Surprise, Apple's OS X Comes Out as Most Vulnerable Software of 2015

Hackread ^ | January 3, 2015 17:01 UTC | Ali Raza

[Up Yours Marxists]

You’re passing around semantics. Accept the fact that your precious operating system has holes in it. Some of them as old as 25 years.

And the absolute arrogance of security that one shouldn’t be making the internet safer just amplifies the problem. Out of all the viruses people send me in emails, do you know how many in the past 2 years have come from Microsoft users? ZERO. All of the garbage I’ve received and been trapped in the scanners have come from arrogant Apple users who love to spread virus that take advantage of vulnerabilities and exploits, or whatever you spin it as.

[Da Coyote]

The wife and I both despise El Capitan.

Much more of this cr*p and we will go back to Unix.

Nope, no Microsoft. Not now. Not evah!

[central_va]

Nope. Mac professionals don't do antivirus or anti-malware. Don't need to.

Agree.

[Tzfat]

You clearly don’t know much about Macs, and firing a Mac user for doing what we all do would make you a very irresponsible manager.

I clearly said that I don’t use antivirus or antimalware. Macs are UNIX variants, they have lots of built in network security. Not a packet leaves my Macs without me being able to know exactly where it goes. Bet you don’t maintain that level of authenticity on your end.

My point was that no Windows user can even comprehend running a PC without antivirus - and yet Mac professionals don’t even think about it. What does that say about vulnerability?

[roadcat]

Out of all the viruses people send me in emails, do you know how many in the past 2 years have come from Microsoft users? ZERO.

Not in my case. All the viruses sent, have come from Microsoft users. All. Doesn't bother my Macs, but my Windows machines squawk. My Macs rarely need rebooting. Windows, very often in order to recover from problems. Of particular concern is a brother-in-law who downloads to his PC from many questionable sites (movies etc.); all his emails carry viruses. I never get them from Mac folks.

[Up Yours Marxists]

Well that’s great that you are security wise in the Linux/Unix world.

We had to hire expensive administrators to tighten up Unix security back in the 80’s. I couldn’t begin to think my wife or my kids for that matter could ever handle that kind of security. Nor keep on top of all the patches required for the OS. My grandkids? Maybe.

Either way, would you be so kind as to use virus protection so that other users on other operating systems don’t get virus you might unintentionally spread through Unix? That would be most helpful.

[Up Yours Marxists]

That’s probably because all those Microsoft users download porn and free games laced with garbage. I don’t need any other programs other than Office and don’t visit crazy sites. Haven’t had a virus attack in over 5 years.

So I guess one could say that if one likes porn, doesn’t want to pay for anything, and expects the world to be polite, kind and courteous, by all means buy an unprotected Mac. You know, the one that runs the new crowned champion of security holes.

[Tzfat]

Why would Mac user care about passing on viruses to Windows users. We aren’t infected. Yeah, Typhoid Macs rule ;)

We stay clean.

[tacticalogic]

One reason Windows typically has more vulnerabilities attributed to it than Linix and derivatives is that there is more functionality built in via dotnet.

For example, the infamous Poodle vulnerability is attributed to a third party library (Open SSL) used by many Linux systems, but not to Linux itself.

Windows servers don't exhibit the behavior because they use code from the dotnet crypto assemblies. If the same vulnerability had been found there, it would have been attributed to Windows.

[Up Yours Marxists]

It says you have NO FEEDBACK LOOP as to whether you are infected or compromised. Because people like you are arrogant into thinking you’ll never be attacked, hackers will prey on you in the dark of the night. This attitude wouldn’t last a week in the TOS military security world. And shouldn’t that be what we strive to achieve out here in the world of the little people?

Antivirus and network scanning provides users the necessary feedback needed to identify security breaches. Only FOOLS believe their security is 100%, requiring no need for security reviews. At a minimum if you’re not running AV, scan vulnerabilities and exploits and scan often. Like daily. Hourly is good. Real-time is best.

[roadcat]

So I guess one could say that if one likes porn, doesn’t want to pay for anything, and expects the world to be polite, kind and courteous, by all means buy an unprotected Mac. You know, the one that runs the new crowned champion of security holes.

Funny thing is, you just described most Microsoft Windows users. My brother-in-law is a cheapskate, downloads crap from questionable sites and is a jerk. He used to work for IBM in San Jose until they closed their factory (their PCs sold to Lenovo in China). Windows users are the biggest porn downloaders.

