Tuesday, April 24, 2007

If only it had market share, it would have Security Vulnerabilities

The revelation that the security flaw exploited to win a hacking competition last week was related to Java applets that used QuickTime is very interesting because of the usual argument that Macs are only seen as less vulnerable because they have a smaller installed base. Well QuickTime doesn't have a "smaller installed base". Its installed base is highly comparable to that of, say, Internet Explorer, Microsoft Office, or Windows Media Player. Indeed, given that Apple is less likely to rev QuickTime randomly (Windows Media Player 11 anyone?) and that iTunes and iPods are highly linked to the latest version, the chances are that its market penetration exceeds any of these products. Is that not interesting?

Here's QuickTime 7's stats from secunia.com (hey, they're biased against Apple*, but then who isn't in the security industry. Until we can get Mac users buying third party firewalls and antivirus software, we're going to keep telling everyone they're an accident waiting to happen). Note that these stats include the vulnerability exploited in the CanSecWest competition.

Here's Internet Explorer 7's stats (note that most folks are probably using Internet Explorer 6 still). IE7 has a similar number of vulnerabilities in a shorter timeframe, but they're more critical and far less likely to have been patched. (And remember, Secunia is the company that treats a trojan you need to download and type an admin password to install on a Mac as highly critical, while a vulnerability that can take over your PC if you just visit the wrong website is not.)

Here's Microsoft Office 2003's stats. Quite a few vulnerabilities, almost all remote, and, oh look, one in six is unpatched.

There are so many versions of Windows Media Player that linking them all would be kind of tedious. Windows Media Player 11 so far has no listed vulnerabilities. Here's WMP 9 and WMP 10 though.

Given that the vulnerability is an interface between code which relatively few people care about (Java) and code that gets a lot of attention (QuickTime), I suspect that it will probably turn out that some previously identified buffer overflow vulnerability that was fixed for QuickTime via more popular and conventional paths (e.g. the browser plugin) was not fixed for the Java QuickTime API.

Conclusion: Apple just writes better software than Microsoft, and doesn't leave critical vulnerabilities unpatched for years. But we knew that already.

Note: * Secunia, biased? Say it isn't so. Here's a vulnerability in IE that can make an arbitrary malicious file appear to be an html file when you "Save As...". Note its criticality. Here's an "extremely critical" vulnerability in Mac OS X (note that Mac OS X is one product, like Windows XP Home Edition). It's listed as partially unpatched because, apparently, you can still execute shell scripts that are placed in an archive manually. OMG really? Gimme Outlook 2000 which won't let me extract .exe's from email attachments even if I sign a release in triplicate. Yeah. That would fix it.