Wednesday, February 25, 2015

On OS X and iOS security vulnerabilities and shoddy reporting

Security, as we take great pains to repeatedly point out, is something that deeply affects people. It affects their stress and trust levels when dealing with technology. When it's misreported it turns what should be an empowering experience into one of fear, uncertainty, and doubt. And it's far too frequently done just to get the worst kind of attention. The latest case in point is a — I don't want to call it a report — from GFI which claims OS X and iOS were the "most vulnerable operating systems of 2014." And, frankly, it's bullshit.

There are so many problems with GFI's not-a-report that it's hard to figure out where to begin.

  • OS X and iOS are listed as single line items on the chart yet Windows is broken down by version. Why wouldn't all operating systems be listed the same way? Can we just add all the Windows numbers up and see how big that number is in comparison?

  • The National Vulnerability Database (NVD) lists everything reported to it by vendors, including Apple, Microsoft, and others. That doesn't make it an accurate measure of vulnerabilities. It makes it an accurate measure of reporting. Why isn't that distinction properly reflected?

  • Different vendors, including Apple and Microsoft, have different policies and procedures when it comes to reporting vulnerabilities to the NVD. Apple reports every fix in their advisories. (You can find them via the Apple Security Updates page.) If there's no uniform reporting standard, how can uniform conclusions be drawn?

  • Microsoft has no "low vulnerabilities" listed. Does that mean there aren't any or they don't report them the way other platforms do?

  • OS X and iOS both have significant UNIX and open source software (OSS) components shared by BSD and other operating systems. That makes for a much different, and much wider possible reporting pool than, for example, Windows. How was that accounted for?

The relative security of a platform has nothing to do with how well a company reports the vulnerabilities they fix — though seeing good reporting is certainly comforting. The relative security of a platform certainly has nothing to do with grossly distorted and disingenuous attention-bait.

I'm not sure how this not-a-report got approved for publication, and I'm flabbergasted that it got picked up by mainstream outlets, seemingly without even a cursory look to see if it made any sense whatsoever.

In an era where some vendors have intentionally gone from defending to attacking their own customers, proper security reporting couldn't be any more important.

This type of misrepresentation happens regularly enough, however, that I'm beginning to suspect it's not done for the benefit of consumers at all. And that feels more like a security threat than anything contained in this not-a-report.







