A new security update released by Apple on Tuesday patches several exploits recently discovered in its Mac OS X operating system, including one widely publicized issue with its disk image software. Of the twenty two vulnerabilities fixed by the updated – which is labeled Security Update 2006-007 – twelve are related to flaws that could lead to arbitrary code execution.
Apple Patches 22 Security Holes in Mac OS X
85 Comments
Of which one needs you to click on a untrusted link in order to function.
You asked for one example. I gave you two.
And RedHat 4 has 240 according to Secunia.
I had a look at the list, of the top 20, 3 were related to system functionality. The other 17 were vulnerabilities in software that also runs on Windows. Things like PHP and firefox and wireshark.
If only Windows came with this level of functionality
If you go through this stuff regularly, surely you come to a few obvious conclusions?
1) That Apple has a great many vulnerabilities. There may be more or less than Windows, they may patch them faster or slower, but there are lots.
2) If they were exploited in the wild on the same scale as are the Windows vulnerabilities, there would be a disaster in the Mac world similar in kind to the malware disaster in the Windows world.
3) However, they are obviously not being exploited. Whether this is because of the lower installed base, the greater difficulty of exploitation, or because Mac users engage in less risky behaviour.
4) So from a practical point of view, if you are an end user and taking no more than casual precautions, your risks of getting infected are negligible with a Mac but significant with Windows. Probably the same is true if you are a desktop Linux user.
People should stop modding down NotParker, and just make the argument. Yes, he is basically right about the numbers of vulnerabilities. But he is completely missing the bottom line point about the real world experience, so he is wrong about what the facts mean.
Take a health example. We know that northern European cattle breeds are highly vulnerable to tropical insect borne infections. Does it matter? No, as long as they live in Europe, who cares? Its rather similar, as a matter of practice, your chances of infection fall dramatically if you move away from Windows. This is surely not subject to dispute? Its not just how vulnerable you are. Its also the environment you are living and working in.
Modding the guy down may relieve people’s feelings, but it is not confronting the error, which is a combination of correct facts and a conclusion which doesn’t follow from them. As long as you don’t confront the error, it can keep on being repeated.
-
2006-12-02 12:50 pmnetpython
Its not just how vulnerable you are. Its also the environment you are living and working in.
The same network we are all connected to?
That rules out the environment factor.On the contrary taking the factor insider in to account and the environment even gets worse.I mean how many corporate desktops have a firewall?
-
2006-12-02 6:27 pmNotParker
I mean how many corporate desktops have a firewall?
In our K12 organization, we have a firewall on the perimiter and each XP SP2 install runs the firewall with certain ports open to our server subnet so we can do remote admin etc. The firewall is administered by group policy.
-
2006-12-02 6:32 pm
-
2006-12-02 7:58 pm
-
2006-12-02 8:05 pmNotParker
The firewall is administered by group policy.
Active directory.
Group Policy (which predates Active Directory).
Active Directy does determine which Group Policy Objects are applied.
-
2006-12-02 5:19 pmNotParker
Its rather similar, as a matter of practice, your chances of infection fall dramatically if you move away from Windows.
Maybe. But on the other hand Debian servers have been hacked several times in the last 3 years. It may be that the hacking going on in Linux and OS X isn’t discovered as often.
Most Windows users are not infected.
Use the firewall, IE7 (preferably on Vista) don’t click on jpg’s emailed to you, run an anti-virus.
I believe the number of Linux users is so small it hasn’t been worth it for many hackers (except for Debian).
On the other hand, concept virus’s for OS X do indicate a trend.
A lot of WIndows hacking is because of a few virus/hacking kits being available and a lot of users not doing a few simple things to kep themselves safe.
Concept virus’s for OS X indicate work is being done.
Go ahead, be blase about it. I’m kind of blase about my chances of being attacked. With the firewall on nothing can get to my PC if I don’t want it. Its also being a DSL router. And I run an anti-virus.
I don’t think OS X users are taking precautions.
I do think the Debian server administrators were taking precautions. But they were still hacked twice. As was the GNU Savannah server. And it took them a month to notice.
“On December 1st, 2003, we discovered that the “Savannah” system, which is maintained by the Free Software Foundation and provides CVS and development services to the GNU project and other Free Software projects, was compromised at circa November 2nd, 2003.”
http://gcc.gnu.org/ml/java/2003-12/msg00058.html
I wonder how many other Linux servers are compromised and no one ever notices.
-
2006-12-02 6:51 pmalcibiades
The argument might be, Linux and Mac systems are already compromised in large numbers, we just don’t know it. Seems unlikely. Surely if that were true we would find it being reported, because we know what kind of systems spam origniates from? It seems really unlikely that all the security organisations would just have missed it.
I can think of four reasons to explain why Linux/Mac users are less exploited, despite the existence of vulnerabilities.
One, Mac users are considerably older on average. Linux users are more knowledgeable. That implies more experience, more care, less gaming, less ringtones etc.
Two, there are fewer of them, so there is likely to be less targetting.
