Is Your OS More Secure Than Mac OS X?

Is Your OS More Secure Than Mac OS X?

February 17, 2009

Paul Rubens
Abandon OS X Server! Throw out your Linux boxes! Set fire to Solaris! Prepare to move to Windows or AIX: the security of your organization depends on this.

The rantings of a madman? Probably. But this, at first glance, anyway, is the take away message from IBM's Internet Security Systems X-Force 2008 Trend & Risk Report.

The report found that the most vulnerable operating system in the world is ... Apple's OS X Server. This OS accounted for 14.3 percent of all vulnerability disclosures last year, followed closely by Apple's OS X desktop software, also with 14.3 percent. Next up was ... the Linux kernel, with 10.9 percent, followed by Sun's Solaris with 7.3 percent. It's only then that Microsoft gets a look-in with Windows XP (5.5 percent), Server 2003 (5.2 percent), Vista (5.1 percent), 2000 (4.8 percent), and Server 2008 (4.1 percent). IBM's AIX brought up the rear with a paltry 3.7 percent.

This follows a historic pattern, IBM discovered. During the past three years the most consistently vulnerable operating systems were ... OS X Server, OS X, and the Linux kernel, according to the survey. But all the main operating systems that IBM looked at — Windows 2000, XP, Vista, Server 2003 and Server 2008, OS X and OS X Server, Solaris, Linux and AIX — had vulnerability disclosures, so no one should be looking too smug.

Enterprise Unix Roundup

"All operating systems are insecure, but some are more insecure than others," as George Orwell would probably have said.

IBM defines a vulnerability as "any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity or accessibility of the computing system." Basically, it's bad. And last year a record number of vulnerabilities were disclosed: 7,406 of the critters, up 13.5 percent over the previous year. Of course, not all of these were vulnerabilities in the operating systems themselves, but they do make operating systems vulnerable, if you see what I mean.

The good news is that the proportion of vulnerabilities rated critical — i.e. ones that "are installed by default, network-routable, do not require authentication to access and will allow an attacker to gain system or root level access" — halved from 2 percent to 1 percent. But before you crack open the champagne to celebrate, bare in mind that there were more medium and high risk vulnerabilities in 2008 than in previous years.

But is OS X Server really less secure than Windows 2003 Server? Are you better off running Windows XP on the enterprise desktop than Ubuntu? Working out what IBM's figures actually mean turns out to be quite tricky. Here's why:

Discuss this article in the ServerWatch discussion forum

Unsure About an Acronym or Term?
Search the ServerWatch Glossary

Talking about disclosed vulnerabilities can be misleading, as by definition this leaves out vulnerabilities that aren't disclosed. That could be because the developer quietly patches them as soon as they are noticed or because the people who discover them want to keep them quiet for as long as they can. Or perhaps they haven't been discovered yet. And these are just a few of the possible reasons.

Simply counting vulnerabilities takes no account of the severity of the vulnerabilities concerned. OS X Server may well account for 14.3 percent of all the disclosed vulnerabilities, but if all of them have a "low" severity ranking, it's not as much a cause for concern as another operating system that accounts for a far lower proportion of vulnerability disclosures, all of which are critical.

Threat levels are derived from the Common Vulnerability Scoring System (CVSS), which looks at a vulnerability and considers:

  • The level of difficulty in accessing the vulnerable software interface
  • The impact that a successful attack has on the confidentiality, integrity and availability of vulnerable systems
  • Public availability and reliability of exploit code
  • Availability of patches or workarounds

OS X Server and OS X have a tiny market share of the operating systems market, so it's much less likely that reliable exploit code will be created and made publicly available for OS X vulnerabilities than, say, Windows vulnerabilities. That means that, all things being equal, the threat level of OS X vulnerabilities will likely be less than for Windows ones.

There's also probably an element of double counting going on. OS X and OS X Server, for example, have the same architecture and code base. It's odd that they both account for the same proportion of vulnerability disclosures, unless the same vulnerabilities are being disclosed for each OS. So Apple's two OSes may account for 28.3 percent of all the reported vulnerabilities, but when you take double counting into account, it's probably not as bad as it sounds.

So while IBM's report is a fascinating read (and there's much more in it besides the content mentioned here), it's not quite the survey encouraging organizations to abandon OS X Server and Linux in favor of Windows and AIX that it first appears to be. In other words, don't chuck out your Xserve or Linux box in the name of security quite yet ...

Paul Rubens is an IT consultant and journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.