Vulnerability statistics for Mac and Windows
ZDNet ^ | February 28, 2006 | George Ou

Posted on 02/28/2006 6:57:54 PM PST by elfman2

In yesterday's article "Is Mac OS as safe as ever", Joris Evers poses the age-old question of whether Mac OS security is myth or reality. I decided to settle this once and for all with some hard numbers from the independent security research group Secunia along with the number of CVE issues for Microsoft Windows XP and Mac OS X within the last two years.

Before I post the data, I want to make a few things clear since I keep getting the same questions and accusations every single time I post data on vulnerability statistics.

- When visiting the Secunia links I provide in this blog, please DO NOT quote me on the number of advisories for a particular OS and blast me for getting the numbers wrong. I am NOT counting advisories; I'm counting the actual number of vulnerabilities. There are many advisories that contain multiple vulnerabilities and CVE IDs. Sorry for the shouting, but I get about 10 of these "I don't count the same number of issues" every time.

- No matter what some people may say, vulnerability ratings from Secunia are a valid measurement of security risk. If we can't count the number of actual security vulnerabilities (with severity and patch status in mind), what can we count?

- There seems to be a cavalier attitude that a vulnerability is not a problem if it hasn't been widely hacked yet. The truth is that professional hackers don't want notoriety because it's bad for business. Before Microsoft's infamous WMF vulnerability was infamous because of all the press coverage, it sold on the black market for $4000. Nothing kills a money maker in the digital underworld faster than public exposure.

- There will always be those who say vulnerabilities are only "theoretical". Anyone who feels this way should leave their computers unpatched for all "theoretical" problems and post their email and IP address in the talkback section and I'll be sure to forward a copy to the hacker forums. I'm sure it probably won't be a problem since the problem is only "theoretical".

- I make no claims on which operating system is better. You look at the data and you be the judge

- The three most severe levels of vulnerabilities from Secunia are analyzed in this chart.

- The two less critical categories from Secunia were left out so the significant data will fit better on the screen.

- The grayed out section represents the vendor with the worst security of the month.

- Red font text represents unpatched vulnerabilities correlating to the degree of vulnerability. For example in the month of February 2006, Apple's Meta data shell script execution flaw hasn't been fixed yet so it gets a red 1 in the extremely vulnerable column.

The data is clear, and Apple has a lot more vulnerabilities of every kind ranging from moderately critical to extremely critical. While Windows had some months with more security disclosures, they are more spread out, while Apple tends to release mega-advisories with dozens of vulnerabilities at a time. There were seven months where Apple disclosed a dozen or more highly critical vulnerabilities, and August 2005 saw nearly three dozen of them. One of the most severe zero-day exploits for Mac OS X, disclosed this month with a working proof-of-concept, has yet to be patched, so we'll have to wait and see how long it takes Apple to release a patch.

Microsoft on the other hand seems to let some moderately critical and even one highly critical vulnerability go unpatched for more than a year. I've hammered Microsoft for this issue in the past and Microsoft has responded to me that they are clarifying some of these issues with Secunia because some of the unpatched vulnerabilities may be moot. I'm still waiting for Microsoft's detailed explanation on these unpatched vulnerabilities.


TOPICS: Computers/Internet
KEYWORDS: maxwindowsvirus; suckunia

1 posted on 02/28/2006 6:57:56 PM PST by elfman2
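The article's first bullet point is a methodological one: count vulnerabilities (distinct CVE IDs, with severity and patch status), not advisories, because one advisory can bundle many CVE IDs. The following Python script is an added example, not part of the ZDNet article or of Secunia's tooling; the advisory records, vendor names, months and CVE IDs in it are constructed placeholders. It tabulates the two counts side by side so the difference is visible, and it handles the re-issue case (the same CVE ID appearing in a later advisory) by counting the ID once.

```python
from collections import defaultdict

# The three most severe Secunia levels the article analyses, most severe first.
SEVERITIES = ("extremely critical", "highly critical", "moderately critical")

# Constructed sample advisories (not Secunia data). Vendor names, months and
# CVE IDs are placeholders. One advisory may bundle several CVE IDs, and the
# same CVE ID may be re-issued in a later advisory once a fix ships.
SAMPLE_ADVISORIES = [
    {"id": "ADV-1", "vendor": "VendorA", "month": "2006-02", "severity": "extremely critical",
     "patched": False, "cves": ["CVE-0000-0001"]},
    {"id": "ADV-2", "vendor": "VendorA", "month": "2006-02", "severity": "highly critical",
     "patched": True, "cves": ["CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]},
    {"id": "ADV-3", "vendor": "VendorB", "month": "2006-02", "severity": "highly critical",
     "patched": True, "cves": ["CVE-0000-0005"]},
    {"id": "ADV-4", "vendor": "VendorB", "month": "2006-02", "severity": "moderately critical",
     "patched": False, "cves": ["CVE-0000-0006", "CVE-0000-0007"]},
    # Re-issue of ADV-4 after a fix for one of its two CVE IDs was released.
    {"id": "ADV-5", "vendor": "VendorB", "month": "2006-02", "severity": "moderately critical",
     "patched": True, "cves": ["CVE-0000-0006"]},
]


def count_advisories(advisories):
    """Advisories per (vendor, month): the number the article says NOT to use."""
    counts = defaultdict(int)
    for adv in advisories:
        counts[(adv["vendor"], adv["month"])] += 1
    return dict(counts)


def count_vulnerabilities(advisories):
    """Distinct CVE IDs per (vendor, month, severity), with how many remain unpatched.

    A CVE ID is counted once even if it appears in several advisories. It counts
    as patched once any advisory carrying it is marked patched, i.e. a later
    re-issue supersedes the earlier unpatched advisory.
    """
    seen = defaultdict(set)   # (vendor, month, severity) -> set of CVE IDs
    patched = set()           # CVE IDs with at least one patched advisory
    for adv in advisories:
        if adv["severity"] not in SEVERITIES:
            continue          # the two less critical levels are left out, as in the article
        key = (adv["vendor"], adv["month"], adv["severity"])
        seen[key].update(adv["cves"])
        if adv["patched"]:
            patched.update(adv["cves"])
    return {key: {"total": len(cves), "unpatched": len(cves - patched)}
            for key, cves in seen.items()}


if __name__ == "__main__":
    print("advisories:", count_advisories(SAMPLE_ADVISORIES))
    for key, row in sorted(count_vulnerabilities(SAMPLE_ADVISORIES).items()):
        print(key, row)
```

On the sample data VendorB has three advisories but only three distinct CVE IDs across the analysed levels, one of them still unpatched, which is exactly the kind of discrepancy the article's "I don't count the same number of issues" complaints come from.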

To: 1234; 6SJ7; Action-America; af_vet_rr; afnamvet; Alexander Rubin; anonymous_user; ...
FUD comparison of "vulnerabilities" between OSX and XP based on Secunia's exaggerated threat levels that have been laughed at repeatedly and ignored as they desperately try to sell their anti-virus software.... PING!

Secunia consistently exaggerates the threat levels of minor security issues for the Mac... they have been roundly criticized for it in the past by other security companies.

How do you tell that Apple has done something that might capture more market share? The FUD articles start appearing!

If you want on or off the Mac Ping List, Freepmail me.


2 posted on 02/28/2006 7:04:21 PM PST by Swordmaker (Beware of Geeks bearing GIFs.)

To: Swordmaker

secunia? Individuals still take them seriously? Go figure…


3 posted on 02/28/2006 7:10:35 PM PST by solitas (So what if I support an OS that has fewer flaws than yours? 'Mystic' dual 500 G4's, OSX.4.2)

To: Swordmaker
Mac users ought to become more security conscious -- learn how to set up and use user accounts, security features on wireless routers etc. -- but I have yet to spend three days cleaning off malware from a Mac nor have I seen the email addresses of corporate officers stolen from a Mac via virus and used to spam the company's employees with porn.

I can't say this about PCs.

4 posted on 02/28/2006 7:28:43 PM PST by Tribune7

To: Tribune7
The vast majority of Secunia's "vulnerabilities" require physical access to the computer. Those that don't, with the notable exception or two, involve services that are TURNED OFF in the default OS X installation... but Apple patches them anyway.

Secunia finds out about most of these because APPLE tells them because they are, for the most part, open source. How many things has Microsoft quietly patched and never mentioned, because they are considered "trade secrets."

Several times, when Secunia released its latest FUD, I have analyzed their exaggerated "security levels" and found their hysteria totally unwarranted.

5 posted on 02/28/2006 7:37:26 PM PST by Swordmaker (Beware of Geeks bearing GIFs.)

To: Swordmaker

Anybody who says XP is more secure than OS X has been licking toads or getting a paycheck from Redmond.


6 posted on 02/28/2006 7:41:09 PM PST by Tribune7

To: Tribune7

Nevertheless, the majority of recent attacks require user permission to install. Look how many people installed the Sony virus. No OS can protect people from bad decisions.

The bad guys will forever be offering free stuff to children.


7 posted on 02/28/2006 7:44:04 PM PST by js1138

To: js1138
No OS can protect people from bad decisions.

That is true.

8 posted on 02/28/2006 7:53:03 PM PST by Tribune7

To: elfman2
Let's look at April 2004 where Secunia lists 4 Extremely Critical vulnerabilities.

Secunia followed Intego's lead when they claimed to have found the first "OS X Trojan" and trumpeted it while attempting to scare Mac users into buying their software. Secunia jumped on that bandwagon. All four of the "extremely critical" issues were related to that "trojan".

April 19, 2004 - Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X.

On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed.

While Intego said the Trojan was benign, it said future versions could be authored to delete files or hijack infected machines. In the release, and in subsequent telephone interviews, Intego was vague about the purported Trojan's workings and its origins.

On Friday, Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.

"They gave the impression that this is a threat, but it isn't," said Dave Schroeder, a systems engineer with the University of Wisconsin. "It is a benign proof of concept that was posted to a newsgroup. It isn't in the wild, and can't be spread in the wild. It's a non-issue."

"They are spreading FUD to sell their software," said Ryan Kaldari, a programmer from Nashville, Tennessee, referring to the shorthand for fear, uncertainty and doubt.

So much for four of the five "extremely critical" vulnerabilities. Secunia has retained its hyperbolic rating... even though no one lost any sleep over the issue.

9 posted on 02/28/2006 7:54:06 PM PST by Swordmaker (Beware of Geeks bearing GIFs.)

To: Tribune7
Anybody who says XP is more secure than OS X has been licking toads

That has the looks of a great tagline!

10 posted on 02/28/2006 7:58:23 PM PST by zeugma (Anybody who says XP is more secure than OS X or Linux has been licking toads.)

To: zeugma

Guess it will take teamwork LOL


11 posted on 02/28/2006 8:07:00 PM PST by Tribune7 (or getting a paycheck from Redmond.)

To: elfman2
I've got a better test. I'll run my iBook with OSX connected to the Internet for five years with no virus scanner, no spyware scanner, and no add-on firewall (Oh, wait! I've already done that) and someone with strong faith that Windows XP is more secure than Mac OSX can run their computer connected to the Internet for five years with no virus scanner, no spyware scanner, and no add-on firewall (do you know anyone who does this?) and let's see who fares better at the end of that five year period. You can, of course, install all the recommended patches provided by your OS provider.
12 posted on 02/28/2006 8:15:48 PM PST by Question_Assumptions

To: Swordmaker

I'm still waiting to hear what that "EXTREME" security problem is in February.... Nothing that I have heard would classify as "extreme"....


13 posted on 02/28/2006 8:59:49 PM PST by TheBattman (Islam (and liberalism)- the cult of Satan and a Cancer on Society)

To: solitas
- No matter what some people may say.....

Whenever someone has to defend their sources with a statement like that, it's pretty obvious they have a weak argument.

14 posted on 02/28/2006 9:02:31 PM PST by TheBattman (Islam (and liberalism)- the cult of Satan and a Cancer on Society)

To: elfman2

I have spent the last four years conducting operational assessments of information assurance on fielded systems. The statistics to date:

Number of Windows boxes dropped: Several hundred thousand
Number of Linux boxes dropped: A few hundred
Number of Macintosh boxes dropped: Zero, zilch, nada

This in spite of the fact that Linux and Macintosh boxes each made up about 5% of the target population.

There are no publicly available exploits or tools to take down a Macintosh (or FreeBSD Unix) box.

There are no publicly available exploits or tools to take down some versions of Linux.

The BEST Intrusion Detection Systems have a probability of detection of about 20% against sophisticated threats.

The BEST Firewalls have a 10 - 20% probability of stopping a sophisticated attack.

Defense in depth and hybrid vigor are your friends.

Monocultures, whether it is all Cisco routers, or all Dell boxes, or identical versions of Windows XP with the latest patches installed are a hacker's playground.

Sleep well.


15 posted on 02/28/2006 10:15:17 PM PST by Natty Bumppo@frontier.net (The facts of life are conservative -- Margaret Thatcher)

To: Question_Assumptions

Yep. The proof is in the pudding. All these Secunia studies and stats are BLAH BLAH BLAH when it comes to real life experience.


16 posted on 03/01/2006 5:25:43 AM PST by CheneyChick

To: Natty Bumppo@frontier.net; All
"The BEST Firewalls have a 10 - 20% probability of stopping a sophisticated attack."

Thank you. Your comments and several others on this thread are very helpful to me. Can you briefly list the primary ways to defeat 10% - 20% of the best firewalls or link to something not too in-depth on it? Thanks.

17 posted on 03/01/2006 6:00:27 AM PST by elfman2

To: elfman2
Can you briefly list the primary ways to defeat 10% - 20% of the best firewalls

I'll take a simple shot.

I believe it was the best firewalls only catch 10-20% of the attacks. I'm not sure exactly what they mean by it, but:

Easy attack, go around. Does the company have dial-in access to their network that doesn't go through the perimeter firewall? Hit that. Does the company allow people to connect outside with modems? Hit that when they dial up. Some malware (often found on web sites) dials your modem for you. My old organization ripped the modem out of every computer they could and the baseline disabled the modem service for machines with built-in modems.

Aside from that, if the firewall is in any way useful, the organization will have various ports open, such as if they're running IM or servers for email, Web, FTP, streaming media, etc. Since those ports are open, an attacker can get through to exploit the software on the other end using various methods to hide what he's actually doing.

At its basic level, think of a firewall as a gate where outside people wearing certain uniforms are always allowed in. That doesn't keep a bad guy from putting on a plumber's outfit to get in. But when you're protecting clients behind a firewall, it can say that a plumber can't get in unless he is identified as part of an existing request from the client ("stateful" firewall).

Like they say, "A firewall can protect against any kind of network attack if you unplug it."

18 posted on 03/01/2006 8:08:10 AM PST by antiRepublicrat
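The gate-and-uniform analogy above describes the difference between a stateless packet filter and a stateful firewall. The following Python model is an added example, not code from any poster or from any firewall product; the network addresses and ports in it are constructed. It keeps a table of connections that clients on the inside opened, admits inbound packets that answer one of them, admits new inbound connections only to published service ports (the "uniform"), and shows, for comparison, why a filter with no connection memory has to trust a flag in the packet that any sender can set.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The handful of header fields a TCP packet filter looks at (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


class StatefulFirewall:
    """Allows outbound connections from the inside network, remembers them,
    and admits inbound packets only as replies to a remembered connection or
    as new connections to an explicitly published service port."""

    def __init__(self, inside_network: str, published_ports):
        self.inside = ipaddress.ip_network(inside_network)
        self.published_ports = set(published_ports)
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def allow(self, pkt: Packet) -> bool:
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: a bare SYN opens a new connection; remember it so the
            # replies can come back through the gate.
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: is this a reply to something a client behind the firewall asked for?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        # Otherwise only a fresh connection to a published service gets in. Note
        # that the firewall cannot judge what that packet will do to the service.
        return pkt.syn and not pkt.ack and pkt.dport in self.published_ports


def stateless_allow(inbound: Packet, published_ports) -> bool:
    """Decision of a filter with no connection memory for an inbound packet.
    Its only way to let reply traffic through is to trust the ACK flag, so a
    packet that merely wears the right flag is indistinguishable from a reply."""
    return inbound.ack or inbound.dport in set(published_ports)


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8", {80})
    client_syn = Packet("10.0.0.5", 40000, "203.0.113.7", 443, syn=True)
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True)
    stray_ack = Packet("203.0.113.9", 443, "10.0.0.5", 40001, ack=True)
    print("outbound request:", fw.allow(client_syn))
    print("reply to it:     ", fw.allow(reply))
    print("unsolicited ACK, stateful: ", fw.allow(stray_ack))
    print("unsolicited ACK, stateless:", stateless_allow(stray_ack, {80}))
```

The last branch of `allow` is the point antiRepublicrat makes about open ports: the firewall admits the packet because of where it is going, and whatever the web server then does with it is the server's problem, not the gate's.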

To: elfman2; antiRepublicrat; All
I recommend Eric Cole's "Hackers Beware" published by New Riders (www.newriders.com or available from Amazon) as a good overview resource for network security. For examples of specific exploits, try http://johnny.ihackstuff.com.

antiRepublicrat has the general idea. Without getting too specific, the threat generally falls into three groups:

1. Script kiddies who download tools from hacker sites. Most lack any real insight as to how the tools are constructed or how they work. They are unaware that a lot of the tools they download contain other malicious payloads within them. Their advantage of course is numbers. Or as Scott Adams said in Dilbert: "You're pitting your intelligence against the hormones of millions of teenagers."

2. Organized hacker groups motivated by ideology or money. They generally have at least a couple of people who can design and build their own tools, or improve the ones they download. Far fewer in numbers than the script kiddies, they are generally more circumspect and harder to detect.

3. State sponsored hacker groups. More than 50 nations (some of them "allies") are currently conducting computer network exploitation and/or computer network attack against computer systems in the United States with economic intelligence the usual target. Their capabilities are similar to the organized hacker group, except that while an organized hacker group might work on a target for weeks or months, the state sponsored hacker will work on a target for decades.

Firewalls and IDS are pretty good against the script kiddies. It is against the organized hacker groups and state sponsored hackers that their performance falls off to the 10-20% range.

In a very general sense (insert LOTS of hand waving here) firewalls and IDS allow or block network traffic because of preset rules, signatures, or patterns; or they block the traffic because they detect anomalous network performance; or some hybrid of the two methods.

Unlike analog or mechanical systems which tend to be "communications poor," digital networks are communications rich and very "noisy." A lot of that noise is normal network management and administration. All hacker scanning tools are derived from normal network management tools and most hacks or exploits either look like or can be made to look like normal network traffic.

A hacker needs very little bandwidth to conduct scans and launch an attack. It is trivially easy to stay below the "noise" floor. Bandwidth usage (and probability of detection) go up after the exploit when the hacker steals the hash file for offline password cracking or begins to steal data files. However, very few organizations use firewalls or an IDS to look at outbound traffic.

Network and security logs will always detect hacking activity which is why good hackers go back and erase them. Most logs are stored on a hard disk and erased or reused every 14 days. Even if the hacker misses something, in two weeks it won't matter. And checking logs is tedious and time consuming so it is largely honored in the breach.

However, if the organization sets up a dedicated log server using a jukebox of write-once media (DVD-R for example), the hacker can't erase their tracks and each attempt to do so doubles the probability of detection. Having such a log server doesn't relieve the tedium of reading the logs. But when an IDS or firewall does indicate an intrusion, the forensic evidence of the attack will be preserved in the logs.

Another common vulnerability: Even on "highly secure" networks, about 0.5% of all wireless capable Windows notebooks will be on, active, and wide open. That is because those are the factory defaults the notebooks ship with to make home wireless networking as easy as possible. Even though the owner/operator closes or turns off the wireless connection; updates, patches, and routine systems maintenance tend to restore the defaults. Doesn't sound like much until you realize that on a 2000 host network I am almost guaranteed to find 10 wide open, unprotected wireless access points that no one is monitoring.
19 posted on 03/03/2006 8:46:51 AM PST by Natty Bumppo@frontier.net (The facts of life are conservative -- Margaret Thatcher)
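The write-once log server above relies on the medium to make erasure impossible. The same property can be checked in software by chaining each log entry to the hash of the one before it and archiving only the latest hash on the write-once medium: an altered entry, a removed entry or a truncated tail then fails verification. The following Python is an added example, not code from the poster or from any log server product; the log records are constructed sample lines and the archive is modelled as a single "anchor" hash held by the verifier.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64   # value chained into the very first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of an entry: binds the record to everything logged before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(log: list, record: dict) -> str:
    """Append a record to the chain and return the new tail hash.
    The tail hash is what would be written to the write-once medium."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    log.append({"prev": prev, "record": record, "hash": _entry_hash(prev, record)})
    return log[-1]["hash"]


def verify_chain(log: list, anchor_hash: str) -> str:
    """Walk the chain from the start. Returns 'ok' or a description of the
    first inconsistency found (altered/removed entry, or a tail that no longer
    matches the archived anchor)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return f"entry {i} altered or out of sequence"
        prev = entry["hash"]
    if prev != anchor_hash:
        return "tail hash does not match anchor: entries removed or not archived"
    return "ok"


# Constructed sample log records (not from any real system).
SAMPLE_RECORDS = [
    {"ts": "2006-03-03T08:00:01", "host": "srv1", "msg": "sshd: failed password for root from 198.51.100.4"},
    {"ts": "2006-03-03T08:00:02", "host": "srv1", "msg": "sshd: failed password for root from 198.51.100.4"},
    {"ts": "2006-03-03T08:00:40", "host": "srv1", "msg": "sshd: accepted password for admin from 198.51.100.4"},
    {"ts": "2006-03-03T08:01:12", "host": "srv1", "msg": "kernel: eth0 entered promiscuous mode"},
]


def build_log(records: list):
    """Build a chain from records; returns (log, anchor_hash)."""
    log, anchor = [], GENESIS_HASH
    for rec in records:
        anchor = append_record(log, rec)
    return log, anchor


def tamper_results(records: list) -> dict:
    """Verification outcome for the intact log and for three ways of 'cleaning' it."""
    log, anchor = build_log(records)
    altered = copy.deepcopy(log)
    altered[2]["record"]["msg"] = "sshd: accepted password for admin from 10.0.0.2"
    removed = copy.deepcopy(log)
    del removed[1]
    truncated = log[:-1]
    return {
        "intact": verify_chain(log, anchor),
        "altered": verify_chain(altered, anchor),
        "removed": verify_chain(removed, anchor),
        "truncated": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for name, outcome in tamper_results(SAMPLE_RECORDS).items():
        print(f"{name:10s} {outcome}")
```

Note what the chain does and does not give you: it makes any edit after the fact detectable, but it cannot stop an attacker who already controls the log source from simply not emitting events, which is why the poster's advice to ship logs to a separate server still applies.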

To: Natty Bumppo@frontier.net; elfman2
Even though the owner/operator closes or turns off the wireless connection; updates, patches, and routine systems maintenance tend to restore the defaults.

I can totally attest to that one. An organization I was in had an automated baseline script that made a lot of security settings, including disabling modems and dangerous services (this was just before built-in wireless came out). We didn't allow auto-update or automatic patching, because our lab tested every Microsoft patch before releasing it to the organization. Many patches were found to re-enable what we'd disabled or change our security settings.

20 posted on 03/03/2006 9:06:17 AM PST by antiRepublicrat

