Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd
December 21st, 2007
Daniel Eran Dilger
Notorious Zoon Award winner George Ou is again trying to convince the world that Mac OS X’s security is in shambles while Microsoft has solved the security crisis it created, at least for users of new PCs and when excluding that pesky problem of vast existing networks of compromised Windows bots that plague us all with mountains of spam no matter what platform we use.
This time, the problem isn’t just his penchant for getting facts wrong, failing to understand anything about the subjects he writes, orchestrating elaborate conspiracy theories, or dramatically casting derision on anyone who corrects him. Instead, he’s teamed up with ZDNet cohorts to disingenuously present false information he knows is wrong because he’s been corrected about posting vulnerability statistics from Secunia without context before.
While posted by, bylined, and tagged under “George Ou,” ZDNet published the article under the picture and name of young padawan Larry Dignan. That’s curious because Dignan typically always plays the second fiddle bridesmaid in ZDNet’s tag team anti-Apple rhetoric pieces commonly written in collusion by a number of wags. To understand the extent of ZDNet’s predisposition to publish sensationalized false information, consider what else Dignan has written recently for ZDnet:
The Problem with Vulnerability Stats.
Sure enough, Dignan/Ou’s “Mac versus Windows vulnerability stats for 2007” was brought to me in part by Microsoft’s ad banners. The article claimed that vulnerability tracking is “significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months.” But that’s not true, for a number of uncontroversial reasons.
First of all, the Ou/Dignan source for vulnerability counts is Secunia. Secunia’s primary source for vulnerability counts is often the developer; every time Apple releases a patch, Secunia goes through Apple’s patched flaw reports and adds those solved issues to its database. If Apple never patched the flaws only it knew about, or failed to release details of its patched flaws, it would lower the number of vulnerabilities Secunia lists, but certainly wouldn’t have any positive impact on either the security or the potential for exploit of Apple’s products. That means numbers of flaws are indicative not only of problems, but also of solutions. It’s not a simple case of “fewer is better.”
Secunia also adds reports of exploits involving software Apple bundles with Mac OS X whenever a third party vendor describes a problem in their own code. In some cases, this involves optional installs or server software that most users don’t ever use. Anyone comparing vulnerabilities between products would have to take a close look at what’s being compared to see if the numbers have any correlation with reality on any level.
Because an operating system can have a wide definition, comparing vulnerabilities between Windows and Mac OS X would have to take into account how each is packaged and delivered. Are the numbers counting just a subset of vendor supplied software, everything the user gets in a retail package, everything a typical user would have to install to make normal use their system, or anything that could be installed from any source?
Does it include old versions of software, or only the most up to date versions? Do numbers include patched issues or only outstanding ones? All of these factors demonstrate the potential for gross misstatements of fact. Vulnerability stats do not “speak for themselves,” and only a very dishonest ventriloquist would suggest they do.
Reading Between the Lies.
At the top of every advisory statists report, Secunia adds: “PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.” Strike one against Ou/Dignan.
The ZDNet article limits its scope to 2007, comparing Mac OS X to Windows XP and Vista, with a total for “XP+Vista” that supposedly excludes duplicated vulnerabilities, and an “average flaws per month” calculation. That in itself throws up red flags like a Chinese New Year parade for anyone with an IQ above 75. Ou has already demonstrated that he is out to prove Mac OS X is bad, so any massaging numbers around in creative ways is a bit hard to swallow.
In order to unmuddle the facts, I’ll compare all of the vulnerabilities Ou listed for either version of Mac OS X (Tiger and Leopard), but only compare the short list of vulnerabilities he cites for Windows Vista, which pundits tell us is completely secured and has none of the pandemic security problems Microsoft advertises about Windows XP now that it has a new product to sell.
A Look at December 2007 Vulnerabilities.
Within the month of December 2007, Windows Vista had six flaws listed by Secunia which would allow remote attackers to gain privileges or execute arbitrary code based on defects in Windows Media, DirectShow/DirectX, Windows SMB networking, and the Vista kernel.
In contrast, Mac OS X had nearly 60! However, two that Ou cited were listed like this:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788. Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users should reference CVE-2007-2788 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
and another 20 were listed as:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Two others related to different versions of Adobe Flash Player, with one being an “unspecified vulnerability in Adobe Flash Player 220.127.116.11 and earlier, when running on Opera before 9.24 on Mac OS X, that has unknown ‘Highly Severe’ impact and unknown attack vectors.”
Hooboy! Watch out, users of old Opera installations running a specific version of Flash, you never know what might happen if hackers discover where you are. Perhaps Apple could secure Mac OS X by preventing it from running Flash Player or Opera, as it did with the iPhone. Oh the humanity!
Some vulnerabilities where actual faults within Apple’s proprietary code:
- a Leopard Mail attachment could launch an attachment with a malicious script in its resource fork
- an Apple Java implementation flaw could allow a bypass of Keychain controls to add or delete keychain items
- a vpnd flaw could allow a hacker to crash the VPN server.
The rest were related to external software:
- 14 flaws in Sun’s Java SDK or JRE
- two tcpdump flaws in open source code could result in a crash
- 6 Perl library flaws that could result in a crash
- a GNU tar flaw could play into a user assisted file deletion
- CUPS could crash
- two Samba flaws had unknown consequences
- a Python flaw could cause a crash
- four flaws in different versions of Rails could result in remote reading of xml files or man in the middle attacks.
- an OpenSSL flaw could result in certificate spoofing
More Questions than Answers.
Just based on the last month of vulnerability stats, we found that it wasn’t really a case of Microsoft having a few flaws and Apple having ten times as many. In reality, Microsoft was responsible for a half dozen problems with its own proprietary code that all allowed the potential for exploits to run arbitrary code or gain privileges.
That’s bad, and it matches up with the same kind of pandemic problems we’ve witnessed in Microsoft’s development efforts over the last decade. It’s also Vista we’re talking about here, not some old legacy problems from years ago. This is the operating system Microsoft worked on for years, wrote from the ground up, and spent billions on to solve all those old security problems.
Yet after a year on the market, it’s still showing the type of flaws that allow execution of arbitrary code, the same problem that launched Microsoft’s virus and malware crisis. Nobody should suggest that Microsoft’s employees are incompetent, because it is virtually impossible to deliver bug free code. What is clear however is that the idea that Windows has now “solved all of its security issues” is simply misinformed.
Now look at Mac OS X. A third of the flaws listed for Apple were unknown reservations or duplications. Apple had one flaw that could enable a trojan email, and several that could result in a nefarious attacker crashing a background service. Of all the third party open source software Apple includes, several projects reported a number of bugs, the majority of which came from Sun’s Java. (Note that the iPhone doesn’t run Java either.)
Now think about that: does Java development only occur on the Mac platform? What about Perl, Python, and Rails, are they all Apple-centric phenomena? What about their proprietary equivalents: are there no bugs at all in any of Microsoft’s development tools, or do we just not know as much about any of them because Secunia doesn’t have anything like the worldwide open source community reporting on them? Does Adobe Flash not have any bugs on the Windows side, or is it only a problem for Mac users?
Pay No Attention to That Man Behind the Curtain.
Looking closer at these details reveals that Microsoft’s 79,000 employees, 81% profit margins on Windows, and $14 billion of annual Windows revenue don’t automatically give it the ability to deliver flawless Windows code. Instead, it actually reported more significant and problematic security isues this month in the now year-old Windows Vista than Apple had in its new Leopard and existing Tiger code combined. Vista’s problems are also more likely to be exploited, because many of the flaws are shared with an operating system lots of people actually use: Windows XP.
Apple has less than 22,000 employees and earns 15% net profit margins overall; perhaps Apple’s people are just working harder. That would explain why the much smaller Apple earned roughly half of Microsoft’s revenues over the past year: $24 billion vs $51 billion. It also explains why Apple could release three major updates to Tiger (10.4.9 through 10.4.11), a reference release of Leopard 10.5 , and follow up with a major update in 10.5.1 all in a year that Microsoft failed to release even a single service pack for either Windows XP or for Vista.
Of course, that pattern is nothing new because Apple has released over 40 major updates on the level of Microsoft service packs and five reference releases in the same half decade that Microsoft has struggled to deliver a just a scant few. At the same time, Microsoft has been dogged by security problems, stability issues, and most recently, an operating system it can’t even sell to consumers or to businesses.
