Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

OS X, iOS and Linux have more vulnerabilities than Windows


  • Please log in to reply
27 replies to this topic

#1 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 24 February 2015 - 10:25 PM

BetaNews has a posted a story stating that OS X, iOS, and Linux have more vulnerabilities than Windows. This information was based off of a GFI blog post where they analyzed the information found in the National Vulnerability Database. The National Vulnerability Database is a repository of known vulnerabilities found in operation systems and applications. This site is a product of the NIST Computer Security Division, Information Technology Laboratory and is sponsored by the Department of Homeland Securitys National Cyber Security Division.
 

In fact, in 2014 it is OS X that was found to be riddled with the greatest number of security problems -- 147 in total, including 64 rated as high severity, and 67 as medium. Also from the Apple stables, iOS did not fare all that much better: 127 vulnerabilities including 32 high and 72 with a medium rating. The latest version of Windows -- Windows 8.1 -- was found to have 36 vulnerabilities, and its predecessors -- Windows 8 and 7 -- both had the same number.
[...]
Microsoft might celebrate coming ahead of Apple and Linux in one department, but Internet Explorer was found to be the most insecure web browser. IE had 242 vulnerabilities, compared to 124 in Chrome, and 117 in Firefox.


OS-chart.jpg
Top operating systems by vulnerabilities reported in 2014 as calculated by GFI.
Image courtesty of GFI


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


BC AdBot (Login to Remove)

 


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:05:59 PM

Posted 24 February 2015 - 10:33 PM

This doesn't take away the fact that 99% of malware is written for Windows desktops and Android though.

 

But good to remind us all that we are not impervious to malware, no matter what OS we use.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:59 AM

Posted 24 February 2015 - 10:35 PM

Related topic here.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,567 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:59 AM

Posted 24 February 2015 - 10:43 PM

My question is if the numbers for Linux and OS X are for all versions, then shouldn't we tally up the windows vulns too?

#5 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:05:59 PM

Posted 24 February 2015 - 10:45 PM

Good point Grinler. And not all Kernels are created equal either...



#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 24 February 2015 - 10:55 PM

If all versions are tallied up then Windows is still the king of vulns :P

Alex

#7 RobertHD

RobertHD

  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:06:29 PM

Posted 25 February 2015 - 01:06 AM

ah! but 7 and 8 have both the same number OS X and ios has more vulns then ms


Robert James Crawley Klopp


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,070 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:59 AM

Posted 25 February 2015 - 02:29 AM

My question is if the numbers for Linux and OS X are for all versions, then shouldn't we tally up the windows vulns too?

Fabian said in chat yesterday that he thinks the vulnerabilities for Windows are roughly the same ones for each OS listed there other than a couple of specific ones. He also suggested that perhaps they are using the latest version of MacOS. The table is definitely confusing however.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:03:59 AM

Posted 25 February 2015 - 10:53 AM

The title should probably be changed to 'had', as they've all (to my knowledge) been patched.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#10 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:01:29 PM

Posted 25 February 2015 - 01:25 PM

Considering the wide range of audience and popularity of Microsoft, a medium / below vul cannot be considered as same as that of a product which has lesser audience.
Another factor to be considered is, the time which was required for initial hotfix/final patch and the (mis)use of indexed vul in wild....
But the listed are only the publicaly announced, a lot more to come..... :)
Regards : CV                                                                                                    There is no ONE TOUCH key to security!
                                                                                                                                       Be alert and vigilant....!
                                                                                                                                  Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
                                                     Questions are to be asked, it helps you, me and others.  Knowledge is power, only when its shared to others.            :radioactive: signature contents © cv and Someone....... :wink:

#11 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:05:59 PM

Posted 26 February 2015 - 12:00 AM

I was discussing this with a friend and we came up with some other points to note.

  • Linux is open source, which means you can look directly at the source code, which will also mean vulnerabilities are far easier to tally in an open book by white hats who can patch them before announcing their existence. Where a "hacker" could find far more vulnerabilities than what is listed in the article under Windows, but would not reveal them... and is still exploiting them now.
  • How many of these vulnerabilities were actually exploited?
  • How many of these vulnerabilities are exploitable remotely?
  • Did Microsoft actually announce all of its patched vulnerabilities? I understand that would have been a bad idea... would just attract the patch hackers.
  • Do these figures actually show that Linux and Apple developers spent far more time probing their systems for vulnerabilities and patching them? Therefore making them actually more secure?

