London-based security firm mi2g has released a report concerning security vulnerabilities across all the major, and minor, operating systems. mi2g is a private company that describes itself as focusing on Digital Risk Management (not to be confused with Digital Rights Management). The firmis results iterate what many Observers in the Mac community have long known: The Mac OS is the least vulnerable operating system to attack, while Windows is the most vulnerable. According to the report, there were some 57,977 computer attacks so far in 2002, with only 31 of them against Macs, which translates into .05% of the total. Windows, on the other hand, suffered some 31,431 attacks, or 54% of the total. Spokespersons from mi2g were not immediately available to specify how many of those attacks were Mac OS X, and how many were against previous versions of the Mac OS.
Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%) followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% affected Mac OS and Compaq Tru64 systems respectively.
This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%) followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Macis OS suffered only 31 overt digital attacks, i.e., 0.05% of all attacks in 2002 although Apple Mac has roughly 3% of the worldis computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).
The report also mentions that some computer systems benefitted from "security through obscurity," and listed several OSes to which that applies. The Mac OS was not listed in this category, as noted above. From the report:
There are some operating systems that could be seen to have benefited from "security by obscurity". Most notably, Irix from Silicon Graphics with 6% of announced vulnerabilities suffered just 166 attacks; Novell Netware with 4.5% of announced vulnerabilities suffered 2 attacks; and IBMis AIX with roughly 4% of announced vulnerabilities suffered 199 attacks.
The firm estimates lost productivity from direct attacks to be as much as US$40 billion, with most of that damage occurring to Windows networks. From the report:
The projected economic damage estimate for overt digital attacks worldwide is $7.3 Billion for 2002 compared to $7.7 Billion for 2001. This stands in contrast to the projected 70,000 overt attacks for 2002 compared to 31,322 for 2001. When overt attacks, both recorded and unrecorded, are taken together with covert attacks, viruses and worms, the cumulative economic damage worldwide stands at between $33 and $40 Billion for 2002 so far. Although 2001 and 2002 have suffered similar economic damages and appear to be stabilizing, previous years have shown exponential growth.
You can read the full report at the companyis Web site. TMO will be offering a follow up report when we have been able to talk to the company.