[Tzfat]

You aren’t paying attention. I never said I don’t know what is going on on my networked Macs. I just don’t have to respond to too numerous to count alerts from antivirus or anti-malware, because.

Arrogance is thinking that because you go through an update dump every Tuesday, and run 3rd party bloat like Norton, that you are secure.

Mac professionals are very aware of the security on their machine, because we actually can see more than a stock Windows machine can.

Do you know everything your Windows 10 box is sending? If you did, you might consider joining the class action against MS for invasion of privacy. My Mac cannot send or receive without me being to watch.

[kjam22]

I don’t need any other programs other than Office and don’t visit crazy sites. Haven’t had a virus attack in over 5 years.

That and don't open crazy emails or click on email links.... It's not rocket science.

[Up Yours Marxists]

Ok, let’s just see how secure your Macs are and how confident your security prowess is. You have a firewall, correct? Turn it off. Let it all hang out.

Report back to us once you turn the firewall back on, if you can.

[mass55th]

Only in their wet dreams.

[Swordmaker]

Of the 384 vulnerabilities, only 2 resulted in exploits, and those were on older versions of OS X, AFTER the vulnerabilities were published and AFTER Apple had pushed out the patches, since Apple was the one who revealed the vulnerabilities. The exploiters were opportunists who took advantage of people who did not bother to install updates.

Apple Exploited Vulnerabilities by year, 2015 had 2

These two:

Note they are both earlier versions of OS X.10 Yosemite, not OS X.11 El Capitan

The exploit is quire complicated on the first, requiring construction of a complete dictionary to replace a supplied dictionary and then somehow getting it installed on the target computer. Not an easy task. This exploit turns out to be a proof of concept sent to a security company. It was never in the lab.

The second "exploit" was another proof of concept, never released into the wild.

Both were never in the wild.

[Tzfat]

Now you are just being stupid.

[Swordmaker]

The wife and I both despise El Capitan.

Much more of this cr*p and we will go back to Unix.

If you've got El Capitan, you've already got UNIX^tm, one of the most powerful OSes in the world, right in front of you.

[Swordmaker]

No specifics mentioned in this one as to exactly what the vulnerabilities might be.

I've looked. Nothing much. Only two were exploitable and those were proof of concept exploits. . . which took quite a bit of effort. Other high rated vulnerabilities required multiple things to be also wrong for them to be a danger. They needed to be fixed, and were fixed. Apple was the reporting source on the vast majority of the CVEs. . . when they fixed them.

[dayglored]

> Microsoft has been officially dethroned as the most vulnerable operating system in 2014. And the most vulnerable mobile operating system. Congratulations, Apple!

From the article:

> Adobe, everyone's expected leader, sits safely at 316, much behind OS X's tally. So much for Apple's security reputation.

"Safely"??? Adobe Flash??? Are you out of your mind? Or a shill? Or both? Based on your posting record, I might be inclined to think "both".

Speaking for a moment as the keeper of the Free Republic Windows/Microsoft Ping List, I'd like to congratulate YOU, Up Yours, for posting one of the most misleading and overall foolish tech threads in quite a long time.

The folks who run the CVE, and the folks over at CVEdetails.com, know that different reported vulnerabilities have wildly different importance and impact. For example, using the selector at CVEdetails, there are:

• Vulnerabilities with exploits
• Code execution
• Overflows
• Cross Site Request Forgery
• File inclusion
• Gain privilege
• Sql injection
• Cross site scripting
• Directory traversal
• Memory corruption
• Http response splitting
• Bypass something
• Gain information
• Denial of service

and others. So I have to ask you (rhetorically -- don't feel obliged to answer):

Do you not comprehend the difference between a software bug and an operational vulnerability?

Do you not comprehend the difference between a vulnerability and an exploit?

I think not.

Please understand, I'm not excusing nor apologizing for ANY of the entries on HackRead's article's list. All those entries belong there. But they are simply TOTALs without regard to importance or impact.

The article's inane gloating, and your subsequent gloating-by-proxy, are so blatantly ignorant as to be laughable.

So in your honor, as the holder of the "Most Technically Ignorant and Overall Foolish Tech Thread of 2016" Award, I will in a moment ping the Windows List so that they can come and commiserate over the fall of Windows as Vulnerability Leader.

And the year is brand-new! I'm confident that before the year is over, in your endless striving, you will have posted another such thread that exceeds even this one in technical ignorance and foolishness. Onward!

And a Happy New Year to you!