Secunia Vulnerability Report Accusing Apple Dismantled

AppleInsider has taken the aforementioned Secunia vulnerability report to task, dismantling the claim that Apple has the highest number of security holes.

Secunia’s vulnerability counts reset when Microsoft changes the name of its product, but continue to accumulate for Apple because the company hasn’t rebranded Mac OS X since 2003, when Secunia began keeping track. Browsing Secunia’s database, it appears Mac OS X has suffered from hundreds of vulnerabilities while Microsoft’s Windows has racked up far fewer, but that’s only because Microsoft’s regular rebranding efforts reset Secunia’s clocks.

At the same time, Secunia does not break up Apple’s vulnerability counts by each reference release of Mac OS X, so its current vulnerability listings date back through Jaguar, Panther, Tiger, and Leopard, as well as the currently installed base of Snow Leopard.

How Secunia arrives at its totals is also puzzling, as according to its own statistics Apple’s Mac OS X was affected by 6 “advisories” in 2010, only one of which has not yet been patched. That issue is rated as “not critical” and can only be exploited by local users.

This is the article I should have written, but unfortunately I did not have the time to conduct the necessary in-depth research to write such an eloquent response to the obviously bogus report. AppleInsider should be praised for clearly articulating their dissection of the claims made in the report, especially since Secunia carries a lot of weight in the security industry.

It is obvious Secunia needs to tweak its methods to depict the operating system vulnerability landscape more accurately. The first thing Secunia needs to do is retract the graph, which is what most people are paying close attention to. A visual representation of the number of vulnerabilities, with Apple sitting atop the chart, clearly does the security industry an injustice by not accurately reporting the current vendor vulnerability situation.

Apple Beats Microsoft in Security By Having More Holes, At Least According to Secunia

Although Mac OS X has remained virtually free of any large-scale virus or malware outbreaks, according to a report released by security firm Secunia, the operating system ranks at the top of the most-vulnerabilities chart in terms of the sheer number of exploits available.

Mac OS has remained relatively untouched by major viruses and hacking efforts in the past, as most ne’er-do-wells may have considered the operating system’s market share and thus potential for private information less enticing than those of Microsoft’s Windows. With the rise of Mac market share and the popularity of the iPhone, however, there is little doubt that Apple platforms will become major malware targets in the near future.

Surely this is rather unbelievable to most people, who expected to escape from Microsoft security vulnerability hell by switching to Mac OS X. Apparently the numbers do not lie; however, I cannot help but feel the numbers are somewhat off.

I own a Mac at home but administer Windows XP at work, insofar as I am a network security professional whose job is to protect the network from bad guys and evil corporations incapable of adequately programming their software. Thinking back over the last couple years, I cannot fathom how Secunia came to the conclusion that Apple has a higher number of vulnerabilities than Microsoft. It is unbelievable, especially considering the large number of Windows patches I am required to push out on a monthly basis. Contrast that to the number of Apple patches I’ve installed on my home laptop and it just feels like the scales are tipped towards Microsoft by a large margin.

Check out the report for the full details.

Update: I failed to seize the opportunity to dissect the crappy Secunia report, but AppleInsider has taken charge, clearly dismantling the claims that Apple has the highest number of vulnerabilities. It is a wonderful read and is essentially the article I should have written.

Windows Zero-Day Installs Rootkits from Infected USB Drives

A recently discovered flaw in how Windows handles shortcut (.LNK) files is being exploited to install malicious software, which then gains administrator-level access by covertly installing a rootkit.

Microsoft has already warned users, in Microsoft Security Advisory (2286198), that hackers are exploiting an unpatched vulnerability in the Windows Shell component, where Windows incorrectly parses shortcuts. Since the warning, Microsoft has confirmed what researchers discovered: the exploitation stems from an issue with shortcut (.LNK) files. The vulnerability can allow malicious code to be executed, most likely through removable drives. The malware includes a Trojan horse that can run attack code to download a rootkit and then remain undetected while running.

Several versions of Windows are affected by the Shortcut flaw, including Windows 7 and the now-unsupported Windows XP SP2 (Service Pack 2; as of July 13, 2010, Microsoft no longer provides security updates or support for Windows XP SP2). Researchers have noticed that malware exploiting the Shortcut flaw mostly comes from infected USB drives.

There is a strong chance anti-virus software would not have caught this malware, mainly because it is a 0day but also because it is becoming exceedingly difficult to adequately detect rootkit installations. There is strong evidence suggesting the attackers will take advantage of this vulnerability to spread malware through Windows XP SP2 installations, since Microsoft is opting not to offer a patch for that version of the operating system. A lot of SP2 installs are floating around the internets, for some reason completely ignoring the fact that Microsoft released XP SP3 well over 18 months ago.

Windows XP Given Reprieve Through 2020

Microsoft has caved in to the loud demands of their customers and announced Windows XP will be sticking around on the operating system scene for another ten years. Yes – ten more years with XP. Its default Playskool-like blue interface will continue to irritate more people than those who admit to enjoying the godawful GUI through 2020.

