03-27-2007, 05:37 PM   #1
Lyte
What’s the Most Secure OS? Surprise! It’s Windows. (Well, sort of.)

This makes for an interesting read!

What’s the Most Secure OS? Surprise! It’s Windows. (Well, sort of.)
Blogger: John McCormick
March 24th, 2007


The startling conclusion that Microsoft has the most secure OS isn’t mine (although I don’t find it all that fantastically unlikely), but that of some observers who came to that conclusion after looking at Symantec’s Internet Security Threat Report Volume IX that covers the second half of 2006.

Here's a quick look at a few of the relevant numbers; see what you make of them:
  • For the period of July 1, 2006, through December 31, 2006
  • Windows had 12 severe threats with the total of 39 vulnerabilities fixed in an average of 21 days.
  • Mac OS X had 1 severe threat but Apple had an average 66 day turn-around for the entire 43 vulnerabilities reported.
  • Red Hat Linux was actually faster than OS X with a 58-day average time to fix a total of 208 vulnerabilities.
  • Of those Red Hat threats, 2 were critical and 130 were rated medium severity.
  • HP-UX had 98 vulnerabilities and needed an average of 101 days to fix them.

Still, pity the poor Sun users who waited an average of 122 days for fixes of the 63 Solaris vulnerabilities.

Mozilla users rejoice - the average time to patch a vulnerability was the best of any browser, only 2 days, vital if you are facing a zero-day threat.

What shouldn't come as a surprise is Symantec's report that the biggest vulnerability threat is found in the newest hot branch of software - Web apps!

Another unsurprising (at least to me) part of the report was the first paragraph of the Executive Summary:

"Over the past two reporting periods, Symantec has observed a fundamental shift in Internet security activity. The current threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used for financial gain."

Also, right in line with my recent report here on the California Secretary of State's exposure of hundreds of thousands of individuals' Social Security Numbers on their official Web site, Symantec reports that the government sector in total was responsible for 25 percent of the identity theft activity related to online security breaches.

Coming in second as the biggest threat to your personal identity were educational-related sites, with medical sites taking a close third.

Of course those are the groups that keep the largest amount of personal information outside the three highly centralized credit reporting agencies, so perhaps it really shouldn't be surprising to anyone that the most data theft came from the places with the most personal information.

77% of all Web browser attacks were aimed at Internet Explorer (the biggest target obviously, so no surprise there).

There is a lot of useful information to be gleaned from this Symantec report and every security professional needs to download and study a FREE copy. It not only tells you what category of threats you need to protect against most, it also includes a lot of useful information about which regions have the most infected computers (and that therefore you should be especially wary of Web sites in those areas and emails from people in those locations). By the way, the U.S. is the origin of more attacks than any other country (probably has the most computers also) and, on average, China has the most bot-infested computers in the world, but the U.S. ranks second in the number of infected systems while Israel has the highest percentage of hackers per PC.

But there is good news for IT security managers too; the home user is the subject of targeted attacks more than 90 percent of the time, which means that your workers aren't.

SPAM now makes up about 59% of all email traffic and 65% of that is in English (a lot of it pretty broken English in my experience).

A really alarming statistic was that Symantec had only identified 1 zero-day threat in the first half of 2006 but the security company documented 12 in the second half.

The report also details the percentages of each kind of malware detected and has a vast amount of useful information, not the least of which is the headline-making finding that Microsoft is currently the best performing company when it comes to the speed of fixing vulnerabilities in a major OS.

It would only be fair to remind everyone that Microsoft also mainly sticks to a regular monthly security patch release, with only an occasional mid-month release in extreme cases. I wonder what Microsoft's numbers would have been if they released patches as soon as they were available?

I also feel compelled to point out that the #1 ranking was based only on the speed with which the companies responded to threats, not the severity of the threats or how much trouble the patches caused.

Nevertheless, this report from a company that is finding itself more and more in competition with Microsoft in the security market (and therefore probably isn't cutting Microsoft any slack) is certainly a good one for the folks at Redmond.

So, why does nearly everyone seem to believe Microsoft is so slow to provide patched code?

I feel it is just like Detroit, which now makes pretty good cars and trucks but is still considered by many to turn out inferior quality products; it may take a LONG time to convince people that Windows is actually pretty secure and Microsoft is very responsive to threats.

Detroit will have to keep proving that it can make reliable vehicles for a long time to overcome the advantage some foreign makes have. (Turning out more popular designs with better gas mileage couldn't hurt either - I'm NOT Detroit-bashing - I have a lot of old Detroit Iron, including some with very big displacement engines from the muscle-car era - several 460's and one 455.)

Likewise, Microsoft is going to have to keep being the fastest to patch its most basic product for a long time to convince people that it is really doing a good job.

(Making a much smaller and highly secure alternative to Vista would also be a good place to earn some points - at least with me.)

How about YOU? What do you think of the implications in this Symantec report?
03-28-2007, 11:50 AM   #2
AngelArs

Quote:
Originally Posted by Lyte
see what you make of them
They are fabricated. In other words they are BS
03-28-2007, 04:58 PM   #3
Lyte

Quote:
Originally Posted by AngelArs
They are fabricated. In other words they are BS
What's fabricated? The "relevant numbers" or the threats... or both?

How 'bout a lil bit o' substantiation, eh?

Lyte
03-28-2007, 05:50 PM   #4
AngelArs

Sure.

Architectural elements between the different OS's are key to this discussion, and they were virtually ignored in their findings. MacOS was designed on top of BSD, an already EXTREMELY secure variant of Unix. On the other hand the Windows architecture has never been secure (ever) because design decisions made many years ago make it almost impossible to secure it now. An OS can only be as secure as its framework allows it to be. Look at it this way, you make a house frame out of balsa wood and no matter what you would try to do to make that house sturdy afterward, it will always have a vulnerability because the decision was made to use balsa wood for its framework.

For example; Windows has a feature called 'RPC' which makes the system very vulnerable, and you cannot turn it off because certain parts of Windows use RPC to talk to other parts of Windows, EVEN if the computer is not on a network. A long time ago Apple made the decision to design the MacOS with RPC turned OFF by DEFAULT! Even if you want to turn it on it is still very difficult.

Another quick example; If an attacker finds a security bug in Explorer, he can use it to do anything they want to a Windows computer--change the Registry, install software, change the operating system, whatever -- because Explorer is considered to be part of the operating system. You can sometimes remove explorer but 9 times out of 10 you will have OS problems down the line, and they aren't patchable. On the Mac, the Web browser is just a program, just like any other program.

Now, since windows has such shoddy framework, the only thing that windows can do to get around these security vulnerabilities is to 'patch' them up with band-aids, but NO band-aid can ever be as good (or secure) as having a solid foundation.

Another example; on a Mac, the operating system makes a clear distinction between "user space" and "system space." The user may not change parts of the operating system without entering an administrator password. On Windows, if the user simply runs a program, that program can make changes to the system without a password. Windows is pretty famous for this. On the Mac, programs are not permitted to access system events, like mouse clicks or buttons, that belong to other programs. On Windows, one computer program can "spoof" events in another program; that means, for example, that program A can make program B believe "hey - the user just clicked this button" when really they didn't.

The article also claims that it took Apple a 66 day turn-around but that simply isn't true. Just ask any Mac user and they will tell you that any issues that might ever be raised are usually fixed within a few days or a week or two at most. The report also bases a lot on a Symantec report, and most professionals these days simply don't consider Symantec as a trustworthy source. So now your next question is probably going to be, "why has Symantec come out with such an untruthful report"? Simple, as a vendor they absolutely hate the Mac community because they can't make any money off of them, and because it was the Mac community that first exposed a lot of their fraudulent activity several years ago. Now Symantec has what you would call 'a chip' on their shoulders, and I don't mean a computer chip.

Bottom line: this article bases its opinion on a report issued by a company that has a grudge. Can you say 'house of cards'? Reminds me of the old tobacco companies and how they swore up and down that smoking didn't cause cancer. You'll also notice that the report was ONLY for a 6 month period. God forbid they analyze the entire time that the OS has been released to the public.
03-28-2007, 06:32 PM   #5
Lyte

Angel,

Thanks for the response!

I'm wondering though... if the reason why so many vulnerabilities have been found with Windows is because it is so popular. If there were as many MACs out there as Windows, I dare say it would have been chopped to pieces more than it has been thus far. This is not to say Windows isn't a big ol' slice of Swiss cheese. My thought is that Windows is a particularly juicy target because so many people are using it. Consider Willie Sutton's response when asked why he robbed banks... "because that's where the money is."

Lyte
03-28-2007, 07:33 PM   #6
AngelArs

Quote:
Originally Posted by Lyte
I'm wondering though... if the reason why so many vulnerabilities have been found with Windows is because it is so popular.
No. It's the framework it's built upon.