Three, they do not generally sign on as root/admin. So the targets available are smaller and better hardened.
Four, they don’t have this infernal combination of Explorer, ActiveX & Outlook to all interact and feed off each other.
Might not that account for the observed phenomena better than the hypothesis that infections are numerous but unnoticed?
I agree with you that there is a worrying level of complacency particularly among Mac users, or at least those who contribute to these forums. You have the usual chorus of determinedly ignorant rage when any threat is suggested. One would far rather hear them saying yes, we are not immune because no-one is, we need to be careful despite the good record so far.
However, so far, and it may change, their complacency if not their rage is justified by experience. You can’t point to any record of exploits out in the wild infecting Macs, even with this level of complacency. It may not be due to the platform being wonderfully secure, and the material you cite does cast doubt on whether it really is, but whatever the reason, its a fact that isn’t seriously disputable.
-
2006-12-02 8:11 pmNotParker
The HoneyPot projects seems to disagree with you:
“In the two-week test, marketing-communications firm AvanteGarde deployed half a dozen systems in “honeypot” style, using default security settings. The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire’s distribution of Linux.
…
Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.
The most secure system during the experiment was the one running Linspire’s Linux. Out of the box, Linspire left only one open port. While it reacted to ping requests by automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised, since there were no exposed ports (and thus services) to exploit.
The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. “The automated bot/worm attackers were exclusively using Windows-based attacks,” said Colombano, so Mac and Linux machines are safe. For now. “[But] it would have been very vulnerable had code been written to compromise its system,” he added.”
http://connect.educause.edu/blog/sworona/winnie_the_pooh_security/5…..
In my reading of HoneyPot projects the commonality seems to be a lot of scanning for Windows vulernabilities with much less for Linux and OS X.
Some Linux boxes deployed with default settings were eventually compromised because the much rarer scanning for Linux vulnerabilities eventually found them.
If scanning for Linux and OS X boxes ocurred as regularly as scanning for Windows vulnerabilities, the Linux boxes and OS X boxes would be compromised.
-
2006-12-03 6:32 pmalcibiades
Guys, this is a serious argument and deserves consideration. You should not, no way, be modding this down. I don’t know whether its right or wrong, but it is in no way abusive.
-
2006-12-03 7:04 pmNotParker
Guys, this is a serious argument and deserves consideration. You should not, no way, be modding this down. I don’t know whether its right or wrong, but it is in no way abusive.
The modding system, for the most part, is used by FOSS supporters to try and hide anything they disagree with.
-
2006-12-03 11:12 pmarchiesteel
The vast majority of your flamebait posts are off-topic, and calling FOSS advocates “cultists” is abusive.
This has nothing to do with trying to suppress your drivel, but rather with trying to keep the debate elevated. You obviously cannot achieve that, hence your very low “Trust” rating.
I see that you have now resorted to the tacting of reposting your ad hominem attacks, strawman arguments and just plain off-topic posts once the stories are over three days old, so that they cannot be modded down. Of course, now one cares much about reading the comments for these old stories, and so you’re basically wasting your time speaking to a metaphorical wall. That’s fine with me: as long as you waste your time here, you don’t pollute the newer threads.
-
2006-12-04 7:09 amalcibiades
In the present case, regardless of some of his previous comments which have indeed been provocative, he is making an interesting and perhaps valid argument.
The first thing he did was point to real evidence of very large numbers of vulnerabilities on MacOS and Linux. He gave links and cited sources. The evidence tended to show that in number and severity they were enough to present users with the same orders of problems, if they were exploited with the same zeal and the same sucess the Windows ones are.
He was then challenged on why, if there are so many and so severe vulnerabilities, the actual infection rate is so low. Because this is undisputed, that it is very low indeed.
He has now given evidence, with sources cited, that the reason may be in large part that the Mac and Linux desktops are simply not being targetted.
Never mind how we all feel about this. This is an empirical scientific question, and his position is logically consistent.
I have to say, the last part of his argument does not fully convince me.
I accept that the attack rate is low, as shown. I am not however persuaded that a set of machines where no-one is running as root and everyone is running a firewall by default is going to be as vulnerable as the Windows base, even were it targetted as enthusiastically. I would like to see cases not of theoretical vulnerability, but of actual penetration of real machines run by their real owners. It is also still clear that if you move away from Windows, you stop being targetted, and that alone reduces your risk. The analogy would be, stay away from bad water areas, and your susceptibility to cholera remains while your risk of illness falls. So he has not refuted that argument at all; he has only at best shown that the protection is perhaps due to lack of exposure rather than immunity. But lack of exposure is also protective.
I’m not sure how this is going to be tested empirically. Presumably the only test is going to happen if Linux and MacOS get enough share to be worth targetting, and for people to start routinely identifying and targetting them. Then we’ll see.
But that is his point….
-
2006-12-05 4:28 amhylas
“Never Mind the Bollocks, Here’s the Sex Pistols”
Blue Pill types (Win x86) of *kits are real threats, as Ms. Rutkowska has illustrated, rather expertly.
