And the buggiest OS provider award goes to ... APPLE?

Apple's operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI. Cupertino's OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National …

  1. PCS

    Despite the numbers the devs should be aiming for zero vulnerabilities - no matter what the OS is.

    These numbers prove that nothing is 100% secure and bug-free, despite certain sections of the IT community wearing rose-tinted spectacles.

    1. RyokuMas

      Agreed - there is no such thing as a totally secure system, just one that hasn't had any flaws found yet.

      1. Stuart Castle Silver badge

        My old Software Engineering Management lecturer told us something I think is very true. He said that if you developed a perfectly secure system, you would become very wealthy very quickly, as such a thing is virtually impossible to achieve.

      2. Michael Wojcik Silver badge

        there is no such thing as a totally secure system

        ... because the phrase "totally secure" is meaningless. "Secure" is a relative attribute: it indicates the work factor faced by an attacker[1] attempting to make the system do something it's not supposed to do, or fail to do something it is supposed to do, under a particular threat model.

        To paraphrase John von Neumann, anyone who speaks of a "secure system" in absolute terms is in a state of sin.

        For the same reason, "security" is not solely defined by the system itself. Both what the system is "supposed to do" and the threat model are defined externally and can change. Thus you cannot speak accurately of a system's security as if that is an attribute of the system.

        [1] In this context, "attacker" can be "accident".

    2. h4rm0ny

      >>"These numbers prove that nothing is 100% secure and bug-free, despite certain sections of the IT community wearing rose-tinted spectacles."

      Indeed. I've had numerous arguments with GNU/Linux zealots (note: zealot != user) on here. Say what you want about Windows but no-one has ever sat back and said: "I don't need to worry about security, I use Windows".

      Anything as sophisticated as an OS is going to have flaws. I think most actual GNU/Linux sysadmins are smart enough to know how seriously they have to take security, but there is a second tier of zealots who talk as if GNU/Linux is far ahead of Windows in security. That hasn't been true for quite a long time now, but I still see it routinely on these forums. There was a post here just the other day that said Windows had fewer vulnerabilities than Linux in the last year (as this report suggests) and it got downvoted to oblivion.

      1. Lars Silver badge

        "there is a second tier of zealots who talk as if GNU/Linux is far ahead of Windows in security"

        I believe those guys talk, think about viruses and in that respect they are right, of course. If you have, say, 500 known Linux viruses there are more than a million for Windows.

        But of course viruses are not the only thing there is regarding security.

        If you search for antivirus for Linux you find stuff like this:

        "When You Need an Antivirus on Linux

        Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably want to use antivirus software. If you don’t, infected Windows computers may upload infected files to your Linux machine, allowing it to infect other Windows systems.

        The antivirus software will scan for Windows malware and delete it. It isn’t protecting your Linux system – it’s protecting the Windows computers from themselves."

        I have not downloaded any antivirus for Linux as I don't mix with any Windows machines and still I have used Linux since 97 with no infections so far, but things may change. Nor would I feel secure downloading any free antivirus for Linux as that program could contain just the malware I don't need at all.

        I could imagine there has been a "snowball effect" regarding viruses on Windows, so many to learn from and tweak.

        Then there is, of course, the one and only old explanation about there being more computers running Windows. And why not.

        But then again if you consider how Linux runs the backbone of the internet, more than every second web server on the internet, more or less every stock exchange in the world, big firms like Google, Facebook and similar, more or less every super computer and so forth, I would say it's rather silly to claim there are no interesting victims to hit.

        But anyway software will contain bugs now and in the future.

        Try to stay safe.

        1. Anonymous Coward

          "But then again if you consider how Linux runs the backbone of the internet, more than every second web server on the internet, more or less every stock exchange in the world, big firms like Google, Facebook and similar, more or less every super computer and so forth, I would say it's rather silly to claim there are no interesting victims to hit."

          Presumably why hacking and defacement statistics demonstrate that you are several times more likely to be compromised if you run Linux as an internet facing system than if you run Windows Server...

          Of business servers that do the real day to day work (email, fileservers, database, authentication, web portals, etc.) the overwhelming majority run Windows Server, and its market share is still growing. Windows Server has a 75% market share according to Forbes.

        2. Paul 195

          What have you got against widows?

    3. Anonymous Coward

      PCS +1

      Given the other tens of thousands of applications out there not on this list, the total vulnerability count probably reads like a telephone number.

    4. SuccessCase

      Shoddy Lack of Fact Checking

      This is extremely bad reporting. Really, do some fact checking El Reg. This is a "report" (it in fact isn't a report), it's a badly disguised press release by a security firm who sell services to the PC industry. The database they have trawled is the US National Vulnerability Database, which lists fixed reported vulnerabilities voluntarily reported by companies. There is no equivalence or assurance in terms of how comprehensive vendor reporting is, nor does the database try to pretend there is; all the reporting is voluntary. If a vulnerability isn't reported by the company it isn't reported. If a company reports more fixed vulnerabilities, it will have a higher count on the database; if a company has a ton of vulnerabilities and fails to fix them, it will have a low count on the database. If a company reports vulnerabilities on a precautionary basis that were never exploited, they will appear on the database. In other words the database can tell you nothing about the relative state of security of OS A versus OS B.

      The company that prepared this report works for PC industry vendors. It provides a nice bullet point for PC marketing. There is nothing, nothing, objective or professional about it. Your half-hearted disclaimer in the last paragraph is hardly sufficient to claim objective reporting on this one.

      1. Anonymous Coward

        Re: Shoddy Lack of Fact Checking

        "There is no equivalence or assurance in terms of how comprehensive vendor reporting is, nor does the database try to pretend there is, all the reporting is voluntary."

        Somehow I suspect that coverage of Apple, Microsoft and the Linux kernel is going to be pretty comprehensive...

  2. Paw Bokenfohr

    I don't understand reporting these stats...

    ...as that Linux or OSX has more vulnerabilities than Windows when you then go on to say that 80% of the flaws are with third party software.

    1. Anonymous Coward

      Re: I don't understand reporting these stats...

      but those flaws then often go on to compromise the underlying OS.

      1. Rick Giles

        Re: I don't understand reporting these stats...

        "but those flaws then often go on to compromise the underlying OS."

        That's like blaming Ford or Chevy when your crown air freshener stops working or flies out of the back window and hits you in the head during a sudden stop.

    2. Anonymous Coward

      Re: I don't understand reporting these stats...

      It's no surprise there are more bugs reported against a large number of third party applications (that you may or may not have installed) than those reported about a handful of kernels (which you always have installed).

      Applications may also be very large compared to a kernel (i.e. a database engine).

      Anyway, a kernel bug is usually nastier than an application bug, because it often happens in code executed with high privileges.

    3. NogginTheNog

      Re: I don't understand reporting these stats...

      If the software is included in a distro then it becomes a problem for the OS it's distributed with if it offers a way to compromise the entire system? The open-source ethos relies heavily on bundling 'third-party' software as it makes more sense than reinventing the wheel (and the bugs!).

    4. Anonymous Coward

      Re: I don't understand reporting these stats...

      "...as that Linux or OSX has more vulnerabilities than Windows when you then go on to say that 80% of the flaws are with third party software."

      That means that if you looked at a Linux distribution instead of just the kernel, the Linux figures would be 5 times worse....

  3. Otto is a bear.

    Which begs the question

    If it's that full of holes, and is generally perceived to be used by a high value user base, why are there only a vanishingly small number of attempts to exploit them?

    1. h4rm0ny

      Re: Which begs the question

      You haven't specified a subject but I'm going to assume that you are talking about GNU/Linux. There are two answers to your question (neither mutually exclusive). The first is that you're wrong - there actually aren't a "vanishingly small number of attempts to exploit them". Companies face active attempts to compromise their GNU/Linux systems daily. It is end users who don't see many attacks.

      And that last part leads into the second answer, which is regarding the disparity between attacks on GNU/Linux end users and those on Windows end users. The reasons are fairly elementary. If it takes the same amount of effort to craft an attack on either OS, are you going to direct your malware efforts at the OS that has a huge proportion of the total end users, or the one that has a small proportion? Furthermore, are you going to target the userbase that is a mix of technically competent and technically incompetent people, or the one that is stripped of the technically incompetent people?

      Short version: For back-end systems, your question is actually wrong - both GNU/Linux servers and Windows servers are actively targeted because they have equal value. For end users, the reason for the huge disparity is that the two sections do not have equal value.

      1. Anonymous Coward

        Re: Which begs the question

        Actually I suspect he was talking about the Apple OSs, given they came in top and that we're always hearing about how wealthy/attractive/clever/fashionable/etc. they are.

        1. h4rm0ny

          Re: Which begs the question

          Ah, you're probably right. I don't use OSX so I can't really comment on that.

      2. Anonymous Coward

        Re: Which begs the question

        "I'm going to assume that you are talking about GNU/Linux."

        Assume all you want, but we have no stats for GNU/Linux, only Linux and it has nearly as many holes as **all versions of OS X combined**!

        Now add Samba, Gnome, BASH etc and you can see what an utter dog GNU/Linux is from a security viewpoint.

        1. Eddy Ito

          Re: Which begs the question

          @AC, given they specified that vulnerabilities like ShellShock and HeartBleed were among the vulnerabilities that dinged the Linux kernel we know they are in fact referring to GNU/Linux. We also know that one of the two following things is true, either you are unaware that ShellShock was related to bash and HeartBleed to OpenSSL and not the Linux kernel proper in which case you're too ignorant to comment intelligently or you are aware in which case you are a troll.

        2. Crazy Operations Guy

          "Now add Samba, Gnome, BASH etc"

          OS X contains both Samba and bash, as well as OpenSSL and many, many other GNU utilities, daemons, and packages. After all, OS X, in its current form, is not much more than *BSD with a ridiculously heavy-weight window manager, some extra drivers, and a couple system parameters tuned for the hardware.

    2. This post has been deleted by its author

      1. h4rm0ny

        Re: Which begs the question

        I grew up in the UK hearing "begging the question" in the sense that something immediately demanded an obvious question be asked. So did most people grow up with that meaning around them. It's not like a word such as "whale" where it has a definition independent of common meaning and if someone calls a shark a whale you can correct them. It's a phrase. You have a different and far less intuitive understanding of the phrase which may or may not be older, but is not authoritative - because it's a phrase.

        The only phrase that can be said to be inherently wrong is "I could care less" unless that's actually what someone intends to convey which it seldom is. Other than that I get tired of somebody popping up whenever other people are using a common phrase in the way both they and the listener are used to using it and attempting to tell them they're wrong and they should use the newcomer's definition. Really, such behaviour just begs the question of what they actually want by doing this, my answer to which is that they just like pretending they know more than other people.

        TL;DR: Pedant Fail.

        1. ratfox

          Re: Which begs the question

          You descriptivist!

          1. h4rm0ny

            Re: Which begs the question

            >>You descriptivist!

            The scientist knows something. The non-scientist does not know it. And between the two is the Engineer who actually gets stuff done. I will wear your slur with pride. ;) :p

          2. Michael Wojcik Silver badge

            Re: Which begs the question

            You descriptivist!

            Hardly, with that rubbish about "whale" having some sort of independent meaning.

            Language does not require different ontological categories for different words and phrases. They all have the same status: they are signals used by interlocutors in a dance that attempts to get their audience to converge on a meaning sufficiently similar to their own. To that end speech communities converge toward (but never quite to) a set of interpretations (denotations and connotations, generally weighted and context-sensitive) for any given word or idiomatic phrase. Different communities will have somewhat different sets, and every language user belongs to multiple communities and code-switches. That is all words are. They do not have existence independent of use, much less meaning.

            That said, I too endorse the shibboleth of using "beg the question" for "raise the question"; just as a matter of style. It's unnecessary elevation. It's not quite as bad as, say, using "I" in the objective case ("between you and I" - a vile barbarism much loved by scriptwriters these days).[1] But it sounds affected and it's unnecessary, even if it didn't grate on people familiar with the etymology of the expression.

            [1] That is properly a matter of usage, the pronoun "I" traditionally being used specifically and exclusively for the nominative case. (It's not a "grammatical error", because grammar is not offended. There's a well-formed prepositional phrase there. It's simply an error of using a word in a form that is not traditionally the preferred one.)

        2. Brewster's Angle Grinder Silver badge

          So I can correct you?

          "It's not like a word such as "whale" where it has a definition independent of common meaning and if someone calls a shark a whale you can correct them"

          *cough* whale shark *cough*

          1. This post has been deleted by its author

        3. Anonymous Coward

          Re: Which begs the question

          Well that's one of the most fallacy laden responses I have ever seen!

          First things first, "begging the question" is not a phrase; it is a defined logical fallacy.

          I also grew up in the UK and was taught the correct meaning of "begging the question" at school; it is basically circular reasoning. Asserting that a particular incorrect usage of the phrase by a large number of people makes your use correct is also incorrect; just because a proportion of people use a phrase in that way does not make that use correct.

          The next part of the response is not a discussion of the reason behind the point; it is simply an attack on the person making the post.

          I was lucky and went to a South Yorkshire pit village Comprehensive school where we had a debating society; we were encouraged to learn how to spot fallacies in arguments and how to counter them.

          1. Brewster's Angle Grinder Silver badge

            Re: Which begs the question

            "I also grew up in the UK and was taught the correct meaning of "begging the question" at school; it is basically circular reasoning."

            *sigh*

            The OED lists both definitions, noting that the meaning 'invite the obvious question' is by far the commonest use and has been in print for a hundred years. Neither meaning trumps the other; we are watching language mutate. Of course, avoiding the phrase reduces the attack surface of your prose and decrements its cliché count. But it was perfectly clear what she meant.

          2. h4rm0ny

            Re: Which begs the question

            >>"Well that's one of the most fallacy laden responses I have ever seen!"

            Really? Then allow me to list the fallacies in your response.

            >>"First things first, "begging the question" is not a phrase it is a defined logical fallacy."

            It is most certainly a phrase; it may or may not also be this other thing. False Dichotomy.

            >>"I also grew up in the UK and was taught the correct meaning of "begging the question" at school"

            Assuming the Answer. You declare that it is the correct meaning because you believe it to be so. Were you to argue that it was the original meaning, you would have more of a case perhaps. But even there the phrase in that sense is actually a mistranslation of petitio principii which means "assuming the initial point". It is ironic that you are arguing that your definition is correct because your misuse is old. If you doubt any of this, by all means check and you'll find that I am correct.

            >>"Asserting that a particular incorrect usage of the phrase by a large number of people makes your use correct is also incorrect, just because a proportion of people use a phrase in that way does not make that use correct."

            Two flaws in this one. Firstly, a repetition of assuming the answer (stating it is incorrect therefore my explanation must also be incorrect). Secondly, you argue that words have meaning other than their usage in order to try and show how a minority definition of the phrase is right. This argument carries some weight in some cases - such as my example of someone calling a hammerhead a whale. It has weight because the majority of people have a different understanding; there is a scientific classification that ties to it; and there is an existing better word to use which is "shark". None of these are an absolute argument, but they are all good ones and amount to it being legitimate to correct someone. "Begging the question" isn't a word, it's a phrase with two different meanings. One is a minority use debating term which also has a better and far less awkward alternative which is "Assuming the Answer". Something I know you are familiar with because of your vaunted experience of Comprehensive School Debating Societies. (A rather sad Appeal to Accomplishment, btw.)

            >>"The next part of the response is not a discussion of the reason behind the point it is simply an attack on the person making the post."

            Correct. Just as they began this with an attack on someone else for using a phrase that everyone understood and which is commonly used that way by most people. An attack or insult of someone is not a fallacy unless it is used in lieu of argument. With me, you will find it is always a supplement.

            >>"I was lucky and went to a South Yorkshire pit village Comprehensive school where we had a debating society, we were encouraged to learn how to spot fallacies in arguments and how to counter them."

            Excellent. I suggest you read your own post in that case.

      2. Anonymous Coward

        Re: Which begs the question

        Actually it may well beg the question.

        The OP states that the OS is full of holes and then asks why more exploits have not been seen.

        There is an implicit assumption regarding the number of holes in the OS and this is used as a premise to question the number of exploits. We do not know that the OS has a larger or smaller number of holes than any other OS, so the OP is begging the question in the formal sense; we have to accept the conclusion that there is a large number of holes in order to ask the question.

      3. Anonymous Coward

        Re: Which begs the question

        @Symon:

        Did you even read the Wikipedia article?

        The term "begging the question" originated in the 16th century as a mistranslation of Latin petitio principii "assuming the initial point".[2] In modern vernacular usage, "to beg the question" is sometimes also used to mean "to raise the question" (as in "This begs the question of whether...")

    3. big_D Silver badge

      Re: Which begs the question

      You might say it is full of holes.

      Tim Cook says it is full of stars...

      Oh, wait.

  4. tempemeaty

    Apple OSX, Quick and dirty or...?

    Apple. This is what happens when you insist on a rapid release schedule. Quick and dirty, or at a more practical pace compatible with the quality of a release? (my worthless two cents again)

    1. Slap

      Re: Apple OSX, Quick and dirty or...?

