Comments on Joel Esler: Mac versus Windows vulnerability stats for 2007

Matthew Lee Hinman (2007-12-19 07:04 -05:00):

In regards to the Leopard firewall, you could use a program like WaterRoof and manually manage the firewall. You can specify a DENY ALL rule if you're managing ipfw yourself.

Yea, it doesn't count because you have to know enough to write your own ipfw rules and manage them, and it isn't all set up for you by default :)

craig (2007-12-19 09:29 -05:00):

It would be interesting to see if Jeff Jones publishes a one year report to follow up on his other reports comparing the number of vulnerabilities found in Vista, XP, RHEL4, Ubuntu 6.06, Novell SLED10 and Mac OSX 10.4 during the first six months of their respective releases.

His 6 month conclusion? Vista had the fewest vulnerabilities found in its first 6 months compared to all the others in their first 6 months.

Link below for the full report.

http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

iamnowonmain (2007-12-20 07:56 -05:00):

I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook?

And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?

Joel Esler (2007-12-20 08:49 -05:00):

You have an excellent point. If Windows distributed all their 3rd party applications' patches, and that was taken into account here, I am quite sure that the numbers would be much higher.

JT (Anonymous, 2007-12-20 09:40 -05:00):

Joel, nice to see some level headed analysis of the article. I agree: if we were to count in all the vulnerabilities in the office, acrobat, flash, antivirus, and other 3rd party software that just about everyone runs under Windows...the numbers would be much more revealing and useful.

Apple goes way out of its way to provide the end user a system with nearly everything they could want, and they get stuck patching a lot of 3rd party software.

The above being said, the long string of QuickTime issues across all platforms is a bit disturbing...I've got clients that have removed QT corp wide as they are tired of the endless patching needed for something that ultimately didn't have enough biz value to compensate for the headaches. The fact that they took nearly a month to fix the latest vuln, a vulnerability that was the reintroduction of an old vulnerability, and a vuln that was being exploited in the wild, didn't help.

Apple is going to have to realize fast that the days of their relative security via obscurity are quickly coming to an end, and adjust fast.

Apple had best be putting together an internal division whose sole purpose is code auditing and getting on top of these vulnerabilities in a much faster fashion.

3. Apple needs to be much more transparent and detailed in what their updates are addressing. Their security bulletins are a joke compared to what Redmond publishes....that's not a compliment either. They can do both a 'simple' and an advanced version of the bulletins for the average user and tech pros respectively.

Default firewall off? I know they are trying to be careful not to break things for the unsavvy new user, but sooner or later a good network worm will shatter their reputation on security in a network minute.

Security is one of their key selling points today, so they best start learning and organizing to back those statements up.

I understand what they were trying to do with the Leopard firewall, but it is too limiting without hitting the command line. This is a perfect example of where they are going wrong.

They've got to realize that a growing percentage of their user base is a few notches above Joe Average User and learn how to meet the needs of both.

Turn the firewall on by default, or at least offer the option to the user during the install sequence. Or at least warn them that it's off, why it's so, and how to turn it on.

I know they want the firewall/security panel to be user friendly for Joe Average User. It would be just wonderful if they would learn to add an "advanced" button for those of us that would like to have a bit more control over things. This would win them a lot of good will with their more technical users.

They've got to get beyond the mentality that all their customers are clueless folks that just want things to work and could care the least about the underlying technologies. They've got to appeal to the IT guys and corporate folks if they want to get substantial market penetration.
Right now, their mode of business leaves a lot to be desired there.

Apple's doing a lot of good stuff, but they dearly need to wake up and realize the "honeymoon" they've had on security issues is coming to an end fast.

JT