They’re not just a threat for Win and Linux, you need to be thinking a little more “inside the box” here.
http://www.securityfocus.com/news/11372
http://it.slashdot.org/it/06/11/18/1351229.shtml
http://www.osnews.com/permalink.php?news_id=16374&comment_id=178043
http://slashdot.org/comments.pl?sid=207252&cid=16899958
We, as a community (IT) are – way, far, behind, not to be dramatic, but you can imagine what lurks silently in, (for example) disk drivers, and bios’ on some computers connected to (outward facing) infrastructures (Utility Companies, Banks, key ISPs)?
Logic bombs are not just for pissed off SysAdmins.
I mean, really … Spammers are kicking our asses.
What would (could) happen if an enemy had half a plan?
Why do we, as a nation (USA) always have to be reactionary, rather than vigilant?
Tell me folks, does “DoS” *just* mean “packet flooding”?
I’ll play Chicken Little.
You … think about it.
Edited 2006-12-05 04:33
Oh No! Not again!
12 abitrary code execution bugs!!
Apple continues to try and outdo Firefox!
Edited 2006-11-30 01:22
12 abitrary code execution bugs – fixed.
If bugs are found and fixed, then all is well.
Not really so… The presence of so many bugs could be an indicator of sloppy coding, which would mean more bugs. It’s not necessarily a good sign when software gets a lot of bugfixes, especially if those fixes are often for critical security holes.
like Microsoft Windows…booya!
I’m glad you used the word “could”. Most complicated pieces of software have lots of bugs that are found at different times in the softwares life. What I care about is they are fixed not that they never show up. Linux has bugs, Windows has bugs, Oracle has bugs, SQL Server has bugs.
Every software is buggy, more than you’d know. Seeing some of them get corrected is not just a sign of _possibly_ more bugs, but also of them willing to fix before these get massively exploited. And well, we’ve seen counterexamples on this planet too many times. All in all, updates are welcome, give us more.
Correct, but that’s still better than having lots of bugs and *not* fixing them.
At least it’s not as bad as Windows.
At least it’s not as bad as Windows.
Over the last year there have been many more “arbitrary code execution” security holes in OS X than in Windows.
15 Critical: http://www.frsirt.com/english/advisories/2006/4750
1 Critical:
http://www.frsirt.com/english/advisories/2006/4629
1 Critical:
http://www.frsirt.com/english/advisories/2006/4313
12 Critical:
http://www.frsirt.com/english/advisories/2006/3852
3 Critical:
http://www.frsirt.com/english/advisories/2006/3737
7 Critical:
http://www.frsirt.com/english/advisories/2006/3577
16 Critical:
http://www.frsirt.com/english/advisories/2006/3101
Thats 55 just back to August 1st.
Another 46 back to May 11th
At least another 9 back to January 1st.
110 Critical (minimum) for the year.
Funny, that you didn’t provide numbers for Windows.
When I am looking at Secunia:
For windows:
http://secunia.com/product/22/?task=statistics_2006
For Mac OS X:
http://secunia.com/product/96/?task=statistics_2006
Windows has almost the twice of security holes than Mac OS X (84 VS 163), but 58% of the security holes of windows provides a system access against 25% on Mac OS X (so 21 for Mac OS X VS 95 for Windows).
Moreover, all unpatched security holes on Mac OS X on secunia have been patched yesterday. There is still 29 security holes unpatched on windows, so no, it is not as bad as windows.
Those are advisories, not vulnerabilities. A lot of people make that mistake when using Secunia for statistics.
An advisory can content many vulnerabilities.
Funny, that you didn’t provide numbers for Windows.
When I am looking at Secunia:
My comments were for 2006.
Secunia says 39 in XP for 2006. 39% of those are critical or highly critical.
That means 15 for Windows XP in 2006 versus over 110 for Apple OS X.
Actually, secunia reports only 21 vulnerabilities for Apple in 2006.
So that makes it 39-21 or for criticals: 15-10.
Also, telling figures are the unpatched vulnerabilities figures (a good sign of how much a vendor cares about its customers). Microsoft XPPro: 29. Apple OSX: 7.
Oops.
Again, it’s useless comparing data from different sources, it almost never works.
“That means 15 for Windows XP in 2006 versus over 110 for Apple OS X.”
2003, XP, 2000 and NT4 are all based on the original NT code base. I’m sure Vista does too for backward compatibility. I’m also quite sure it contains open sourced software that McSoft claims is innovated.
The number for fixes and patches should be counted as a `cumulative` for `all` NT releases together over the last number of years since NT was marketed.
I cringe when I must perform a McSoft update, patch, etc on one of my Oracle application server. The last crash of a 2003 server was March 2006 after installing a `patch`. The former DBA doesn’t work here any longer.
Thank goodness the legitimacy code didn’t fark the Oracle servers like it did other institutions.
The number for fixes and patches should be counted as a `cumulative` for `all` NT releases together over the last number of years since NT was marketed.
You might get to 110 critical patches then.
Thank goodness the legitimacy code didn’t fark the Oracle servers like it did other institutions.
Even on OpenVMS, I found Oracle’s uptime isn’t too hot. Patch, patch, patch …
Not again… throwing numbers to an issue that cannot be answered by those numbers, useful only to make some average joes somewhat dizzy. If you care enough to get numbers, then get real numbers of vulnerabilities, of their impact (those which need switching to root mode and willingly executing an unchecked executable don’t really count), how many were exploited, how many even have some prrof-of-concept exploit, how many were fixed before being exploited, how many were local and how many remote, the time needed for the _working_ patch to come out, and yes count the need-to-be-patched-again patches as vulnerabilities too, and I could just go on endlessly with this, hopefully someone gets the point.
Modded back up, its a series of hard references to real facts, and an assertion that may or may not be based on them. No reason whatever to mod this down.
Edited 2006-11-30 11:35
“Get your facts first, then you can distort them as you please.” – Mark Twain
12 found, 1000s left … just like any major software project of this size.
Not sure why anybody still gets excited by these security reports for any platform.
http://www.frsirt.com/english/advisories/2006/4750
Must have been 48 days since the last update that required an update – bye bye uptime
…both Windows and Mac OSX are pretty bad when it comes to security.
Yeah, Linux is so much secure with its 102 security holes only in the kernel …
http://secunia.com/product/2719/?task=statistics_2006
Just grabbing a sample (Red Hat), 311 security holes at the same time…
http://secunia.com/product/2536/?task=statistics_2006
So much secure …
Woow, you’re the first person that i’ve ever seen that don’t have a scroll down feature on his browser.
links :
Vulnerability Report: Linux Kernel 2.6.x
http://secunia.com/product/2719/?task=statistics_2006
Vulnerability Report: RedHat Enterprise Linux WS 3
http://secunia.com/product/2536/?task=statistics_2006
Vulnerability Report: Apple Macintosh OS X
http://secunia.com/product/96/?task=statistics_2006
Yep, scroll down, and compare “unpatched” and “Extremely critical” values. I had never realised that linux were so much more secure than Mac OS X.
[Edit : typo fix]
Edited 2006-11-30 13:46
The only people who make any security decisions based on numbers (wichever way they may go) from companies like Secunia are people who don’t understand security.
Man I am SO sick of people parroting “numbers of security vulnerabilities”. You guys are a bunch of OS fanboys who know nothing about actual security research. Every time some article comes out about some OS having patches released there is a huge flood of posts about how “my OS is more secure than yours” with a bunch of links to secunia. Vulnerability statistics are just that, statistics, and they need to be interpreted by a neutral party who is skilled in security research, not an OS fanboy looking to discredit a competing OS. That’s right, someone who knows what those vulnerabilities actually mean. Posting “numbers of vulnerabilities” is completely meaningless.
I’d also like to say that patching vulnerabilities is a good thing, despite what certain people might have you believe. It means that those vulnerabilities don’t exist anymore..that they were fixed. It means that the vendor is trying to do the right thing by fixing their product. In this case it is an enormous software product with millions of lines of code. Anything that size is going to have loads of bugs no matter how well designed it is or how good their development practices are. It’s just a fact. Apple users should be happy that the problems were identified and fixed.
Apple users should be happy that the problems were identified and fixed.
They must be 5 times happier than XP users in 2006.
Well at least that’s probably true
Perhaps you should read my comment again. I don’t think you understood what I was saying.
Because OS X contains a lot of Opensource packages, it may have more fixes than say Windows, which is mainly “In-House” coded.
Whereas some of those security and patches were effected OpenSSL, PHP, PPP, Samba, gnuzip and perl.
Which may, or may not of been Apples implementation of them.
At least they are quick turn a rounds for the fixes, and are a lot easier to apply.
Because OS X contains a lot of Opensource packages, it may have more fixes than say Windows, which is mainly “In-House” coded.
And the point is…? You have your OS, you make it as you want and keep it updated as you want; bugs must be fixed, no matter if you include F/OSS packages or not. Not using those packages explains nothing, it’s Microsoft who decided to make Windows this way. And ask Vistas’s “new” network stack about OSS…
And ask Vistas’s “new” network stack about OSS…
I sent the network stack a TCP packet, but after all the SYN/ACK’ing it refused to answer questions about F/OSS
Yes, but bugs in OSS software are generally easier to find, as you can examine the Source. Therefore a higher patch count is expected in OSS-based software, this is a side-effect of more bugs being detected, not of the software actually having more bugs.
That’s an amazing amount of equivocating, bravo!
I’m not sure that I see how.
“Therefore a higher patch count is expected in OSS-based software, this is a side-effect of more bugs being detected, not of the software actually having more bugs.”
When it is Windows that has the most bugs, it’s because of sloppy codinng and the closed source model, and that’s a bad thing. When it is OSS, it’s because more bugs are being found and fixed, because people can see the source, and that’s a good thing.