Second Verse, Same as the First.
In November, the vulnerability details worked out along similar lines. There were no bugs reported by Microsoft, so according to ZDNet, this suggests a future lull in the Windows crisis of spyware, malware, and virus outbreaks at some point in the future. I wouldn’t switch off your anti-virus protection just yet however.
As for Apple, the same Leopard Mail attachment flaw was listed again for good measure, and Secunia listed a warning that a flaw in AppleRAID under Tiger could allow an attacker to cause a crash on mount by giving you a “crafted striped disk image.”
There were three independent vulnerability warnings that noted “checking ‘Block all incoming connections’ in the Leopard application firewall does not prevent root processes or mDNSResponder from accepting connections.” Apple solved this problem by changing the label text to “Allow only essential services.” In other words, those three vulnerabilities were never really vulnerabilities, but Ou counted them anyway because he knows not of which he speaks.
There were lots of bugs listed that might result in a crash or other problems:
- one related to a CFNetwork crash, an FTP misdirection, or a certificate spoofing
- CoreFoundation could cause a crash
- applications under Tiger could crash
- four Tiger kernel flaws were outlined
- two Tiger network flaws cause crash
- 14 flaws in Safari could potentially affect users on any platform
- three Tiger AppleTalk flaws
- two bzip race conditions
- a BIND DNS flaw
- an MIT Kerberos flaw could cause a crash
- and of course, Adobe Flash 9 was present and accounted for as well.
Does A Pattern Emerge?
In September and October, the tables turned: there were no reports about Apple at all, but three related to Vista: Windows Mail/Outlook Express could allow NNTP servers to execute arbitrary code; Windows Services for UNIX could allow local users to gain privileges; and RCP runtime libraries could allow denial of service attacks.
In the last three months, did the overall security of Windows Vista wildly oscillate? Did its vulnerability to attack double between September and October, then suddenly vaporize in November, only to suddenly become six times less secure this month? Or do vulnerability counts just make a really bad measure of overall security?
Further, is there a connection between Apple’s ability to improve its software at regular intervals, and Secunia knowing about flaws that Apple fixed? In November, Apple released 10.4.11; suddenly Secunia was flooded with reports of a couple dozen flaws affecting Apple’s software in versions of Tiger 10.4.10 and earlier (see the listing above). Perhaps when Microsoft releases a Vista service pack, we’ll also know more about the flaws that are as yet unreported in Windows.
An Open and Shut Case.
Windows Enthusiast pundits love to recount software flaws they discover from reading the notes Apple publishes as it patches them or in reports issued by open source developers, but they seem blind to the reality that Apple’s progressive rollout of significant improvements and its cooperation with open source isn’t a retroactive problem, but rather a competitive advantage.
The statistics above outline that the open source community is pinpointing problems in BIND and Kerberos and OpenSSL and various development libraries. However, those distributed resources can’t openly review the flaws in closed Windows code such as Active Directory, Microsoft’s proprietary authentication code, or its development libraries and tools. It is safe to assume however, that they are there. Look at the quality assurance that delivered Vista, the Zune, the 360, and Internet Explorer.
Bill Gates and Bugs.
Open source is about progress, and making progress involves being aware of your own mistakes. Microsoft is about profits. That’s why Bill Gates famously told Focus magazine back in 1995: “The reason we come up with new versions is not to fix bugs. It’s absolutely not. It’s the stupidest reason to buy a new version I ever heard. When we do a new version we put in lots of new things that people are asking for. And so, in no sense, is stability a reason to move to a new version. It’s never a reason.”
That same profiteering mindset built everything related to the Microsoft empire: a focus on advertising features regardless of usability, a general contempt for reality, and a denial that problems need real solutions rather than just a future promise of an expensive, profitable vaporware upgrade.
That cult of mediocrity has spawned a dedicated following of enthusiasts that are happy to support wishful thinking against reason and buy bad products like the Zune out of principle and allegiance to a brand that abuses them. As Harvey Lubin noted, it’s a case of Stockholm Syndrome. Microsoft has a nation of users brainwashed by nonstop propaganda that rivals the old Soviet Union, and is no less interested in keeping them locked inside its Iron Curtain.
