An article was recently published about the Army adding Macs to improve security. Although diversifying vendors will usually make you more secure when it is done to support a defense-in-depth strategy, the article itself offers little knowledge or evidence to support the statements made on the Army's part.
Article in Full:
One statement in particular is worrisome: the Army security spokesperson is quoted as saying "Apple's version of Unix is inherently more secure than Windows". Now, I don't claim to know all the facts, but if you look at the links provided below, Mac OS X falls behind in 2007, and in 2004 it has fewer advisories but remains comparable, percentage-wise, in the number of critical vulnerabilities.
Fortunately the article has a counter-argument from Charlie Miller at the end, arguing that the Army needs to step it up with more than Macs when it comes to security strategy. He describes the Mac as "behind the curve in security". He also has a great line: "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house." On the other hand, diversifying is good if you use one product to back up the function of another in the event one fails. So even though the pig's straw house was destroyed, if that pig could get to the third pig's brick house it would still survive.
Articles like this one from ZDNet, where someone throws a query into Secunia and then writes "X is more secure than Y", are always a little weird. Take a look at the data referenced by the article and you'll see a hugely suspicious number of "high" vulnerabilities (sometimes 60+ in a single month). What is going on here?
Well, the first one on the list (http://secunia.com/cve_reference/CVE-2006-0024/) is a weakness in Adobe Flash that exists in both OS X and Windows (this is MS06-020). Oddly, this is listed as a “High” in the OS X column and not listed at all in either Windows column.
Going down the list, it looks like roughly 8 out of 10 of the weaknesses in the OS X column are in open source projects like Samba, CUPS, tcpdump, fetchmail, tar, PHP, and Perl. Others are in code authored by Apple. Of course, Windows offers no support out of the box for tcpdump, Perl, PHP, or extracting tar archives, so in a way a lack of features can be said to improve Windows' security posture.
Should we blame Apple for every security vulnerability in every open source package utilized by OS X? Maybe, maybe not.
Here are some reasonable mitigating factors:
1. Clearly not all users are going to be executing untrusted Perl and PHP while using tcpdump to sniff traffic and launching fetchmail with sudo, so maybe not all of these should be considered “High”.
2. A lot of these vulns are “Crash the Service” attacks. Crashing the CUPS printing service might only be considered a high risk vulnerability to FedEx/Kinkos.
3. Some of these vulnerabilities don’t have proof-of-concept exploits available and have not been converted into script-kiddie friendly attacks.
Also, note that these issues are rated "Extremely critical, Highly critical, Moderately critical, Less critical", but I have two questions:
1. Who assigns these criticality ratings? They don’t appear to be in the CVE entries, so are these assigned by Apple or Microsoft? If so, that might introduce some bias.
2. “Extremely critical” in terms of what? Severity? Exploitability? Overall Risk? I’d assert that Severity is probably the only ranking criteria considered based on the two dozen or so issues I reviewed.
Finally, there are a ton of articles out there on "time to remediation" considerations. Someone will write one of these hastily assembled "Secunia says Windows is more secure than Ubuntu based on the number of vulns found in 2007" type articles, and then someone else will write a counter-article saying "yes, but Ubuntu fixes their stuff in a week and it takes MS months to fix stuff." Apple looks like it is probably somewhere between Linux's super-fast fix times and MS's more measured response times, but I've not analyzed this myself.
In my opinion, the question, “is X more secure than Y” is not something you could even begin to answer by spending 30 minutes on Secunia’s web site and writing a 3 paragraph article. The “data” there really is “data” and not “information.” Plus, the author makes no attempt to discuss default configurations, authorization models, process protection, you name it…
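The comment above argues that a row count from an advisory database is "data" rather than "information": it ignores whether the vulnerable component is even installed and running by default, whether the bug is a crash or code execution, whether a working exploit exists, and how long the fix took. The following Python script is an added illustration of that argument, not code from the post or the commenter. The two platforms ("X" and "Y"), the advisory rows, and every weight in it are constructed for the example and are not real Secunia, CVE or vendor data; the point is that the ranking flips once those factors are applied to the same rows.

```python
"""Why 'count the advisory rows' is not a security comparison.

Added example, not from the page. The platforms ("X" and "Y"), the
advisory rows and every weight below are constructed for illustration
and are not real Secunia, CVE or vendor data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    platform: str
    component: str
    severity: str          # aggregator label as published: "High", "Moderate", "Low"
    impact: str            # what a successful attack yields: "code_exec", "dos" or "info"
    default_enabled: bool  # component present and running in a stock install?
    exploit_public: bool   # working exploit circulating, or only a crash report?
    days_unpatched: int    # days between public disclosure and an available fix


# Assumed weights: remote code execution counts fully, a service crash far less.
IMPACT_WEIGHT = {"code_exec": 1.0, "dos": 0.3, "info": 0.2}
OPTIONAL_EXPOSURE = 0.25   # component is not on by default (assumed factor)
NO_EXPLOIT_FACTOR = 0.4    # no public exploit yet (assumed factor)
WINDOW_CAP_DAYS = 180      # stop penalising ever-longer unpatched windows


def advisory_risk(a: Advisory) -> float:
    """Risk of one advisory: exposure x impact x exploitability x exposure window."""
    exposure = 1.0 if a.default_enabled else OPTIONAL_EXPOSURE
    exploitability = 1.0 if a.exploit_public else NO_EXPLOIT_FACTOR
    window_months = min(a.days_unpatched, WINDOW_CAP_DAYS) / 30.0
    return exposure * IMPACT_WEIGHT[a.impact] * exploitability * window_months


def raw_counts(advisories):
    """The 'X had N advisories this year' number the articles quote."""
    counts = {}
    for a in advisories:
        counts[a.platform] = counts.get(a.platform, 0) + 1
    return counts


def high_counts(advisories):
    """Same count restricted to rows the aggregator labelled 'High'."""
    counts = {}
    for a in advisories:
        if a.severity == "High":
            counts[a.platform] = counts.get(a.platform, 0) + 1
    return counts


def weighted_risk(advisories):
    """Sum of per-advisory risk per platform, rounded for display."""
    totals = {}
    for a in advisories:
        totals[a.platform] = totals.get(a.platform, 0.0) + advisory_risk(a)
    return {p: round(v, 3) for p, v in totals.items()}


def worst(scores):
    """Platform with the highest score under a given metric."""
    return max(scores, key=scores.get)


# Constructed sample: X ships many optional open-source packages with
# quickly fixed, mostly crash-only bugs; Y has few advisories, but they sit
# in default-on components, one with a public exploit, and are fixed slowly.
SAMPLE = [
    Advisory("X", "samba",          "High",     "code_exec", False, False, 7),
    Advisory("X", "cups",           "High",     "dos",       True,  False, 10),
    Advisory("X", "tcpdump",        "High",     "dos",       False, False, 5),
    Advisory("X", "fetchmail",      "High",     "code_exec", False, False, 14),
    Advisory("X", "php",            "High",     "code_exec", False, True,  21),
    Advisory("X", "tar",            "Moderate", "code_exec", True,  False, 12),
    Advisory("Y", "browser plugin", "High",     "code_exec", True,  True,  60),
    Advisory("Y", "rpc service",    "High",     "code_exec", True,  False, 45),
    Advisory("Y", "kernel",         "High",     "dos",       True,  False, 30),
]


if __name__ == "__main__":
    for name, metric in (("raw count", raw_counts),
                         ("'High' count", high_counts),
                         ("weighted risk", weighted_risk)):
        scores = metric(SAMPLE)
        print(f"{name:14} {scores}  -> worse off: {worst(scores)}")
```

On this sample the raw count and the "High" count both say X is worse off (6 vs 3 rows, 5 vs 3 "High"), while the weighted score says Y is (about 0.45 vs 2.72), because Y's few bugs are in code everyone runs, one already has an exploit, and they stayed open for months. The specific weights are arbitrary; the check worth carrying away is that any metric which never asks "is it on by default, what does the attacker get, is it exploited, how long was it open" cannot support an "X is more secure than Y" headline.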
This has made my day. I wish all postings were this good.