Can’t have it both ways, sorry
Can’t have it both ways, sorry
I don’t want it both ways. I never claim that microsoft has sloppy coding, because I don’t know that. What I do know (it is unequivocal) is that if you give security experts your source code, the probability of them finding holes (and you then patching them) is MUCH higher.
Finding holes in microsoft software is a bit like solving one of those logic puzzles blindfold. You can stumble on a solution if you’re lucky, but it is far easier if you can see what you’re doing.
That is why such arguments are pointless. Because we can’t see the Microsoft source, it is impossible to make claims about code quality. However becasue of NotParker’s constant trolling, people have to fight constantly to prevent him from painting a squewed picture.
Stephen.
Because OS X contains a lot of Opensource packages, it may have more fixes than say Windows, which is mainly “In-House” coded.
Interesting point. Microsoft went through the pain of shipping XP SP2, primarily a security SP instead of releasing XP R2 and I think that has paid off with fewer security holes in the last year as more and more Windows users have the firewall on by default and have automatic updates on.
Apple can’t really do that because most of their software is not under their control. And therefore they will continue to have hundreds of critical security holes each year.
How many Security Vulnerabilities are there in…
1) BeOS
2) Haiku
3) GEM/TOS (Atari ST)
4) AmigaOS
Yeah, that’s what *I’m* talkin’ ’bout! The OS’s that will probably be more secure than MacOS X or Windows XP/Vista…
* F O R E V E R!!! *
Security is directly proportional to obscurity.
The more popular the OS, the more holes that are found/exploited. Use an OS that is “off the radar”, so to speak, and you’ll NEVER have to worry about security vulnerabilities ever again…
Of course, if EVERYONE starts doing that, the OS will (technically) become immensely popular, which means…
Hmm…
Painted myself into a corner, didn’t I? Rats!
How many Security Vulnerabilities are there in…
There could be 1, there could be 1,000,000.
The point you’re missing (most people miss this one too) is that the number of security vulnerabilities is a constant (until some are patched). Finding a vuln. doesn’t make software less secure, it just advertises an existing hole. Just counting vulnerabilities is also bad, because, for example one MS Exchange POP server RCE vulnerability has a success rate of about 1 in 20 and is pretty difficult to inject code into, and crashes the service. Whereas some of the ActiveX vulnerabilities in IE are easy enough to be used by any skript-kiddie without you noticing.
The point you’re missing (most people miss this one too) is that the number of security vulnerabilities is a constant (until some are patched).
Unless you change your code. Like update it.
Isn’t the Linux kernel updated every month or two? Isn’t Firefox? New vulnerabilities generated all the in OSS.
Finding a vuln. doesn’t make software less secure, it just advertises an existing hole.
Sometimes it advertises a new attack vector. It tells hackers where to look. What to try.
Just counting vulnerabilities is also bad,
I disagree. Counting critical vulnerabilities is important. It tells you whether the vendor should take a time out and change their tools. Apples could spend soem time on Safari and Quicktime and iTunes, but a lot of the code they distribute is out of their hands.
Isn’t the Linux kernel updated every month or two?
Yes, but a point release doesn’t mean that every vendor should update their distro’s kernel. I know that in the run-up to Vista gold, there were multiple releases of the Windows kernel as updates were added, and bugs fixed. It’s the same with Linux, only the releases are public, which is better for everyone.
Isn’t Firefox?
No, security updates are regularly released (as in Microsoft products) but major updates are only made at well-defined intervals. I think that FF 3 is planned for mid-2007, this puts FF at a yearly release schedule.
New vulnerabilities generated all the [time] in OSS.
I think you forgot the time there for a moment. Actually, new code doesn’t automatically mean new bugs. As you’re so proud to announce, SQL Server has no reported vulnerabilities this year after a re-write. A lot of the bugs that are being found today are hangovers from the code that was developed pre-security-climate.
Sometimes it advertises a new attack vector. It tells hackers where to look. What to try
That’s why it’s a good idea to keep your software up-to-date and why Software distributers should regularly provide patches. I would prefer public (or private) disclosure of vulnerabilities to unannounced, illicit usage of the hole.
Making a flaw public is also good because it forces the manufacturer to patch the software fast, something that otherwise companies would not have any real incentive to do. I think that the Microsoft current patch period of a month is too big.
I disagree
So you’re saying that:
the infamous ‘windows messenger’ (net send …) vulnerability that anyone could use to cause popups on any unpatched computer connected to the internet just by typing into the command line on any other computer.
is of the same importance as:
A memory corruption bug that requires users to visit a specific website and that requries a specially-crafted payload of compiled bytecode, that only works on one target operating system and always crashes the host software.? hmm.
Yes, but a point release doesn’t mean that every vendor should update their distro’s kernel.
Many do. Therfore more new code. Therefore more new vulnerabilities.
No, security updates are regularly released (as in Microsoft products) but major updates are only made at well-defined intervals.
