updated 11:55 am EST, Tue December 18, 2007
Windows Security in 2007
Microsoft may have readily eclipsed Apple in reducing the number of high-risk security vulnerabilities over the course of 2007, according to a list of Secunia notices compiled by ZDNet. While the security firm reported a lower number of security holes for Windows Vista than its XP predecessor, dropping the number of reported flaws from 32 to 20, all versions of Mac OS X produced a total of 243 flaws -- all but two of which are "highly critical" gaps that could significantly compromise a system if successfully exploited, according to Secunia.
The shared tally of Windows flaws amounts to 44, 27 of which were "highly" or "extremely" critical for the software. Secunia does not distinguish between Tiger and Leopard in the update, making it difficult to determine whether Leopard has improved overall security.
Crucially, Apple has also left a higher percentage of these attack vectors unpatched. Roughly 23 percent of all known vulnerabilities have not been fixed and could lead to denial of service 'flood' attacks or similar attacks if the OS is breached, Secunia says. About 15 percent of Windows XP exploits have been left open, while only 5 percent remain for Vista. It is unclear whether these statistics include flaws patched with the 2007-009 Mac OS X update, though the overall list includes vulnerabilities updated as recently as today.
The notice contradicts frequent claims of higher security for Mac OS X and highlights the potential risks associated with using a UNIX-based operating system as an OS foundation. Mac OS X frequently suffers from the same flaws that surface in FreeBSD, Linux, and other connected operating systems, the notes show.
It is unclear at press time how many of the reported Secunia gaps are the result of common code base issues, though some of the unpatched issues relate to VPN or to UNIX services, many of which can only be exploited by a user in front of the physical computer itself. Secunia also does not typically create a detailed list of active, "in the wild" viruses and other exploits, which are largely believed to be far smaller in number for Mac OS X than for Windows.