OS X Patches, Secunia Stats

Yesterday, Apple patched the DNS bug everyone was so worried about a few days ago (because some security researcher got ticked off that his name hadn’t been mentioned in dispatches). Time to revisit the whole “Mac OS X is less secure than we think” meme.

Remember, this is all versions of OS X since January 2003 vs. Windows Vista. (If I wanted to be nasty, I’d show the graphs for Windows XP Professional, various versions of Office, etc.) At least Secunia has stopped treating each Microsoft SKU as a different platform.

According to Secunia*, the most severe flaw in OS X in the last couple of years is this. If you’d like to skip reading it, the basic idea is this — there was a bug in Apple’s zip utility that would execute a specially tailored payload in a zip archive. So if you were using Safari with default preference settings and you clicked a link, the zip archive would download to your hard disk, get decompressed, and — potentially — arbitrary code could execute. Note that this is not a “Trojan Horse” in the sense that you don’t need to type in a password or deliberately do anything except click a link in a web page, so this is pretty severe.

This is rated by Secunia as extremely critical — do you ever get the feeling that security researchers should be given a free thesaurus? — (“5” on their 5 point scale), even though (1) it requires some user action (it’s not like port vulnerabilities in Windows which allowed worms like BLASTER to simply take over a PC as soon as it was hooked up to the internet) and (2) there are no known instances in the wild.

Windows XP and Vista have a bunch of vulnerabilities rated highly critical (4/5) which are equally nasty, e.g. buffer overflows in the way Windows handled images in web pages that could cause arbitrary code execution. Casual user activity (browsing pages) could, theoretically, result in arbitrary code execution in user space. Apparently, for a problem of this severity to be rated extremely critical for Windows there need to be known examples in the wild.

Presumably, a vulnerability on the Mac requiring zero user action which obtained root access and had instances in the wild would rate mindbogglingly critical (8/5) on Secunia’s scale for consistency. I guess when there’s finally a worm out there that can compromise Macs, heads will explode.

* Why do I keep using Secunia? Because as security research firms go, they’re not quite as grotesquely anti-Mac as typical, and they offer links to embed live versions of their graphs.

Post Script

Apple’s patch doesn’t fix the DNS bug properly. It’s worth noting that this is only going to hurt servers (since most people don’t use OS X desktops as DNS servers, and indeed it’s not switched on by default) so technically this is a server bug. Still, it needs fixing and it’s another misstep by Apple (along with the whole MobileMe fiasco) in a short period.

Post Post Script

Also note that Apple’s initial patch did fix the vulnerability in OS X server (and, apparently, in server-like devices such as Airport Extreme), so basically all the whining was about nothing. It’s one thing to conflate OS X (desktop) with OS X (server) in counting bugs, and another to complain about OS X having an unpatched defect in a service that’s turned off by default and very few people would have switched on.

Secunia, Techworld, Mac OS X, and various Reality Distortion Fields

Recently, a Danish (I am told) internet security firm named Secunia has gotten a lot of free publicity, largely by making the pronouncement that Mac OS X is no more secure than other operating systems, notably Windows XP and its variations, which it considers the most secure of all.

Apple has gotten quite a bit (not a huge amount) of bad press over this, all of it citing Secunia’s Press Release. The most vehement I have encountered is on Techworld.com: Apple Shames Itself Again Over Security.

Unlike some pro-Apple bigots I am not entirely immune to doubting the utter superiority of Mac OS X to all alternatives, so I decided to do a little research. Something, apparently, no-one at Techworld is required to do.

If you visit Secunia’s website, and I suggest you do, try looking at their archives of security alerts, under Apple: Mac OS X, and Microsoft: Windows XP Professional. I won’t link directly, since you should go find these things yourself to (a) prove how easy it is, and (b) demonstrate that I am not cherry-picking my results.

First of all, in their summary graphs and tables, Secunia reports fewer security alerts for Mac OS X (all versions including server) than one variant (Professional) of Windows XP. But, hold your horses, Windows XP Professional is reported as having no serious issues, none, zero percent (out of 67).

But, when you scroll down the page you discover several serious issues listed. Hmm, if there are several, how does this come out as 0%? So either Secunia are incompetent, or dishonest. Certainly, journalists can’t be bothered checking beyond press releases. Well, no surprise there.
What’s more, one of these serious issues has been unresolved for nine months!

And then, there’s the well-known gaping hole of ActiveX (an ActiveX control can do anything it likes to your machine). ActiveX issues are mentioned only once on Secunia’s XP Professional page and shown as having a single serious flaw which has been fixed. (It’s one of the 0%.) Well, the “fix” is that the user has to magically know that this ActiveX control isn’t safe and click “No”, while, to get his/her daily work done, he/she may have to magically know that other ActiveX controls ARE safe and click “Yes”. Whew. Glad that was “fixed”.