So all those 1.x.x numbers from 1.0 to 1.5.6 are a figment of my imagination?
http://www.mozilla.com/en-US/firefox/releases/
19 in 2 years. 19 sets of new code. 19 sets of new vulnerabilities.
Actually, new code doesn’t automatically mean new bugs. As you’re so proud to announce, SQL Server has no reported vulnerabilities this year after a re-write. A lot of the bugs that are being found today are hangovers from the code that was developed pre-security-climate.
In Microsofts case the number of new vulnerabilities is dropping to close to zero for SQL 2005 and IIS6 and even XP hasn’t had too many htis year.
Whats Apples excuse for over 100 this year (other than they are in the pre-security climate).
When does OSS and OS X enter the post-security climate like Microsoft has?
So you’re saying that:
the infamous ‘windows messenger’ (net send …) vulnerability that anyone could use to cause popups on any unpatched computer connected to the internet just by typing into the command line on any other computer.
is of the same importance as:
A memory corruption bug that requires users to visit a specific website and that requries a specially-crafted payload of compiled bytecode, that only works on one target operating system and always crashes the host software.
So your saying a popup message vulnerability from 2003 is worse than an “arbitrary code execution” vulnerability in OS X? 110 of them in 2006?
I don’t think so.
As I’ve suggested many times, OS X and OSS should take a break from new features and do the security review that Microsoft did. I believe even andrew Morton said something similar a few months ago.
“Andrew Morton, the lead maintainer of the Linux production kernel, is worried that an increasing number of defects are appearing in the 2.6 kernel and is considering drastic action to resolve it.
“I believe the 2.6 kernel is slowly getting buggier. It seems we’re adding bugs at a higher rate than we’re fixing them,” Morton said, in a talk at the LinuxTag conference in Wiesbaden, Germany, on Friday.”
http://news.zdnet.co.uk/software/0,1000000121,39267255,00.htm
Edited 2006-11-30 17:54
Many do
I’m running debian and that’s still at 2.6.16.
When does OSS and OS X enter the post-security climate like Microsoft has?
hahaha post-security. There is no such thing. Someone famous (forget who) said Security is a journey, not a process. If you believe that there will be a post-security climate then you are naive.
As mentioned many times above, there is no evidence that OSX or any other OSS software is less secure than ANY Microsoft product, unless you have access to the Microsoft source? If you do, then I would have serious doubts about your neutrality in the issue.
So your saying a popup message vulnerability from 2003 is worse than an “arbitrary code execution” vulnerability in OS X? 110 of them in 2006?
Firstly, time is irrelevant here. I assumed that you had the intellect to relise that I was talking about the impact when discovered of these bugs.
Actually I do. I used to be seriously pissed off by the popup messages (sometimes up to 10 at once) coming up on my Win98 computer from the internet. I’ve never had a single issue with my Apple mac-mini, mainly because these vulnerabilities are POTENTIAL RCE exploits and tend to be very difficult to actually exploit in real life, try downloading MetaSploit and seeing how many of the published vulnerabilities actually work reliably, or at all.
believe even andrew Morton said something similar
The question here is significance. If you live in a small rural village, then dropping a piece of litter can be a BIG issue. If you’re in a big ugly city with lots of litter around, one more piece of litter won’t really matter all that much. Get the picture?
Before you flame me to eternity, I’m not suggesting that Linux is better or worse than Windows. Just that what Morton was talking about was relative number of bugs over time, not comparative number of bugs between OSs.
and do the security review that Microsoft did
What security review? Windows Vista? hahahaha. Or is this the new security review codenamed Aero? I’m confused.
hahaha post-security. There is no such thing. Someone famous (forget who) said Security is a journey, not a process. If you believe that there will be a post-security climate then you are naive.
Ok. Security is like a series of steps. Microsoft took a giant step when it took a time out and started the SLDC. Post SLDC has resulted in prodcuts like IIS 6 and SQL 2000 SP4+ and SQL 2005 and XP SP2.
Its time OS X and Linux did the same.
What security review? Windows Vista? hahahaha.
IE7. Vista. IIS6. SQL 2000 Sp4+. XP SP2.
Or is this the new security review codenamed Aero?
Nope. But if you think that I can see why you are worried about popups in Windows 98.
I’m confused.
So it appears.
SLDC
SLDC?? Do you mean SDLC? If you do then, that you’re just spouting buzzwords. Any worthwhile modern software project implements a Software Development Lifecycle. Hence all the timed releases etc…
If you mean SLDC, then provide a link, because I cant’ find any info on it.
Its time OS X and Linux did the same.
I believe that the step from OS 9 to OS X was part of apples security review. The move to Mach was a big security boost. The fact that Microsoft did theirs later is of little importance.
As for Linux, It’s never had a security problem, so doing a review is of little value.
XP SP2.
Yeah. Well…that worked. :p
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn…
“The Trustworthy Computing Security Development Lifecycle”
As for Linux, It’s never had a security problem, so doing a review is of little value.