      I've no idea why your post has been downvoted so much.

      I'm in agreement. This yearly release schedule is causing major headaches with the bugs it introduces. Not just the security bugs, of which most appear to have existed for quite some time before being discovered, but the stability bugs - the things that kill otherwise functioning stuff. Hence my main machine still runs Mavericks.

      Apple is well overdue for a "No new features" release.

      1. Mark 65

        Re: Apple OSX, Quick and dirty or...?

        Mavericks? You modernist you. Still on Mountain Lion here as I think the first 3 or so Mavericks releases all had "fix one issue, create another".

  5. h4rm0ny

    This is not a football match.

    I have hope that this comments section will not become a sports match - all of the comments so far have been non-partisan. I guess we'll find out after lunch when the East Coast has woken up and seen this. ;)

    Anyway, I don't think this shows a failure on GNU/Linux's part. I think instead it shows how far Windows has come. Go back to the Windows XP era and this situation was far reversed. XP had a poor security model and was riddled with problems. GNU/Linux has actually improved as well. It's just that Microsoft bit the bullet with Vista and went through the massive pain of re-doing much of their system from the ground up. We're now seeing the long-term benefits of that process.

    And aside from changes to their security model and obvious improvements to their quality control, there's another thing MS addressed which isn't impacting those figures above but is impacting actual daily security a lot. And that is they took some of the responsibility for security back from the user and manage it themselves now. All Windows systems can have Windows Defender / SmartScreen / etc. on and running and any that don't have third party anti-malware software running normally do. Windows Defender isn't fully as comprehensive as something like Trend Micro or Kaspersky, but it does the job and has low impact. The fact that modern Windows installs have proper anti-malware up to date by default now is making a big difference to the general state of end user security.

    1. Anonymous Coward

      Re: This is not a football match.

      Agreed, and compared to Windows 95/98/ME, Windows NT/2000/XP was a veritable fortress.

      Microsoft has come a LONG way, from a relative laughing stock that could not be taken seriously for anything moderately secure, to a reasonably decent platform.

      Such a shame though that coding for it is a royal pain due to its largely NIH-inspired programming interfaces.

      Linux has moved forward in that time, but it didn't have as far to come on the security front.

      It has a LONG way to go on the usability front. People at my workplace complain about how hard Linux is to use, even describe it as "weird", but that is because many of them started with Windows XP (or maybe Windows 98) and didn't see what Linux was like years ago when getting a graphical desktop meant a long session with XF86configurator and a need for deep knowledge of your hardware.

      1. h4rm0ny

        Re: This is not a football match.

        >>"It has a LONG way to go on the usability front."

        I actually find it fine to use, though I will concede I started out with HP-UX and X Windows so I may not be fully calibrated to the average user. But still, I think distros like Mint are out of the box pretty good. I agree it is light years ahead of where it was and I have many memories of hours spent editing xorg files trying to get it to work right.

        The area that I personally think GNU/Linux might want to improve on a bit more is enterprise tools. I'm happy to be corrected on this one if I'm wrong. I have programmed on GNU/Linux professionally and used to use Gentoo as my primary, so I therefore have a reasonable understanding of the principles and how it is put together, but I have never administered a company's Linux systems so I may not have a solid feel for this - like I say, if I am wrong I am happy to be corrected. But last year I encountered Puppet for the first time. I also have had to witness the painful, painful way in which user accounts are being managed across many Linux boxes / VMs. The sysadmins doing all this aren't idiots; they're smart people. So if this is really how things are done in the Linux enterprise environment then they are actually behind the tools that MS provide for this by a considerable margin. Given Linux's stronghold is backend enterprise, I think this is as important as UI refinements, imo.

        Of course it's difficult to find people who are experienced sysadmins of both Windows AND Linux, so informed comparisons are hard to come by. Unlike most of my posts, I won't be arguing in defence of this one either way - these are just my impressions.

        1. Peter Gathercole Silver badge

          Re: This is not a football match. @h4rm0ny

          System administration is one of those areas where Linux has suffered because of the diversity of the distros.

          The one-size-fits-all processes like useradd will do the basic job at hand on the local system, and are pretty similar across all versions of Linux. Once you get beyond this, each of the distros has its own idea of how to streamline this and other admin tasks, and most of these are pretty distro specific. In some cases they are proprietary and closed source to try and generate a revenue stream, and do not interoperate.

          There is not even a consistent package management format across all versions of Linux.

          It is very difficult for a new Open Source package to come along and streamline this. What is needed is a low-level tool that goes in at a suitable level so that it can manipulate the configuration files/databases/objects fundamental in Linux, to provide a consistent system management layer in all distros.

          What you actually get (like with Puppet) is a whole load of distro specific methods layered on top of and driving the specific interfaces for each distro. This works, but is high maintenance, which often means that it becomes paid-for software (again, Puppet is an example of this).

          There are two ways this could happen. One is if the major distros decide to collaborate and produce a common administration interface. The other is for a standardisation body to add the specification of such an interface, and have the distros adopt that standard.

          The former is unlikely to happen, as the distro specific sysadmin stuff is where people like RedHat and Canonical make some of their money. The latter cannot happen as there is no accepted Linux standard or even standardisation authority, and even if there were, it would be dominated by the commercial distro maintainers, because they are the only people who might have resources to invest in a standard, and then we are back to the former point.

          So what we have left is paid-for software or home-grown scripts put together by sysadmins which do the job, but are seen as being messy.

          I can see no way of moving this forward unless someone with big pockets and a lot of influence with the distro maintainers decides to take it on.

          1. h4rm0ny

            Re: This is not a football match. @h4rm0ny

            >>"The former is unlikely to happen, as the distro specific sysadmin stuff is where people like RedHat and Canonical make some of their money. The latter cannot happen as there is no accepted Linux standard or even standardisation authority, and even if there were, it would be dominated by the commercial distro maintainers, because they are the only people who might have resources to invest in a standard, and then we are back to the former point."

            That's a really interesting post, I've just snipped out part of it. It might be optimistic (or naïve according to view) but perhaps there is a third option. Linux grew out of a community of people collaborating voluntarily. Perhaps given there is an evident need, the same can happen again. It may seem unlikely, but then the entire Open Source movement was, and yet people made it happen.

            1. Peter Gathercole Silver badge

              Re: This is not a football match. @h4rm0ny

              It is entirely possible that it could be done as a community project, but the resource involved would probably be too much for a one-man band, or even a small group of people doing it in their spare time, and the necessity to test it against the plethora of distros would be a similarly mammoth task.

              It's easy to have a community project that adds a veneer over the top, because you can break the tool down into modules that drive the documented tools. Getting in at the fundamental layers, where the different distros tend to differ from each other, and where the documentation has not been maintained, or in some cases not even written, is a much harder task, and requires much more research and testing.

              It would be difficult to get such a layer accepted to the extent that the major distro owners would adopt and maintain this common approach in preference to their own distro specific tool.

              If we had had a situation where a fully free Linux had become a de facto standard, then if that distro maintainer was altruistic, they could have incorporated something like this and hoped that it would be picked up by other distros, but it seems unlikely that the increasingly fragmented Linux world will settle on a dominant distro (hell, systemd risks fracturing the community even more than it currently is).

              What with Canonical, a company that was being portrayed as a bit of a white knight a few years back, going in a direction that is unlikely to be followed by other distros, I think the time for a dominant distro is fading into the past. Mint is unfortunately reliant on Ubuntu, and RedHat always had an agenda to try to leverage support contracts from their users. SuSE, which looked like its independence was under threat, appears to have weathered the storm but has lost followers. Debian appears to be going with systemd, which will alienate a lot of people (and will be a nightmare to administer using a tool such as I am proposing).

              I suppose that Lennart Poettering (systemd) could take on an administration tool that would plug into systemd and extend it to cover other sysadmin tasks, but I for one would not trust him to run such a project without making it almost completely unusable/unsupportable.

              Unhappy.

              1. h4rm0ny

                Re: This is not a football match. @h4rm0ny

                There's not much I can argue against in that post. Seems to be (sadly) right on the money. Especially your summary of the main distros. I'm quite sure that Poettering probably would take it on - seeing as there's nothing he's encountered so far that he hasn't tried to vacuum into systemd. But like you, that's not a solution I look forward to seeing.

        2. Fred Flintstone Gold badge

          Re: This is not a football match.

          I have many memories of hours spent editing xorg files trying to get it to work right.

          I still have the occasional nightmare featuring sendmail.cf :)

          I rather liked HP-UX, more than IBM's AIX (use the force menu, Luke). SunOS and Solaris weren't bad either, provided you got GCC installed asap. Ah, memories.. :)

          I think it's a good thing that this apparent myth of invulnerability got cracked, because it ensures people go back to actually paying attention to security. This whole "it can't happen to me" feeling was dangerous IMHO.