Prior to shipping Windows 7, we communicated that end-user downgrade rights provided in the software license terms of Windows 7 Professional or Windows 7 Ultimate editions preinstalled on a new PC would allow a customer to downgrade to either Windows XP Professional or similar Windows Vista versions for 18 months, or until the availability of SP1, whichever came sooner. Generally, PC manufacturers are in the process of ramping down Windows XP downgrade facilitation options that some offer today. As background, an OEM’s ability to generally offer downgrade facilitation options (e.g., preinstalling Windows XP Professional on a new PC that includes end-user rights for Windows 7 Professional) ends on October 22, 2010.

This is good news, especially if you have no compelling reason to upgrade from XP to Windows 7. A lot of folks, myself included, continue to run XP and actually prefer the operating system over Microsoft’s newer endeavors. Although many rave about Windows 7, there really is no reason to upgrade if all you do is use XP as a vehicle for launching a web browser to reach the internets.

My main workstation is a MacBook Pro; however, I continue to run an older HP desktop as a backup. It runs XP quite smoothly and is rarely used. Why would someone in a similar situation consider purchasing Windows 7 when Microsoft is committed to continually supporting XP through 2020?

The Odds Are Increasing That Microsoft’s Business Will Collapse

Henry Blodget of Business Insider on the problems Microsoft is currently facing, potentially leading to their collapse:

The world has changed radically in the past few years. The Internet has continued to free app-makers from dependency on Windows or any other desktop platform (and, thus, from dependency on Microsoft). Apple’s iPhone has revolutionized the mobile business, unleashing a whole new wave of personal computing devices. Apple’s iPad seems on its way to supplanting the low-end PC business

Importantly, none of these trends depend in any way on Microsoft’s original monopoly and cash cow, Windows. None of these trends generate so much as a dollar of revenue or profit for Microsoft. (Microsoft is nowhere in mobile. Or tablets. And it is reasonable to think that, in these two huge growth businesses, nowhere is where Microsoft will always be).

Google and Apple are revolutionizing the computing industry, taking away our reliance on Microsoft as the gatekeeper to the PC. The internet has allowed both of these companies to prosper, causing a transformation right before our very eyes. Microsoft, largely monolithic and nowhere near as nimble as their competition, has been unable to adapt to changing times and may suffer the ultimate consequences – irrelevance.

It was a good run Microsoft. Time for watch turnover – the changing of the guard if you will – to a company better equipped to handle the future of personal computing.

Windows and Security: Setting the Record Straight

I’m sure security isn’t the only reason behind Google’s shift away from Windows. But nonetheless, here’s Microsoft’s comeback on the Windows Blog:

There’s been some coverage overnight about the security of Windows and whether or not one particular company is reducing its use of Windows. We thought this was a good opportunity to set the record straight.

When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else. And it’s not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.

It’s not just security, Brandon LeBlanc.

Microsoft Forced To Back Down Against i4i In Patent Case

Kevin Kutz, Director of Public Affairs at Microsoft, said in a statement today that Microsoft will comply with an injunction just upheld against the software behemoth that would have forced Microsoft Word and Microsoft Office off store shelves by January 2010.

“With respect to Microsoft Word 2007 and Microsoft Office 2007, we have been preparing for this possibility since the District Court issued its injunction in August 2009 and have put the wheels in motion to remove this little-used feature from these products. Therefore, we expect to have copies of Microsoft Word 2007 and Office 2007, with this feature removed, available for U.S. sale and distribution by the injunction date. In addition, the beta versions of Microsoft Word 2010 and Microsoft Office 2010, which are available now for downloading, do not contain the technology covered by the injunction.”

Read the full statement at Microsoft Presspass.

Apple Is The Best And Microsoft Sucks

Macintosh is better than Windows, and Microsoft is run by idiots. Apple’s software is open source whereas Microsoft’s software is all closed source and therefore it sucks balls. You won’t get any friends when using Windows, whereas you’ll be the most popular person in the world when using Mac. Simply said, Mac is so much better than Windows.

Read the full story …

Chrome OS – Google Gorilla To Eat Microsoft’s Breakfast

Heads up, Ballmer: the boys at Google are on the hunt. Larry and Sergey are planning a strategic strike at the heart of Microsoft’s flagship product, Windows.

In a recent announcement on The Official Google Blog, Google says they are ramping up a new hopeful in the OS market — Chrome OS.

If Chrome OS runs with speeds anything like Google Chrome (the browser), then Microsoft is staring up the nose of a 300-pound gorilla.

Read the full story …

Searching For Results: A Comparison of Search Engines

The release of Microsoft’s new search engine, Bing, on June 3 was relatively quiet compared to the hype that surrounded events like WWDC. Surprisingly, however, Bing’s progress has been closely monitored and commented on, and the internet has been inundated by tech blogs reviewing the three giants. Not to be left out, TechMiso is joining the fray with its very own review, performed by someone whose job it is to regularly scour the internet for information that doesn’t always seem to be there. Trust me, it’s sort of like mining for gold.

Read the full story …