Ha ha ha ha ha!!!!!
XP SP2.
Yeah. Well…that worked. :p
It seems to. 110 Critical security holes in OS X for 2006 and only 15 for XP SP2.
Edited 2006-11-30 19:12
110 Critical security holes in OS X for 2006 and only 15 for XP SP2.
As I’ve said before, check the comments, get your figures straight. You should always compare figures from the same source. If you do. You’ll see that on secunia (where the 15 came from) OSX outperforms XP on security alerts. Oops
The Trustworthy Computing Security Development Lifecycle
So what’s the difference between that and a normal Development Lifecycle? Oh yeah, there’s the word Security before each stage. good one.
You’ll see that on secunia (where the 15 came from) OSX outperforms XP on security alerts.
You’ll find the 110 by clicking on all the ones that say “multiple” or an s on vulnerabilities and adding them up.
http://secunia.com/product/96/?task=advisories_2006
21: http://secunia.com/advisories/23155/
12: http://secunia.com/advisories/22187/
3: http://secunia.com/advisories/22068/
etc etc.
You are counting patches. I’m counting vulnerabilities.
Actually I remember quite clearly a virus on my Atari ST that transferred from floppy to floppy automatically and humorously(!) reversed the behavior of the mouse.
Yet, I’ve been using Mac OS X since 10.0 and have not had a single virus.
I’m not sure that your assertion that “Security is directly proportional to obscurity” has actually been proven, though a lot of people state it as though it is irrefutable.
Woe! Doesn’t THAT bring back memories! The mouse-reversal virus! It was a boot-sector virus. It hit me, just once. I got rid of it using that program called VKiller, I believe it was… it popped up a skull and crossbones (when it saw the virus) and made this alarm sound… scared me seriously, the first time I heard it.
Ah, the memories of a simpler time… the late 80’s…
Thanks!
“Security is directly proportional to obscurity”
good theory…. and you may find statistics to “proove” your point. but i beleive the theory is incorect!
the truth is… MS built there OSs with security being and afterthought! they called it being “developer friendly”….. and the side effect was that windows turned out to be the swiss cheese of the OS world…. and windows became the virus writer and script kiddy platform of choice! sure, its 95% marketshare helped…. but i am willing to bet, that is solaris, or BSD was the OS with 95% market share…. that there STILL would be an order of magnitue LESS “holes” in the OS…. and PC security would not be what it is to day… and Oxy-moron!
…that Apple is and so is Microsoft, proactively fixing the bugs. We should be very happy about that. Please keep these meaningless arguments about which is more buggy or less buggy away from this thread. Just remember that Windows XP gets messed up quite easily whereas OS X doesnt. Remember OS X has a security model based on UNIX and thus it is logically more secure than XP. That Apple AND Microsoft are both fixing bugs, for Apple users this is icing on the cake, for XP users, this is NEEDED to sustain the computers running XP. I dont care that OS X has a lot less number of users than XP…I dont care which OS is new which one is old. All I care is the facts and that is OS X gets attacked a lot less. And to anyone, that should be a great metric point.
Now Vista is a totally different matter and we dont know how it is going to hold up so lets not go there as well.
My 2 cents.
People throwin numbers around all over the place don’t mean anything!
The question is whoever has more or less patches, bugs etc, which OS do people feel and are more safe using.
The day I see a mass infection of Mac or Linux desktops then I will go back to Windows.
All I see is theoretical virus this and Trojan that on the Mac os and Linux!
When that mass outbreak happens on Mac and or Linux give me a call. Till then I am feeling pretty safe!
Not that it bothers me that Windows gets spyware, viruses etc. It’s how I make my money. But it cracks me up when my friends snub their noses up at my Mac and then call me a week later cause their Windows machine is running funny. LOL!
Watching MS fanboys spin this thing would be entertaining if it weren’t quite so sad.
You can quote all the Secunia numbers you want (while gleefully ignoring the severity of said vulnerabilities), but the fact remains:
-Regardless of market share, there has yet to be any exploitation of these bugs reported.
-All the spambot/botnet/virus-spewers seem to be running Windows
-Linux also has a fairly small market share, yet plenty of the Linux (or some add-on such as PHP+PHPbb) boxes out there have been owned due to some software flaw.
You can talk about numbers all you want, but for now I’m just counting the number of owned OS-X machines.
My hope is that Apple gets embarrassed by the morons that try to spin this stuff and then they’ll start at least doing some automated testing and having a good hard look at the crustier BSD stuff that has not been touched in a decade.
[iYou can quote all the Secunia numbers you want (while gleefully ignoring the severity of said vulnerabilities)[/i]
Actually, I was just counting the critical ones.
110 Critical for 2006.
There are way more than 110 OS X vulnerabilities in 2006.
12 allow “arbitrary code execution”. That is as severe as it can be.
12 allow “arbitrary code execution”. That is as severe as it can be.
IF this is true. However many of them are only potential remote code execution. It can be impossible to exploit a memory corruption bug, however they are all classified as RCE flaws because they *might* be able to run arbitrary code, this is another reason why quoting Flaw figures is not useful. This goes for Windows bugs AND Linux flaws AND Mac OSX vulnerabilities.
12 allow “arbitrary code execution”. That is as severe as it can be.
Please, point me to the os-x boxes 0wned using these.
And I’m not sure what you’re quoting, but any computer can execute arbitrary code, no?
Are you saying these are remote root exploits (or possibly, maybe exploitable bugs)?
And I’m not sure what you’re quoting, but any computer can execute arbitrary code, no?
I’m quoting the article at the top of the page.
[/i]Are you saying these are remote root exploits (or possibly, maybe exploitable bugs)?[/i]
Yes. Thats what “arbitrary code execution” means.
Someone earlier posted this link:
http://www.frsirt.com/english/advisories/2006/4750
12 of the 22 referenced by the article we are discussing allow “arbitrary code execution”.
The casual breathless, baffled reader
of this obviously meaningless, thought-unprovoking discussion,
admiring in great awe the mind-boggling courage of brave, tireless My-OS-is-Better-Than-Yours-soldiers of honour,
that are deeply trapped in the trenches,
without a single sign of being convinced by the other,
nor to ever give up or in
will undoubtedly have a hard time understanding
why.
Reading this forum I was wondering why people target a specific OS in the first place. In order to write a virus you have to own and know the OS in the first place. I believe targeting an OS is a result of the respect or lack of respect for the OS you own. Obvious there is not much respect in the Windows community from users who use/abuse their own OS. I wonder why!
Secunia the current state:
Windows XP Pro. Unpatched 29 ( of 163 Secunia advisories = 18% )
OSX Unpatched 7 ( of 84 Secunia advisories = 8% )
Now the number of Virii:
Windows: 1.45 * 10 ^ 5
OSX: never mind
and lets forget about spyware.
Edited 2006-11-30 22:16
Secunia the current state:
Windows XP Pro. Unpatched 29 ( of 163 Secunia advisories = 18% )
OSX Unpatched 7 ( of 84 Secunia advisories = 8% )
Many of the OS X ones are multiples. Some as many as 21.
Go back and count each individual one and get back to me.
In 2006 there are 110 Critical OS X vulnerabilities … so far. Only 15 XP … so far.
Hey, you may be comfortable with the those numbers. But, to be fair, you should count the vulnerabilities, not the patches.
Apple patches in bunches … not necessarily to mislead. But that is the result.
I have been following secunia for a long time.
What I am looking at:
-The number of UNPATCHED advisories, which for Apple has been close to zero for a long time.
-How much time does it take for Apple to patch them. Usually between 1 and 4 weeks.
-How ‘easy’ is to exploit the vulnerability and will it have a serious impact.
7 for the moment is exceptional high, so I am curious what it will be in a month time, I am quite confident we won’t need a service pack.
Also almost all vulnerabilities become known AFTER they have been patched, that means there has never been a real chance that these would be exploited.
Edited 2006-11-30 22:52
-How much time does it take for Apple to patch them. Usually between 1 and 4 weeks.
Do you have some sort of reference for that?
Sep 28 2006 for the OpenSSL vulnerability.
Dec 2005 CVE-2005-3962 Perl
Mar 29 2006 CVE-2006-1490 PHP
Oct 23 2006 CVE-2006-5465 PHP
Jul 6 2006 CVE-2006-3403 Samba
The 1 to 4 weeks thing is looking kind of shakey.
The 1 to 4 weeks thing is looking kind of shakey.
As i said in another thread:”All software is vulnerable”.
To give you an example:XP professional has 133+ vulnerabilities from which 17% is unpatched,even today.
http://secunia.com/product/22/?task=advisories
An unpatched example of a vulnerability rated highly critical and date realeased:2005-04-12.Isn’t that kind of looking shaky too?
http://secunia.com/advisories/14896/
The oldest unpatched flaw is from 2002-09-18.
Try to give some examples of unpatched vulnerabillities
in OSS software that has been unpatched after such a long time period.
To give you an example:XP professional has 133+ vulnerabilities
And RedHat 4 has 240 according to Secunia.
XP is 5 years old. RedHat is 2.
An unpatched example of a vulnerability rated highly critical and date realeased:2005-04-12.Isn’t that kind of looking shaky too?
“This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted “.mdb” file in Microsoft Access.”
The truth is, if you’ve opened any kind of mdb file that you don’t know where it came from, your system is compromised. It doesn’t have to be “specially crafted”.
Its kind of like saying “This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted “.exe” file.”
If you’ve opened the exe, you are at the mercy of what the exe does.
Try to give some examples of unpatched vulnerabillities
in OSS software that has been unpatched after such a long time period.
The two at the bottom of this page are from 2004:
http://secunia.com/product/4227/?task=advisories
Edited 2006-12-02 17:47
The two at the bottom of this page are from 2004: