Surprise... Mac versus Windows vulnerability stats for 2007

re: Surprise... Mac versus Windows vulnerability stats for 2007

happybox23 — Mon, 24 Dec 2007 05:24:28 GMT

a fact: who the hell cares making a virus for a computer that is below 10 percent in the market share they are just wasting their time making such and its not worth it thats why no viruses does really attack mac platform at the moment....im not a pc fan but i prefer pc right at this time due to hardware and software support. if apple really wants to go head to head with microsoft make your OS compatible to non-apple hardware....

I Organize » Blog Archive » Surprise??? Mac versus Windows vulnerability stats for 2007Paul's …

Mon, 24 Dec 2007 00:39:37 GMT

Pingback from I Organize » Blog Archive » Surprise??? Mac versus Windows vulnerability stats for 2007Paul's …

Surprise… Mac versus Windows vulnerability stats for 2007Paul's SuperSite blog | Techitorial Gadget Reviews and Tech Updates

Sun, 23 Dec 2007 19:12:49 GMT

Pingback from Surprise… Mac versus Windows vulnerability stats for 2007Paul's SuperSite blog | Techitorial Gadget Reviews and Tech Updates

Learn about apples » Blog Archive » re: Surprise… Mac versus Windows vulnerability stats for 2007

Sun, 23 Dec 2007 09:31:05 GMT

Pingback from Learn about apples » Blog Archive » re: Surprise… Mac versus Windows vulnerability stats for 2007

re: Surprise... Mac versus Windows vulnerability stats for 2007

DRWAM — Fri, 21 Dec 2007 12:44:06 GMT

With all due respect, I 'get it' all too well. I have published scientific papers and know what valid accurate data collection is supposed to be, and this collection of data for comparison purposes is not valid [which is exactly what has been done as you can see in the side-by-side chart], regardless of where it came from [feel free to type Apple in caps all you want it's still flawed/invalid for this comparison]. Any conclusion from such comparison is therefore invalid. Also, adding your comments to my words to make their meaning fit your defense/and invalidate is a little over the top ['Who's interest...']. You either did not understand what I wrote, or something else...Either way you are quite wrong, no matter what part of the data you like to defend. This is just an invalid comparison. Again [should I type caps?] if you look for vulnerabilities of 3rd party software, AND reported them, I would bet that Windows has infinitely more by the great volume of software. But an exhaustive detailed, unbiased method of collecting and reporting did not even close to get accomplished in this data, in any parameter. [shipped software only, OS only, all software ever written, whatever...]

Could Vista or XP has less vulnerabilities than Leopard or Tiger? Absolutely possible. But to do a fare, unbiased comparison, you cannot use the method employed in the above data. I guess that I was a little redundant.

re: Surprise... Mac versus Windows vulnerability stats for 2007

Auras — Fri, 21 Dec 2007 12:05:43 GMT

Another fact why there are so many exploits for 3rd party apps is because they are pre-installed with OS X (i.e. ruby, java, adobe acrobat, safari) but they are not on any copy of windows install media.

re: Surprise... Mac versus Windows vulnerability stats for 2007

drylight — Fri, 21 Dec 2007 10:30:29 GMT

Some facts and reality for you uneducated Windows fanboys.

www.roughlydrafted.com/.../vista-vs-mac-os-x-security-why-george-ous-zdnet-vulnerability-numerology-is-absurd

re: Surprise... Mac versus Windows vulnerability stats for 2007

Dipsh t Admin — Fri, 21 Dec 2007 02:28:40 GMT

You are not really getting it.

The listing that Ou compiled, which he got from Secunia, which culls CVE data, shows the vulnerabilities that were patched during any given month. For the month of December, according to the list by Ou, they had a ton that ***APPLE*** has acknowledged and FIXED themselves. As in, APPLE's programmers in Cupertino sat down and programmed away these vulnerabilities, then released a patch or series of patches to fix them. There really is no flawed methodology, and since Secunia is only reporting what --->APPLE<--- is *FIXING*, there really is no ambiguity. If you don't agree with this, then you are not agreeing with Apple's own disclosure of vulnerabilities and fixes.

Directly from APPLE, you can find this information listed here: lists.apple.com/.../msg00001.html

Very straight forward, as it is on APPLE's web site, on APPLE's security announcement list, and is patched by APPLE.

Straight from that article, it states:

"Java Release 6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

www.apple.com/.../"

The Java update is being supplied by APPLE!

A little bit better explanation of patched vulnerabilities here:

docs.info.apple.com/article.html

Once again, on APPLE's web site.

In reference to the Java issue, see here:

docs.info.apple.com/article.html

Count the number of CVE's referenced in the lower part of the article. I did it, and guess what, it comes to? 16, the amount you mentioned.

"Apple is reporting what some person spent many hours hacking away, as it was in his interest to produce such data"

Who's interest? Do you mean Ou found all of these vulnerabilities? If you do think this, then you are very wrong, and you are not reading what is being posted in the list.

re: Surprise... Mac versus Windows vulnerability stats for 2007

DRWAM — Thu, 20 Dec 2007 22:49:21 GMT

I see your point, but don't agree. Apple is reporting what some person spent many hours hacking away, as it was in his interest to produce such data. [He probably would of had more fun trying to pick up chicks, but to each his own]. There was no indendent study looking for these exploits and Microsoft may not be doing the same type of reporting, so a comparison data/report is statistically flawed and the methodolgy for this reporting is flawed. Also, I meant that the person tallying the vulnerabilities [Apple just listed them as reported by specific users] as OS vulnerabilities is wrong. The link you supplied is for JAVA, and there is a report that Apple does not use ["There are 16 reports in the OS X column for the Sun JRE/JDK. However, Sun does not provide a JVM for OS X"]. Sorry, but I think that the tally and method are wrong. If a group of numerous people sat down for a few months and searched for vulnerabilities in any software, don't you think that the gizillion software titles for Windows would find many, many more in Windows than on a Mac just because there is a zillion more apps for Windows? I do, and I bet most sensible person would as well.

But, lets assume that the tally is correct, since that is all we have. Isn't it ironic that people were claiming that Bill Gates was delusional when he stated something to the effect that the Mac had more vulnerabilities, and he turns out to be correct! You gotta love the media. They are pretty much all self serving pecker heads.

re: Surprise... Mac versus Windows vulnerability stats for 2007

Dipsh t Admin — Thu, 20 Dec 2007 20:30:02 GMT

"don't and many others don't agree with them"

By them you mean Apple? Because, once again, Secunia and CVE don't use some black art to determine these vulns, they use the data from the security community and the software publishers.

"stating that a 3rd party security problem is the OS problem is wrong, flawed and inappropriate when reporting OS vulnerabilities"

Hmm, now we are getting in to an interesting situation. If Quicktime and Acrobat (two very popular attack vectors on Windows) allows a piece of malware to get through, who gets the blame? No doubt, Apple and Adobe should get the blame in these cases, but how many of the same people right here on this board would squawk about how bad the security is on Windows (fivepoint I'm looking at you)? Now if Office 2008 allows a piece of malware to get through on a Mac, guess who will get the blame by many of the people on this board? No need to respond, we already know the answer.

"If Ou did it, then he is the wrongster instead of Secunia."

Wrong on both accounts. Apple is the "wrongster" as you put it. They (being Apple of Cupertino) are fixing these vulnerabilities and offering them for download. Look at the security fixes that Apple posts, it's all there for anyone who wants to look. Secunia and the CVE are just clearinghouses for this data. Ou is analyzing it. You can complain about how the data is being analyzed, but you CAN NOT complain about where the data is coming from, because, like I have now said 2-3 times, the data is coming directly from ***APPLE***! Once again, see where this data is coming from right here, hosted on Apple's web site:

--> lists.apple.com/.../Security-announce <--

re: Surprise... Mac versus Windows vulnerability stats for 2007

DRWAM — Thu, 20 Dec 2007 19:41:10 GMT

Yep, but some of the quotes state that Apple is reporting vulnerabilitiesm that are in third party software, not the OS, and that these are in the list, and obviously should not be there. So sorry, I don't and many others don't agree with them, and stating that a 3rd party security problem is the OS problem is wrong, flawed and inappropriate when reporting OS vulnerabilities. If Ou did it, then he is the wrongster instead of Secunia. But Ou is and has been a Mac basher for a long time and anything that he reports should be scrutinized due to heavy bias. Also, not using XP Home in the data and not separating the older Mac OS's is just not fair, but that's just what was done, and more. Here's the link with the much of the rebuttal:

blogs.zdnet.com/Burnette

re: Surprise... Mac versus Windows vulnerability stats for 2007

Dipsh t Admin — Thu, 20 Dec 2007 18:31:53 GMT

"CVE-2007-3504 is described as Windows-only. However, it appears in the OS X column."

Once again, when you see these in the list the Ou provided, they are things that *APPLE* is providing as bug fixes. Take a look at this link:

lists.apple.com/.../msg00001.html

This CVE is listed in it, and when you go to the bottom, you can see that *APPLE* is updating it as part of updating the OS.

Those outside of the IT or security communities may have never heard of Secunia, but they are indeed very well respected, and they simply don't make stuff up. These vulnerabilities that they list are provided to them by other parties.

To rehash:

The list that Ou provides is exactly from what Apple provides, ie, these are the things that Apple is updating in its OS software. No matter what everyone finds in CVE's listed, they are being patched by Apple. This information comes directly from their "security-announce" mailing list. Since all of this data is originating from the same place, Apple, we can all assume that it is true. In that regard, the general methodology is solid. However, since the lists that Secunia provides, and Apple's own method of reporting is different and not as fine grained as MS, the analysis has to be deeper since you can not compare Apples (of Cupertino) to Apples (NOT of Cupertino).

Once again, for those that may have some turtleneck fuzz stuck in their brains, the list that George Ou provides is from Apple directly by way of Secunia and CVE. Apple extensively uses the CVE, like they should, and Secunia culls the CVE information.

re: Surprise... Mac versus Windows vulnerability stats for 2007

DRWAM — Thu, 20 Dec 2007 17:20:05 GMT

oops, more importantly, thank you all for your help with aiding my partners computer selections. the recent 3 went well, and the dv9500t series 17in laptop from the HP Home & and Home Office makes me drool more than when I look at my wife's butt. It's sweet... and so is the laptop!

re: Surprise... Mac versus Windows vulnerability stats for 2007

DRWAM — Thu, 20 Dec 2007 17:02:07 GMT

Some of this [their are plenty more] from ZDnet blows a few holes in those numbers, clearly indicating that the report [from the renown expert Secunia?] is flawed, skewed and plain old wrong:

"There are 16 reports in the OS X column for the Sun JRE/JDK. However, Sun does not provide a JVM for OS X. Indeed, the corresponding CVE reports don’t list OS X as an affected OS. Why are those reports in the OS X column ?"

"The OS X column also contains Ruby on Rails vulns. And Safari 3 vulns (which Apples lists under OS X AND Windows but not you). And Adobe Flash player."

"CVE-2007-3504 is described as Windows-only. However, it appears in the OS X column."

"The problem being that you are only reporting CVEs for Windows for the XP Professional and Vista products (leaving out the Home Edition and Server products). However, you are reporting all OS X CVEs, including any for 10.0, 10.1, 10.2, 10.3, and their respective SERVER products because Secunia doesn’t provide a finer-grained OS X search"

There were many more brilliant comments explaining why the stats are a load of crap, but hey, I'm just a doctor, not an IT guy.

re: Surprise... Mac versus Windows vulnerability stats for 2007

Xtreem0 — Wed, 19 Dec 2007 22:59:59 GMT

personaly vista is as good for people who want to do symple things as well as complex ones. OSX i fined to be about the same. (i just dont like how it works personal choice) but xp has to be the worst operating system out there.. Example..

XP: 1 month 2 spyware (god knows were...)

Vista 1 year 0spyware 0 vireses (no anti vires!)

now for me i cannot complain anymore when it comes to using windows. But i will never say xp was a great operating system.