Is Windows more secure than Mac?

I always loved Apple commercials for the Mac; it was always fun to see the new jab they would take at Microsoft.  I specifically got a chuckle out of the claims that the Mac is so super secure and Windows was plagued with security issues.

In reality, though, Mac OS has more vulnerabilities on a month-to-month basis than Microsoft Windows.  I brought this up in a previous post, Apple Joins the Army, and referenced an article with the exact statistics.  If I remember correctly, the average monthly vulnerability count on the Mac platform was five times higher than on Microsoft Windows.

I was reading this article today about Marc Maiffret, an ex-hacker who turned professional.  Featured in People Magazine’s 30 People under 30, he is definitely someone to listen to.  I immediately thought of Kevin Mitnick but that’s another story.  Marc is a co-founder for eEye Digital Security and now works as Chief Security Architect at FireEye.

He goes on to mention that he believes Microsoft does a better job auditing their code than Apple.  I would take this further: many Mac users do not take security seriously, and many do not run any third-party security products.  Until recently, many security vendors did not create products for Mac OS.  Apple commercials would lead you to believe the Mac is super secure and not vulnerable to hackers, viruses, and other forms of malicious software.

Apple has two things in their favor regarding security.  First, Mac OS is based on Unix and inherits a lot of security developed over many years.  The second reason, which I think is more significant, is that no one used to care about hacking Mac OS outside of academic reasons.  As of December 2009, Microsoft Windows had over 92% market share compared to Mac OS at just over 5%.  Hacks built for the Windows OS can reach a larger user base and yield an exponentially higher ROI to hackers.

Although I am a big fan of Firefox (albeit far from perfect), Microsoft has made impressive improvements to the security of Internet Explorer.  Ever since Bill Gates released his Trustworthy Computing memo in January 2002, Microsoft has shown significant attention to security.

Adobe patches more bugs

Last Thursday, Adobe patched 12 bugs in their Flash application, three of which were caused by Microsoft.  For at least a week, hackers have been exploiting at least one of these vulnerabilities.  You can find the full details of the security bulletin on Adobe’s website under Security Advisories.

The report refers to ten vulnerabilities that can potentially lead to compromised systems by allowing hackers to execute their own code.  Windows, Mac, and Linux machines were addressed in this patch, although Solaris is still set for a future update.

On July 10th, Microsoft notified Adobe about vulnerabilities in Microsoft’s ATL (Active Template Library), two weeks prior to the public announcement.  Microsoft’s security team had been investigating ATL for flaws since early 2008.  “[Microsoft] was moving very fast to pull resources together to help us do triage on our products,” said Brad Arkin, Adobe’s director for product security and privacy.

“The hard part was determining what was vulnerable,” said Brad. “It’s easy to rebuild a test version, but then we had to make sure [that] works and make sure we didn’t break it.”

Patched versions of the Flash Player for Windows, Mac and Linux can be downloaded from Adobe’s Web site.  Users can also use Flash’s built-in automatic update mechanism to grab the new versions.

It is a step in the right direction to see Adobe take vulnerabilities in their products more seriously and address these issues in a timely fashion.

Adobe acknowledges the importance for security

Many agree that Adobe has never responded quickly to security vulnerabilities in their popular products. Known vulnerabilities would take weeks, and in some cases months, before being addressed. Most recently, in February, Adobe confirmed a known vulnerability in their Acrobat PDF software and admitted the vulnerability was actively being used by hackers. Brad Arkin, Adobe’s director for product security and privacy, says this event is what prompted a new security practice.

Adobe has started reviewing the code in Adobe Reader and Adobe Acrobat products and is identifying “at-risk areas” that will be addressed and ultimately re-written. “We’re going to broadly look at the whole application, but focus on at-risk areas, where we’ll do threat modeling, static code analysis and look for potential vulnerabilities,” said Arkin. “We’re going to do a lot more pro-active work,” he promised. “We want to shake loose vulnerabilities.”

Arkin promises a regular patching cycle and, in fact, will deliver patches the same day as Microsoft. Although their patch cycle is quarterly, not monthly, the patches will be delivered on the second Tuesday of the month. This schedule has not officially started.  Arkin also mentioned that JavaScript will not be disabled by default in future builds of Adobe Acrobat products.

More information on Adobe Acrobat’s new security initiative can be found on Adobe’s Asset blog.

Microsoft finally patches URI handling flaws

If you have heard of maliciously rigged PDF files, then you have probably been waiting for Microsoft to patch this vulnerability, which they originally blamed on Firefox back in July. Known attack vectors exist in the following applications when used with Internet Explorer 7:

  • Mozilla Firefox (2.0.0.5 and lower)
  • Skype (3.5.0.238 and lower)
  • Adobe Acrobat 8.1
  • Miranda 0.7
  • Netscape 7.1
  • mIRC chat for Windows

Back in early October, Microsoft released Security Advisory 943521 about the vulnerability and reports of remote code execution, with the promise of a new patch. As of today, the patch has been released as security bulletin MS07-061.

Windows XP and Windows 2003 Server systems using Internet Explorer 7 should apply this patch as soon as possible.