George Ou is a braver man than I

ZDNet’s George Ou decided to put the old accepted wisdom that Mac OS X had fewer security vulnerabilities than Windows to the test. So he took a look through all the Secunia advisories on the two OSes, and totalled up the number of vulnerabilities (note – this isn’t the same as the number of advisories, as Secunia, Apple and Microsoft all bundle together multiple vulnerabilities in single advisories).

The results show that, in fact, Mac OS X has had more vulnerabilities over the past couple of years, and that the number of so-far unpatched ones on each platform is relatively small – 3 on Windows to 1 on OS X.

Predictably, the Mac zealots are going ballistic, and accusing George of “bias” simply for digging out facts which show that the Mac may not be the uber-platform they want. One zealot – and he really does deserve the name – thinks George should be “banded” [sic] from writing. Ladies and gentlemen, the bare facts do not lie.

These Mac zealots – who don’t, incidentally, represent the majority of Mac users – remind me of that poster that was up on the wall in Agent Mulder’s office, with “I WANT TO BELIEVE” on it. They want to believe that an OS can be perfect. They want there to be a special fairy-land where Bad People can’t get at their data. And they don’t want to think they might have to actually take some precautions themselves. They want The Mothership to do it all for them.

Comments on this entry are closed.

  • RB

    The key here is your term “facts”. George’s results are disputable, certainly.

  • James Bailey

    It’s patched as of today. How’s Microsoft doing with their unpatched vulnerability?

  • James Bailey

    One other point. OS X security is still nearly perfect. Once again a massive security vulnerability and no one took advantage of it.

    The Mac is more secure because people believe it to be more secure. No one bothers to spend the time and effort to create an exploit for OS X even when the exploit is trivial. In this case all it would have taken is to hijack a popular Mac website. And create a shell script. It is a near certainty that the majority of Mac users visiting the site would be vulnerable.

    Now you can’t claim that hijacking a website is hard. It happens every day and there are literally hundreds of popular Mac websites.

    The vulnerability was trivial to exploit. A few seconds in the Finder to create the file. However long it takes to write the shell script containing the payload. And one line of HTML code to make it download and execute on every vulnerable Mac that visits with Safari.

    So I again ask, why didn’t it happen? You can’t claim obscurity on this one. It is bog standard technology, Unix and HTML.

    I would love someone to do a serious piece on why vulnerabilities aren’t exploited on the Mac web. This is the second one in 2 years and this one is even easier to exploit than the last one.

    I still believe the answer to the question is because Apple has a good reputation for squashing bugs. That hackers just can’t be bothered to create an exploit for a machine that is going to be patched in less than 2 weeks from the publication of the vulnerability. The simple fact that Software Update is on by default makes the box unattractive to attack.

  • James Bailey

    One more point and then I’m done. George Ou didn’t do any research. He is lazy. I want to know how long those disclosed vulnerabilities were open. Was it one day, 3 days, 7 days, 12 months? Clearly the answer to that question is far more important than simple addition.

    So yeah, I do have a problem with his methodology. It isn’t very useful in determining who is more vulnerable.

    And I’ll take the historical record as proof enough that his conclusion is just wrong.

  • http://technovia.typepad.com Ian Betteridge

    I’d certainly dispute the idea that George is “lazy”. His post was clearly labelled as NOT answering the question of which platform was more secure, but simply putting to bed the lie that Mac OS X had fewer vulnerabilities.

    Your point about software update is an interesting one – and it raises another issue. The Mac I’m working on at the moment is running 10.3.9, not the latest OS. That’s because it’s in a corporate environment, where upgrading OS X to 10.4 for 200 seats to get not much significant doesn’t make sense. I wonder how many other “non-current” OS X installs are out there? How few major accounts upgraded? And how much the platform itself is fracturing?

  • James Bailey

    > The Mac I’m working on at the moment is running 10.3.9, not the latest OS.

    I don’t understand what you are asking. Did you download the latest patch? It is for both 10.3.9 and 10.4.5.

    http://docs.info.apple.com/article.html?artnum=61798

    You are making up problems where none exist.

    As for George Ou being lazy we will have to disagree on that. Either he is lazy but sincere or a shill for Microsoft. He had to know that putting out FUD on Mac security was going to cause a firestorm of protest so it would have been in his best interest to actually have all the relevant facts. So, assuming that he is smart enough to understand the difference between a security vulnerability that is open for 72 hours and one that is open for 72 days, why didn’t he go and find out? Even if he had only done it for the unpatched ones, it would have been interesting insight.

    He gets no benefit of the doubt from me. His past writing has shown him to be biased in favor of Microsoft in my opinion.

  • James Bailey

    One more for today. If you need more evidence that George Ou is either lazy or a shill.

    http://weblog.infoworld.com/securityadviser/archives/2006/03/why_does_micros.html

    A choice quote.

    “Currently 23 of the 93 vulnerabilities remain unpatched (according to http://www.secunia.com). That percentage hasn’t changed much over the years. It is the one fact that I cannot dispute with critics. …

    True, most unpatched vulnerabilities are non-critical. But a few are somewhat concerning, even though they are ranked un-important by Microsoft.”

    I have to ask you and maybe you can ask George, how he missed these statistics in his “reporting”. I won’t expect a retraction from him though unless of course he really isn’t a shill.

  • http://technovia.typepad.com Ian Betteridge

    You’d do far better posting this in the comments on George’s story than here. That’s if you really want an answer of course. Although, actually, if you ferret through the 400+ comments, I believe George may have answered this one.

  • James Bailey

    I’m pretty sure he is hopeless. You have shown that you are not. I am responding to your defense of George Ou. I’m assuming that you as a journalist have better access to him as well. Since you seemed concerned about his article, I thought it might be interesting for you to follow up.

    No I’m not going to wade through the comments on the ZD site. They have what could be the worst comment system on the net for reading.

  • James Bailey

    BTW, to make a lie of my previous statement I went and tried to find George Ou’s posts in the talkback section. I found this gem. I’m posting this here to support my contention that he is a hopeless lunatic.

    http://www.zdnet.com/5208-10533-0.html?forumID=1&threadID=18366&messageID=356678&start=101

    Not being left alone

    “you think the hackers would be leaving those highly vulnerable machines alone simply because they are not MS”

    Hacking Mac computers is big since the people that own them are more wealthy. It’s just that you don’t hear about them since criminal hackers don’t want you to.

  • mark

    I would not claim that the Mac is less vulnerable – every OS has vulnerabilities. I do claim that in the current environment, the Mac is more safe.

    In other words, I could leave my wallet hanging out in two different towns. I would be equally vulnerable, but in some towns and not others, I would be a lot safer. The odds of being mugged are much greater in some places and not in others.

    Empirical evidence tells me which town is safer today. Same goes for OSes on the Internet.