George Ou is a braver man than I

The key here is your term “facts”. George’s results are disputable, certainly.

One other point. OS X security is still nearly perfect. Once again a massive security vulnerability and no one took advantage of it.

The Mac is more secure because people believe it to be more secure. No one bothers to spend the time and effort to create an exploit for OS X even when the exploit is trivial. In this case all it would have taken is to hijack a popular Mac website. And create a shell script. It is a near certainty that the majority of Mac users visiting the site would be vulnerable.

Now you can’t claim that hijacking a website is hard. It happens every day and there are literally hundreds of popular Mac websites.

The vulnerability was trivial to exploit. A few seconds in the finder to create the file. However long it takes to write the shell script containing the payload. And one line of HTML code to make download and execute on every vulnerable Mac that visits with Safari.

So I again ask, why didn’t it happen? You can’t claim obscurity on this one. It is dog standard technology, Unix and HTML.

I would love someone to do a serious piece on why vulnerabilities aren’t exploited on the Mac web. This is the second one in 2 years and this one is even easier to exploit than the last one.

I still believe the answer to the question is because Apple has a good reputation for squashing bugs. That hackers just can’t be bothered to create an exploit for a machine that is going to be patched in less than 2 weeks from the publication of the vulnerability. The simple fact that Software Update is on by default makes the box unattractive to attack.

I’d certainly dispute the idea that George is “lazy”. His post was clearly labelled as NOT answering the question of which platform was more secure, but simply putting to bed the lie that Mac OS X had fewer vulnerabilities.

Your point about software update is an interesting one – and it raises another issue. The Mac I’m working on at the moment is running 10.3.9, not the latest OS. That’s because it’s in a corporate environment, where upgrading OS X to 10.4 for 200 seats to get not much significant doesn’t make sense. I wonder how many other “non-current” OS X installs are out there? How few major accounts upgraded? And how much the platform itself is fracturing?

One more for today. If you need more evidence that George Ou is either lazy or a shill.

http://weblog.infoworld.com/securityadviser/archives/2006/03/why_does_micros.html

A choice quote.

“Currently 23 of the 93 vulnerabilities remain unpatched (according to http://www.secunia.com). That percentage hasn’t changed much over the years. It is the one fact that I cannot dispute with critics. …

True, most unpatched vulnerabilities are non-critical. But a few are somewhat concerning, even though they are ranked un-important by Microsoft.’

I have to ask you and maybe you can ask George, how he missed these statistics in his “reporting”. I won’t expect a retraction from him though unless of course he really isn’t a shill.

I’m pretty sure he is hopeless. You have shown that you are not. I am responding to your defense of George Ou. I’m assuming that you as a journalist have better access to him as well. Since you seemed concerned about his article, I thought it might be interesting for you to follow up.

No I’m not going to wade through the comments on the ZD site. They have what could be the worst comment system on the net for reading.

I would not claim that the Mac is less vulnerable – every OS has vulnerabilities. I do claim that in the current environment, the Mac is more safe.

In other words, I could leave my wallet hanging out in two different towns. I would be equally vulnerable, but in some towns and not others, I would be a lot safer. The odds of being mugged are much greater in some places and not in others.

Empirical evidence tells me which town is safer today. Same goes for OSes on the Internet.