Wednesday, December 19

Mac versus Windows vulnerability stats for 2007

byte_bucket over in the #pauldotcom IRC channel turned me onto this article, simply because I am a self-proclaimed Apple fanboy. Sounds good, I don't mind, I like it when people point me to articles. I read a lot of news during the day, but sometimes I don't get to see all the news articles.
Anyway, George Ou writes on zdnet.com an article comparing the number of vulnerabilities for XP, Vista, and OSX. At first glance we look at this column comparison and say "holy crap, OSX had a hell of a lot more vulnerabilities than Vista or XP combined!"

True. Now, in my usual Microsoft punditry and OSX defender stance, let me point out the less obvious differences between these three operating systems.

1) OSX hasn't had to deal with a bunch of hackers before; now that it's being increasingly targeted, especially QuickTime, Apple is dealing with it.
2) XP and Vista are closed platforms. Apple, save for their internal binaries, is pretty much open. You can see how it all works.
3) And probably the most critical: OSX is built on, and contains, a TON of open source software. CUPS, Apache, PCRE, MySQL, the list goes on and on and on.

So not only does Apple have to patch their own stuff, but they have to wait for the open source community to patch, then get the community's patch, tie it into their products, test test test test and test, then release their own patch. Makes sense so far, right? OSX Server even contains software owned by my company, Sourcefire: OSX Server ships ClamAV.

Are there more vulnerabilities in OSX than there are in Windows? Yes. But you are comparing apples (no pun intended, okay, well, slightly) and oranges. Windows has 94% market share! Just one vulnerability for Windows has the potential to cause a lot more damage than 30 vulnerabilities for OSX.

Then you have to look at the security models of the two. In OSX, most everything runs in "userland", whereas in Windows applications and services run at a lot of different permission levels: system, admin, user, etc.

One thing I don't like about Leopard is the same thing I didn't like about Tiger: the firewall. There is no "DENY ALL". There is a "Deny all, um.. except stuff that will break OSX". Which is fine, as long as there aren't any vulnerabilities in things like mDNSResponder (port 5353). But there have been remote vulns in mDNSResponder! The other thing I don't like about the Leopard firewall? It's OFF by default. Granted, there is only one port open by default in OSX (5353), as opposed to Windows, where there are at least 3.

So, yes, OSX has more vulnerabilities than Windows, but does it matter?

UPDATE: From the comments: iamnowonmai says "I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook? And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?"

Brings up a good point. Windows doesn't have to patch all the "other" software that is on its system. Apple does. Apple includes a lot of software to make their user experience better and more seamless. Windows relies on 3rd party developers for this. Say what you will, but these are things you need to take into account when you read this article.

10 comments:

Matthew Lee Hinman said...

In regards to the Leopard firewall, you could use a program like WaterRoof and manually manage the firewall. You can specify a DENY ALL rule if you're managing ipfw yourself.

Yeah, it doesn't count because you have to know enough to write your own ipfw rules and manage them, and it isn't all set up for you by default :)
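To make the firewall points concrete, here is a small POSIX shell audit, added here as an example and not code from the post, from Matthew's comment, or from WaterRoof. It reads the Leopard application-firewall mode and an ipfw ruleset and reports whether an explicit deny-all is actually in place, and whether inbound UDP/5353 (mDNSResponder, the one port the post says is open by default) is admitted. The meaning of the com.apple.alf `globalstate` values (0 off, 1 specific services, 2 "block all" minus essential services) is my assumption, and both rulesets in the script are constructed samples so it runs offline; on a real machine the inputs would come from `defaults read /Library/Preferences/com.apple.alf globalstate` and `sudo ipfw list`.

```shell
#!/bin/sh
# Added example, not code from the post, the comments, or WaterRoof. It audits
# the two things the firewall discussion turns on: the Leopard application
# firewall mode ("globalstate" in /Library/Preferences/com.apple.alf) and
# whether an ipfw ruleset really ends in an explicit deny-all, or falls through
# to the implicit "65535 allow ip from any to any" rule. The globalstate mapping
# is assumed; the rulesets below are CONSTRUCTED samples so this runs offline.
# Live inputs on a Leopard box would come from:
#   defaults read /Library/Preferences/com.apple.alf globalstate
#   sudo ipfw list

# com.apple.alf globalstate (assumed mapping): 0 = off (the Leopard default the
# post complains about), 1 = allow only specific services, 2 = "block all
# incoming", which still admits essential services such as mDNSResponder.
alf_mode() {
  case "$1" in
    0) echo "off" ;;
    1) echo "specific-services" ;;
    2) echo "essential-only" ;;
    *) echo "unknown" ;;
  esac
}

# Exit 0 if the ruleset on stdin has an explicit, unqualified deny-all rule
# numbered below the implicit 65535 default rule; exit 1 otherwise.
# Also accepts the "deny log ..." form ipfw prints for logged rules.
ipfw_has_deny_all() {
  awk '
    $0 ~ /^ *[0-9]+ +deny( log( logamount [0-9]+)?)? ip from any to any *$/ && $1 + 0 < 65535 { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# Exit 0 if the ruleset on stdin explicitly admits inbound UDP/5353 (mDNS);
# exit 1 otherwise.
ipfw_allows_mdns() {
  awk '
    $0 ~ /^ *[0-9]+ +allow udp from any to any dst-port 5353( in)? *$/ { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# One-line assessment of a ruleset read from stdin.
ipfw_verdict() {
  rules=$(cat)
  if printf '%s\n' "$rules" | ipfw_has_deny_all; then
    if printf '%s\n' "$rules" | ipfw_allows_mdns; then
      echo "deny-all present; udp/5353 (mDNSResponder) explicitly allowed in"
    else
      echo "deny-all present; udp/5353 not admitted"
    fi
  else
    echo "no deny-all; traffic falls through to the implicit 65535 allow"
  fi
}

# Constructed sample: an untouched Leopard ipfw table (only the default rule).
SAMPLE_DEFAULT_RULES='65535 allow ip from any to any'

# Constructed sample: a hand-managed ruleset with a real deny-all, loopback and
# outbound traffic allowed, replies to outbound TCP allowed, and mDNS admitted
# on purpose rather than by omission.
SAMPLE_HARDENED_RULES='00100 allow ip from any to any via lo0
00200 allow ip from any to any out
00210 allow tcp from any to any established
00300 allow udp from any to any dst-port 5353 in
65000 deny log ip from any to any
65535 allow ip from any to any'

printf 'application firewall (globalstate 0): %s\n' "$(alf_mode 0)"
printf 'untouched ipfw: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT_RULES" | ipfw_verdict)"
printf 'hardened ipfw:  %s\n' "$(printf '%s\n' "$SAMPLE_HARDENED_RULES" | ipfw_verdict)"
```

The point of the deny-all check is the one the post makes: the GUI's "block all" still admits mDNSResponder, so the only way to know what a box actually accepts is to read the ruleset that ends up in ipfw and look for a deny rule that comes before the default allow. The hardened sample shows the shape of such a policy, with UDP/5353 as a deliberate, visible exception instead of an invisible one.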

craig said...

It would be interesting to see if Jeff Jones publishes a one year report to follow up on his other reports comparing the number of vulnerabilities found in Vista, XP, RHEL4, Ubuntu 6.06, Novell SLED10 and Mac OSX 10.4 during the first six months of their respective releases.

His 6 month conclusion? Vista had fewer vulnerabilities found in its first 6 months than all the others in their first 6 months.

Link below for the full report.

http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

iamnowonmai said...

I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook?

And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?

Joel Esler said...

You have an excellent point. If Windows distributed all their 3rd party application's patches, and that was taken into account here, I am quite sure that the numbers would be much higher.

Anonymous said...

Joel, nice to see some level-headed analysis of the article. I agree if we were to count in all the vulnerabilities in the Office, Acrobat, Flash, antivirus, and other 3rd party software that just about everyone runs under Windows...the numbers would be much more revealing and useful.

Apple goes way out of its way to provide the end user a system with nearly everything they could want, and they get stuck patching a lot of 3rd party software.

The above being said, the long string of QuickTime issues across all platforms is a bit disturbing...I've got clients that have removed QT corp-wide as they are tired of the endless patching needed for something that ultimately didn't have enough biz value to compensate for the headaches. The fact that they took nearly a month to fix the latest vuln, a vulnerability that was the introduction of an old vulnerability, and a vuln that was being exploited in the wild didn't help.

Apple is going to have to realize fast that the days of their relative security via obscurity are quickly coming to an end, and adjust fast.

Apple had best be putting together an internal division whose sole purpose is code auditing and getting on top of these vulnerabilities in a much faster fashion.

Apple needs to be much more transparent and detailed in what their updates are addressing. Their security bulletins are a joke compared to what Redmond publishes....that's not a compliment either. They can do both a 'simple' and an advanced version of the bulletins for the average user and tech pros respectively.

Default firewall off? I know they are trying to be careful not to break things for the unsavvy new user, but sooner or later a good network worm will shatter their reputation on security in a network minute.

Security is one of their key selling points today, so they best start learning and organizing to back those statements up.

I understand what they were trying to do with the Leopard firewall, but it is too limiting without hitting the command line. This is a perfect example of where they are going wrong.

They've got to realize that a growing percentage of their user base is a few notches above Joe Average User and learn how to meet the needs of both.

Turn the firewall on by default or at least offer the option to the user during the install sequence. Or at least warn them that it's off, why it's so, and how to turn it on.

I know they want the firewall/security panel to be user friendly for Joe Average User. It would be just wonderful if they would learn to add an "advanced" button for those of us that would like to have a bit more control over things. This would win them a lot of good will with their more technical users.

They've got to get beyond the mentality that all their customers are clueless folks that just want things to work and could care the least about the underlying technologies. They've got to appeal to the IT guys and corporate folks if they want to get substantial market penetration. Right now, their mode of business leaves a lot to be desired there.

Apple's doing a lot of good stuff, but they dearly need to wake up and realize the "honeymoon" they've had on security issues is coming to an end fast.

JT