Soviet Microsoft: Stockholm Syndrome Among Unswitchable Windows Users
Soviet Microsoft: How Resistance to Free Markets and Open Ideas Will the Unravel the Software Superpower
10 Fake Apple Scandals: #10 – Apple’s Mac and iPhone Security Crisis
Security through Spewing Absurdity.
Not knowing where the missing floorboards are doesn’t make you secure as you walk about in the dark. Having Ou wave a flashlight in your face doesn’t help; instead, it makes it more likely that you’ll fall through the floor and into the dark cold basement of Windows. That’s Ou’s intention, and it fits ZDNet’s business model, because Microsoft pays it to lure people into expensive catastrophe and entrapment using the misleading distractions of FUD.
While Ou and Dignan like to talk a lot about vulnerability counts, they never qualify what those numbers actually represent. For example, does it have any impact on security overall to find that throughout the last year:
for Mac OS X:
- 16% of the listed vulnerabilities threatened the potential for system access
- 10% threatened to expose sensitive data or system info
- the largest amount, 29%, were only denial of service attacks
while under Windows Vista:
- 43% of the vulnerabilities threatened to provide to system access
- 24% threatened to expose sensitive data or system info
- only 5% were limited to threatening a denial of service attack
Why Leave Out the Details?
Secunia also notes on its site that “writing 100% secure code is virtually impossible, hence the vendor’s responsiveness, willingness, and ability to provide quality patches to all its customers in a fast a reliable way is at least as important as the sheer number of vulnerabilities when considering the security of a product.”
Did Ou and Dignan read that, and then present their statistics in an effort to clear up a misunderstanding, or are they simply smearing around misinformation? For example, does it matter that Internet Explorer 7, the latest version of the web browser related to the majority of real world security problems that Windows users suffer from:
- had 17 advisories in 2007,
- 24% of which are still reported as unpatched,
- 45% of which risk system access or exposure to sensitive data,
- none of which are included in Secuna’s Windows Vista listings?
Apparently, Internet Explorer is only an integrated part of Windows when Microsoft wants to tie them together for anti-competitive reasons. When counting vulnerabilities, Internet Explorer is a totally different product, despite being bundled with Windows and one of the primary applications Windows users use and are abused by in terms of security flaws and problems. Why didn’t Ou and Dignan point out that rather significant detail?
In contrast, Secunia listed one advisory for Safari 2.x in 2007:
- it is reported as patched,
- while rated “less critical,” it risked exposure to sensitive data,
- of all the reports ever filed on Safari 2, none were rated even “moderately critical.”
Safari 3.0 was released mid year. It has no separate listing in Secunia’s database, but Secunia now includes Safari bug reports as part of Mac OS X, as noted above. Of course, that detail also suggests that other examples of Apple’s applications, third party software, and core OS or utility software bundled into Mac OS X have corresponding examples under Windows that do have flaws but are not included among Windows’ official vulnerabilities count, as they are on the Mac.
Bugs Will Be Bugs.
I should point out that I’m not attempting to suggest that Apple has no flaws, cannot possibly deliver problematic software, or can’t improve in its efforts. I’m only offering overwhelming proof that Ou’s data is riddled with problems and clearly involves issues Ou does not understand and is unqualified to discuss, and that the idea he leads readers toward is simply not true at all. Further, he knows all this because he posted the same garbage back in February and was corrected once already.
All software has flaws and requires diligent and ongoing efforts to correct and improve. It’s also worth noting that in some cases, Apple has even been criticized for quickly patching security flaws because some people would prefer the convenience of not having to deal with security precautions.
The best example is Apple’s recent patch for the TIFF vulnerability in an open source library, a flaw which allowed access to install iPhone software. Pundits complained about the problem and the solution at the same time.
UnWired! Rick Farrow, Metasploit, and My iPhone Security Interview
Kevin Poulsen Attacks Ron Paul, iPhone, Mac Users In a Single Broad Brush of Wired Incompetence
Kim Zetter and the iPhone Root Security Myth
Wait, Stop, Come Back.
