My Headlines

Saturday, March 29, 2008

Vista or Mac or XP: Is One Less Secure Than the Other?

by Don Burnett

It's been an interesting week... For months I have heard from Mac owners that Mac OS X was more secure than Vista and that you don't even need virus or malware protection... Now, I have known this is not true, but those "anti-PC" Apple ads keep touting OS X and trashing Vista's security enhancements and the PC in general. I guess the news this week pretty much proved that wrong.

 

Evidence One: LinuxWorld/IDG News Service

http://www.linuxworld.com/news/2008/032708-gone-in-2-minutes-mac.html

Quote: "It may be the quickest $10,000 Charlie Miller ever earned. He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest Applied Security conference's PWN 2 OWN hacking contest."

 

Evidence Two: ComputerWorld

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9072498&taxonomyId=85

Quote: "March 27, 2008 (IDG News Service) Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday. Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0day (zero-day) patch rate. They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study."

 

Evidence Three: CSO Security and Risk Blog: Jeff Jones (Security by the Numbers)

http://blogs.csoonline.com/windows_vista_one_year_vulnerability_report

Quote: "The results of the analysis show that Windows Vista continues to show a trend of fewer vulnerabilities at the one year mark compared to its predecessor product Windows XP (which did not benefit from the SDL). If you are interested in how it did compared with Red Hat, Ubuntu and Apple Mac OS X, you'll need to download the full report. If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own ..."

According to his report, Vista was more secure than OS X (10.4) or Windows XP. These are great reads for those who are still on XP or have "switched" to Apple OS X machines.

Evidence Four: ComputerWorld: Julia King

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=312300

Quote: "Mac switch revisited: An enterprise PC shop's move to Apple isn't as easy as expected...Auto Warehousing Co.'s switch from PCs to Macs is proving more painful than expected."

Even though this company has been committed to moving to be a Mac-based enterprise, the story really details differences and extra costs...

Summary: My read on all of this: no one operating system is really secure; at best, the OS can do things to minimize these things. As I understand it, there are over 200 vulnerabilities still unpatched on OS X. I look forward to seeing these numbers go down over the years to come. It looks like some of these companies are finally "getting it" with regard to the importance of secure systems.

4 comments:

ViewRoyal said...

You really should have read this before writing your article:
http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/

I am a lover of children's literature said...

The most important thing to note is: Since Mac is picking up market at a fast pace, why is it, if OS X is so easy to hack, that not one... and I repeat: NOT ONE OS X machine has EVER been reported to have been hit by a hack in the wild since it came out .... some seven years now?

Hacking into a machine by lowering the rules, in a controlled environment, is one thing; hacking into a machine in the wild is another!

Don Burnett said...

It wouldn't change my mind. I own a Mac Mini, and I saw the hell people were going through during the last security update that was sent thru Apple's Software Update program.

Also, did you read the last comment, the "YEAR OF VISTA" security report from Jeff Jones of Security By the Numbers? He is someone that I very much trust about things, and it turns out that Vista is an incredibly secure OS when compared to XP and the Mac.

People don't take security on Apple Mac platforms very seriously; in fact, I have 3 friends who don't even run Symantec Anti-Virus. I do run anti-virus and I have been doing so on Macs way before Mac OS X.

I think you are too platform religious to make the comments you are making. I read the comments and they are saying because "Microsoft Sponsored" the event, somehow this contest and the results are invalid. That's a load of you know what.

What's under Mac OS X and its nice GUI interface? A version of a Unix OS. Unix and variants over the years have been attacked and hacked and UPDATED more than any other OS. Darwin isn't/wasn't any less subject to attack than any other Unix variant.

None of the entries on RoughlyDrafted even address the 200 or so unfixed and publicly mentioned vulnerabilities in OS X.

The fact is Vista is a complete RE-WRITE of Windows from the ground up including IIS. The RoughlyDrafted author doesn't acknowledge this and is still talking about Windows as a whole, while my comments are addressing Vista itself.

Let's address the iPhone versus PC comments (Apples to Oranges, he should have talked about Windows Mobile)...

"the installed base is currently too small to be used for botnet spamming.."

Very hard to believe, but on a Windows Mobile phone it's doubtful they can get on a botnet with that either.



"the network uplink speed is also too slow and/or spotty to be used for spamming,
unlike wide-open Windows, the iPhone is closed and any open exploits can be pinched off quickly.."

If we are talking about Windows Mobile phones, Sprint, for instance, locks down the phone so you have to get "approved" applications.


"software updates on the iPhone are much easier to deliver and install than PC updates,
unlike a PC, the iPhone can be instantly cleaned up by plugging it into iTunes and hitting Restore."

If we are talking phones, Windows Mobile has a master reset option, and a sync back up and restore.

On Windows Vista Ultimate you get an image-based back up and restore much like "Norton Ghost".

Why is this guy comparing a phone to a PC?

The fact is NUMBERS don't lie. I don't even use the Swiss study with my comments. I am using the Security by the Numbers white paper on this.

The reality of this is the Mac is just as secure as any other platform. It's true that with Windows Vista's complete re-write of security it's getting updated less.

The info you gave me makes comments based on emotional argument, not numbers. Security people will tell you the numbers reflect the reality of things.

Don Burnett said...

From Macworld UK:

http://www.macworld.co.uk/news/index.cfm?NewsID=14018

Maybe it's low marketshare that's going in Apple's favor. My point is that it's probably no better or worse than any other system.

There have been two virus/trojan threats in the past couple of years:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

http://www.symantec.com/security_response/writeup.jsp?docid=2006-063013-2645-99

As far as machines being hacked, would people even know if they were being hacked? That's just a question. Most hackers try not to leave evidence. It's amazing that people seem to know where the Mac is exploitable.

I think as the Mac gets more popular it's only a matter of time. People forget that before Mac OS X there were plenty of problems and viruses on classic Mac OS.