When Paul Murphy wrote "Better Mac OS X security numbers" in response to my "Vulnerability statistics for Mac and Windows" blog, I had an idea of what to expect, but never in my wildest dreams could I imagine Paul would go so far to spin the numbers in such a blatant manner. If Paul was just trying to get a reaction from me, I guess he succeeded, but now I'm going to pick his "logic" apart.
Paul makes two astonishing points:
- If an Apple advisory is made up of 40 distinct CVE vulnerabilities, then it should count as just one security issue against Apple.
- If Paul can't find a publicly released proof-of-concept working exploit for a Mac vulnerability, then it isn't a threat no matter how serious the vulnerability is.
To make his first point, Paul references a "highly critical" 40-vulnerability Secunia advisory 16449 for Mac OS X and a "less critical" single-vulnerability Secunia advisory 16210 for Windows. The first and obvious problem is Paul's claim that the Mac advisory only affects "one actual Mac OS" while the Windows advisory affects "every Windows OS", which he supports by pointing out that Secunia lists 13 individual Windows versions and only "Apple Macintosh OS X". This is a blatant lie, because there is no such thing as just "Apple Macintosh OS X": that name represents a generic family of Apple Mac operating systems dating back to the year 2000. If you look at the bottom of the Secunia advisory for the Mac, you'll see that it lists every client and server Mac operating system from 10.3.9 to 10.4.2. But even if we accept Paul's deception, we could take his "thinking" to its logical conclusion, count the install base of users, and say that a Windows vulnerability should count 100 million times whereas a Mac vulnerability should only count 4 million times, which would obviously be absurd.
But this isn't the end of it because in a declaration that would make Baghdad Bob proud, Paul claims that the Mac advisory which contains 40 unique CVEs is actually a single flaw! Paul defends this absurd claim by saying "because they all trace to same bit of code, it just gets used in a lot of places". Oh really Paul? Did you actually read the CVEs? Did you notice that the flaws ranged from OpenSSL to Apple HFS+ to Kerberos to AppKit to Bluetooth to servermgrd to slpd Directory Services? But hey, let's not quibble over a minor thing like that and let's just call it ONE flaw in the Mac OS X code.
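The two paragraphs above are really an argument about the unit of measurement: advisories, CVE entries, or something weighted by install base. The script below is an added example (not from the original post or from Secunia) that runs the same constructed advisory data through each of those counting rules so the effect of the choice is visible. The advisory numbers 16449 and 16210 and the 40-versus-1 CVE counts come from the post; the CVE identifiers, the extra "SA-EXAMPLE-A" advisory that re-lists two CVEs, and the install-base weights are constructed placeholders, not real data. It also shows a check a practitioner wants when building such statistics: deduplicate CVE identifiers across advisories, because the same CVE is often patched in more than one advisory and a naive row count inflates the total.

```python
"""Compare vulnerability-counting rules over a set of advisories.

All records below are constructed for illustration; the CVE identifiers
are placeholders (CVE-EXAMPLE-*) and do not refer to real CVE entries.
"""
from collections import defaultdict

# Constructed advisory records. 'cves' is the list of CVE identifiers the
# advisory covers; 'affected' lists the product versions it applies to.
ADVISORIES = [
    # Shape taken from the post: one Mac advisory covering 40 CVEs.
    {"id": "SA16449", "vendor": "Apple",
     "affected": ["10.3.9", "10.4.2"],
     "cves": [f"CVE-EXAMPLE-{n:04d}" for n in range(1, 41)]},
    # Constructed follow-up advisory that re-lists two of the same CVEs
    # (e.g. a server-edition patch). A naive row count double-counts these.
    {"id": "SA-EXAMPLE-A", "vendor": "Apple",
     "affected": ["10.4.2 Server"],
     "cves": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"]},
    # Shape taken from the post: one Windows advisory, one CVE, 13 versions.
    {"id": "SA16210", "vendor": "Microsoft",
     "affected": [f"Windows-version-{n}" for n in range(1, 14)],
     "cves": ["CVE-EXAMPLE-0100"]},
]

# Constructed install-base weights (figures the post uses as a reductio).
INSTALL_BASE = {"Apple": 4_000_000, "Microsoft": 100_000_000}


def count_advisories(advisories):
    """Rule 1: one advisory == one issue, however many CVEs it bundles."""
    counts = defaultdict(int)
    for adv in advisories:
        counts[adv["vendor"]] += 1
    return dict(counts)


def count_cve_rows(advisories):
    """Rule 2 (naive): sum CVE entries across advisories. A CVE listed in
    two advisories is counted twice, which overstates the total."""
    counts = defaultdict(int)
    for adv in advisories:
        counts[adv["vendor"]] += len(adv["cves"])
    return dict(counts)


def count_unique_cves(advisories):
    """Rule 3: count each distinct CVE identifier once per vendor, no
    matter how many advisories list it."""
    seen = defaultdict(set)
    for adv in advisories:
        seen[adv["vendor"]].update(adv["cves"])
    return {vendor: len(cves) for vendor, cves in seen.items()}


def count_install_base_weighted(advisories, install_base):
    """Rule 4: the post's reductio, unique CVEs multiplied by install base.
    Returned as plain integers so the reader can see the scale."""
    unique = count_unique_cves(advisories)
    return {vendor: n * install_base[vendor] for vendor, n in unique.items()}


def rank(counts):
    """Vendors ordered from most to fewest counted issues under a rule."""
    return sorted(counts, key=lambda v: counts[v], reverse=True)


if __name__ == "__main__":
    rules = [
        ("advisories", count_advisories(ADVISORIES)),
        ("cve rows (no dedup)", count_cve_rows(ADVISORIES)),
        ("unique cves", count_unique_cves(ADVISORIES)),
        ("install-base weighted", count_install_base_weighted(ADVISORIES, INSTALL_BASE)),
    ]
    for name, counts in rules:
        print(f"{name:22s} {counts}  ranking: {rank(counts)}")
```

Running it shows the advisory rule puts the two vendors close together, the per-CVE rules separate them widely, and the naive row count reports 42 Apple CVEs where only 40 distinct ones exist; the install-base rule flips nothing here but demonstrates how arbitrary a weighted total becomes. Whatever rule a comparison uses, it should be stated up front and applied identically to every vendor.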
Then, in a declaration that would make all the underground hackers of the world salivate, Paul states: "The reality is that a vulnerability without an exploit doesn't threaten anyone's security. What we need to count to decide which OS is more secure, is actual exploits, not the potential for them". Paul bases his conclusion on the fact that he only found five payloads in the Metasploit database under Mac OS X. Of course, Paul fails to take into account that the proof-of-concept for the recent Mac OS X zero-day vulnerability isn't listed in the shellcode section of the Metasploit database he links to, and the same is true of many other Mac exploits. Even the most recent batch of 20 security holes for Mac OS X, released two days ago, had working proof-of-concept code out in the wild the very same day Apple released the patches! The reality is that Paul simply hasn't a clue where to actually look.
Aside from the obvious factual errors, I guess Paul wouldn't mind leaving his Macs unpatched then since the problems (at least in his mind based on his limited research) are only theoretical. If he feels so strongly about it, he should leave his personal Mac unpatched and I'll be happy to contact some people in the underground hacker forums that would be happy to test his "theoretical" issues. Just give me the word Paul and I'll pass them your email address. But you just keep your hands over your eyes and I'm sure nothing bad will happen since it's all "theoretical".