Remember, an aging code base is a feature

Research shows more vulnerabilities for OS X than Windows.

The Macalope receives the InfoWorld Daily email and today’s Quote of the Day was:

Surprise, Microsoft Windows is no worse than most other popular platforms in terms of the number of vulnerabilities. Numbers alone never tell the whole story, but you can’t read the figures and come away feeling that the Mac OS X or Linux is somehow doing a better job.

Indeed, numbers alone don’t tell the whole story and, ironically, neither does InfoWorld’s security blogger Roger Grimes.  He does admit the following about the source of the information:

Jeff Jones, of course, is a Microsoft employee. But he compiled his figures from the commonly respected, vender neutral, CVE list.

Hmm.  OK.  That’s fine.  And, actually, Jones’ post is a fairly neutral, sober look at the numbers.

But let’s look at his conclusion:

Within the platform space, both Mac OS and the Linux kernel are experiencing a general multi-year trend of higher numbers of vulnerability disclosures, while both Windows and Unix systems have generally trended downward during that time period.  However, in the most recent year, Windows and the Linux kernel contributed relatively less than last year, while Mac OS and Unix contributed relatively more.

Hmm.  Hmm.  Now why might that be?  Hmm.  Hmm.

Hmmmmmmmmm…

Could the fact that Microsoft has not substantially updated Windows for five fricking years have anything to do with it?

It should be rather unsurprising that an operating system which has only been updated with patches and bug fixes for five years would be more secure than one that’s been updated with new features every year.

The Macalope does believe that Microsoft is taking security more seriously than Apple currently is.  But that’s probably because Microsoft has such a huge security problem.  And it remains to be seen whether Vista’s solution to security – throw up a dialog box every time the user tries to do something – is really workable.  So, let’s look at those number in another year.

Grimes, meanwhile, rushes to a conclusion of his own which is wholly unsupportable:

If you want true security, use OpenBSD, otherwise what you use is going to have a fair amount of publicly announced exploits on a regular basis.

Uh, well, actually, Rog, there’s “a fair amount” and then there’s “next to none.”  Here on the planet Earth, you can count the number of OS X exploits on one hand (currently, at least).  Perhaps the 100-fingered creatures that inhabit Glaxxor 6 in the Arcturus Nebula can count the number of Windows exploits on one hand, but that’s not really a fair comparison, is it?

Vulnerabilities != exploits.

But the Macalope expects Grimes knows that.

6 thoughts on “Remember, an aging code base is a feature”

  1. You know as well as I do that the inhabitants of Glaxxor 6 only have 88 tentacles, not 100. And they have little interest in your earthly operating systems.

  2. Meanwhile, back on the blue globe itself, our own tentacled creatures try making a living by saying that Windows is secure and the Mac is hideously unreliable, because they know that to say any otherwise is to mutter whispers into a torrent which is, in our 10 fingered land, the awful storm of fact.

  3. A recent airing of the show security now, Steve Gibson actually stated that Vista will be more vulnerable since they have completely written the security aspect to it. It is kind of like thinking that building a completely new dam will be more secure than the patches made to the old one.

  4. The phrases that are actually true but, left unexplained, does not point towards the truth is the use of “relatively more” and relatively less”. To make up some numbers: 98% sucky is relatively less sucky than 99%, but it is still really bad suckiness.

    It’s like the old dandruff shampoo commercial: “while both have effective dandruff fighting ingredients, this one has an extra ingredient that makes your scalp tingle. So you know it’s working.” Are we buying dandruff shampoo to fight dandruff or to tell us it’s working?

    I think that is the same, anyhow.

Leave a Reply to pedro Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.