Wednesday, February 23, 2005

Secunia, Techworld, Mac OS X, and various Reality Distortion Fields

Recently, a Danish (I am told) internet security firm named Secunia has gotten a lot of free publicity, largely by making the pronouncement that Mac OS X is no more secure than other operating systems, notably Windows XP and its variations, which it considers the most secure of all.

Apple has gotten quite a bit (not a huge amount) of bad press over this, all of it citing Secunia's press release. The most vehement I have encountered is "Apple Shames Itself Again Over Security".

Unlike some pro-Apple bigots I am not entirely immune to doubting the utter superiority of Mac OS X to all alternatives, so I decided to do a little research. Something, apparently, no-one at Techworld is required to do.

If you visit Secunia's website, and I suggest you do, try looking at their archives of security alerts, under Apple: Mac OS X, and Microsoft: Windows XP Professional. I won't link directly, since you should go find these things yourself to (a) prove how easy it is, and (b) demonstrate that I am not cherry-picking my results.

First of all, in their summary graphs and tables, Secunia reports fewer security alerts for Mac OS X (all versions, including Server) than for one variant (Professional) of Windows XP. But, hold your horses, Windows XP Professional is reported as having no serious issues, none, zero percent (out of 67).

But when you scroll down the page, you discover several serious issues listed. Hmm, if there are several, how does this come out as 0%? So Secunia are either incompetent or dishonest. Certainly, journalists can't be bothered checking beyond press releases. Well, no surprise there. What's more, one of these serious issues has been unresolved for nine months!

And then, there's the well-known gaping hole of ActiveX (an ActiveX control can do anything it likes to your machine). ActiveX issues are mentioned only once on Secunia's XP Professional page and shown as having a single serious flaw which has been fixed. (It's one of the 0%.) Well, the fix is that the user has to magically know that this ActiveX control isn't safe and click "No", while, to get his/her daily work done, he/she may have to magically know that other ActiveX controls ARE safe and click "Yes". Whew. Glad that was "fixed".