On 10/19/07, mike <[EMAIL PROTECTED]> wrote:

> There were 18 security advisories from Secunia for mac os x so far in 2007.
> Seven of these were rated highly critical meaning system level access,
> access to private files etc. The holes are there. Not long ago a hole in
> quicktime was exploited in just a few hours when the winner was offered 10k
> for doing so. I wouldn't go as far as saying mac os is less secure than
> windows, I would say it probably is more secure, but it's not some
> impregnable wall as some mac users believe. Seven critical flaws prove
> that. Interestingly, Vista had six in the same time period.

1. The rating is related to the impact *if* the vulnerability were exploited.

2. The rating is *not* in any way related to how likely it is to be exploited or how easy it is to be exploited.

3. The incident you cite was one where a reward was given to anyone who could exploit a Mac - no one could for the $10,000 offered. So they then changed the rules so that you could have a user download anything they wanted to the machine and then run it. Under those new rules, someone exploited QuickTime. I agree with you that any system can be exploited if you have a user download something and then execute it with sufficient privileges.

4. If you think about 1 and 2 above, you would wonder why these services don't rate vulnerabilities by how much of a "real world problem" they are. This is, in part, because it is much easier to identify what is theoretically possible than to evaluate the ease of exploitation in the real world.

5. One "real world" example of the impact of all these vulnerabilities: membership in a botnet (which means someone else has enough control over your computer to make it do what he/she wants, pretty much). There are, indeed, Mac, Unix, and Linux computers in botnets today. But each of those constitutes well below 1% of all the compromised computers out there. Using this "real world" measure (come up with your own, as well), Windows vulnerabilities are the primary cause of spam and denial-of-service attacks worldwide. By at least a 100-1 (probably more like 10,000 to 1, but detailed statistics aren't available), Windows vulnerabilities are more severe than any other OS on the Internet.

--
John DeCarlo, My Views Are My Own