Quote:
If there were as many MACs out there as Windows, I dare say it would have been chopped to pieces more than it has been thus far.
This is the same old worn out comment that has been repeated over and over again on the net. Let's take a minute and put it under a real world microscope, and look a little closer at it to see just how ridiculous this myth really is.

Virus writers write viruses that exploit any vulnerability that they can find, regardless of the popularity of the platform. Most viruses are not written by 13 year olds trying to boost their ego like they did years ago. Today writing viruses is BIG money, especially in countries like Russia. For example, the "Whizzer" worm is a complex and sophisticated virus designed to infect a computer by exploiting an obscure flaw in one particular version - of one particular company's software firewall program.

The total number of people in the whole entire world who used this version of this program was only around 50,000. Yet the virus writers found and exploited that flaw. Why? Because they could.

I think we can both agree that 50,000 users is a far smaller number than the number of people who buy a Mac every month (Apple is at last count shipping about 120,000 Mac Minis per month, every month, for the last two years solid, and that doesn't even include any of their other models like their laptops, which they sell at least 3 times as many of). Virus writers are even still writing the occasional virus for AmigaDOS! The point is that virus writers write WHERE-EVER they can find a vulnerability. They do not care about the platform. They only care about the vulnerabilities that they can exploit.

Now consider this, let's say that you know how to write viruses. As low a profession as it might be, we'll say that you are really good at writing viruses. You also know that Macs are known to be bullet proof. Now don't you think for a minute that it might tempt you to be the very FIRST person to write a real Mac virus? Your name would go down in Cyber history if you could do that, right? But still you don't see any real viruses around for modern day Macs... why? For a clue to the answer it might be time to consider what is known as "Occam's razor" which states: All things being equal, the simplest solution tends to be the best one. The simplest solution for the Mac virus question is that these hackers today are very capable of writing a virus, but they simply can't find a way to use it in the OS X architecture. It all goes back to the OS's foundation, and OS X was designed on top of BSD, an already EXTREMELY secure variant of Unix.

Windows however... was not
03-28-2007, 09:18 PM   #7
Lyte

Quote:
Originally Posted by AngelArs
Virus writers write viruses that exploit any vulnerability that they can find, regardless of the popularity of the platform.
True! However, virus writers get their kicks not simply from writing a virus that penetrates the penetrable but also from writing a virus that does the most damage. Writing a virus that kills 10,000 computers is a yawn... kill 100,000 computers and that's kinda interesting... but killing 1,000,000 computers would be pretty noteworthy! Volume doesn't matter.

Consider too that most malicious coders are not coding for prestige. They code in order to gain access to personal data. Easy or not... it's far more logical to write a hack that will get me the personal data of 1000 than the personal data of 100. Again... it's a numbers game for many hackers.

I'm no MAC expert so I Googled "mac vulnerabilities" and there are some interesting articles to be read.

Lyte
03-28-2007, 09:45 PM   #8
AngelArs

Quote:
Originally Posted by Lyte
True! However, virus writers get their kicks not simply from writing a virus that penetrates the penetrable but also from writing a virus that does the most damage.
No, that's not the case anymore, and it hasn't been like that for over 6-7 years now. There are several good books written about this. Viruses = big money, and they will go wherever they can.

Quote:
Writing a virus that kills 10,000 computers is a yawn
Surely you can't really believe that. Don't you think that by now SOMEONE would have written a Mac virus if it were possible? Even if it was only for the fun of it... It hasn't happened because it's nearly impossible to do, pure and simple. Explain why they would bother to write viruses like the whizzer worm, which was no small virus by the way, and viruses for systems like AmigaDOS that are almost nonexistent these days. It has nothing to do with the amount of computers, it's all about vulnerability.

BTW-have you updated your virus definitions lately? And don't forget about that spyware update
03-28-2007, 10:17 PM   #9
Lyte

Quote:
Originally Posted by AngelArs
BTW-have you updated your virus definitions lately? And don't forget about that spyware update
Oh... I'm well protected!

Lyte
02-06-2008, 10:44 PM   #10
lifetech

Windows is a secure OS because it has been thoroughly tested by a lot of Microsoft programmers, but few Linux/Unix which are free open source are buggy, but we have to remember that the root password mechanism in Nix operating systems makes data safer than in Windows, as simple viruses cannot attack like they do in Windows.

Data in Windows are never secure... who owns the file... no one... no chmod... everything is there in nix (short form of Linux/Unix-based OS)