Re: @AC
It wasn't me that actually downvote your comment, however cannot agree with your claims.
1) not arguing the numbers, however they might be different.
2) as far as Apple is concerned, their decision to let exploitable version of Java linger on users machine (when it shouldn't have been there in the first place, even patched) is what Apple managerial position, and proprietary attitude is all about. Yet, it has nothing to do with overwhelming number of "supposed" vulnerabilities, while in the case of MS we can recall stuxnet (and its kins), conficker etc
3) the defacement statistics looks pretty fishy, and this is why:
a) 1,126,987 a year means 1126987/(365*8*60^2)=.107 per second, or about 1 every 10 seconds (taken a typical 8-hour work day). This is only for Linux systems , there are more. And it's a human task, you can't automate it, since you have to verify the actual defacement took place, not like the stats done by netcraft, for instance.
So the numbers are most probably exaggerated.
b) even if you know the numbers are accurate, how would you know what system each defaced system runs. Netcraft database could be used, but still, there should still be be unknown ones, since some don't publish their http tokens (or do it partly only) . Both OS and server, yet they have a finely grained stats, where every vendor seems to be represented, pretty strange.
c) and even if b) is right getting to know what exactly was used as an exploit would be even more challenging, you have to verify a CMS, kernel version for each case. In the Windows case it would be easier, since there is much less variations... Unless the victims find out and report you, or the perpetrators do it and you buy their claims.
I can't really buy these numbers, sorry.
Biting the hand that feeds IT
