
Known knowns, known unknowns, and security

Rumsfeld's quote aptly describes the world of computer security.

Donald Rumsfeld took a lot of flak in his term as Secretary of Defense. Perhaps one of his best quotes was also his most amusing:

“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns - the ones we don’t know we don’t know.”


Known knowns

As it stands today, Windows has been, by far, the biggest malware target, partially due to its large market share and partially due to legitimate security problems, especially before Windows XP Service Pack 2. Apple’s Mac OS X has yet to see anything more than a couple of sporadic minor malware threats (mostly proof-of-concepts). OS X’s lack of malware is believed to be due to Apple’s relatively small market share and to OS X’s inherently better security. Security experts are apparently puzzled as to why Mac OS X hasn’t seen more hacks. It’s also debatable whether Mac OS X itself is really any more secure than Windows, or whether Mac OS X’s good malware record so far is due to its relative obscurity (i.e. nothing has been proven either way). So, for the time being, we only really know one thing for certain: Microsoft Windows has been the victim of many more malware threats than Mac OS X.

Known unknowns

About a week and a half ago, Symantec released a report analyzing how long it took for security fixes to be issued for Windows, Mac OS X, and Red Hat Linux. Between July and December 2006, Microsoft released fixes for security flaws an average of 21 days after a bug was discovered. In the same timeframe, Apple released fixes after an average of 66 days and Red Hat took 58 days. (Meanwhile, Internet Explorer and Mozilla browsers had considerably more vulnerabilities than Safari or Opera.)

A bit later, Andy Patrizio of Internet News wrote an article, originally entitled “Surprise, Microsoft Listed as Most Secure OS,” based upon the Symantec whitepaper (the article headline has since been changed to the more accurate “Report Says Windows Gets The Fastest Repairs”). Can anyone make the claim that Microsoft Windows is the most secure OS? If you go by the numbers for this six-month period, then yes. The problem with that, though, is that it only tells a small fraction of the story.

Just because fewer vulnerabilities were discovered for Windows in the last six months of 2006 than for other operating systems does not automatically make Windows the most secure OS. Conversely, if, hypothetically, Mac OS X had come in with the fewest vulnerabilities in that six-month period, it would not make Mac OS X the most secure OS out there either. So okay, great, security experts found 39 vulnerabilities in Windows and 43 in Mac OS X. So what? What does that mean? Does it mean anything?

All Symantec did was give us the number of vulnerabilities found. We do not know how many vulnerabilities still exist. There might be 100. There might be 1,000. We don’t know. We can’t know. They haven’t been found yet. Since we don’t know how many vulnerabilities still exist in any operating system, much less how severe those as-yet undiscovered bugs are, we can’t say which OS is more secure based solely on the number of vulnerabilities found in a six-month period. You can’t ignore such numbers, of course, but there is much more going on. To base how secure an OS is on the number of vulnerabilities found in six months would be irresponsible and misleading. Unfortunately, the original headline of Patrizio’s article suggested that this is the case (in all fairness to Patrizio--what a great Italian name--it’s quite possible that his editor wrote the headline, so I can’t really hold it against him). The point I’m trying to make is this: these vulnerability figures can and do vary. You can’t put too much stock in short-term vulnerability counts alone. Other questions matter just as much: how easy is it for hackers and malware to exploit the flaws? How serious are they? How quickly do vendors correct them?

While, in my opinion, the number of vulnerabilities found is relatively unimportant compared to other factors, the developer’s response time to a vulnerability is very important, and it’s something Apple needs to work on, especially if they use security as a key part of their marketing. Since I’m not a programmer, I don’t know what goes into developing a patch, but I’m sure that if Microsoft can get patches out in one third the time it takes Apple to push them out the door, then there is something Apple needs to work on. Again, the actual security of an operating system is hard to quantify, but security response time can make a huge difference in giving customers peace of mind that their OS vendor takes security seriously.

Unknown unknowns

It’s a scary world out there, isn’t it? There are things “we don’t know we don’t know” (thanks, Rummy). As always, the best advice is simple: surf safely. Use protection (a firewall and antivirus software). Be your own secretary of defense (from a computing standpoint, anyway). Don’t be swayed by security sensationalism: the number of vulnerabilities discovered is not necessarily an indication of anything. So good night, sleep tight, and don’t let the browser bugs bite!




A couple of things baffle me, why do you write in such a biased manner? This site says “Inside the minds of geeks”, but what kind of geek are you?

Secondly, so OSX gets more vulnerability counts than everybody else and is becoming more suspect. This is at the height of Apple’s smugness with their security ads. Very timely and very relevant I must say.

Lastly, why does this site look so bad in Firefox? Those quote boxes never seem to sit well.

Poor layout.

