I’m going to guess that some of the stuff with RH that they report was “error in mySQL database” and “apache issue” etc. Just a guess.
Nothing is perfect, but I didn’t notice surprising statistics on OpenBSD’s security.
“that is for OS X package installs, but for installer items, you must put in your Admin password.”
That’s correct and by default alone OSX is more secure than Windows given the BSD core.
I’m a Mac OS and Windows user, OS X is far more secure than XP and more stable. This article is far from real world.
I think if they had studied worms and trojans then they would be sorry for what they said.
that is for OS X package installs, but for installer items, you must put in your Admin password.
The fact remains that regular users can, typically, “install” and run anything they want.
“The fact remains that regular users can, typically, “install” and run anything they want.”
Who cares? It has no effect on system stability or other users. Installing things on a proper system does not affect the programs installed systemwide.
In case you’re talking about users who admin their own box, short of taking away their computers, how could you possibly stop them from doing stupid things, on any OS?
Something that irks me about stats like these is: what would Windows’ security record be if they shipped with 4 CDs’ worth of programs like Linux distros? What if they shipped with 3-4 browsers, 3-4 e-mail clients, 2 DNS servers, 3 mail servers, etc.? Linux has 4x the software, but it’s not allowed to have more bugs? Just doesn’t make sense to me.
Then why do Linux distributions ship 3-4 browsers, 3-4 e-mail clients, 2 DNS servers? In my opinion, commercial distributions should only distribute ONE piece of software of a kind and ensure that the included software is as secure/bug-free as possible. They should stop Lego-ing everything together and entirely depend on the official maintainer of the package for the fixes. For the sake of choice, additional packages should be available on an unmaintained CD or something like that.
Choice is good, but too much is like not enough.
I really disagree with this study, because it is basically wrong. How many critical faults do people hear about in Mac OS X or different Unixes like Linux or FreeBSD? And compare it now with the number of critical faults you heard about in Windows in the last 6 months, say.
That’s a world of difference….. How many security updates for critical faults has Microsoft made during the last 6 months or more? Hundreds and hundreds of them….
How many did Apple do? Less than 10. I know, I use Macs and PCs every day, in a big workgroup…. And basically everyone knows it. It is just a comparison of matters of fact…..
Just remember the security update that Microsoft published last April that corrected ….100 faults, and many of them were critical. Everyone remembers that, only Secunia does not. And by the way I find it strange that they have been trying very hard for several weeks now to show that OS X is not secure or has critical faults!!!! Really strange.
And now take the number of critical faults discovered in Internet Explorer, Outlook Express, and many components of Windows. One or several critical faults affecting Windows are found almost every week. Just last week several were discovered.
I don’t invent it, it is a matter of fact. And again take the number of faults discovered in Mac OS X recently. Is it comparable to Windows? I don’t think so…….
And how many viruses exist on Windows. Many of them exist on Windows because they use critical faults in Windows to spread or whatever they want to do. Again that’s a matter of fact. No critical faults, no such kind of viruses. That’s simple.
And again take the number of viruses on OS X using any kind of faults which may have occurred on that system……ZERO after 3 years of being on the market. Compare with Windows XP or whatever.
And sure, compare the number of critical faults discovered in Mac OS X after 3 years of being on the market with Windows XP (3 years on the market too)…. That’s two different worlds. Even Windows Server 2003, which appeared last year, has more critical faults than OS X.
So what’s the point of those statistics from Secunia? I don’t understand it, and I don’t understand what they want to show or to say, and for whom. They want to help Microsoft, maybe???? But we all know how it is, we all use computers every day, we all see the number of patches that Microsoft has supplied so far.
Those statistics and the scandalous conclusion from Secunia are simply WRONG. For me they just want to discredit the Unix operating systems; some guys tried to do so with Linux a few months ago, and now they try with Mac OS X. For the benefit of whom? ……Well, Microsoft, ….maybe? However, this fact is rather clear for me….
In case you’re talking about users who admin their own box, […]
That would be precisely who I’m talking about, since it covers just about everyone not in a managed corporate environment.
[…] short of taking away their computers, how could you possibly stop them from doing stupid things, on any OS?
You *can’t*, which is precisely the point I continually try to hammer home and the one that just about every armchair expert on this subject can’t seem to grasp. It is why the biggest security hole in the system is the user.