For Ou and Dignan to do a copy and paste of lots of vulnerability report hyperlinks into a blog posting, do math on the number of links without even bothering to see if they are active issues or duplicates, ignore the severity or impact of the cited vulnerabilities, ignore the relevance of individual reports to actual users, and ignore the reality that the majority of the spyware, malware, trojans and viruses are designed for Windows users, and then print a headline that claims with authority to represent a true picture of reality: is fraud.
Ou and Dignan willfully misrepresented facts to present what everyone knows is false as “a possible truth” that may somehow be supported by research compiled by an authority. The problem is, that cited authority expressly insisted that ignorant reporters not use its listings to infer ideas based on numerology. It also clarified that its vulnerability counts are only as accurate and complete as those contributing the bug reports.
Secunia also takes great pains to outline that some operating systems, such as Mac OS X or Linux, compile large amounts of actively researched open code and include software packages and applications many users will never use, while others, such as Microsoft Windows, contain closed code that receives less scrutiny by fewer researchers and for whatever reasons excludes vulnerability notes on applications that are highly integrated parts of the system and involve every user.
Does Secunia Intentionally Feed the Misinformation Machine?
While Secunia bends backwards to suggest that it’s only offering raw data that shouldn’t be misinterpreted, it sure presents data in a way that almost seems designed to be misused. Back in 2004, just a year after it started its vulnerability database, Secunia chief executive Niels Henrik Rasmussen insisted that his year long tally of vulnerability numbers demonstrated that “The myth that Mac OS X is secure… has been exposed.” Was that its intended purpose?
In 2003, Lance Ulanoff of PC Magazine announced that “The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that’s not the point.” The next year, Matthew Broersma of Techworld then published Rasmussen vulnerability comments as a evidence that users should fear Mac OS X’s security, because Secunia’s numbers appeared to confirm what Windows Enthusiasts wanted to believe.
In the last four years, Secunia has been repeatedly cited as an authority for proving something that is observably not true; today, a brand new Windows box still can’t be directly connected to the Internet to download updates because it will almost certainly be compromised by malware infections before the patches can even download. In contrast, reports of attacks on Mac systems are still a mixture of hypothetical conjecture and theoretical possibility that deserve mention for their freakish novelty whenever a corner case is discovered or invented.
If vulnerability numerology had proven back in 2003 or 2004 that the Mac was not adequately secure, and if Secunia’s statistics were a “good estimate for how many flaws we can expect to find in the coming months” as Ou/Dignan insist, shouldn’t that dynamic have kicked in at some point over the last several years?
Something to consider: we learned this year that it takes a $10,000 prize and ideal conditions that include giving attackers special access in order to break into a Mac. In contrast, it takes $10,000 of firewall hardware and a bit of luck to prevent hackers from successfully attacking your company’s Windows boxes without even trying hard.
Apple’s Mac and iPhone Security Crisis: The Tale that Dogs the Wags
InfoWorld Publishes False Report on Mac Security
ZDNet Shill Confirms Credibility of ZDNet Shill.
How does ZDNet defend the business sense of hosting a false report on vulnerability numerology, a report Ou already used back in February, was corrected on, but then chose to spill out again for more click sensationalism now that ZDNet has promoted him from dancing shill to the author of its Zero Day security blog? And was nobody else at ZDNet more qualified than Ou to misrepresent statistics on Windows security?
With Ou’s credibility clearly lacking, ZDNet has been doing damage control in an effort to lend itself some credibility. ZDNet’s Ed Burnette volunteered to dismissed the overwhelmingly negative responses Ou got from his recycled article as “knee-jerk ‘this can’t be true’ reactions.”
Yes, we’re all so befuddled by Ou’s impressive vulnerability numerology that we can only be upset and ineffectually doubt the truth. Either that, or what I wrote. It appears nobody in the ZDNet organization is qualified to be writing about security, or Mac OS X, or perhaps even Microsoft.
Thanks to Michael Jackson for supplying the “Ou-ija” clairvoyance graphic.
Introductory prattle was moved into a separate posting after initial posting.
Like reading RoughlyDrafted? Share articles with your friends, link from your blog, and subscribe to my podcast! Submit to Reddit or Slashdot, or consider making a small donation supporting this site. Thanks!