Mac OS X security myth exposed

And thousands of other products and OSes given security rundown.

Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004 sheds light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.

One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

Its new service, easily acessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.

Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time,the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.

As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.

Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.

Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."


What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.


Characters remaining: 500

Add your commentComments

xjh | Published: 10:17 GMT, 17 November 2009

The reason why mac has so few viruses is because mac is not as widely used as windows, so it is common sense to try and do a hack that will affect more users.

asdf | Published: 12:05 GMT, 11 November 2009

As i turn on my win7 in 2s, this is not an argument...

Ivan | Published: 21:39 GMT, 04 November 2009

Its very nice to walk into the office and start work while listening to the Win-men trying get setup complaining of how slow their PCs have become. I get behind my desk and open my Laptop and start work. The Win-men keep complaining. I use to be, now I work.

RHP | Published: 21:31 GMT, 13 October 2009

http://news.techworld.com/security/5392/worlds-first-os-x-virus-hits-apple/ You are mistaken, there ARE viruses for Mac OSX, and it doesn't matter if there isn't viruses anyway, hackers can easily hack OS X.

Kevin | Published: 21:24 GMT, 30 August 2009

@Lee - There are a lot of viruses for OS X. If you don't believe me, Google "Mac antivirus" and try to explain why OS X has anti-virus programs if no viruses exist.

Andrew | Published: 04:22 GMT, 12 February 2009

The data this is based on is so out of date its laughable - 2003-4?! What use is that to anyone in 2009? Or even 2007 when most people replied to this

lee | Published: 15:55 GMT, 20 January 2009

First, this article was written in 2004. Still, there is not one virus for a mac, not one at all. And this is because the OS is based on UNIX. Secondly, Mac OS 9 had a couple hundred viruses for it, with hardly any market-share, and when apple rebuilt the OS and called it OS X not one virus is available for it. OS X came out in 2001, it is now 2009 and not one virus, and has triple the marketshare of OS 9. Seriously, if any one of you could code, hack and crack, wouldn't you try to write a virus for mac, just to shut mac users up. So think of how many people hate mac, and probably quite a few of them can actually hack, don't you think they would have tried to infect a mac. So far it looks as if they have failed. I find it funny how Windows Fanboys (which are worse than mac fanboys) clutch at straws just to defend the bloatware they are using. So there goes the market-share myth....

Lindows OS X | Published: 03:09 GMT, 04 January 2009

In 4 years my Mac has NEVER got a trojan, spyware etc. I just spent 3 hours cleaning popup adware off my PC (with McAfee, firewall etc). This is a monthly PC problem! No comparison between the two OSs, Mac is superior :)

Lindows OS X | Published: 03:06 GMT, 04 January 2009

In 4 years my Mac has NEVER got a trojan, spyware etc. I just spent 3 hours cleaning popup adware off my PC (with McAfee, firewall etc). This is a monthly PC problem! No comparison between the two OSs, Mac is superior :)

magnetik | Published: 10:56 GMT, 17 November 2008

People don't realise that Secunia includes exploits for software like Apache, bundled with the OS, in the OS X list. A true comparison would be to compare OS X with a Windows machine loaded with every program written by M$ such as Exchange etc. Secondly, a lot of these "exploits" require legacy services to be turned on, which 99% of Macs will not be doing. A more realistic comparison would be to compare the *default* set up of Windows and OS X. What's more likely to be exploited, a freshly installed Windows machine with no anti-virus, firewall etc. or a fresh OS X install? I know what I'd bet my money on!

Related Security news

Microsoft denies building security 'backdoor' in Windows 7

Privacy organisations shouldn't read too much into NSA involvement it says

Pentagon expands exclusive deal with McAfee

Department of Defense uses McAfee products

Police arrest pair over global banking web scam

Man and woman arrested in Manchester for using notorious Zeus Trojan

Security star Fortinet sets price for IPO

Investors still have taste for tech.



Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Service-oriented security

SOA has become an integral part of enterprise software by providing a framework to efficiently develop software as services that is easily sharable, reusable, and integrated. No where is the need more apparent than in the Identity Management space. Welcome to the age of Service-Oriented Security (SOS).

Download Whitepaper

Data protection prospective vendor checklist

Organisations need a way to map business needs against all these challenges in procuring a technical solution. To help, SANS has developed the following Prospective Vendor Checklist.

Download Whitepaper

Unlock the power of the mainframe

This whitepaper presents the notion of CICS as an integration hub based on a component-based, service-oriented architecture supporting Web services. Highlights will review the challenges and contrasted support for Web services natively in CICS.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper
BMC

Ride the express lane in the journey to speed ITIL adoption

Explore the challenges in making the journey to ITIL and the criteria for selecting consulting services
By following ITIL practices, your IT organisation will become more closely integrated with the business. We recommend making the journey to ITIL in a sequence of six incremental steps, the phases of which are driven through execution of a strategic transformational roadmap.

Download white paper

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *