February 28th, 2006

Vulnerability statistics for Mac and Windows

Posted by George Ou @ 2:40 am

Categories: Security

Tags:

In yesterday's article "Is Mac OS as safe as ever", Joris Evers poses the age old question if Mac OS security is myth or reality.  I decided to settle this once and for all with some hard numbers from the independent security research group Secunia along with the number of CVE issues for Microsoft Windows XP and Mac OS X within the last two years.

Before I post the data, I want to make a few things clear since I keep getting the same questions and accusations every single time I post data on vulnerability statistics.

• When visiting the Secunia links I provide in this blog, please DO NOT quote me on the number of advisories for a particular OS and blast me for getting the numbers wrong.  I am NOT counting advisories; I'm counting the actual number of vulnerabilities.  There are many advisories that contain multiple vulnerabilities and CVE IDs.  Sorry for the shouting, but I get about 10 of these "I don't count the same number of issues" every time.
• No matter what some people may say, vulnerability ratings from Secunia are a valid measurement of security risk.  If we can't count the number of actual security vulnerabilities (with severity and patch status in mind), what can we count?
• There seems to be a cavalier attitude that a vulnerability is not a problem if it hasn't been widely hacked yet.  The truth is that professional hackers don't want notoriety because it's bad for business.  Before Microsoft's infamous WMF vulnerability was infamous because of all the press coverage, it sold on the black market for $4000.  Nothing kills a money maker in the digital underworld faster than public exposure.
• There will always be those who say vulnerabilities are only "theoretical".  Anyone who feels this way should leave their computers unpatched for all "theoretical" problems and post their email and IP address in talkback section and I'll be sure to forward a copy to the hacker forums.  I'm sure it probably won't be a problem since the problem is only "theoretical".
• I make no claims on which operating system is better.  You look at the data and you be the judge.

Data gathered from Secunia:

How to read chart:

• The three most severe levels of vulnerabilities from Secunia are analyzed in this chart.
• The two less critical categories from Secunia were left out so the significant data will fit better on the screen.
• The grayed out section represents the vendor with the worst security of the month.
• Red font text represents unpatched vulnerabilities correlating to the degree of vulnerability.  For example in the month of February 2006, Apple's Meta data shell script execution flaw hasn't been fixed yet so it gets a red 1 in the extremely vulnerable column.

The data is clear, and Apple has a lot more vulnerabilities of every kind ranging from moderately critical to extremely critical.  While Windows had some months with more security disclosures, they are more spread out while Apple tends to release mega-advisories with dozens of vulnerabilities at a time.  There were seven months where Apple disclosed more a dozen or more highly critical vulnerabilities and August 2005 saw nearly three dozen of them.  One of the most severe zero day exploits for Mac OS X disclosed this month with a working proof-of-concept has yet to be patched so we'll have to wait and see how long it takes Apple to release a patch.

Microsoft on the other hand seems to let some moderately critical and even one highly critical vulnerability go unpatched for more than a year.  I've hammered Microsoft for this issue in the past and Microsoft has responded to me that they are clarifying some of these issues with Secunia because some of the unpatched vulnerabilities may be moot.  I'm still waiting for Microsoft's detailed explanation on these unpatched vulnerabilities.