Most machines out there are single user desktops. The two arguments typically used – that only “root” can install system-wide things and that users can’t delete other users files *are almost completely irrelevant* to these machines.
Just about everyone sitting in front of a computer can, one way or another, run any damn thing they want. Whether or not the thing they run has elevated privileges *on the local machine* simply *does not matter* in 99% of cases.
If Windows was secure it wouldn’t be hacked so easily. Secondly, as said “By Anonymous (IP: 217.61.223.—) – Posted on 2004-06-24 19:46:16” (Mac OS X and Windows come in one package, contrary to Linux distros),
but the thing here is that lately Mac OS X is based on Unix, so I don’t think that Unix would be easier to hack or to find a flaw in than Windows.
Secunia is an unethical (super spelling) company:
They research nothing themselves, but steal advisories from various lists and other sites, then manage to get themselves advertised as the professionals.
Fact is that they know nothing, besides marketing. They hardly research anything themselves (check advisory credits).
Then, their last step is to give interviews about things they don’t care about, but which should get some audience. That’s what they care about. I experienced these problems with them already.
Windows is not very secure, and Mac OS X is not unbeatable, but in the end, we know how it is, we who know what it is about. We, yes, but not the wide public, and that’s whom Secunia touches.
I think the difference between OSX and windows is the fact that the security issues are taken care of before they are exploited not after. Anyone out there have their OSX box taken over by someone????
My Mac with OSX 10.2.8 has done weird things twice in the last year, and both times it involved trying to delete MS software, which I downloaded from MS.
Believe me or not, it’s the truth.
After playing with the app for a while, as I tried different ways of getting rid of it, it made a copy of itself, and the original app became property of the root.
The only way I could get rid of this ???, was to erase the HD and load a new system.
Both times, I got the blue screen and the beachball, and nothing else.
Had to unplug it to shut it down.
These are the only two times my Mac has ever done more than hiccup under heavy work loads.
Needless to say, because of my experience, and regardless of the cause, my machine shall remain MS free until the end of time.
I bet not, but the page doesn’t load here.
Also the significance of the vulnerabilities is important. Almost no home end-user cares about a vulnerability in NFS which is not enabled by default; Windows users in general, however, should care about the RPC and MSIE vulnerabilities because those are enabled by default and heavily used.
A clean fresh install of MacOSX is less secure than a clean fresh install of WinXP or Windows. Especially locally.
I’ve run OSX 10.1, 10.2 and 10.3, and all are easier to get into tool-lessly than Windows. A tool constitutes some of that canned script kiddie paraphernalia.
As the first comment says, the number of vulnerabilities doesn’t matter so much as ease of access to the system. And it just so happens Mac OS X, when not configured properly (and it doesn’t come well-configged), is quite open.
However, any properly configured machine can be much more secure. That’s when the vulnerabilities really start to matter.
How many Mac OSX vulnerabilities are because of IE for Mac? Or even Office for the Mac.
Great question!
The vulnerability may be there in other operating systems, but they are not so blatantly exposed like in Windows.
I just had to point out that I think that precisely what you mention above makes Windows insecure. There were conscious (hopefully) decisions made during Windows’ development that caused these problems…
A clean fresh install of MacOSX is less secure than a clean fresh install of WinXP or Windows. Especially locally.
What are you talking about? A clean install of OS X has zero open ports, making it just about impossible to exploit remotely. That is not the case in XP.
Locally, either can be exploited by booting into Safe/Single User mode. Same with any Unix system, or pretty much any system. But both can also be protected from this using BIOS/Open Firmware passwords and the like.
Either name some specific ways OS X is less secure out of the box, or admit you have no idea what you’re talking about. Cause you’re the first person I’ve ever heard say that.
“However, any properly configured machine can be much more secure. That’s when the vulnerabilities really start to matter.”
Ever heard of “OpenBSD — secure by default”?
Not that I fully agree with it, nor believe it is 100% true, but some other vendors have taken this step as well.
http://story.news.yahoo.com/news?tmpl=story&cid=1804&ncid=738&e=7&u…
Are you really trying to compare that with OSX?
LOL
That above reason alone shows why windowz zealots about OS’es.
And no games don’t count.