          Having said that, I still prefer a Unix derivative over Windows but that has more to do with expertise. I know what to look for to make a Unix derivative safe, whereas someone who works with Windows on a daily basis as sysadmin is always going to be better than me at keeping that platform clean.

      2. Doctor Syntax Silver badge

        Re: This is not a football match.

        " People at my workplace complain about how hard Linux is to use, even describe it as "weird", but that is because many of them started with Windows XP (or maybe Windows 98) and didn't see what Linux was like years ago when getting a graphical desktop meant a long session with XF86configurator and a need for deep knowledge of your hardware."

        To a large extent "hard to use" can translate as "different" but the desktop you're providing can also make a difference. Presumably they'd have come up with exactly the same reaction to Win 8.

      3. RealBigAl

        Re: This is not a football match.

        Personally I found it easier to transition from XP/7 to Linux Mint than to Windows 8. When some friends heard I was using Linux they "didn't want to know about all that command line stuff" until they saw the actual desktop in action and thought it was some version of Windows they'd not heard of.

        The only area Linux falls behind Windows for me is printing, and that's down to manufacturers' driver support (specifically Canon, the bar stewards).

        1. Anonymous Coward

          Re: This is not a football match.

          "The only area Linux falls behind Windows for me is printing, and that's down to manufacturers' driver support (specifically Canon, the bar stewards)."

          CUPS is common to OSX and all the popular Linux distros (it's maintained by Apple), so if a printer is advertised as Mac compatible, it will work with Linux. Often the setup procedure is miraculous when demonstrated to a Windows user, as there's not really an "Add printer" procedure involving drivers and the like. It's all seamlessly handled by CUPS. You join a LAN with a networked printer or plug in a USB printer, select print in your program and a list pops up with every printer it finds as it finds them.

          I have had no trouble with Canon printers, though Lexmark's firmware is better IMHO. Both run Linux internally these days. Epson Inkjets on the other hand can be a bugger.

          1. Anonymous Coward

            Re: This is not a football match.

            It looks like you never used AD and printers. In Windows you can load printer drivers on a server, and have them automatically deployed when a user adds a printer. Users can search for printers in AD (and you can also search for printer features), or printers can be automatically added through group policies. You can set them up per site, so if a user moves it will always find the nearest printers already added.

            Even Plug&Play has been doing for years what you say CUPS does, and since it can look for drivers from Windows Update (or a WSUS server), unless you want the latest drivers from the manufacturer, the printer is added automatically.

            CUPS comes with many drivers as well, but it often lacks specific drivers to exploit specific printers' functionalities, especially the high end photo printers.

  6. cmannett85

    Are issues being found because we are looking harder, or because more are being made, or both? Who knows, as you can't come to any useful conclusion from this data.

  7. alain williams Silver badge

    Comparing like with like?

    It is very hard to see what they are comparing with what. If it is a default install then all operating systems will install a very different collection of applications ... this makes a naive comparison meaningless.

    1. h4rm0ny
      Thumb Up

      Re: Comparing like with like?

      If you read the linked article, he actually breaks it down by GNU/Linux distribution (that's even referred to in El Reg's summary) and he also addresses the breakdown of the vulnerabilities between OS and application. He's actually done an extremely good job here - I'm impressed.

    2. Flocke Kroes Silver badge

      Not comparing at all

      The purpose of the source article is to demonstrate the importance of keeping up to date with the patches with whatever software you are using. No-one gets to sit back and say "I don't need no steeking patches", no matter what OS they are using. The statistics do point at two important security tips not mentioned in the article: "If you do not need it, do not install it", and "If at all possible, turn it off".

      For a proper comparison, you need to know what is being defended, and who it is being defended against. Publicised exploit statistics are not a good source for comparison. I would suggest setting up multiple high value targets with the same budget, regularly pulling the hard disks, comparing the contents to a clean install and seeing which OS survives the longest.

    3. thames

      Re: Comparing like with like?

      @alain williams - "It is very hard to see what they are comparing with what."

      It's easy, he's comparing apples to oranges. For example, I just went to the NIST database and did a few queries of my own. Red Hat Enterprise had a total of 37 vulnerabilities, and that included things like vulnerabilities in Java (which might be better classified as third party).

      So why does all of RHEL have fewer vulnerabilities than the Linux kernel supposedly does on its own? The reason is simple, I took a quick scan over the Linux kernel vulnerability list, and it was dominated by new "releases" such as 3.17 or 3.18. I'm running a fairly new user kernel, and it's only 3.13.

      A "release" by Kernel.org doesn't automatically go into production on RHEL, Suse, or Ubuntu. Kernel development is time based, and each "release" is simply whatever they happened to have when the release date (every few weeks) rolls around. You don't install kernels from Kernel.org unless you are either a kernel developer, or else you are really, really adventurous. Instead, you wait for your distro to test and package one up, and they won't do that until it has been tested. That's not even taking into account the difference between development releases and long term support releases (which I won't go into).

      That doesn't even take into account the fact that the kernel that Red Hat (for example) releases is not the same thing that the central kernel developers released. Red Hat, Suse, etc. add their own fixes and patches, and send the results upstream (with a CVE) as well as to their customers. That's what distros get paid to do.

      To get the equivalent to this for Windows, you would need access to Microsoft's internal bug tracker and then report "oh noes! Windows 12 development version has bugs in it!". Well no guff, non-released development software does indeed have some serious bugs. The question that matters is how many of those bugs make it out into an actual public release that people are expected to use for serious work. Because Linux development takes place out in the open instead of behind closed doors, you get to see all the internal screw-ups before they get fixed that you don't get to hear about when they happen in the development of proprietary code. What matters to you and me though is what gets shipped as a final product.

      So why did GFI spaff out some rather obvious guff? Well:

      a) They really have no idea what they're doing, or

      b) They're trolling for business from panicked users by positioning pumped up numbers in the press.

      I would take a guess that the answer is "a", someone knows how to click on a NIST web form, but has no idea what the numbers really mean. If that's the sort of company you want to pay to handle your security for you, then good luck.

  8. h4rm0ny

    Android

    Android isn't in the list. I went back to the original article and found its entry:

    6 total vulnerabilities: 4 high severity, 1 medium severity, 1 low severity

    This is really interesting. Why? Because the state of actual security of Android in the wild is atrocious. And yet in terms of vulnerabilities the OS itself is pretty low. Why the contradiction? Most people probably are already answering: OEMs. Regardless of whether it should be the OEMs stepping up or Google having set up a different model in the first place, the unpatched and out of date Android systems out in the world are innumerable. Vulnerability stats aren't the only key part of security - update model is a critical part so any discussion about relative security of different platforms needs to include this.

    If Google genuinely thought that their 90 day policy improved security then where they should direct it is against their own OEMs. Either Google is responsible for Android security or it is not. And if it is not (as is frequently stated by those who argue against critics of Android security), then Google should be treating the OEMs the same as it treats other companies such as Apple and Microsoft. Android is currently where Microsoft was in the XP era - fragmented updates across a userbase that is largely security-ignorant. And like Android, MS wasn't selling it directly in many of these cases, but leaving responsibility with the OEMs.

    MS eventually realized two things: One, whether it was the OEMs' fault or not, it was harming them. Two, educating users on security wasn't working. So they took back control and they started putting in their own security tools even though that upset their business partners who sold anti-virus software of their own. Google needs to look at doing the same thing even if it's painful or upsets their OEMs.

    1. Anonymous Coward

      Re: Android

      Many OEMs just don't care. I recently asked ZTE about my phone, which I bought in January.

      Their answer was, "It's a device we designed in 2013, we no longer care about it." So I'm stuck with Android 4.1. Hopefully this phone will last long enough until something that actually meets my needs comes on the market.

      That or maybe I'll just wean myself off the need for a mobile phone and the mobile carriers/phone makers/etc can do without my business.

      1. Charlie Clark Silver badge

        Re: Android

        Your statutory rights are unaffected by the manufacturer's interpretations. You are perfectly within your rights to insist upon repair or replacement if you can demonstrate a defect in the product. IANAL but a known security vulnerability should count. Mention this and a possible trip to the small claims court the next time you speak to them.

    2. Cuddles

      Re: Android

      I don't know that OEMs are necessarily the biggest problem. By far the biggest issue Android has is that idiots will happily install every piece of malware they can find as long as it pretends to be a free fart app. It doesn't matter how secure and up to date the OS might be if the user happily gives all the malware they can find full access to everything.

