Secunia notoriously screams ‘Mac OS X not as secure as you think’

“Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia,” Matthew Broersma reports for Techworld.

[MacDailyNews Take: Ouch… laughing too hard… sides splitting….]

“The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each,” Broersma reports.

“One thing the hard figures have shown is that OS X’s reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system – comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server,” Broersma reports. “‘Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news,’ said Secunia chief executive Niels Henrik Rasmussen. ‘The myth that Mac OS X is secure, for example, has been exposed.’”

Full article here.

MacDailyNews Take: Give us a break, Secunia. To paraphrase Jack Nicholson, “sell crazy someplace else, we’re all stocked up here.” These idiotic articles always seem to come from Techworld by way of Secunia – you do the math.

Related MacDailyNews articles:
Secunia issues ‘extremely critical’ vulnerability alert for Mac OS X – May 24, 2004
Techworld unbelievably screams ‘Mac OS X riddled with security holes’ – May 04, 2004

59 Comments

  1. ummmmmmm…. okay.

    Then why is every Pee-Sea owner I know tearing his hair out over spyware and trojan horses, and I hear NONE of this from my Mac friends?

    And MOST of the Mac owners I know are ignorant that there is even a PROBLEM, matching the number of Pee-Sea users who don’t know at all that their Mac counterparts are free of this plague.

    If the Macintosh world was being brought to its knees by viruses, we would know about it.

    Just today a 21 year old college student I know is ready to switch because his PC was eaten by viruses. I’m moving him into a Mac laptop, when just last year he was dead set against Macintoshes.

    Little by little, bit by bit. There has never been a BETTER time to switch your friends and co-workers. Be gentle. Be persuasive. Be a missionary.

    DV

  2. In an email I told them I could name over 30,000 virii, trojans or worms for XP. I asked them to name 1 for OS X.
    I said I could document thousands of breaches and infections on XP. I asked them to document 1 on OS X.
    I said I knew of several unpatched holes or open ports in XP or Microsoft apps. I asked them to tell me of 1 in OS X or an Apple app.

    They never even bothered to get back to me.

  3. The way they measured this is a complete joke–the proportion of serious vulnerabilities of all advisories announced? Even if you accept that idiotic measure (as opposed to how many Mac computers are actually affected by virii, etc.), XP comes out worse than OS X because the base number of advisories is 44% higher!
    Wonder what Secunia gets out of this crap?

  4. My post on Scobleizer blog

    I think if you look at that article objectively there must be something wrong with Secunia’s analysis. Is it just that no blackhat wants to be the first with a real, in the wild exploit of OS X? Is a 4% market share too small to be interesting?

    First, there are a huge number of Mac haters in the world. So, there must be some evil-doer who would like to be famous for being the first with a real Mac security breach. So, it isn’t because everyone loves Apple.

    Ok, then it must be that the market share is too small, right? Nope. For example, John Gruber of Daring Fireball cites an example where a very small niche was attacked. See http://daringfireball.net/2004/06/so_witty. John cites a Bruce Schneier analysis of the So Witty worm. “Twelve thousand machines was the entire vulnerable and exposed population, and Witty infected them all – worldwide – in 45 minutes. It’s the first worm that quickly corrupted a small population.”

    Secunia’s analysis was shallow and answered no real questions. I suspect that it has more to do with expectations than anything else. Apple fixes bugs quickly. They have automated update of system software that nearly every user has enabled. Apple’s Software Update is enabled by default.

    So I think it comes down to expectations. It is hard to do anything to OS X. Even when there is an unpatched exploit, it can take quite a while to discover a mechanism to actually do more than crash machines. The expectations are that a virus/worm writer can spend a lot of effort for very little or no payback. Compare this to recent outbreaks in the Windows world. The vast majority of the problems came from unpatched machines after the patch was available on Microsoft’s website. That is much less likely to happen on OS X. Without the expectation of some success, even a wide open hole in OS X isn’t exploited, because no one wants to spend the time on it because they don’t have an expectation of success.

    The number of “successes” in the Windows side of things makes it impossible for Microsoft to convince the world that their OS is secure. Even if Microsoft is doing a better job now, the crapware developers are already expecting their work to pay off. They have an incentive to actually spend the time to build software to exploit the problems in Windows. And in my opinion, it isn’t going to get better. See this: http://news.com.com/Corporate+Web+servers+infecting+visitors'+PCs/2100-7349_3-5247187.html

  5. If you make your money and justify your existence by “finding vulnerabilities” in computer software and operating systems it is in your best interest to assure the world there is no good and easy way out. With many in the IT world at least pondering a Windowless or Non-Microsoft homogenous solution, spreading FUD about the available options (Mac OS, UNIX, LINUX, Solaris) is kind of like a guarantee of continued significance and employment.
    I am not foolish enough to suggest that anyone running any system does not need an organization checking for security problems, but a large switch away from Micro$oftopoly’s offerings will make the services they offer a much less visible and valuable product. Many people have made a very good living from the lack of security present in many software/OS products and would like to keep on doing so.
    The issue is this- scaring clients into believing FUD that LINUX and Mac OS are not going to give them increased security will undoubtedly lead them to continue to deal with Micro$oftopoly and thereby continue their need for “security consultants” and other “experts”. It is in Secunia’s interest to cry that the sky is falling for all parties, not just one, proving the need for the service they provide.
    Non IT world equivalent: asking the salesman at the tire store if you need new tires. There is no such thing as a totally secure system that interfaces with outside networks or the internet. That said, there ARE much more secure solutions available than ANY VERSION of Windows or Windows Server. Nobody with a functioning brain cell could dispute that based upon real facts and evidence.
