Daniel Eran Dilger in San Francisco
Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd

December 21, 2007
Daniel Eran Dilger
Notorious Zoon Award winner George Ou is again trying to convince the world that Mac OS X’s security is in shambles while Microsoft has solved the security crisis it created, at least for users of new PCs and when excluding that pesky problem of vast existing networks of compromised Windows bots that plague us all with mountains of spam no matter what platform we use.

This time, the problem isn’t just his penchant for getting facts wrong, failing to understand anything about the subjects he writes, orchestrating elaborate conspiracy theories, or dramatically casting derision on anyone who corrects him. Instead, he’s teamed up with ZDNet cohorts to disingenuously present false information he knows is wrong because he’s been corrected about posting vulnerability statistics from Secunia without context before.


While posted by, bylined, and tagged under “George Ou,” ZDNet published the article under the picture and name of young padawan Larry Dignan. That’s curious because Dignan typically plays the second fiddle bridesmaid in ZDNet’s tag team anti-Apple rhetoric pieces, which are commonly written in collusion by a number of wags. To understand the extent of ZDNet’s predisposition to publish sensationalized false information, consider what else Dignan has written recently for ZDNet:

Larry Dignan’s Zune Fantasy Highlights CNET’s ZDNet Blogger Credibility Problems
ZDNet’s George Ou Exposed as Ignorant Microsoft Shill

The Problem with Vulnerability Stats.
Sure enough, Dignan/Ou’s “Mac versus Windows vulnerability stats for 2007” was brought to me in part by Microsoft’s ad banners. The article claimed that vulnerability tracking is “significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months.” But that’s not true, for a number of uncontroversial reasons.

First of all, the Ou/Dignan source for vulnerability counts is Secunia. Secunia’s primary source for vulnerability counts is often the developer; every time Apple releases a patch, Secunia goes through Apple’s patched flaw reports and adds those solved issues to its database. If Apple never patched the flaws only it knew about, or failed to release details of its patched flaws, it would lower the number of vulnerabilities Secunia lists, but certainly wouldn’t have any positive impact on either the security or the potential for exploit of Apple’s products. That means numbers of flaws are indicative not only of problems, but also of solutions. It’s not a simple case of “fewer is better.”

Secunia also adds reports of exploits involving software Apple bundles with Mac OS X whenever a third party vendor describes a problem in their own code. In some cases, this involves optional installs or server software that most users don’t ever use. Anyone comparing vulnerabilities between products would have to take a close look at what’s being compared to see if the numbers have any correlation with reality on any level.

Because an operating system can have a wide definition, comparing vulnerabilities between Windows and Mac OS X would have to take into account how each is packaged and delivered. Are the numbers counting just a subset of vendor supplied software, everything the user gets in a retail package, everything a typical user would have to install to make normal use of their system, or anything that could be installed from any source?

Does it include old versions of software, or only the most up to date versions? Do numbers include patched issues or only outstanding ones? All of these factors demonstrate the potential for gross misstatements of fact. Vulnerability stats do not “speak for themselves,” and only a very dishonest ventriloquist would suggest they do.

Reading Between the Lies.
At the top of every advisory statistics report, Secunia adds: “PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.” Strike one against Ou/Dignan.

The ZDNet article limits its scope to 2007, comparing Mac OS X to Windows XP and Vista, with a total for “XP+Vista” that supposedly excludes duplicated vulnerabilities, and an “average flaws per month” calculation. That in itself throws up red flags like a Chinese New Year parade for anyone with an IQ above 75. Ou has already demonstrated that he is out to prove Mac OS X is bad, so any creative massaging of the numbers is a bit hard to swallow.

In order to unmuddle the facts, I’ll compare all of the vulnerabilities Ou listed for either version of Mac OS X (Tiger and Leopard), but only compare the short list of vulnerabilities he cites for Windows Vista, which pundits tell us is completely secured and has none of the pandemic security problems Microsoft advertises about Windows XP now that it has a new product to sell.

A Look at December 2007 Vulnerabilities.
Within the month of December 2007, Windows Vista had six flaws listed by Secunia which would allow remote attackers to gain privileges or execute arbitrary code based on defects in Windows Media, DirectShow/DirectX, Windows SMB networking, and the Vista kernel.

In contrast, Mac OS X had nearly 60! However, two that Ou cited were listed like this:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2788. Reason: This candidate is a duplicate of CVE-2007-2788. Notes: All CVE users should reference CVE-2007-2788 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

and another 20 were listed as:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Two others related to different versions of Adobe Flash Player, with one being an “unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X, that has unknown ‘Highly Severe’ impact and unknown attack vectors.”

Hooboy! Watch out, users of old Opera installations running a specific version of Flash, you never know what might happen if hackers discover where you are. Perhaps Apple could secure Mac OS X by preventing it from running Flash Player or Opera, as it did with the iPhone. Oh the humanity!

Gone in a Flash: More on Apple’s iPhone Web Plans

Some vulnerabilities were actual faults within Apple’s proprietary code:

  • a Leopard Mail attachment could launch an attachment with a malicious script in its resource fork
  • an Apple Java implementation flaw could allow a bypass of Keychain controls to add or delete keychain items
  • a vpnd flaw could allow a hacker to crash the VPN server.

The rest were related to external software:

  • 14 flaws in Sun’s Java SDK or JRE
  • two tcpdump flaws in open source code could result in a crash
  • six Perl library flaws that could result in a crash
  • a GNU tar flaw could play into a user assisted file deletion
  • CUPS could crash
  • two Samba flaws had unknown consequences
  • a Python flaw could cause a crash
  • four flaws in different versions of Rails could result in remote reading of xml files or man in the middle attacks.
  • an OpenSSL flaw could result in certificate spoofing

More Questions than Answers.
Just based on the last month of vulnerability stats, we found that it wasn’t really a case of Microsoft having a few flaws and Apple having ten times as many. In reality, Microsoft was responsible for a half dozen problems with its own proprietary code that all allowed the potential for exploits to run arbitrary code or gain privileges.

That’s bad, and it matches up with the same kind of pandemic problems we’ve witnessed in Microsoft’s development efforts over the last decade. It’s also Vista we’re talking about here, not some old legacy problems from years ago. This is the operating system Microsoft worked on for years, wrote from the ground up, and spent billions on to solve all those old security problems.

Yet after a year on the market, it’s still showing the type of flaws that allow execution of arbitrary code, the same problem that launched Microsoft’s virus and malware crisis. Nobody should suggest that Microsoft’s employees are incompetent, because it is virtually impossible to deliver bug free code. What is clear however is that the idea that Windows has now “solved all of its security issues” is simply misinformed.

Now look at Mac OS X. A third of the flaws listed for Apple were unknown reservations or duplications. Apple had one flaw that could enable a trojan email, and several that could result in a nefarious attacker crashing a background service. Of all the third party open source software Apple includes, several projects reported a number of bugs, the majority of which came from Sun’s Java. (Note that the iPhone doesn’t run Java either.)

Now think about that: does Java development only occur on the Mac platform? What about Perl, Python, and Rails, are they all Apple-centric phenomena? What about their proprietary equivalents: are there no bugs at all in any of Microsoft’s development tools, or do we just not know as much about any of them because Secunia doesn’t have anything like the worldwide open source community reporting on them? Does Adobe Flash not have any bugs on the Windows side, or is it only a problem for Mac users?

Pay No Attention to That Man Behind the Curtain.
Looking closer at these details reveals that Microsoft’s 79,000 employees, 81% profit margins on Windows, and $14 billion of annual Windows revenue don’t automatically give it the ability to deliver flawless Windows code. Instead, it actually reported more significant and problematic security issues this month in the now year-old Windows Vista than Apple had in its new Leopard and existing Tiger code combined. Vista’s problems are also more likely to be exploited, because many of the flaws are shared with an operating system lots of people actually use: Windows XP.

Apple has fewer than 22,000 employees and earns 15% net profit margins overall; perhaps Apple’s people are just working harder. That would explain why the much smaller Apple earned roughly half of Microsoft’s revenues over the past year: $24 billion vs $51 billion. It also explains why Apple could release three major updates to Tiger (10.4.9 through 10.4.11), a reference release of Leopard 10.5, and follow up with a major update in 10.5.1, all in a year in which Microsoft failed to release even a single service pack for either Windows XP or for Vista.

Of course, that pattern is nothing new, because Apple has released over 40 major updates on the level of Microsoft service packs and five reference releases in the same half decade that Microsoft has struggled to deliver just a scant few. At the same time, Microsoft has been dogged by security problems, stability issues, and most recently, an operating system it can’t even sell to consumers or to businesses.

Ten Myths of Leopard: 2 It’s Only a Service Pack!
Will Leopard Miss Vista’s Window of Opportunity?
Microsoft’s Outrageous Office Profits
Leopard, Vista and the iPhone OS X Architecture

Second Verse, Same as the First.
In November, the vulnerability details worked out along similar lines. There were no bugs reported by Microsoft, so according to ZDNet’s logic, this suggests a future lull in the Windows crisis of spyware, malware, and virus outbreaks. I wouldn’t switch off your anti-virus protection just yet, however.

As for Apple, the same Leopard Mail attachment flaw was listed again for good measure, and Secunia listed a warning that a flaw in AppleRAID under Tiger could allow an attacker to cause a crash on mount by giving you a “crafted striped disk image.”

There were three independent vulnerability warnings that noted “checking ‘Block all incoming connections’ in the Leopard application firewall does not prevent root processes or mDNSResponder from accepting connections.” Apple solved this problem by changing the label text to “Allow only essential services.” In other words, those three vulnerabilities were never really vulnerabilities, but Ou counted them anyway because he knows not of which he speaks.

There were lots of bugs listed that might result in a crash or other problems:

  • one related to a CFNetwork crash, an FTP misdirection, or a certificate spoofing
  • CoreFoundation could cause a crash
  • applications under Tiger could crash
  • four Tiger kernel flaws were outlined
  • two Tiger network flaws could cause a crash
  • 14 flaws in Safari could potentially affect users on any platform
  • three Tiger AppleTalk flaws
  • two bzip race conditions
  • a BIND DNS flaw
  • an MIT Kerberos flaw could cause a crash
  • and of course, Adobe Flash 9 was present and accounted for as well.

Does A Pattern Emerge?
In September and October, the tables turned: there were no reports about Apple at all, but three related to Vista: Windows Mail/Outlook Express could allow NNTP servers to execute arbitrary code; Windows Services for UNIX could allow local users to gain privileges; and RPC runtime libraries could allow denial of service attacks.

In the last three months, did the overall security of Windows Vista wildly oscillate? Did its vulnerability to attack double between September and October, then suddenly vaporize in November, only to suddenly become six times less secure this month? Or do vulnerability counts just make a really bad measure of overall security?

Further, is there a connection between Apple’s ability to improve its software at regular intervals, and Secunia knowing about flaws that Apple fixed? In November, Apple released 10.4.11; suddenly Secunia was flooded with reports of a couple dozen flaws affecting Apple’s software in versions of Tiger 10.4.10 and earlier (see the listing above). Perhaps when Microsoft releases a Vista service pack, we’ll also know more about the flaws that are as yet unreported in Windows.

An Open and Shut Case.
Windows Enthusiast pundits love to recount software flaws they discover from reading the notes Apple publishes as it patches them or in reports issued by open source developers, but they seem blind to the reality that Apple’s progressive rollout of significant improvements and its cooperation with open source isn’t a retroactive problem, but rather a competitive advantage.

The statistics above outline that the open source community is pinpointing problems in BIND and Kerberos and OpenSSL and various development libraries. However, those distributed resources can’t openly review the flaws in closed Windows code such as Active Directory, Microsoft’s proprietary authentication code, or its development libraries and tools. It is safe to assume however, that they are there. Look at the quality assurance that delivered Vista, the Zune, the 360, and Internet Explorer.

Symbiotic: What Apple Does for Open Source
Apple’s Open Source Assault
Microsoft’s Unwinnable War on Linux and Open Source

Bill Gates and Bugs.
Open source is about progress, and making progress involves being aware of your own mistakes. Microsoft is about profits. That’s why Bill Gates famously told Focus magazine back in 1995: “The reason we come up with new versions is not to fix bugs. It’s absolutely not. It’s the stupidest reason to buy a new version I ever heard. When we do a new version we put in lots of new things that people are asking for. And so, in no sense, is stability a reason to move to a new version. It’s never a reason.”

That same profiteering mindset built everything related to the Microsoft empire: a focus on advertising features regardless of usability, a general contempt for reality, and a denial that problems need real solutions rather than just a future promise of an expensive, profitable vaporware upgrade.

That cult of mediocrity has spawned a dedicated following of enthusiasts that are happy to support wishful thinking against reason and buy bad products like the Zune out of principle and allegiance to a brand that abuses them. As Harvey Lubin noted, it’s a case of Stockholm Syndrome. Microsoft has a nation of users brainwashed by nonstop propaganda that rivals the old Soviet Union, and is no less interested in keeping them locked inside its Iron Curtain.

Soviet Microsoft: Stockholm Syndrome Among Unswitchable Windows Users
Soviet Microsoft: How Resistance to Free Markets and Open Ideas Will Unravel the Software Superpower
10 Fake Apple Scandals: #10 – Apple’s Mac and iPhone Security Crisis

Security through Spewing Absurdity.
Not knowing where the missing floorboards are doesn’t make you secure as you walk about in the dark. Having Ou wave a flashlight in your face doesn’t help; instead, it makes it more likely that you’ll fall through the floor and into the dark cold basement of Windows. That’s Ou’s intention, and it fits ZDNet’s business model, because Microsoft pays it to lure people into expensive catastrophe and entrapment using the misleading distractions of FUD.

While Ou and Dignan like to talk a lot about vulnerability counts, they never qualify what those numbers actually represent. For example, does it have any impact on security overall to find that throughout the last year:

for Mac OS X:

  • 16% of the listed vulnerabilities threatened the potential for system access
  • 10% threatened to expose sensitive data or system info
  • the largest amount, 29%, were only denial of service attacks

while under Windows Vista:

  • 43% of the vulnerabilities threatened to provide system access
  • 24% threatened to expose sensitive data or system info
  • only 5% were limited to threatening a denial of service attack
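
The counting rule this article keeps coming back to (throw out rejected and reserved candidates, count a CVE once no matter how many monthly advisories repeat it, separate Apple’s own code from bundled third-party code, and then look at impact classes rather than raw totals) is easy to turn into a script. The one below is an added example; it is not code from this site, from Secunia, or from ZDNet. The records in it are constructed placeholders that mimic the kinds of entries described above (the CVE-style IDs are not real entries), and the `source` and `impact` field names are assumptions about how such a list might be tagged.

```python
"""Normalize a list of vulnerability links before counting them.

Added example, not from the original article or from Secunia. The sample
records below are constructed; their CVE-style IDs are placeholders and the
"source"/"impact" fields are assumed names for the component owner and the
advisory's impact class.
"""
import re
from collections import Counter

# Constructed sample list: one first-party flaw, one DoS, a REJECT that
# points back at the first flaw, a RESERVED placeholder, a bundled Java
# flaw listed twice (as happens when two months' advisories repeat it),
# a Flash flaw of unknown impact, and a Perl crash.
SAMPLE = [
    {"id": "CVE-2007-9901", "source": "apple", "impact": "system access",
     "desc": "Mail could run a script hidden in an attachment's resource fork"},
    {"id": "CVE-2007-9902", "source": "apple", "impact": "denial of service",
     "desc": "vpnd could be crashed by a remote client"},
    {"id": "CVE-2007-9903", "source": "apple", "impact": "",
     "desc": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: "
             "CVE-2007-9901. Reason: This candidate is a duplicate of CVE-2007-9901."},
    {"id": "CVE-2007-9904", "source": "apple", "impact": "",
     "desc": "** RESERVED ** This candidate has been reserved by an organization "
             "or individual that will use it when announcing a new security problem."},
    {"id": "CVE-2007-9905", "source": "sun java", "impact": "system access",
     "desc": "JRE sandbox escape in bundled Java"},
    {"id": "CVE-2007-9905", "source": "sun java", "impact": "system access",
     "desc": "JRE sandbox escape in bundled Java (listed again in a later month)"},
    {"id": "CVE-2007-9906", "source": "adobe flash", "impact": "unknown",
     "desc": "Unspecified vulnerability in Flash Player when running on Opera"},
    {"id": "CVE-2007-9907", "source": "perl", "impact": "denial of service",
     "desc": "Perl library crash"},
]

# Assumed: which "source" values count as the OS vendor's own code.
FIRST_PARTY = {"apple"}


def raw_count(records):
    """What a copy-and-paste of hyperlinks gives you: one per link."""
    return len(records)


def status(record):
    """Classify an entry as 'reject', 'reserved' or 'live' from its text."""
    desc = record["desc"]
    if desc.startswith("** REJECT **"):
        return "reject"
    if desc.startswith("** RESERVED **"):
        return "reserved"
    return "live"


def canonical_id(record):
    """For a REJECT entry, return the ID its ConsultIDs field points to."""
    if status(record) != "reject":
        return record["id"]
    m = re.search(r"ConsultIDs:\s*(CVE-\d{4}-\d{4,})", record["desc"])
    return m.group(1) if m else record["id"]


def normalize(records):
    """Return (unique live records, Counter of why each other entry was dropped)."""
    live = {}
    dropped = Counter()
    # Pass 1: keep each live ID once; RESERVED entries carry no information.
    for rec in records:
        st = status(rec)
        if st == "live":
            if rec["id"] in live:
                dropped["repeat listing"] += 1
            else:
                live[rec["id"]] = rec
        elif st == "reserved":
            dropped["reserved"] += 1
    # Pass 2: a REJECT is either a duplicate of an ID already counted, or a
    # pointer outside this list; neither is a second flaw.
    for rec in records:
        if status(rec) == "reject":
            if canonical_id(rec) in live:
                dropped["reject (duplicate of listed ID)"] += 1
            else:
                dropped["reject (points outside the list)"] += 1
    return list(live.values()), dropped


def breakdown(records):
    """Split the countable records by code owner and by impact class."""
    by_owner = Counter(
        "first party" if r["source"] in FIRST_PARTY else "bundled" for r in records
    )
    by_impact = Counter(r["impact"] for r in records)
    total = len(records)
    pct = {k: round(100 * v / total) for k, v in by_impact.items()} if total else {}
    return {"total": total, "owner": dict(by_owner),
            "impact": dict(by_impact), "impact_pct": pct}


if __name__ == "__main__":
    kept, dropped = normalize(SAMPLE)
    print("raw links:", raw_count(SAMPLE))
    print("dropped:", dict(dropped))
    print("countable:", breakdown(kept))
```

On the constructed sample, eight links shrink to five countable flaws, of which two are in the vendor’s own code, and the impact split is the number a reader would actually want to see beside any headline total.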

Why Leave Out the Details?
Secunia also notes on its site that “writing 100% secure code is virtually impossible, hence the vendor’s responsiveness, willingness, and ability to provide quality patches to all its customers in a fast and reliable way is at least as important as the sheer number of vulnerabilities when considering the security of a product.”

Did Ou and Dignan read that, and then present their statistics in an effort to clear up a misunderstanding, or are they simply smearing around misinformation? For example, does it matter that Internet Explorer 7, the latest version of the web browser related to the majority of real world security problems that Windows users suffer from:

  • had 17 advisories in 2007,
  • 24% of which are still reported as unpatched,
  • 45% of which risk system access or exposure to sensitive data,
  • none of which are included in Secunia’s Windows Vista listings?

Apparently, Internet Explorer is only an integrated part of Windows when Microsoft wants to tie them together for anti-competitive reasons. When counting vulnerabilities, Internet Explorer is a totally different product, despite being bundled with Windows and one of the primary applications Windows users use and are abused by in terms of security flaws and problems. Why didn’t Ou and Dignan point out that rather significant detail?

In contrast, Secunia listed one advisory for Safari 2.x in 2007:

  • it is reported as patched,
  • while rated “less critical,” it risked exposure to sensitive data,
  • of all the reports ever filed on Safari 2, none were rated even “moderately critical.”

Safari 3.0 was released mid year. It has no separate listing in Secunia’s database, but Secunia now includes Safari bug reports as part of Mac OS X, as noted above. Of course, that detail also suggests that other examples of Apple’s applications, third party software, and core OS or utility software bundled into Mac OS X have corresponding examples under Windows that do have flaws but are not included among Windows’ official vulnerabilities count, as they are on the Mac.

The Future of the Web: Safari, Firefox and Internet Explorer

Bugs Will Be Bugs.
I should point out that I’m not attempting to suggest that Apple has no flaws, cannot possibly deliver problematic software, or can’t improve in its efforts. I’m only offering overwhelming proof that Ou’s data is riddled with problems and clearly involves issues Ou does not understand and is unqualified to discuss, and that the idea he leads readers toward is simply not true at all. Further, he knows all this because he posted the same garbage back in February and was corrected once already.

All software has flaws and requires diligent and ongoing efforts to correct and improve. It’s also worth noting that in some cases, Apple has even been criticized for quickly patching security flaws because some people would prefer the convenience of not having to deal with security precautions.

The best example is Apple’s recent patch for the TIFF vulnerability in an open source library, a flaw which allowed access to install iPhone software. Pundits complained about the problem and the solution at the same time.

UnWired! Rick Farrow, Metasploit, and My iPhone Security Interview
Kevin Poulsen Attacks Ron Paul, iPhone, Mac Users In a Single Broad Brush of Wired Incompetence
Kim Zetter and the iPhone Root Security Myth

Wait, Stop, Come Back.
For Ou and Dignan to do a copy and paste of lots of vulnerability report hyperlinks into a blog posting, do math on the number of links without even bothering to see if they are active issues or duplicates, ignore the severity or impact of the cited vulnerabilities, ignore the relevance of individual reports to actual users, and ignore the reality that the majority of the spyware, malware, trojans and viruses are designed for Windows users, and then print a headline that claims with authority to represent a true picture of reality: is fraud.

Ou and Dignan willfully misrepresented facts to present what everyone knows is false as “a possible truth” that may somehow be supported by research compiled by an authority. The problem is, that cited authority expressly insisted that ignorant reporters not use its listings to infer ideas based on numerology. It also clarified that its vulnerability counts are only as accurate and complete as those contributing the bug reports.

Secunia also takes great pains to outline that some operating systems, such as Mac OS X or Linux, compile large amounts of actively researched open code and include software packages and applications many users will never use, while others, such as Microsoft Windows, contain closed code that receives less scrutiny by fewer researchers and for whatever reasons excludes vulnerability notes on applications that are highly integrated parts of the system and involve every user.

Does Secunia Intentionally Feed the Misinformation Machine?
While Secunia bends over backwards to suggest that it’s only offering raw data that shouldn’t be misinterpreted, it sure presents data in a way that almost seems designed to be misused. Back in 2004, just a year after it started its vulnerability database, Secunia chief executive Niels Henrik Rasmussen insisted that his year long tally of vulnerability numbers demonstrated that “The myth that Mac OS X is secure… has been exposed.” Was that its intended purpose?

In 2003, Lance Ulanoff of PC Magazine announced that “The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that’s not the point.” The next year, Matthew Broersma of Techworld then published Rasmussen’s vulnerability comments as evidence that users should fear Mac OS X’s security, because Secunia’s numbers appeared to confirm what Windows Enthusiasts wanted to believe.

In the last four years, Secunia has been repeatedly cited as an authority for proving something that is observably not true; today, a brand new Windows box still can’t be directly connected to the Internet to download updates because it will almost certainly be compromised by malware infections before the patches can even download. In contrast, reports of attacks on Mac systems are still a mixture of hypothetical conjecture and theoretical possibility that deserve mention for their freakish novelty whenever a corner case is discovered or invented.

If vulnerability numerology had proven back in 2003 or 2004 that the Mac was not adequately secure, and if Secunia’s statistics were a “good estimate for how many flaws we can expect to find in the coming months” as Ou/Dignan insist, shouldn’t that dynamic have kicked in at some point over the last several years?

Something to consider: we learned this year that it takes a $10,000 prize and ideal conditions that include giving attackers special access in order to break into a Mac. In contrast, it takes $10,000 of firewall hardware and a bit of luck to prevent hackers from successfully attacking your company’s Windows boxes without even trying hard.

Apple’s Mac and iPhone Security Crisis: The Tale that Dogs the Wags

InfoWorld Publishes False Report on Mac Security

ZDNet Shill Confirms Credibility of ZDNet Shill.
How does ZDNet defend the business sense of hosting a false report on vulnerability numerology, a report Ou already used back in February, was corrected on, but then chose to spill out again for more click sensationalism now that ZDNet has promoted him from dancing shill to the author of its Zero Day security blog? And was nobody else at ZDNet more qualified than Ou to misrepresent statistics on Windows security?

With Ou’s credibility clearly lacking, ZDNet has been doing damage control in an effort to lend itself some credibility. ZDNet’s Ed Burnette volunteered to dismiss the overwhelmingly negative responses Ou got from his recycled article as “knee-jerk ‘this can’t be true’ reactions.”

Yes, we’re all so befuddled by Ou’s impressive vulnerability numerology that we can only be upset and ineffectually doubt the truth. Either that, or what I wrote. It appears nobody in the ZDNet organization is qualified to be writing about security, or Mac OS X, or perhaps even Microsoft.

Thanks to Michael Jackson for supplying the “Ou-ija” clairvoyance graphic.

Introductory prattle was moved into a separate posting after initial posting.

What do you think? I really like to hear from readers. Comment in the Forum or email me with your ideas.

28 comments

1 gus2000 { 12.21.07 at 1:12 am }

Calling Ou an idiot is an insult to idiots everywhere.

2 lightstab { 12.21.07 at 1:47 am }

I keep hearing these so-called security experts telling everybody the sky is falling and yet, we still have no viruses on OS X. I haven’t even heard of someone getting hit by that malware codec yet. Perhaps no one wants to admit that they went to a porn site and got tricked, but the truth is, until we hear some real feedback from actual users, it’s all just fluff and FUD.

Thanks, Dan, for exposing these morons for what they are.

3 treestman { 12.21.07 at 1:58 am }

Nice article, Daniel.

As you mentioned, Microsoft started using statistics instead of real attacks to measure security a while ago.

While the ZDNet article made me puke, I expected it because there was similar statistical dancing in March and June.

After the latter I called Microsoft on it here:

http://thesmallwave.blogspot.com/2007/06/microsoft-building-better-security.html

A couple weeks later I wrote a prequel about it here:

http://thesmallwave.blogspot.com/2007/08/microsoft-windows-security-revisited.html

4 Zak { 12.21.07 at 5:43 am }

Well done for going to the trouble of actually trying to make sense of Secunia’s data. It amazes me that FUD such as Ou’s article gets any credence. Just look at the facts: there are currently no OS X viruses affecting any users. Every wise-ass thinks that hackers are about to unleash a plague of OS X viruses without really understanding why this hasn’t already happened.

No code is totally safe but Apple’s mix of open source and rapid response added to a philosophy that the user owns the desktop appears to be a very good strategy for keeping the platform free from malware. Something our Windows using cousins don’t seem to grasp.

5 John Muir { 12.21.07 at 8:33 am }

“His core competency is pussyfooting around while dramatic music plays, but he isn’t even fun to watch because he spends most of his time arguing with his audience in a fit of rage, trying to justify one clumsy fall after another.”

And like the Dvoraks and Enderle’s of the world, he will have secure employment manning the fort for years to come. Page views and dirty bucks matter more to them than honesty or honour could ever hope to imagine.

6 Sqe { 12.21.07 at 8:54 am }

Friends of mine were already using Ou’s article to attack Mac OSX.

Gladly you made that clear.

7 Robert.Public { 12.21.07 at 9:24 am }

I would like to hear what microsoft actually pays these guys. I know they think people are idiots. Thanks Dan for taking the time to stand up for us – week after week. You’ve been on a roll for the last 2 weeks or so, keep it up!

8 warlock7 { 12.21.07 at 9:43 am }

Daniel, as always, a very interesting and informative read. I believe that something is off a bit though.

As I understand it, the Java SDK and the JRE running under OS X are the responsibility of Apple and not Sun. Apple and IBM both have taken on the responsibility for developing their own versions of Java while Sun is only responsible for Java on Windows, Linux and Solaris.

So, attributing those “…14 flaws in Sun’s Java SDK or JRE,” to Sun isn’t really fair or accurate. Those 14 flaws are, in fact, Apple’s responsibility and shouldn’t be brushed off so lightly, especially considering how slow Apple is to get their version in line with the Sun developed versions. I’ll give you that they are not part of the OS, but put the responsibility where it lies.

9 Bill { 12.21.07 at 10:59 am }

What you have not taken into account is the lack of a valid comparison by means of dissimilar collection of the data, reporting of the data and setting parameters for its collection. This is an invalid comparison as stated above for numerous other reasons, some mentioned above. They need to set parameters of OS only, shipped software or any software, etc… An unbiased team needs to sit down for a time period to uncover exploits using a parameter and rules. Only then can ‘the numbers speak for themselves.’ Were some of these vulnerabilities discovered by non-Apple employees and then just sent to them? Please help me understand how these vulnerabilities were found.

10 davebarnes { 12.21.07 at 11:48 am }

@Robert.Public “I would like to hear what Microsoft actually pays these guys.”
Microsoft pays them nothing.
You need to understand that what drives ZDnet is advertising. This means that eyeballs are important. They write/create controversy so people will visit their website. If they wrote a calm, sedate, reasoned article, then no one would visit and therefore no ad dollars.

11 Les { 12.21.07 at 12:44 pm }

“I know they think people are idiots.”

It’s not that they think people are idiots, they know the majority of people don’t have a master’s degree in OS security. A long, balanced article like this is more than most people are willing to read, let alone understand. And let’s be honest, OS security shouldn’t have to be the issue it is nowadays if MS hadn’t fucked up so badly in the past…

12 Robb { 12.21.07 at 1:07 pm }

I’m not naive about security in OS X and I know that nothing is completely secure, but after all these years of us talking smack about how we don’t get malware and we don’t get viruses, and with the Mac’s rising market share, wouldn’t someone, somewhere, create an exploit in the wild? Even if it was just to shut us up?

13 Steve Nagel { 12.21.07 at 1:30 pm }

Speaking of eyeballs. I sent a brief note of protest to the INQUIRER yesterday regarding their use of this issue to generate eyeballs. Funny, it wasn’t posted by the “moderator.” This must be the new journalism at work.

14 AndyLee { 12.21.07 at 1:48 pm }

This article is greatly appreciated, as are links in the comments. If only I thought it would actually convince the people I have in mind — people I know who would only hear “OS X has more vulnerabilities!” without thinking to question the methodology. Oh, and for *me* to question the methodology must make me a rabid Apple cultist. The parallels to far-right thought processes are so depressing.

One gripe: did you have to belittle ballet dancers to score a cheap shot against Ou?

15 khichdo { 12.21.07 at 2:05 pm }

I don’t understand why you always bring up this issue of employee count. How can you compare Microsoft’s 80,000 and Apple’s 12,000? I am sure you know that not all of the 80,000 work on Windows, just as not all of Apple’s 12,000 work on the Mac OS?

Also, Apple has the same advantage as Microsoft when compared to fixing undisclosed flaws in service releases and major OS releases. So that point is a wash.

Also, how is the fact that Vista is new supposed to matter anyway? Writing software is a complex undertaking, and there will always be bugs. Some of these will be remote execution, privilege execution etc. Nobody ever made a claim that Vista or Mac OS solved all security problems.

[The number of employees is a metric of company size. IIRC, ~4,000 of Apple's are retail staff. Microsoft has no retail stores. So comparing x to 4x is helpful in showing how much larger Microsoft is, despite only earning 2x as much. Apple also delivers many times more releases far more regularly. It also delivers far more successful implementations of its visions. Compare the last decade of Macworld plans with Microsoft's CES plans, all of which have completely failed apart from the billion dollar Xbox boondoggle, which is still ranked as a "success" because Microsoft can actually ship some. If you aren't aware of Vista being hailed as a security panacea, welcome to life outside the cave. - Dan]

16 Bill { 12.21.07 at 9:08 pm }

I’m still curious as to how these vulnerabilities are found. Does some hack send them to Apple or MS, or do company employees find them? Who finds them?

Thanks,

Bill

17 khichdo { 12.22.07 at 1:04 am }

Dan, if you are going to compare the employees, and then limit it to just OS releases, that is not a valid comparison. If you want to take all the employees, then you should compare all the software Microsoft releases with all the software that Apple releases. Microsoft has also delivered successful software in the enterprise space, e.g. SharePoint, Exchange etc.

[That's valid to point out, but compare how much revenue and profit Microsoft makes from its three monopolies (Windows, Server, Office). I posted the numbers: basically Office earns 66% profit margins ($11 billion on $16 billion), Windows earns 91% profit margins ($11.5 billion on $14 billion), but Server stuff combined only earns $3 billion on $11 billion in sales. So Microsoft might be focusing its development efforts at Server, but it isn't making money there because it faces some competition in that space (named Linux, Solaris, etc).

We also know Apple makes its money on consumer hardware, and software only reinforces those sales. So the fact that Apple is outmaneuvering Microsoft in desktop operating system development while also bringing in half its revenues overall, all while being a much smaller company, is relevant to consider. - Dan]

18 Bill { 12.22.07 at 9:34 am }

khichdo, these numbers show one thing, that Apple reports more [fixed, I think] vulnerabilities. That’s all. There was no control to compare how they were found or reported. There was no balanced method to determine what was to be reported or tallied, as stated above in my prior post. Therefore, no other valid conclusion can be made. The assertion that one OS is more secure than another is invalid in every scientific context. Yet, many above-mentioned names published that assertion; some are felt to be knowledgeable or experts. They are obviously not [I have published and evaluated numerous scientific papers], and actually could be sued for slander or at least reprimanded by their employer. So if they are allowed to publish whatever wrong assertions or data, I am sure that Dan can publish anything he wants as well. Please go to their blog to complain.

Other assertions are that Microsoft just does not report their patched vulnerabilities [my understanding is that they were the patched ones that were reported] the same way, or patches fewer. Or that hackers are not reporting them to MS, but may just be using them to turn Windows computers into spambots. I can go on and on, but none of it is valid. And we have not even gone on to show that the bundled Mac OS tally includes at least 3 versions. Could Vista have fewer vulnerabilities than Leopard? Sure, but a balanced method of discovery, collection and reporting with absolute rules must be accomplished with a panel of experts. Otherwise it’s all BS. It’s hard for me to believe that Rasmussen or anyone else would make that statement. They are either idiots or have another agenda. I bet that it is the latter.
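The point made in the comments above, that the same set of advisories can be scoped as “OS only” or “anything shipped”, counted once per advisory or once per affected release, and that the Mac tally spans several OS versions, is easy to make concrete. The script below is an added example, not part of the post or of any comment: it takes one constructed advisory set for two invented products (“OS A” and “OS B”, with placeholder IDs like “ID-1” that are not real CVE numbers and not Secunia data) and counts it under four different policies. Which product “has more vulnerabilities” flips depending on the policy chosen, which is why an unstated counting rule makes the headline number meaningless.

```python
"""Count one constructed advisory set under several scoping rules.

Added example for this thread, not code from the post or any commenter.
Every product, version, component and identifier below is a constructed
placeholder; nothing here is Secunia data or a real CVE number.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str               # which OS the advisory is filed under
    component: str             # affected component
    third_party: bool          # maintained by another vendor but tracked with the OS
    versions: Tuple[str, ...]  # OS releases that one advisory covers
    ids: Tuple[str, ...]       # flaw identifiers fixed by the advisory (placeholders)


# Constructed sample. "OS A" supports three releases at once and bundles
# third-party runtimes; "OS B" has one release in the window.
SAMPLE: List[Advisory] = [
    Advisory("OS A", "kernel",  False, ("A-3", "A-4", "A-5"), ("ID-1", "ID-2")),
    Advisory("OS A", "java",    True,  ("A-4", "A-5"),        ("ID-3", "ID-4", "ID-5", "ID-6")),
    Advisory("OS A", "browser", False, ("A-5",),              ("ID-7",)),
    Advisory("OS A", "flash",   True,  ("A-4", "A-5"),        ("ID-8",)),
    Advisory("OS B", "kernel",  False, ("B-1",),              ("ID-9", "ID-10", "ID-11")),
    Advisory("OS B", "shell",   False, ("B-1",),              ("ID-12",)),
    Advisory("OS B", "java",    True,  ("B-1",),              ("ID-13", "ID-14", "ID-15", "ID-16")),
]


def _for(advs: List[Advisory], product: str) -> List[Advisory]:
    return [a for a in advs if a.product == product]


def advisories(advs: List[Advisory], product: str) -> int:
    """One count per published advisory, whatever it covers."""
    return len(_for(advs, product))


def advisory_x_version(advs: List[Advisory], product: str) -> int:
    """One count per (advisory, affected release) pair.

    This is the rule that inflates a vendor which keeps several releases
    in support at once: the same fix is tallied three times if it ships
    for three releases.
    """
    return sum(len(a.versions) for a in _for(advs, product))


def unique_ids(advs: List[Advisory], product: str) -> int:
    """Distinct flaw identifiers, regardless of how many advisories or releases."""
    return len({i for a in _for(advs, product) for i in a.ids})


def unique_ids_os_only(advs: List[Advisory], product: str) -> int:
    """Distinct identifiers in components the OS vendor itself maintains."""
    return len({i for a in _for(advs, product) if not a.third_party for i in a.ids})


POLICIES: Dict[str, Callable[[List[Advisory], str], int]] = {
    "advisories": advisories,
    "advisory_x_version": advisory_x_version,
    "unique_ids": unique_ids,
    "unique_ids_os_only": unique_ids_os_only,
}


def ranking(advs: List[Advisory], policy: str) -> List[Tuple[str, int]]:
    """Products ordered by count under one policy, highest first (ties by name)."""
    count = POLICIES[policy]
    products = sorted({a.product for a in advs})
    return sorted(((p, count(advs, p)) for p in products), key=lambda pc: (-pc[1], pc[0]))


def report(advs: List[Advisory] = SAMPLE) -> Dict[str, List[Tuple[str, int]]]:
    """Every policy's ranking side by side, so the flip is visible at a glance."""
    return {name: ranking(advs, name) for name in POLICIES}


if __name__ == "__main__":
    for name, ranked in report().items():
        print(f"{name:20s} " + ", ".join(f"{p}={n}" for p, n in ranked))
```

On this constructed data, counting per advisory or per advisory-and-release puts “OS A” well ahead; counting distinct identifiers makes the two products tie; and restricting the tally to components the OS vendor maintains itself puts “OS B” ahead. Nothing about the underlying flaws changed between rows, only the rule used to count them.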

19 danieleran { 12.22.07 at 10:57 pm }

[This article was posted to slashdot and received some interesting comments there]

http://it.slashdot.org/comments.pl?sid=396432&cid=21780042

Is Secunia presenting slanted information with the expectation it will be misused?

Here’s one even better: We use GeSHi [qbnz.com] (Generic Syntax Highlighter) in WikkaWiki [wikkawiki.org]. We often scour the so-called “security vulnerability” databases because we’ve found many inaccuracies. In this specific case, Secunia issued this statement:

> we noticed the following entry in the changelog for GeSHi 1.0.7.18 and
> are about to issue an advisory based on this information.
>
> “Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier”
> http://sourceforge.net/project/shownotes.php?release_id=489035 [sourceforge.net]
>
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.

WTF? This was a vulnerability in PHP’s htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its “vulnerability count” at the expense of a project that had absolutely NOTHING to do with the vulnerability.

You see, these so-called “vulnerability experts” try to wring out as many vulnerabilities as possible, because we all know that the most effective “vulnerability expert” will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don’t exist.

Or an even worse practice: “bottom-fishing” changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here’s another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected [secunia.com] the false report.

We’ve caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called “vulnerability intelligence” out there that is blatantly false, outdated, or inaccurate.

20 avocade { 12.24.07 at 9:43 am }

Fraud is a big word. Agree about the general sentiment of the article, however.

21 lilgto64 { 01.04.08 at 10:12 am }

I think Mark Twain said it best:

“There are three kinds of lies: lies, damned lies and statistics.”

source: http://www.twainquotes.com/Statistics.html

22 jabberwolf { 01.10.08 at 12:25 am }

So?

Your ENTIRE article tries to make excuses for about 1/3 of the holes. That still leaves OSX with about 10 times the security breaches!!!

It’s kinda sad that mactards can’t face the truth!
But it only shows how pathetic they can be when faced with facts… excuses, excuses.

That’s the difference, Windows users aren’t fans, we don’t make excuses, we just want a fix, not an excuse.

Someone said why OSX doesn’t get many viruses. Just based on the market share they won’t spread a virus as fast, nor will it actually make it to many of its users.

Simple math mactards lack: exponential versus linear spread. Macs are more linear contact by numbers, MS users more exponential.

23 Bill { 01.10.08 at 9:20 am }

Actually Jabberwolf, you are both rude and stupid. If you can read above or at least know a little about statistics and valid data collection and evaluation, then you would understand that the assertions are invalid. Besides the fact that Secunia doesn’t even find most of the data, only reports what they find, even when wrong, causing them to retract it when challenged. And the fact that the compilation was made by Mac bashers like yourself, who lack any credibility. Yes Jabbiemouth, you are the stupid idiot.
Windows girls go to Mac sites to badger, when Mac fans go to Windows sites to defend the Mac bashing. It’s so sad that you fools can’t leave us alone. If the market share is as low as you say, then why not ignore us? Oh yeah, you are all rude and stupid. Good luck with the zillion viruses, trojans, and malware. I hope that your 3 to 5 programs to try and prevent or eliminate them work. Talk about insecure! It’s Windows and winfans! Just to let you know, 4 friends with completely disabled Windows XP computers had a total of over 600 viruses and more malware and trojan horses. It’s real, unlike the crap that was published by Ou and company from an incompetent company that tries to prove its existence by listing wrongware [Secunia]. Secunia should be sued for fraud. One other thing dumbass, if you checked, most of the Apple data was from OS 10.3, which was 2 operating systems ago, and of course all patched. Microsoft just doesn’t care to tell you how insecure Windows is, but the real tally of successful exploitations is the fact [you stupid butthead].

24 Tom Krazit of CNET and Eric Savitz of Barrons Deny the Jesus Phone — RoughlyDrafted Magazine { 01.26.08 at 6:38 am }

[...] The iTunes Monopoly/Failure Myth Who Was the Biggest Loser at Macworld? Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd [...]

25 CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security — RoughlyDrafted Magazine { 03.28.08 at 10:06 am }

[...] Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster? PdfMeNot.com – 0-Day Patch Study Why the Swiss Study was Fatally Flawed. The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed. [...]

26 AppleMania.info » Numerologia da vulnerabilidade de George Ou é absurda, diz especialista { 07.04.08 at 7:27 am }

[...] detalhes no extenso e altamente recomendável artigo completo de [...]

27 Microsoft’s Mojave Experiment Exposes Serious Vista Problems — RoughlyDrafted Magazine { 08.15.08 at 4:28 am }

[...] Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd [...]

28 softwareDev78 { 06.06.10 at 9:21 pm }

I really like the way this article questions the absurdity and ambiguity of security flaw reporting. While it’s not easy to provide an accurate summary of security flaws, it seems clear there is an obvious bias in favor of Windows over OSX.
As an experienced software developer and in-depth user of all Windows operating systems and Apple OSX, I would state, in my humble opinion, that Apple’s OS X has been far more stable and secure than any version of Windows I have had the misfortune of using.
This is not to say I’ve never had any problems using OSX; however, I’ve not experienced any security issue with OSX and I’ve used all sorts of open source and third party software on it for years.