      1. h4rm0ny

        Re: Android

        >>"By far the biggest issue Android has is that idiots will happily install every piece of malware they can find as long as it pretends to be a free fart app"

        That's what I meant when I compared it to XP and how trying to educate users just didn't work for MS, which was what they tried to do for a long time. Send an attachment saying "BritneySpearsNaked.exe" and half of my colleagues back then would cheerfully infect themselves. :( That's why pretty much every Windows system these days has anti-virus built in by default and tools like SmartScreen. Microsoft gave up waiting for the kids to grow up and just went back into parent mode (for better or worse).

        You can't stop people being stupid, but there's definitely room for Google to work on the same problem with Android.

    3. Anonymous Coward

      Re: Android

      "Android isn't in the list. I went back to the original article and found its entry:

      6 total vulnerabilities: 4 high severity, 1 medium severity, 1 low severity"

      That still sucks compared to say Windows Phone 8 on zero vulnerabilities...

    4. eulampios

      Re: Android

      >>This is really interesting. Why? Because the state of actual security of Android in the wild is atrocious.

      This is doubly interesting.

      I know exactly what tune you're humming, h4rmony, yet let me kindly ask your definition of "security in the wild"? There is a virus/trojan in the lab or in the wild, respectively. Never heard about "security in the wild", though.

      Or is it a number of Android apps lurking "in the wild" awaiting users' installation? The statistics of badware are meticulously compiled by many AV vendors and reflected in the press, not that it goes very well with my own "local" experience...

      If that was the atrocity you're talking about, why didn't you say a word in all of the previous posts about the Windows viruses/trojans atrocious "security in the wild"?

      Even if one discounts viruses, those two atrocities beg to differ quite much though, IMHO.

      1) How do you prevent installing a trojaned application? On Windows -- by using an AV (recommended by Microsoft), often after the installation. On Android -- by analyzing the transparent app permissions before the installation.

      2) The destructive capabilities of an app. On Windows, the installer does not mandate running it as a separate user and usually ends up running as a current user or admin. Android's installer creates a new user for the app, effectively separating the apps away from all other apps and processes.

      3) Third is my experience of not having met a single Windows user that had no malware problem (in the past at least) and likewise, never seeing an Android user that had installed a trojaned app once.

      1. h4rm0ny

        Re: Android

        >>"I know what tune exactly you're humming, h4rmony, yet let me kindly ask your definition of the security in the wild? There is a virus/trojan in the lab or wild receptively. Never heard about "security in the wild", though."

        "In the wild" means real world common usage. So if an OS has fixes for 70% of its vulnerabilities, but most of those fixes aren't installed by the majority of the OS's user base, as is the case with Android, then there is a large discrepancy between the OS in the wild and in the more controlled environments of the vendor and minority exceptions.

        >>"If that was the atrocity you're talking about, why didn't you say a word in all of the previous posts about the Windows viruses/trojans atrocious "security in the wild"?"

        Because the point I was making was the importance of patch release processes and how OEMs are severely damaging Android security and making it a joke in the IT world through their unwillingness to patch things. I didn't go on a tangent about Microsoft or viruses because these are irrelevant to whether or not what I say is accurate. All supported Windows OS installations have access to the latest patches. Most Android ones do not. Hence when I talk about this problem, I'm talking about Android.

        1. eulampios

          Re: Android

          >>..but most of those fixes aren't installed by the majority of the OS's user base, as is the case with Android..

          Despite all this deplorable situation you describe, how many times have you heard about the actual exploits of those vulnerabilities in the wild? How many times did you personally hear from users around you about highjacked Android desktops, Android scareware, sniffed passwords etc? What about the altera pars, MS Windows? As far as I am concerned, I know a lot of users from both of these worlds. The subjective score from my sample is "most to none", that is, most MS Windows users I know have had at least one malware problem before and specifically complained (directly or indirectly) to me about that, whilst no one I know has ever mentioned to me a single Android malware problem on his/her phone or tablet.

          To me, when a "mostly unpatched" system with the "atrocious security in the wild" is less exploited than its counterpart with the mostly patched and "great security in the wild", that is a manifestation of the fact that the former has a much superior security design to the latter.

          1. h4rm0ny

            Re: Android

            Eulampios - an argument about Android vs. Windows security based on your demands about how many times I have personally known a user affected by malware is as pointless as you creating the argument in the first place. I commented about the dire state of Android updates by OEMs and how that needed to be resolved. Why you feel the need to leap in and point at Windows to make it an OS vs. OS battle, I don't know and little care. And arguments about how you personally have never had anyone come to you for help with "highjacked Android desktops" as you put it (!), is no basis for any kind of insight.

            You use the phrase "altera pars" which means listen to the other side. Why do you see things as "sides" or respond to someone pointing out a very real problem in the Android ecosystem with attacks on Windows? You are absurdly partisan and it is, quite frankly, boring.

            EDIT: And as, based on previous experience, you're unlikely to let this go, I'll answer the pointless question with an answer that is equally meaningless statistically: "once". In the last couple of years I can recall one person coming to me with a problem of malware on their Windows machine. They had received one of those fake calls from people claiming to be from Microsoft and got her laptop infected. The comparison number of people who have come to me with problems with an Android phone is zero. So I suppose to you that represents Android being infinity times more secure, does it not? Anyway, most people I know have iPhones and most of those with less money have Windows Phones so far as I've actually paid attention to what my friends use. One has a Meego phone, iirc. Is any of this helpful? No, didn't think so. Maybe at least it will show how pointless you insisting on using such metrics for comparison is, however.

            1. eulampios

              Re: Android

              >>Eulampios - an argument about Android vs. Windows security based on your demands about how many times I have personally known a user affected by malware is as pointless as you creating the argument in the first place.

              However pointless it might be to you, h4rmony, it is not necessarily pointless to the end user that has to deal or not to deal with the aforementioned malware.

              >>Why you feel the need to leap in and point at Windows to make it an OS vs. OS battle,

              Since you're not a moderator of the current forum, you're not to judge my needs, so I will say and comment whatever and whenever I feel and think appropriate. Shutting me up here goes against the "let the other side be heard as well" paradigm you have alluded to.

              On the other hand, although the term "altera pars" is often idiomatically used with audiatur, the 3rd person passive subjunctive present form of the verb "audire", to listen, it just means an-/the other side in Latin and was supposed to mean simply what is said: the "other side". Should've used the neutral koine term "ἡ ἄλλη πλευρά" instead :)

  9. Bruce Hoult

    not consistent at all

    This is pretty silly. Most of the bugs found on OS X were in SSL, bash and so forth that are present on Linux as well, just not in the *kernel*.

    1. Anonymous Coward

      Re: not consistent at all

      Well people keep saying that open source is great because bugs and security flaws get found, then others complain when they are found.

  10. Anonymous Coward

    The writing was on the wall when Tim Cook starting firing some of the long term Apple software engineering guys.

    1. Crazy Operations Guy

      The OS changed way too much for those developers to be useful, which is why most of them were laid off. The OS went from being produced whole-cloth internally with tight integration between the hardware and the OS itself. Then OS X came along and they basically scrapped everything and started over with a NetBSD kernel and a shell over it. A few years later, they went and completely changed the hardware, going from PowerPC to IA-64 bringing a complete change in architecture (CISC in favor of RISC, reversal of endianness, bus changes, etc...). The current iterations of OS-X have far more in common with Windows and Linux than they do with MacOS 9. With all those changes, even the lead architect on OS-9 would be about as useful to the OS-X dev team as a philosopher would be to NASA.

  11. jason 7

    MS could probably close a few of those holes...

    ...if it just switched some of the security options in Windows on by default.

    Will they at least get rid of Admin accounts as the default and integrate EMET into Windows as standard?

    Other than that I feel Windows gets its rap purely due to the size of its user base.

    If there is a flaw in Windows and 90% of the world's users use it then they need to know and the world's media responds in the usual fashion.

    If there is a flaw in OSX then it gets onto a few news articles and is usually downplayed for some reason and then slips off the radar a day later.

    If there is a flaw in Linux then it's posted up on a few forums for those that need to know.

    But at the end of the day if anyone here can write perfectly secure code with 100% reliability then please step forward with your resume...

    1. Crazy Operations Guy

      Re: MS could probably close a few of those holes...

      Microsoft has been trying to push security-by-default for the last several releases, but turning on too much at once ended up resulting in many of the issues in Vista and many of the compatibility issues you see between releases. UAC was an attempt at reducing the impact of giving users admin rights; if they strip everyone of admin rights by default, they'll just go and give themselves admin rights anyway (for the same reason that I see so many Linux newbies just log on as root after becoming frustrated with running sudo when they just want to install a single package).

