Mac OS X is full of holes

Dec 18, 2007 16:12 GMT  ·  By

Do you think that Windows Vista and Windows XP are security disasters? Well, in all fairness, chances are that indeed you would think that. Traditionally, the Windows platform, no matter the actual label of the iterations, has not been associated with a bulletproof operating system. Mac OS X and Linux, on the other hand, come with a natural end user perception of security. But at the same time, and this is a direct result of Apple's irresponsible marketing techniques, OS X has somewhat of an aura of impermeability to malicious code.

In fact, among the list of reasons delivered by the Cupertino-based software company as incentive to grab a copy of the latest cat, Mac OS X 10.5 Leopard, Apple states: "It's secure. In a world where PCs constantly do battle with viruses and malware, Mac OS X is a sea of tranquility. Just go about your business and Mac OS X minds the fortress. Your documents are safe even if you share your Mac with others, and you can keep your kids safe by using a rich set of parental controls."

Sea of tranquility? Fortress? The immediate consequence of such "descriptive" epithets for OS X security is the fact that Apple users generally run the operating system without a security solution. In fact, OS X users even deride Windows for the constant and immutable need to run an antivirus. But, OS X is not a fortress. Not by a long shot.

Case in point the December 12th, 2007 Apple Security Update 2007-009. With the update, the Cupertino-based company patched no less than 31 security holes impacting a variety of products, but with Mac OS X 10.4 Tiger and Mac OS X 10.5 Leopard taking center stage. Although Apple does not rate security flaws in accordance to a severity rating, almost half of the vulnerabilities allow for the execution of arbitrary code. This is equivalent with a Critical label judging by Microsoft terms.

In order to make a comparison between Vista and Leopard, you would have to consider that Microsoft has released a total of 12 Critical security bulletins for its latest Windows client, in the entire period since its launch, for over a year, judging according to the business release in November 2006. Out of the 18 patches impacting Leopard, no less than eight can be considered critical, as the vulnerabilities allow potential attacker to run arbitrary code on an affected platform.

That's eight in a single month. Now in all fairness, Microsoft's security bulletins account for more vulnerabilities in some cases, as a single release can address multiple holes, but by the looks of it Apple's really catching up with Leopard. And when it comes to malicious code, last I checked Sunbelt had an extensive list of websites serving the TrojanDNSChanger Trojan Horse (just scroll down and read the posts). And all that malware needs its vulnerabilities, well, Leopard and Tiger have plenty of those.