I've had to change my opinion about the article now... As a whole I find the article weak and mindless. Flawed and shoddy faux-journalism with a slant attempting to provide possibly misleading conclusions.


Edited by TsVk!, 26 February 2015 - 12:39 AM.


#12 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,080 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:59 PM

Posted 26 February 2015 - 04:58 AM

 

  • How many of these vulnerabilities are exploitable remotely?

Not many.

 

And regardless the Linux community reacted fast and patches were out in hours, Unlike Microsoft, Google has to embarrass them into fixing stuff.

 

Most of the time these vulnerabilities while serious, Do not really affect the average home user much if at all, And as long as you have updates enabled you should be ok.

 

Shellshock was a great example. While it was serious,................... If the average Linux user had UFW enabled it would have protected them against unknowingly running an Internet-facing service that could have been used to exploit it.

 

 

Did Microsoft actually announce all of its patched vulnerabilities? I understand that would have been a bad idea... would just attract the patch hackers.

I agree.

 

 

Where a "hacker" could find far more vulnerabilities than what is listed in the article under Windows, but would not reveal them... and is still exploiting them now.

A great hacker will not share the real gems with anybody.

 

 

Do these figures actually show that Linux and Apple developers spent far more time probing their systems for vulnerabilities and patching them? Therefore making them actually more secure?

You could be right.

 

 

As a whole I find the article weak and mindless. Flawed and shoddy faux-journalism with a slant attempting to provide possibly misleading conclusions.

I wonder if M$ had a hand in this?

 

The average PC user is still safer browsing the net and doing what average users do online on Linux than Windows, And that is a fact.


Edited by NickAu, 26 February 2015 - 04:59 AM.

Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:59 AM

Posted 26 February 2015 - 06:55 AM

Hi,

 

I've said it elsewhere, the linux kernel has had a few serious flaws exposed lately that would've allowed remote code execution with admin rights. I seem to recall at least 2-3 instances since December that were exploitable. The reason it is "of no concern to the home user" is that most home users don't use Linux in the first place. The fact that linux/osx is found to have more vulnerabilities is a direct consequence of the fact that Windows has been tested and pried into for the last 15 years, whereas the other OS got off relatively untouched.  So nowadays MS has multilayered approaches to prevent bugs from becoming vulnerabilities and is paying big bucks to anyone to reveal said bugs to them rather than the black market. Google's strategy to disclose the bug and the exploit publicly when the company is asking for a little more time is debatable.. The norm is to collaborate with the person fixing the bug, rather than exposing them while they're working on the bug because you're harming the user not the software developer. The fact that google also released the exploit makes this even worse, there was absolutely no need for that and only made sure that people could get exploited as fast as possible.

 

This being said, the majority of infections nowadays come from social engineering, which means fooling the user into installing the malware themselves. No admin rights needed or used, no priviledge esqualation, no vulnerability needed whatsoever to infect the user.

When vulnerabilities are used to infect users, they rarely are MS vulnerabilities.. They exploit flash, java, acrobat reader and those vulnerabilities usually apply equally to MS, OsX and Linux as well.. It's just that there's no big money in the sharehold of linux/osx users on the web and we get off free.. "security by obscurity", it's a bad idea, but so far it's working pretty well for us :lol:


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:59 AM

Posted 26 February 2015 - 07:30 AM

Social Engineering has become on of the most prolific tactics for distribution of malware, identity theft and fraud. The attacker relies heavily on human interaction (the weakest link in security) and often involves tricking people in order to achieve the attacker's desired result.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#15 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:05:59 PM

Posted 26 February 2015 - 08:08 AM

I can prove that's true.... check out socialengineeringstatistic.doc.scr

 

edit: this goes for all sites, apps and social media, as well as twitter


Edited by TsVk!, 26 February 2015 - 08:17 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users