      The problem is that Microsoft wants to implement new security features, but they also need to pay the bills. No one is going to buy a copy of Windows that they'll have to wait months before software gets properly re-written to run in a secure environment.

  12. MJI Silver badge

    The Apple bugs are?

    Well, are they Apple's or are they BSD's?

    1. Anonymous Coward

      Re: The Apple bugs are?

      I count 24 OS patches across all supported versions of FreeBSD for all of 2014. And that does include some things like OpenSSL (6 patches alone) that are included as part of the OS distribution, but not BASH (Shell Shock) that only affected completely optional software. Also, that is patches, which are generally fewer than the number of bugs discovered.

  13. Tim99 Silver badge
    Gimp

    Apples compared to Oranges

    OK, I admit it - I read the original article. Not the best headline unless Betteridge's Law applies?

    The original article states that Windows 8.x and Internet Explorer combined have 278 vulnerabilities including 242 High Level vulnerabilities. OS X and Safari have 217 including 67 High Level vulnerabilities...

    1. Britt
      Meh

      Re: Apples compared to Oranges

      You can choose your browser but you are stuck with the OS.

      Foundations built upon sand as the old fable goes.

      1. Tim99 Silver badge

        Re: Apples compared to Oranges

        @Britt

        These are client systems, not minimal Debian or OpenBSD server installations that can do useful stuff without a browser - Have you tried running OS X or Windows without their bundled browsers? You can't uninstall the core components on either machine, but you can uninstall a lot more of Safari. I note that Chrome and Firefox also have more high level vulnerabilities than Safari, so if you were using OS X you might not bother.

        1. Britt
          Meh

          Re: Apples compared to Oranges

          That's OK then. It's not like swathes of people click on the "Faster browsing!" button every time people hit up Google is it.

          Once again, if the foundations are less than desirable, no matter how good or bad the applications running on top are, it's still Swiss cheese.

    2. Anonymous Coward

      Re: Apples compared to Oranges

      "The original article states that Windows 8.x and Internet Explorer combined have 278 vulnerabilities"

      But that IE number is the total vulnerabilities for all versions of IE from all current OS versions...

  14. sward

    Stop counting CVEs!

    I can well believe Windows has got to a stage where security vulnerabilities are not as prevalent (relatively - they're probably absolutely more prevalent) as they once were, but...

    Stop counting CVEs!

    It's not even accurate enough for a ballpark figure.

    CVEs are public (after any embargo). Not all security vulnerabilities are made public, and Microsoft are as guilty as, if not more than, any other vendor. It's CVE counts like this that actually encourage vendors to avoid disclosure if at all possible.

    Microsoft handles its own CVEs, as do other vendors such as Red Hat. Sure, they all have guidelines on what to issue CVEs for, but all CVEs are not equal. A single CVE identifier is supposed to cover one issue, yet Microsoft has been known to issue one CVE covering many vulnerabilities.

    Disclosure of security vulnerabilities is not exposure to security vulnerabilities. The timely disclosure of vulnerabilities is more likely to prevent exposure because it gives those actually maintaining the systems the opportunity to mitigate the vulnerabilities. The very fact that Microsoft complained about Google's 90-day disclosure policy, that's ~3 months by the way, means they are not fixing vulnerabilities they know about in a timely manner. You can't assume that just because a vulnerability is not widespread public knowledge that attackers don't know about it. This goes even more so for a vulnerability that has already been reported to the vendor -- at least one other actor, the reporter, knows about the vulnerability, and you should assume that others do too.

  15. Anonymous Coward

    Lies, damned lies...

    "more nasties in Mac OS ... than in Windows"

    This is true only if you compare apples and oranges.

    The table shows that, if you combine all versions listed, Windows OS has 248 vulnerabilities, making Microsoft the clear winner/loser (always assuming that no nasty is double-counted).

    Statistics can be tricky - but they're not that tricky.

    1. h4rm0ny
      Facepalm

      Re: Lies, damned lies...

      >>"The table shows that, if you combine all versions listed, Windows OS has 248 vulnerabilities, making Microsoft the clear winner/loser (always assuming that no nasty is double-counted)."

      Do you really think that most of the vulnerabilities listed for "Windows 8.1" are not also vulnerabilities in "Windows 8"? That there isn't massive overlap between the different versions and you're not just counting the same vulnerability twice? Maybe we should add up all the different Linux distributions and make Linux the worst OS instead of OSX? It's using the same logic you just have!

      "Statistics can be tricky - but they're not that tricky."

      Too tricky for you, nitwit.

      1. Anonymous Coward

        Re: Lies, damned lies...

        "Too tricky for you, nitwit."

        As the nitwit in question, I should maybe point out that language can be tricky too, especially if you ignore part of what's written. Didn't you notice what I said about double counting?

        There is no evidence in the article which enables anybody to say how many vulnerabilities in Win 8 also affect Win 8.1 (to use your example). There may be 'massive overlap', as you suggest - but, on the basis of the table we have, all we can say for certain is that it is between 0% and 100% (inclusive). At least, that's all I can say - and that's all I did say.

        1. h4rm0ny

          Re: Lies, damned lies...

          >>"As the nitwit in question, I should maybe point out that language can be tricky too, especially if you ignore part of what's written."

          Yes, I did. You put a minor get-out clause in there and then proceeded to roll forward with your conclusion anyway.

          >>"There is no evidence in the article which enables anybody to say how many vulnerabilities in Win 8 also affect Win 8.1 (to use your example)."

          It doesn't need to be in the article. We can bring the context ourselves. Windows 8.1 and Windows 8 are overwhelmingly the same code base and this is trivial to check by inspection if you doubt it. 8.1 is mostly some GUI changes. One would have to be entirely ignorant of this fact to think summing the total of two different versions of Windows was a legitimate comparison to a single version of OSX.

          >>"At least, that's all I can say - and that's all I did say."

          That isn't all that you said. You titled your post "lies, damned lies and statistics", stated that it was comparing apples to oranges and declared Microsoft to be the "loser" with a small admission that it might not be true. When anyone with any context would rightfully throw out the idea of summing the bugs from 8 and 8.1 after a moment's thought. Your entire post is based on a premise that is trivial to show is wrong. That you acknowledge the premise doesn't mean it's not silly to hold it up as a reasonable possibility.

          1. Anonymous Coward
            Anonymous Coward

            Re: Lies, damned lies...

            "8.1. is mostly some GUI changes"

            It was a 3.6GB download on top of Windows 8. That's a lot of GUI...

            1. h4rm0ny

              Re: Lies, damned lies...

              >>"It was a 3.6GB download on top of Windows 8. That's a lot of GUI..."

              That update pack incorporates the majority of the patches and updates that were issued to Windows 8 in between 8 and the release of 8.1. What you downloaded isn't just updates to the UI, it bundles together all of the intervening changes that Windows 8 receives as well.

    2. Paul Hampson 1

      Re: Lies, damned lies...

      I think you might not have understood the numbers. They describe vulnerabilities found that affect each system. Consequently, the same vulnerability can affect more than one version and is represented in the numbers multiple times. It therefore makes no sense to sum the numbers for Windows since the total is meaningless. An easy to see example is the comparison of v8 to v8.1 figures, which are identical because they share so much code that the vulnerabilities tend to work on both.

    3. Anonymous Coward
      Anonymous Coward

      Re: Lies, damned lies...

      "The table shows that, if you combine all versions listed, Windows OS has 248 vulnerabilities, making Microsoft the clear winner/loser (always assuming that no nasty is double-counted)."

      Well they will be double (or more!) counted if you add together all different Windows OS versions - and compare to one Mac-OS version....

  16. jason 7

    I think the long and the short of it is...

    ...whichever OS you choose, you cannot afford to be complacent.

    We all need to accept that our fave OS could bite us at any time.

  17. jbuk1

    Why no Windows Server 2008 r2 or 2012 R2?

    They do realise that 2008 and 2008R2 are completely different OS's. One based on Vista and the other on Windows 7.

    I hope they're not bundling them both in together as 2008.

  18. Roo
    Windows

    "For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version."

    If Florian gave a fuck about producing an accurate or useful picture for the punter, all he had to do was pick a distribution, and take an inventory of the kernel revisions that got punted with that distro over the year. It's not hard, the information is in the public domain.

    Instead, Florian has decided to use a methodology that produces a figure that isn't representative of what a real world Linux user would encounter (because in practice distributions ship a small fraction of the kernel revs that are out there), but just happens to be the biggest possible value he could arrive at with the least amount of effort.

    He really shouldn't have bothered.

    1. Roo
      Windows

      Care to elaborate on the reason behind the down vote or are you simply trying to bury bad news for a shilling ?

