Old 07-11-2004, 10:22 AM   #1
Registered User
 
Join Date: Jun 2004
Posts: 31
Mac OS X not as secure as you think!

Article Here

Security statistics show surprising finds

The Microsoft Windows application is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

The statistics, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems. Each product is broken down into pie charts demonstrating how many, what type and how significant the security holes have been in each.

The figures show that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said.

This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

Its service, easily accessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms.

Secunia said the service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype.

"Seen over a long period of time, the statistics may indicate whether a supplier has improved the quality of their products," said Secunia chief technology officer Thomas Kristensen.

He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows is not the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25% granting system access.

Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.

Sun Microsystems' Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20% of which were "highly" or "extremely" critical.

Comparing product security is difficult, and has become a contentious issue recently with vendors using security as a selling point.

A recent Forrester Research study compared Windows and Linux supplier response times on security flaws and was heavily criticised for its conclusion that Linux suppliers took longer to release patches. Linux suppliers attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies.

Suppliers also took issue with the study's method of ranking "critical" security bugs, which did not agree with the suppliers' own criteria.

Secunia agreed that straightforward comparisons are not possible, partly because some products receive more scrutiny than others.

Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.

Matthew Broersma writes for Techworld.com
GimmeDaMic
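The per-product numbers in the article (advisory count, share remotely exploitable, share granting system access, share "highly" or "extremely" critical) and the Forrester dispute over patch response times both come down to how a set of advisories is scoped and aggregated. The following is an added example, not code from Secunia, Techworld or anyone in this thread. The advisory records in it are constructed for illustration and are not real data; the field names, the `in_base_os` flag and the `as_of` cut-off date are assumptions made for the demo. It computes a Secunia-style breakdown for two hypothetical products, once over everything and once restricted to the base OS, and a mean days-to-patch both over all advisories and over the highly/extremely critical ones only, which is the weighting the Linux vendors said the Forrester study lacked.

```python
"""Secunia-style advisory statistics and patch-latency figures.

Added example; not code from Secunia, Techworld or this thread. All
advisory records below are constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

HIGH = {"highly", "extremely"}  # Secunia's top two of five criticality labels


@dataclass(frozen=True)
class Advisory:
    product: str
    vector: str              # "remote" or "local"
    system_access: bool      # does the flaw yield system access?
    criticality: str         # "not", "less", "moderately", "highly", "extremely"
    in_base_os: bool         # assumption: OS proper vs. bundled/optional app
    disclosed: date
    patched: Optional[date]  # None = no fix yet


def product(advs: List[Advisory], name: str) -> List[Advisory]:
    return [a for a in advs if a.product == name]


def pct(n: int, d: int) -> float:
    return 0.0 if d == 0 else round(100.0 * n / d, 1)


def breakdown(advs: List[Advisory], base_os_only: bool = False) -> dict:
    """Per-product shares in the form the article reports them."""
    sel = [a for a in advs if a.in_base_os or not base_os_only]
    n = len(sel)
    return {
        "advisories": n,
        "remote_pct": pct(sum(a.vector == "remote" for a in sel), n),
        "system_access_pct": pct(sum(a.system_access for a in sel), n),
        "high_or_extreme_pct": pct(sum(a.criticality in HIGH for a in sel), n),
        "extreme_pct": pct(sum(a.criticality == "extremely" for a in sel), n),
    }


def days_to_patch(advs: List[Advisory], critical_only: bool = False,
                  as_of: date = date(2004, 7, 11)) -> Optional[float]:
    """Mean disclosure-to-fix latency in days.

    critical_only=True counts just highly/extremely critical advisories,
    i.e. the weighting vendors said the Forrester study left out.
    Unfixed advisories are charged up to as_of rather than silently dropped.
    """
    sel = [a for a in advs if not critical_only or a.criticality in HIGH]
    if not sel:
        return None
    return round(float(mean(((a.patched or as_of) - a.disclosed).days for a in sel)), 1)


D = date
SAMPLE = [  # constructed, not real advisories
    #        product  vector    sysacc crit          base_os disclosed       patched
    Advisory("OS-A", "remote", True,  "extremely",  True,  D(2004, 1, 10), D(2004, 1, 12)),
    Advisory("OS-A", "remote", False, "moderately", True,  D(2004, 2, 1),  D(2004, 2, 21)),
    Advisory("OS-A", "local",  True,  "less",       False, D(2004, 3, 5),  D(2004, 3, 6)),
    Advisory("OS-A", "remote", False, "less",       False, D(2004, 4, 1),  None),
    Advisory("OS-B", "remote", True,  "highly",     True,  D(2004, 1, 15), D(2004, 4, 13)),
    Advisory("OS-B", "remote", True,  "extremely",  True,  D(2004, 2, 10), D(2004, 3, 10)),
    Advisory("OS-B", "local",  False, "moderately", True,  D(2004, 3, 1),  D(2004, 5, 1)),
]

if __name__ == "__main__":
    for name in ("OS-A", "OS-B"):
        advs = product(SAMPLE, name)
        print(name, "all:", breakdown(advs))
        print(name, "base OS only:", breakdown(advs, base_os_only=True))
        print(name, "mean days to patch: all =", days_to_patch(advs),
              "critical only =", days_to_patch(advs, critical_only=True))
```

Running it prints the breakdown for each hypothetical product. The thing to notice is that the same product yields different percentages depending on whether bundled applications are counted, and the mean time-to-patch drops when only the flaws a vendor prioritises are measured, so two studies using honest arithmetic on the same advisories can reach opposite conclusions.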
Old 07-11-2004, 10:39 AM   #2
Moderator
Staff
Premium Member
 
Join Date: Aug 2003
Location: Richmond, VA
Posts: 7,835
Do bear in mind that there are more MS Windows users in this world than Mac OSX users - therefore, it's normal for the viral attackers to try to get the larger groups, the MS owners. In that sense, it's generally more accepted that the minority will be safer. Think of it in terms of MSIE vs. Firefox. MSIE is a generally vulnerable browser, while Firefox is less known, and has fewer security holes. Just my perspective on it - doesn't change my mind as I'm going to buy a Mac this coming fall to replace my sister's Win2000 as she goes off to school.

Hope that helps,
kram
__________________
"For today, goodbye. For tomorrow, good luck. And forever, Go Blue!"
University of Michigan President Mary Sue Coleman
kram 2.0
Old 07-11-2004, 11:03 AM   #3
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
This is EXACTLY what I've been saying all along to all those that whine about how MS isn't secure... when you have millions of lines of code... gimme a break.. it isn't gonna be perfect and SOMEBODY will find a way.
__________________
-At Ford, quality is job #1, job #2 is making them explode. ~Norm MacDonald, SNL News

-Switching to Glide..Balancing in my head..inside of me...
taking the glide path instead.
HAL9000
Old 07-11-2004, 12:44 PM   #4
Member (12 bit)
 
Join Date: Oct 2003
Location: Manchester, UK
Posts: 2,374
Like kram said, it's all about the minorities and the majorities. For all people know Firefox could have as many holes as Swiss cheese, but because more people use IE it's the IE holes that are noticed. It's the same for OSes, XP is most popular at the moment, so why bother on something as small as OS X?
ric449
Old 07-11-2004, 01:40 PM   #5
Barefoot on the Moon!
Staff
Premium Member
 
Force Flow's Avatar
 
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,382
Mac O/S's haven't been a real target since they're not mainstream O/S's. Malicious coders usually try to hit the largest area as possible, so Windows O/S's fit the bill. Apple hasn't really had to worry about security too much until they went Unix-based.
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.
Force Flow
Old 07-11-2004, 01:53 PM   #6
aym
Registered User
 
aym's Avatar
 
Join Date: Nov 2001
Posts: 1,965
If the more popular is more targeted, could you please tell me why Apache web server isn't targeted even though it's more popular? Apache runs 70% of the web, and still IIS gets many more viruses and worms.

Netcraft web survey.

EDIT:

Quote:
Like kram said, it's al about the minorities and the majorities. For all people know firefox could have as many holes as swiss cheese, but because more people use IE it's the IE holes that are noticed. It's the same for OS's, XP is most popular at the moment, so why bother on something as small as OS X?
I don't think so, check out my post in this thread, Firefox is designed to be secure, unlike IE, and patches in case of bugs come out much faster too.

Last edited by aym; 07-11-2004 at 02:01 PM.
aym
Old 07-11-2004, 02:12 PM   #7
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
Quote:
Originally Posted by aym_7
If the more popular is more targeted, could you please tell me why Apache web server isn't targeted even that it's more popular? Apache runs 70% of the web, and still IIS gets much more viruses and worms.
Simple... which one costs money? It's like I have always said... Live the American dream... just don't be too successful at it cuz everyone will hate you.
HAL9000
Old 07-11-2004, 02:23 PM   #8
aym
Registered User
 
aym's Avatar
 
Join Date: Nov 2001
Posts: 1,965
I don't get it, IIS is targeted because it costs money or what? Or hackers attack MS just because it's successful?

Last time IIS was targeted they used an exploit to steal bank accounts, it could have been worse if they were able to target Apache instead, as much more websites use it.
aym
Old 07-11-2004, 09:45 PM   #9
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
That's just it.. everyone hates MS... specifically Bill Gates cuz he has all the $$$... if you hate it so much... Learn Linux... your apps don't work... tis called open source for a reason... design something better. So you have this hate for MS.. people who go to the extremes attack it... isn't rocket surgery.
HAL9000
Old 07-11-2004, 10:02 PM   #10
Registered User
 
RHLinuxGUY's Avatar
 
Join Date: Oct 2003
Location: So-Cal
Posts: 85
Hal, do you hate open source and Linux? I'm not saying I hate Windows, I like them both. Just asking.
RHLinuxGUY
Old 07-11-2004, 10:18 PM   #11
Staff
Premium Member
 
mairving's Avatar
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
It is all how you make the stats not the truth that is the key in that report. The biggest thing wrong with comparing the number of security advisories in 'Nix vs. Windows is nearly all of the security advisories in Windows applied to the operating system itself. A good portion of them were IE, which is so tightly woven into the OS as to become part of it. However, it is the opposite with the 'Nix apps. Most of them were not part of the OS, but were apps that may or may not have been installed. MS had a couple of really bad ones that you could get by doing nothing, i.e. Blaster and Sasser. How many major exploits like those did Apple or 'Nix have...zero.

So saying that Apple or other 'Nix based OS's are less secure than Windows because they have had more security advisories is totally stupid.
__________________

Want to Make $$$$ with your Computer? No Risk! Simply press shift-4 four times in a row
mairving
Old 07-11-2004, 11:51 PM   #12
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
Quote:
Originally Posted by RHLinuxGUY
Hal, do u hate open source and linux? Im not saying I hate windows, I like them both. Just asking.
I have neither said nor implied any such thing... I have nothing against open source or 'nix... I run 'nix on my server... I patch the heck outta it on a very regular basis "because it doesn't have any security flaws".... I was just saying that when you're the biggest, people hate and attack you for whatever the reason. Do you REALLY think that if by somehow, some miracle happened and the majority of users were suddenly using some flavour of 'nix that all exploits in the world would stop? I hardly think so... these people would still go after the majority and you would still see just as much of this crap going on whether you like to believe it or not.
HAL9000
Old 07-12-2004, 08:05 AM   #13
aym
Registered User
 
aym's Avatar
 
Join Date: Nov 2001
Posts: 1,965
As for the article itself, mairving has a good point, I also want to add that a default installation of Linux (and I think Mac OS X) doesn't have any network services enabled by default, unless the admin enables them, so even if some network service has exploits, it's not exploitable by default.

OTOH, Windows has many services enabled by default and you can't even disable some of them, to connect to the Internet and download patches you need a firewall of some sort.

MS takes months to release patches for some Windows exploits, while patches for Open Source projects are usually released within days or even hours.

And exploits in Open Source projects are usually very well documented, if you check out Windows Update after a fresh install, you'll find that one patch may fix several issues, and there is no way to tell what kind of issues they are.

If hackers were really after MS because it's the most successful, they would release viruses that make Windows stop working, wipe the HDD, and so on, to give the user a bad idea of MS products.

Today's viruses and worms leave Windows functional, and open back doors for sending spam and stealing bank accounts info, the user won't notice anything, and won't blame MS or Windows if something goes wrong.

As for majority thing, as I said, Apache is biggest in the web server market, and it's not targeted. Spammers can do all sorts of bad things if they manage to find an Apache exploit, because Apache servers are everywhere, connected to the Internet 24/7, but still they target IIS and Windows machines.

Last edited by aym; 07-12-2004 at 08:10 AM.
aym
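The claim above that a flaw in a network service is only exploitable by default if the service is actually listening on a non-loopback address is something you can check on a host rather than argue about. The following is an added example, not code from anyone in this thread. It parses the `/proc/net/tcp` format that Linux exposes and separates listeners bound to all interfaces from those bound to loopback only; the sample text is constructed for the demo in that format, not captured from a real machine, and `read_live()` is the only function that touches the host it runs on.

```python
"""List listening TCP sockets from /proc/net/tcp and flag exposed ones.

Added example, not from this thread. SAMPLE is constructed text in the
/proc/net/tcp format, not a capture from a real host.
"""
from typing import List, Tuple

LISTEN = "0A"              # socket state code for LISTEN in /proc/net/tcp
LOOPBACK_PREFIX = "127."   # anything in 127/8 is unreachable from the network


def hex_addr(field: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' (little-endian IPv4 in hex, hex port)."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def listeners(proc_net_tcp: str) -> List[Tuple[str, int, bool]]:
    """Return (ip, port, exposed) for every socket in LISTEN state.

    exposed is True when the bind address is not loopback, i.e. the
    service is reachable from the network unless something filters it.
    """
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip, port = hex_addr(fields[1])
        out.append((ip, port, not ip.startswith(LOOPBACK_PREFIX)))
    return sorted(out, key=lambda t: t[1])


def exposed_ports(proc_net_tcp: str) -> List[int]:
    """Ports a remote attacker could reach: the ones that matter for a
    'remotely exploitable' advisory against the service behind them."""
    return [port for _, port, exposed in listeners(proc_net_tcp) if exposed]


def read_live() -> str:
    """Read the real table on a Linux host (no root needed for TCP)."""
    with open("/proc/net/tcp") as f:
        return f.read()


# Constructed sample: CUPS and SMTP on loopback only, SSH and HTTP on all
# interfaces, plus one ESTABLISHED connection that must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0
   4: 0A0A0A0A:C350 04030201:0050 01 00000000:00000000 00:00000000 00000000  1000        0 55555 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port, exposed in listeners(SAMPLE):
        print(f"{ip}:{port}\t{'EXPOSED' if exposed else 'loopback only'}")
```

Two caveats when you run this against `read_live()` instead of the sample: IPv6 listeners live in `/proc/net/tcp6` with 32-hex-digit addresses, which this parser does not decode, and a socket on 0.0.0.0 is only as exposed as the packet filter in front of it allows, so "exposed" here means "reachable if nothing is filtering", not "reachable from the Internet".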
Old 07-12-2004, 08:46 AM   #14
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
OK... keep failing to read what I said.. which do you pay for... MS... or Apache... The target is always the most popular that MAKES MONEY.
HAL9000
Old 07-12-2004, 09:18 AM   #15
aym
Registered User
 
aym's Avatar
 
Join Date: Nov 2001
Posts: 1,965
Then how do you explain that the exploits aren't used to take down IIS servers or Windows machines? The average user or system admin won't even notice that their machine is sending spam or serving spyware, and won't think of switching to Linux or Apache as a result.

Hackers aren't attacking IIS or Windows to give MS bad reputation and stop it from making money, they are doing so to send spam, install spyware, steal bank accounts, and the like.
aym
Old 07-12-2004, 10:05 AM   #16
I am, in reality, a moose
Staff
Premium Member
 
mbossman2's Avatar
 
Join Date: Aug 1999
Location: RTP, NC
Posts: 2,441
the point is this you go after the biggest target:

as an analogy: you want to steal $$$, where do you go?
Small corner store
or
a bank?

You go to the bank because the payday is, potentially, much more significant.

Same thing here: you are targeting low end servers and user workstations. Which O/S do you target: the one with 50,000 users or the one with 50,000,000 users?

All the Linux/open source gurus will quickly find out, if/when their dreams are realized and they have the dominant platform, that their sense of security superiority is an illusion. At that point you will have large numbers of people all gunning for THEM and pointing out all the flaws and holes in their product, and the patches will then start flying out fast and furiously, which in and of itself can cause major issues, and the propeller head community will start championing the "next big thing", which will go thru the same cycle.
__________________
Veritas Principium Libertas

Traveling Moose
mbossman2
Old 07-12-2004, 10:11 AM   #17
Staff
Premium Member
 
mairving's Avatar
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
Quote:
Originally Posted by mbossman2
the point is this you go after the biggest target:

as an analogy: you want to steal $$$, where do you go?
Small corner store
or
a bank?

You go to the bank because the payday is, potentially, much more significant.
A better analogy may be:
A small corner store with iron bars around all of the windows and a sophisticated alarm system with a security guard making rounds.
or
A bank that forgot to lock their front door and turn on their alarm but they will lock the door next month when they come back and then forget to lock the back door.
mairving
Old 07-12-2004, 05:38 PM   #18
Banned
 
i486's Avatar
 
Join Date: Apr 2004
Posts: 350
mods please delete.

Last edited by i486; 07-12-2004 at 06:53 PM.
i486
Old 07-12-2004, 07:12 PM   #19
Red-eyed Moderator
Staff
Premium Member
 
HAL9000's Avatar
 
Join Date: Dec 1999
Location: Regina, Saskatchewan, Canada
Posts: 17,576
Quote:
Originally Posted by mairving
A better analogy may be:
A small corner store with iron bars around all of the windows and a sophisticated alarm system with a security guard making rounds.
or
A bank that forgot to lock their front door and turn on their alarm but they will lock the door next month when they come back and then forget to lock the back door.
Don't forget to add.. no matter how secure the system... if there is SOMETHING in that store worth stealing that can't be had elsewhere.. they WILL find a way.
HAL9000