  Mac versus Windows vulnerability stats for 2007
Time: 09:54 EST/14:54 GMT | News Source: ZDNet | Posted By: Brian Kvalheim

The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective on how many publicly known holes were found in these two operating systems, I've compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate of how many flaws we can expect to find in the coming months. The more monthly flaws there are in the historical trend, the more likely it is that someone will find a hole to exploit in the future. For example, back in April of this year, hackers took over a fully patched MacBook and won $10,000 plus the MacBook they hacked. I used vulnerability statistics from an impartial third-party vendor, Secunia, and I broke them down by Windows XP flaws, Vista flaws, and Mac OS X flaws. Since Secunia doesn't offer individual numbers for Mac OS X 10.5 and 10.4, I merged the XP and Vista vulnerabilities so that we can compare Vista + XP flaws to Mac OS X. In case you're wondering how 19 plus 12 could equal 23, this is because there are many overlapping flaws that are shared between XP and Vista, so those don't get counted twice, just as I don't count something that affects Mac OS X 10.4 and 10.5 twice.

So this shows that Apple had more than 5 times the number of flaws per month as Windows XP and Vista in 2007, and most of these flaws are serious. Clearly this goes against conventional wisdom, because the numbers show just the opposite, and it isn't even close.

Displaying 1 through 25 of 341
#1 By 2960 (72.196.195.185) at 12/18/2007 12:08:39 PM
Before I go any further, I DO NOT OWN A MAC!

That said, these numbers mean nothing to me.

Do another chart showing how many bugs are actually responsible for real, bona fide break-ins, security breaches, malware delivery, etc...

Things would turn around rather quickly I think.

Fixing bugs thus driving up the count should not put you on anyone's shit-list.

Not fixing them and allowing breaches should.

TL

#2 By 37047 (216.191.227.68) at 12/18/2007 12:45:22 PM
When we can get an accurate count of the total number of defects discovered, both internally and externally, and how many have been fixed, and how many are still outstanding, then, and only then, will we have some useful numbers with which to draw some useful conclusions. Otherwise, like TL stated, we will simply continue to punish those who fix more bugs and publish the fixes.

#3 By 29967 (72.221.79.220) at 12/18/2007 1:20:58 PM
What's wrong with making a comparative analysis like this? Just because they haven't been exploited doesn't mean they shouldn't still be counted. I mean, I've yet to see anyone prove that Mac can't be targeted..... mostly, again, because of its low market share. People don't see a benefit to bringing down a minority of the world's computers. Remember the Blaster worm? Remember how MANY systems were restarting for no reason whatsoever? THAT is why people create worms and viruses.... to take a shot that will be heard 'round the world..... not to "sneak up behind a few people and take their wallets"...... So, when it comes to the number of exploits being USED against Mac vs Windows, Mac will always have the advantage... If one day the majority of systems are Mac, things WILL shift in the other direction, and Mac will take a hit.... possibly even eventually becoming "the bloated, bug-ridden operating system" that Windows is now.

#4 By 2960 (72.196.195.185) at 12/18/2007 1:53:31 PM
Because it's not a comparative analysis for security status, which is what the article tries to implicate.

I don't care how many bugs are logged. All I know is I don't spend 25% of my service time removing spyware and viruses from Macintoshes. No one does.

And that is a simple, real-world fact.


#5 By 16797 (65.93.213.131) at 12/18/2007 2:44:08 PM
#4 True, but then, to put things in perspective, how many Macs do you service at work, compared to Win/PCs?

For example, here, where I work, there are no Macs.

#6 By 52115 (66.181.69.250) at 12/18/2007 3:26:51 PM
What this also doesn't state is the number of remote exploits compared to local eval type vulnerabilities. Linux has more local eval types than remotely exploitable ones.

#7 By 37 (66.188.104.250) at 12/18/2007 3:35:18 PM
Putting it in perspective for me is real time, just like TechLarry mentioned. I have had Windows computers in my house for a decade. They were attacked by spyware and viruses, as well as slowdowns throughout the day/week. They frequently needed "reformatting" to clean up Windows; that was real time. And now, here I sit with an iMac that I bought in May. Never needs restarting (besides the security updates), EVER. Never gets a virus or spyware attack. The computer has literally run 24 x 7 since May, and runs just as fast all day, every day, as on day one.

For me, that is REAL TIME.

This post was edited by AWBrian on Tuesday, December 18, 2007 at 15:36.

#8 By 28801 (65.90.202.10) at 12/18/2007 3:41:48 PM
#7: For the rest of us who have IT jobs, Windows is essential - that's REAL TIME!

#9 By 37 (66.188.104.250) at 12/18/2007 3:58:33 PM
I work for Hilton Corporation. We have hundreds of thousands of Windows XP PCs on our WAN, all running Windows Server 2000 and 2003 around the world. All with Office 2000, 2003 and 2007. We also use Exchange 2003 worldwide. Our property management system was developed for Windows only, and of course runs on Windows. These are my daily workstations that I must use.

It should also be known that we spend bottomless pits of money on researching and implementing spyware and virus programs for our servers and desktops around the world. Re-imaging the PCs is a daily tech support call. The number of viruses that employees are getting is phenomenal. Even implementing Websense can't solve the spyware and viruses sneaking through IE.

Don't get me wrong though. As I have mentioned before, I was a Microsoft MVP for 8 years, and I do enjoy Windows. I've just learned it's not very reliable for the general community. It requires too much nurturing to make it "safe" and stable.

THAT is real time ;-)

This post was edited by AWBrian on Tuesday, December 18, 2007 at 16:02.

#10 By 82766 (202.154.80.85) at 12/18/2007 4:26:44 PM
Wow Brian! What are you guys doing wrong?! If I were "Hilton Corp" I'd be asking serious questions of my IT Dept if they were wasting so much daily time!!

I manage a few thousand XP and Vista (along with servers) PCs across the world and we have only ever discovered 2 viruses* in the last six years, and that was only because the service techs had managed to work out how to shut down the AV services. I plugged that one pretty quickly.

I reckon you guys need to seriously look at what you're doing with your AV products, edge protection etc!!

* The network, PCs and servers did not get infected either - the AV software stopped the infection perfectly fine. The service techs had plugged their laptops into a customer's network - which had no protection at all.

This post was edited by MyBlueRex on Tuesday, December 18, 2007 at 16:30.

#11 By 60455 (71.12.191.230) at 12/18/2007 4:55:45 PM
#10, No kidding.

I was thinking the same things.

Any such enterprise would have http/https proxies and low-cost subscriptions for edge and perimeter based appliances, so that all traffic would be examined many times before it reached a single host or client. At which point, any threat would encounter yet more layers of filtration.

Also, policies across the network, which apply to everything, would restrict what users can do; what sites they can visit, and certainly, what they can install (nothing).

Windows clients are about the easiest systems to manage and keep clean. Even where such clients are used to conduct web research, those systems are isolated in their own switched VLAN(s), and there is plenty of protection, including user roles and permissions, available to control any drive-by malware that might be encountered.

Finally, the silly argument about gross malware count is just that, silly. The largest percentage of the high count is made up of variations of a few threats. The 100,000 plus number is totally bogus. And the silly idea that COM client controls like ActiveX can't be controlled is worse. There are GPOs which allow one to distribute which ones are allowed, all others being denied. Any decent NW admin would look at any of this and shake his head.

#12 By 37 (66.188.104.250) at 12/18/2007 5:47:33 PM
I don't work for the IT staff at Hilton. I just know the history. And the same problems are seen at other national hotel chains, as well as restaurants world wide.

#13 By 28801 (65.90.202.10) at 12/18/2007 7:57:55 PM
#12: <disgusted>Please!</disgusted>
When Apple can support 1% of the software Windows supports you can start pounding your chest. Until then, stay home and play with your iMovie, 'cause that's all a Mac is good for.
Really! What the hell else are you gonna do with it besides manage photos, read email and make home movies?

#14 By 7754 (75.72.153.112) at 12/18/2007 9:02:07 PM
Will these arguments ever end?

The dispute over "who has the most holes?" is, as many have put it, not very helpful (save for what I'll discuss below)... but on the other hand, I don't see anyone pointing out what should be the takeaway from any security discussion: it takes only ONE HOLE (of the arbitrary execution kind) to take over a system. Everyone knows that's true of Windows... too few on the Apple side know it, and don't expect Apple to do their users the service. Try playing with hackers' tools sometime, and you'll see how easy it is--you don't really have to "know" anything. OS X, Linux, Windows... you name it. Just scan for a list of known exploits, plug that in, deploy it, and *boom*, you're in control. Now you can plant that rootkit that hides itself from the system, and you've got a machine that the user doesn't even know you have. You don't think that goes on in a cafe with free internet access?

What the list DOES give an idea of, though, is just how full of holes OS X is--and consider that in light of how much research goes into finding Windows flaws vs. OS X flaws. Think about how many holes are NOT publicly known... and trust me, the hacker community isn't all that interested in public disclosure if there's real potential for damage (i.e., money).

That's why these articles ARE helpful, in a particular sense--hopefully they wake up Mac users to the reality that their computers are not invincible. They may have never been hacked before (or they may simply not know that they are/have been hacked already), but that hardly means that their system isn't a sitting duck if a hacker wants in.

#15 By 7754 (75.72.153.112) at 12/18/2007 9:21:49 PM
#4, #9... I don't know how many times I've said this already (with crickets in response, more or less), but for the love of crumbcake... make your users standard users already. If you really were interested in stopping viruses, malware, etc., that would be your first step. And if you're going to compare OS X and Windows on a level playing field, then you have to compare with that in mind. You can't give the keys to the kingdom to end users and expect not to get in trouble, just as you wouldn't let your users run as root if you were running an all-Mac shop.

#5: I worked at an ad agency for quite a while, where it was roughly half-Mac, half-PC. The Macs were hardly a panacea. As I left, they were switching an entire department that had "switched to Mac" back to Windows PCs, and there were other departments on the list as each hit their next PC refresh cycle. The heavy Photoshop folks would probably always remain on Macs (that's all they've ever known, plus they more or less had their own IT infrastructure), but otherwise, for the rest of the company, they were moving away from the Mac platform.

(Hooray! Take that, login bug! Copy before post, baby!)

#16 By 9589 (71.49.188.113) at 12/18/2007 11:58:22 PM
Ditto #11 and 15

We have over 110,000 employees and viruses, etc. are extremely rare. We are running almost a pure XP shop, with a sprinkling of Macs (mostly to check web code against for our customers that use the platform) and a few Vistas. The users at our company are just that: users. They have rights to do bumpkus. So long as it stays that way our network is secure.

Meanwhile, I help my friends and neighbors fix their computers where warranted. One of the first things that I tell them is to create a profile with user rights and use that for everyday computing tasks. If they have to install a program or utility, switch over to the profile with administrator rights. Then, switch right back again when done. Add AV and ASW utilities and a router/switch (between the computer(s) and the cable modem/DSL modem) to the mix and it's computing nirvana unless there is some hardware malfunction.

#17 By 37 (76.210.78.134) at 12/19/2007 5:58:46 AM
"So long as it stays that way".

Too bad it doesn't stay that way in our environments. With millions of users on our PCs, "standard" users are changed to admins overnight by tech geek employees, and systems are trashed. Unfortunately, Hilton support doesn't have control over the thousands of hotels' individual property employees, and their respective IT staff. The second Windows is in admin mode, they are hosed.

rxcall, who said Mac was better than Windows? I know it wasn't me. I only said that I have had a better experience with my Mac to date than I did with 10+ years of Windows.

"That's why these articles ARE helpful, in a particular sense--hopefully they wake up Mac users to the reality that their computers are not invincible. They may have never been hacked before (or they may simply not know that they are/have been hacked already), but that hardly means that their system isn't a sitting duck if a hacker wants in. "

Couldn't agree more.

This post was edited by AWBrian on Wednesday, December 19, 2007 at 06:00.

#18 By 3746 (72.12.161.38) at 12/19/2007 7:23:03 AM
#12 and #17

What you are saying is not true about other hotel chains. I have a client that is one location of a large chain (not Hilton but one of the big boys). They have a centralized administration and very strict rules and procedures. I have worked for them for 4 years and there has only been 1 virus infection in the hotel. From my understanding the whole North American network is extremely secure and virus infection is very rare. Everything is controlled by corporate at the central point since they moved to Active Directory. They even moved all the Exchange servers out of the hotels to central. This location just went through a corporate audit which covers all aspects of the hotel, not only IT. The IT portion was extremely in depth and covered just about everything, with security being a top priority. If they have their act together, any other national chain can.

This post was edited by kaikara on Wednesday, December 19, 2007 at 07:31.

#19 By 37 (76.210.78.134) at 12/19/2007 7:45:19 AM
My claims are true about other hotel chains (not all). My claim is about the largest ones, which include Hilton and Cendant properties (Cendant has Best Western, Ramada Inns, Wyndham and a select other smaller properties).

Hilton has very strict rules as well, and it is the Hilton corporate side (including their server farms) that are virus free. It's the individual franchises that have issues, including with their servers (that connect to the Hilton WAN), as well as their work stations.

It doesn't matter what hotel chain it is. These are franchises, and the franchisees purchase their PCs and supply their own IT staff (or choose to have none). No hotel chain has control over the employees at these franchises. You could be sitting in some server room, running a rock-solid server farm, and have a firewall that doesn't allow a single thing to pass. But as soon as you go onto the property of an actual hotel, you are blinded by the real world. Workstations hacked out of user mode, running messengers, toolbars, spyware, viruses coming out of the woodwork.

I have been working in the hospitality field and working in this exact field for 14 years, and am completely familiar with the Windows/Virus/Spyware issues EVERYWHERE in restaurants and hotels.

This post was edited by AWBrian on Wednesday, December 19, 2007 at 07:52.

#20 By 2960 (72.196.195.185) at 12/19/2007 8:50:41 AM
#5,

I may not service Macs in my current job, but I know the field well. It is what it is, bud.

#10,

Your case is NOT typical, and I can almost guarantee you are running locked-down workstations. You just can't have stats like that with workstations running admin privs, which unfortunately is a basic requirement for XP to work right.

TL

#21 By 2960 (72.196.195.185) at 12/19/2007 8:52:21 AM
#13,

Again, doesn't matter. In the context of this story, which is listing a shit load of bugs and attempting to relate them to real-life SECURITY THREATS, the entire thing is bogus.

As the 9 year old brat on TV said "Deal with it" :)

TL

#22 By 2960 (72.196.195.185) at 12/19/2007 8:56:09 AM
#15,

Not my call. And if we did, half the stuff would break or be unusable. XP in a locked-down configuration is absolutely useless to a travelling consultant, of which we have thousands.

You can't even create a wireless profile in IBM Access Connections when in user mode. That would work just dandy for folks that need to use a dozen different access points a week on travel (hotels, airports, etc...). That is just one SMALL example.

For all its faults, Vista's UAC is a step (a baby step) in the right direction.

TL

#23 By 2960 (72.196.195.185) at 12/19/2007 8:59:01 AM
YOU GUYS ARE MISSING THE POINT HERE!

I have NO ISSUE with the report as a list of bugs for each platform. Yep, more have been fixed on the Mac. So be it. I don't care. At least they get fixed.

What I take exception to is the application of this list to the determination of which platform is more secure. That is a completely useless and bogus application of this report, and does not reflect real life in any way, shape or form.

TL

#24 By 92283 (64.180.196.143) at 12/19/2007 10:33:46 AM
#20 "You just can't have stats like that with workstations running admin privs, which unfortunately is a basic requirement for XP to work right."

Power Users is used in our XP image. We had a few tweaks to make. It works fine and keeps the machine pretty locked down. We haven't had any virus issues.

#25 By 7754 (206.169.247.2) at 12/19/2007 10:34:46 AM
#22: that's the same line I've heard a thousand times, but it's just not true. What it takes is "will" on the IT side to say "we're going to do this"--though I totally understand about it not being your call. If they say they take security and malware seriously, though, they're lying to themselves if they're running as admin.

I'll give you a simple example--using IBM's Access Connections (which I absolutely hate--we immediately remove it and use the much simpler built-in WiFi utilities... but if you really want control over what access points people can use, it's ok). First off, there is a checkbox in Access Connections that allows non-administrators to make those kinds of changes (and these are right in the manual for Access Connections, incidentally):

1. On the menu bar of the main window of Access Connections, select Configure.
2. Select Global Settings.
3. Click the Network tab.
4. Click the checkbox "Allow Windows users without administrator privileges to create and apply location profiles".
5. Click OK.

Now, even if that option wasn't available--and the software vendor is uncooperative in making their application run properly--all you need to do for just about any program out there is simply open up that program's HKLM key and/or Program Files directory for the desired user group. This works for 99% of applications I've seen. There is the occasional oddball app that has some hardware dependency or something like that (please, no more dongles!!), but there are ways around that as well. Honestly, though, I haven't seen a situation like that in the past 5 or 6 years--every situation I've seen since around 2000 or so has been resolved by opening up the HKLM/Program Files permissions for that application. That's really a very simple thing to do when building your system images. ISVs are getting much, much better about writing their applications correctly, too (finally!!!!).
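The permission-scoping approach described in #25 (open only the application's own HKLM key and Program Files directory to a user group instead of running everyone as admin), as an added PowerShell example that is not part of the thread. The application directory, registry key and group name are placeholders, and the script assumes an elevated prompt on the machine being imaged. It adds one check that the comment does not spell out: a probe to run afterwards as the standard user, confirming that the application's own locations became writable and, just as importantly, that the rest of Program Files did not.

```powershell
# Added example (not from the thread): grant a user group write access to ONE
# application's own directory and registry key, instead of running users as admin.
# Placeholders: adjust $AppDir, $AppKey and $Group for the application in question.
# Run from an elevated prompt while building the image.

$AppDir = 'C:\Program Files\ExampleVendor\ExampleApp'   # placeholder path
$AppKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'     # placeholder key
$Group  = 'BUILTIN\Users'                               # or a narrower group

function Grant-AppDirectoryAccess {
    param([string]$Path, [string]$Identity)
    # Modify (not Full Control) on this directory only, inherited by its children.
    # Granting it on the whole Program Files tree would let any user replace the
    # binaries of every installed program, which is exactly what we are avoiding.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-AppRegistryAccess {
    param([string]$Path, [string]$Identity)
    # ReadKey + WriteKey lets the app create subkeys and set values under its own
    # key; it does not include Delete, ChangePermissions or TakeOwnership.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-WriteAccess {
    # Probe: create and remove a throwaway file (or subkey). Run this as the
    # standard user after the change: it should return True for $AppDir and
    # $AppKey and False for the parent Program Files directory.
    param([string]$Path)
    $probe = Join-Path $Path ('acl-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        if ($Path -like 'HKLM:*' -or $Path -like 'HKCU:*') {
            New-Item -Path $probe -ErrorAction Stop | Out-Null              # subkey
        } else {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        }
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# --- apply (elevated) ---
Grant-AppDirectoryAccess -Path $AppDir -Identity $Group
Grant-AppRegistryAccess  -Path $AppKey -Identity $Group

# --- review exactly what was opened, and to whom ---
(Get-Acl $AppDir).Access | Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
(Get-Acl $AppKey).Access | Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# --- verify (log in as a standard user and run these three lines) ---
"App dir writable:        $(Test-WriteAccess $AppDir)"            # expected True
"App key writable:        $(Test-WriteAccess $AppKey)"            # expected True
"Program Files writable:  $(Test-WriteAccess $env:ProgramFiles)"  # expected False
```

To find out which directory and key a misbehaving application actually needs, run it as a standard user with Process Monitor (Sysinternals) filtered on ACCESS DENIED results and open only those paths. This is deliberately narrower than putting users in Power Users (#24): that group could modify program files and services system-wide on XP, whereas the grants above are confined to one vendor's directory and key, so a compromised user account still cannot tamper with other installed software.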