    2. Bleeding Hedge

      Chalk and 492 variants of cheese

      Talking about 'Linux' is a bit like talking about 'cheese'. There are so many different distros - some are based on kernels and repositories that are months behind the latest releases and are more likely to have bugs and security flaws.

      Also, being open source, Linux software is generally more open to scrutiny. Flaws are published as they are found whereas proprietary systems often have flaws going back years that the manufacturers have been keeping quiet about.

    3. Anonymous Coward
      Anonymous Coward

      "If Florian gave a fuck about producing an accurate or useful picture for the punter, all he had to do was pick a distribution, and take an inventory of the kernel revisions that got punted with that distro over the year."

      But then he would have had to include all the other software in a Linux distribution - which would be ~ 5 times more vulnerabilities according to the article...

  19. Doctor Syntax Silver badge

    When it comes down to severe vulnerabilities Linux kernel & Windows are more or less level. It's Apple that has the problems. Also that pariah of applications, Flash, comes out lower than IE, Chrome and Firefox but a larger proportion of vulnerabilities are severe. Another oddity: Seamonkey which combines browser and Thunderbird functionality comes out lower than either Firefox or Thunderbird.

  20. Alan Denman

    Obscurity versus no obscurity

    Seems strange that proprietary Apple relies on obscurity so they should really have less 'visible' holes.

    Quite worrying, far more so than the continued non reporting of their often flaky OS systems.

  21. Steve Graham
    WTF?

    Put up or shut up

    A methodology that generates a result that's so much at variance with common experience needs to come with an explanation. Or at least a theory.

    Windows is difficult to make secure because of its structure and complexity, and all the wonderful "features" which seemed like a good idea (to Microsoft) but are now forgotten, but still available (to hackers).

    1. h4rm0ny

      Re: Put up or shut up

      >>"A methodology that generates a result that's so much at variance with common experience needs to come with an explanation. Or at least a theory."

      Who says that it is at variance with common experience? I've generally found GNU/Linux and Windows to be comparable in security (assuming competent admin in both cases) with a slight practical edge to Windows because of their more standardized (imo) release process.

      >>"Windows is difficult to make secure because of its structure and complexity, and all the wonderful "features" which seemed like a good idea (to Microsoft) but are now forgotten, but still available (to hackers)."

      Like being able to pass in function definitions by text to Bash as an environment variable? Shame on you - this is the first out and out partisan post in this thread.

      EDIT: What did I say in my first post here? We'll find out when it gets to lunch time? Lo and behold it hits 12:30 and we suddenly get our first two partisan shots. *sigh*

      1. eulampios

        Re: Put up or shut up

        >>...because of their more standardized (imo) release process.

        Where did you find any standards in Microsoft release process ???

        Or did you mean the patch/update release process?

        1. h4rm0ny

          Re: Put up or shut up

          >>"Where did you find any standards in Microsoft release process ??? Or did you mean the patch/update release process?"

          I was talking about software vulnerabilities and fixes so I thought the context made it clear. Yes, I'm talking about Microsoft's more standardized release process for updates.

          1. eulampios

            Re: Put up or shut up

            >>I was talking about software vulnerabilities and fixes so I thought the context made it clear.

            Sorry, you were talking about the security in the broader sense: >>I've generally found GNU/Linux and Windows to be comparable in security (assuming competent admin in both cases)...

            Since the meaning is clarified now, your

            >> slight practical edge to Windows because of their more standardized (imo) release process

            sounds strange to me. I would rather choose when a vulnerability is fixed within hours or a couple of days of its discovery without any standardization, than waiting weeks for it when it's done once every month on Tuesday.

            Moreover, since on GNU/Linux an update of an application barely requires a reboot of the whole system but only the application in question while many non-kernel MS Windows applications often need the complete system reboot, the practicality edge should be given to GNU/Linux.

            Further, in case of the kernel update a GNU/Linux system would keep the old kernel for the user to boot into in case the new kernel is faulty, so it's hard to end up with "an unbootable MS Windows update" situation. Or, likewise, when most of the entire system installs and updates (consisting of tens of gigabytes of binaries) is standardized through a single update/install mechanism (both front and back end), like apt (aptitude, synaptic, update manager) on Debian-based distros or yum on Red Hat based ones, etc versus a tiny number of mostly MS-based software is a huge, fat practical edge right there.

  22. TRT Silver badge

    Microsoft are doing better...

    at hiding their vulnerabilities.

    Of course, if you factor in uptake and deployment of the OS...

  23. Anonymous Coward
    Anonymous Coward

    Biased reporting

    If you combine all the Windows versions together (as has been done for OS X) then Windows has 248 vulns, that's 100 more than Apple.

    Linux puts in a very poor show of 119 for the **kernel alone**! How many more will Gnome, OpenSSL etc add to that number? F/OSS software is better? Far from it.

    1. h4rm0ny

      Re: Biased reporting

      >>"If you combine all the Windows versions together (as has been done for OS X) then Windows has 248 vulns, that's 100 more than Apple."

      Set theory is not your strong point. As pointed out elsewhere, nearly all of those vulnerabilities will be the same one present in multiple versions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Biased reporting

        That only becomes obvious if you go back to the original report and read the excuse the original author puts out for trying to deceive people.

        If they can't be bothered to present an honest and unbiased view of the information, I can't be bothered to read their propaganda.

  24. Ben Liddicott

    Numbers are irrelevant. All are completely vulnerable

    The only important difference is between zero and one. Until any operating system can actually spend significant periods of time with no unpatched, in-the-wild exploited bugs, they are as bad as each other.

  25. Bronek Kozicki
    Coat

    OSX and Linux

    more buggy than Windows? that will ruffle some feathers.

    1. Anonymous Coward
      Anonymous Coward

      Re: OSX and Linux

      "More buggy" maybe, but I seem to spend less time fighting it and having to fix things on it when it breaks.

      A Windows license is ~$200. A day's work for me is about $250. Therefore over the course of a year, I can afford to spend a day fixing problems on Linux or spend a day's pay on a Windows license and still break even either way.

      However, we know Windows is not the trouble-free experience they tout it to be, I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages, the usual hassling that I need to reboot for an update to take effect, searching around for the exact driver, troubleshooting obscure registry problems, fending off malware, etc.

      Spending an extra day of my time and keeping money in my pocket to pay for food, housing, electricity and computing hardware doesn't seem like such a bad deal now does it?

      1. Anonymous Coward
        Anonymous Coward

        Re: OSX and Linux

        "A Windows license is ~$200. A day's work for me is about $250"

        A RHEL license subscription starts at $799 per year. I use Windows wherever possible. A day's work for me is about $1000. Go figure...

        "I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages"

        WSUS is free and manages that for you. This is a good example of why you are only worth $250 / day.

        How long do you spend assessing all the security vulnerabilities for each platform? I am interrupted several times a month to look at many more Linux ones, but only once a month on Patch Tuesday to look at Windows ones...I spend far less of my time dealing with Windows updates overall.

        "searching around for the exact driver, "

        That's a far larger problem for Linux-based systems.

        "troubleshooting obscure registry problems"

        As opposed to troubleshooting problems in multiple randomly distributed text config files?

        "fending off malware,"

        Try running Windows and Linux based internet facing servers. The Linux ones get attacked and compromised far more often. I have never seen malware on a Windows server - only ever on a desktop. But I have seen lots of Linux based server boxes compromised to serve up malware, private FTP sites, Bit Torrent seeds, botnet CC servers, etc, etc...

        1. Chemist

          Re: OSX and Linux

          "A day's work for me is about $1000. Go figure."

          Said the AC who could claim anything !

        2. Anonymous Coward
          Anonymous Coward

          Re: OSX and Linux

          "A Windows license is ~$200. A day's work for me is about $250"

          A RHEL license subscription starts at $799 per year.

          Who says I buy RHEL? Gentoo costs $0. Debian costs $0. Ubuntu costs $0.

          All three generally JustWork for my needs. Gentoo having the best flexibility, thus what I choose for my own personal gear. At work it has traditionally been Ubuntu, but lately we're moving to Debian for some of our appliances.

          I use Windows wherever possible. A day's work for me is about $1000. Go figure...

          "I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages"

          WSUS is free and manages that for you. This is a good example of why you are only worth $250 / day.

          Tell me, can I get a Linux version of WSUS? We don't have a Windows server, and not being trained in managing Windows, it would be lunacy to expect me to manage one.

          All the Linux boxes are happy to just do their downloads via a HTTP proxy. The downloads are cryptographically signed using GnuPG and the files are cached so they only get downloaded once. Simple, effective.

          How long do you spend assessing all the security vulnerabilities for each platform? I am interrupted several times a month to look at many more Linux ones, but only once a month on Patch Tuesday to look at Windows ones...I spend far less of my time dealing with Windows updates overall.

          apt-get dist-upgrade is usually done for me in less than 10 minutes and rarely needs a reboot. The fixes come as they're released, not when the vendor feels it's time to push an update. I apply the updates when I feel I want to, not when the vendor thinks I should.

          "searching around for the exact driver, "

          That's a far larger problem for Linux-based systems.

          I have a laptop on my desk that identified 100% of the hardware from the Ubuntu LiveCD. Windows 7 64-bit OEM (self-installed, not the OEM image which was 32-bit) still fails to recognise some hardware.

          I've never had a problem with server or industrial hardware, generally our concern there ends with ensuring storage, network and serial interfaces work. Then again, we're in the SCADA/energy management business, so SATA/SAS and gigabit Ethernet is good enough, and the most "obscure" we get is talking Modbus to an RS-485 bus.

          Probably the hardest case I've struck was interfacing to a railway weighbridge and an Allen Bradley PLC. In both cases, it was a case of port the driver: we had the source code for the former, and we were able to get in touch with the company that did the latter. That was moving a system from SCO OpenServer 5 to Ubuntu Linux 12.04.

          The biggest issue being the difference between SCO's libc and default serial settings to glibc and Linux serial settings. Easily fixed once we knew what was going on.

          "troubleshooting obscure registry problems"

          As opposed to troubleshooting problems in multiple randomly distributed text config files?

          grep works with text files, not with binaries. Two places does not count as "randomly distributed" to me either. Usually they're in one of two places: $HOME or /etc.

          "fending off malware,"

          Try running Windows and Linux based internet facing servers. The Linux ones get attacked and compromised far more often. I have never seen malware on a Windows server - only ever on a desktop. But I have seen lots of Linux based server boxes compromised to serve up malware, private FTP sites, Bit Torrent seeds, botnet CC servers, etc, etc...

          Have done for years. In 2001 I set up my first internet-facing server. Over the years the hardware has been replaced and the OS updated/replaced. Never had a breach.

          This isn't to say my box is bulletproof, it isn't, there's no such thing. Just that I'm not a high-value target.

          1. Anonymous Coward
            Anonymous Coward

            Re: OSX and Linux

            "Tell me, can I get a Linux version of WSUS?"

            Yes - Red Carpet.

            "All three generally JustWork for my needs"

            But have no commercial support. If you run a real business that's generally not an option.

            "apt-get dist-upgrade is usually done for me in less than 10 minutes and rarely needs a reboot. The fixes come as they're released, not when the vendor feels it's time to push an update. I apply the updates when I feel I want to, not when the vendor thinks I should."

            So uncontrolled / without formal testing, tracking and evaluation then.

  26. joed

    Who has paid for the survey?

    I've never seen Windows without IE and it's not really possible to really remove it (but surely standalone numbers look better).

    1. Anonymous Coward
      Anonymous Coward

      Re: Who has paid for the survey?

      I don't remember IE on Windows 3.1.

      1. joed

        Re: Who has paid for the survey?

        Well, as far as I recall I've never seen 3.1.

    2. Sandtitz Silver badge
      FAIL

      Re: Who has paid for the survey?

      Does any Linux distro come without a browser? Should we factor in Firefox CVEs? Over 100 vulns in 2014.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who has paid for the survey?

        Does any Linux distro come without a browser?

        Gentoo doesn't.

        Debian doesn't unless you install the desktop environment.

        Ubuntu doesn't unless you install the desktop environment.

        OpenWRT doesn't.

        Linux From Scratch doesn't.

        1. h4rm0ny

          Re: Who has paid for the survey?

          >>"Gentoo doesn't. Debian doesn't unless you install the desktop environment. Ubuntu doesn't unless you install the desktop environment. OpenWRT doesn't. Linux From Scratch doesn't."

          And none of those are the distros listed in this report. I mean, Ubuntu is, for example, but not "Ubuntu without a DE". If they're separating out Windows 8 and 8.1 then they are certainly separating out Ubuntu and Ubuntu Server.

          1. Anonymous Coward
            Anonymous Coward

            Re: Who has paid for the survey?

            And none of those are the distros listed in this report. I mean, Ubuntu is, for example, but not "Ubuntu without a DE". If they're separating out Windows 8 and 8.1 then they are certainly separating out Ubuntu and Ubuntu Server.

            They don't list "Ubuntu with a DE" either… They just list Ubuntu, and with Ubuntu, it is a user choice (default: enabled) as to whether a web browser is installed or not.

            Firefox is generally bundled because it happens to be one of the better ones. Maybe Chromium might take its place some day. If you install Kubuntu instead, it comes with Konqueror rather than Firefox.

            1. h4rm0ny

              Re: Who has paid for the survey?

              >>"They don't list "Ubuntu with a DE" either… They just list Ubuntu, and with Ubuntu, it is a user choice (default: enabled) as to whether a web browser is installed or not."

              Then why don't you drop the author of the study a line. It is apparent to me that they meant default installs and I would imagine pretty clear to everyone else but if you think it's ambiguous just email them. They've been responding to questions pretty quickly. I'll happily backtrack if they say that they meant Ubuntu non-Server with the desktop environment deliberately unselected. But that's not going to happen.

              This is a study of default installs. That's why it can include third party at all and why, as they said, they separated out the kernel as its own category.

              EDIT: I say they've been responding to comments, I should say the polite ones to be clear. There are a lot of nasty and abusive comments on there which I hope they will ignore.

              1. Anonymous Coward
                Anonymous Coward

                Re: Who has paid for the survey?

                Then why don't you drop the author of the study a line. It is apparent to me that they meant default installs and I would imagine pretty clear to everyone else but if you think it's ambiguous just email them. They've been responding to questions pretty quickly. I'll happily backtrack if they say that they meant Ubuntu non-Server with the desktop environment deliberately unselected. But that's not going to happen.

                This is a study of default installs. That's why it can include third party at all and why, as they said, they separated out the kernel as its own category.

                Ahh, because I'm not the one questioning whether there's a Linux distribution that ships without a web browser. That was Sandtitz 3 days ago. I gave a few examples, then you replied.

                The article mainly focussed on MacOS X vulnerabilities, I challenge you to find a mention of the word "Ubuntu" anywhere in the article, as you rightly point out, they do not mention "Ubuntu Server".

                They do mention a few distributions in the actual report, where they also state that the MacOS X statistics exclude Safari, so presumably they also exclude Firefox/Chromium. So the argument is entirely academic.

    3. Anonymous Coward
      Anonymous Coward

      Re: Who has paid for the survey?

      "I've never seen Windows without IE and it's not really possible to really remove it "

      Windows Server core install has been an option since Server 2008 - no IE at all.

  27. Anonymous Coward
    Anonymous Coward

    Only need to read one thing to see this "research" is worthless

    They claim the Linux KERNEL has all these vulnerabilities. No, Linux distributions do, but not the kernel. Kernel exploits are extremely rare (for any kernel, not just Linux). OpenSSH may ship with Linux distributions and up Linux's count for vulnerabilities, but that is not part of the Linux kernel.

    These idiots don't even know that much - they actually listed "Linux kernel" in the vulnerability listing, that wasn't (as I expected) a Reg journalist error!

    1. Anonymous Coward
      Anonymous Coward

      Re: Only need to read one thing to see this "research" is worthless

      "Kernel exploits are extremely rare (for any kernel, not just Linux)"

      Not for the Linux kernel they are not. Over 1200 vulnerabilities to date just in the Linux kernel.

      http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

      1. Anonymous Coward
        Anonymous Coward

        @AC

        Only a moron would quote such a link without actually checking it!

        Go to 2015, and look at the entries. The first one lists a security hole in Google Chrome. Somehow that's a flaw in the Linux kernel? If you look at their security list for Windows for 2015 and look at the first entry - same flaw in Google Chrome! In fact, a lot of the flaws listed for 2015 are from Chrome. That has nothing to do with the Linux kernel, or Windows since Microsoft doesn't ship it with Chrome.

        In other words, your link is as stupid as the article.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC

          "Go to 2015, and look at the entries. The first one lists a security hole in Google Chrome."

          Looks like 1 month in 2015 is cross referenced incorrectly. That's a whole 6 vulnerabilities.

  28. cashxx

    Article is flawed in its numbers

    OS X is various versions of OS X lumped into one while Windows is separate! Since IE is part of the OS IE should then be included with Windows OS if they want to play that game. Separate OS X or combine Windows numbers to equal things out! Same goes for Linux and iOS!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Article is flawed in its numbers

      "OS X is various versions of OS X lumped into one while Windows is separate"

      No that's like lumping Windows Service packs together - which they have done.
