Apple Mac OS and SCO Unix least vulnerable to attack
London, UK - 31 October 2002, 16:00 GMT - Based on the number of vulnerabilities announced in 2002 that affect operating systems, the SCO Unix, Apple Macintosh and Compaq Tru64 Operating Systems appear to be the least prone to hacker attack and damage from viruses and worms. This is one of the startling conclusions of the end-of-October 2002 analysis of digital attacks to be released on 1st November.
Most of the known software vulnerabilities announced in 2002 affected Microsoft Windows (44%), followed by Linux (19%), BSD (9%) and Sun Solaris (7%). By comparison, only 0.5% of the vulnerabilities announced in 2002 affected SCO Unix, and 1.9% each affected Mac OS and Compaq Tru64 systems.
This pattern is mirrored by the overt digital attack data collected for 2002, which demonstrates this has been the worst year on record, with 57,977 attacks having already taken place. The most attacked operating system in 2002 has been Microsoft Windows with 31,431 attacks (54%), followed by Linux with 17,218 attacks (30%), BSD (6%) and Solaris (5%). Apple Mac's OS suffered only 31 overt digital attacks, i.e. 0.05% of all attacks in 2002, although Apple Mac has roughly 3% of the world's computer market share. SCO Unix suffered 165 digital attacks (0.2%) and Compaq Tru64 suffered 10 attacks (0.02%).
Some operating systems could be seen to have benefited from "security by obscurity". Most notably, Irix from Silicon Graphics, with 6% of announced vulnerabilities, suffered just 166 attacks; Novell Netware, with 4.5% of announced vulnerabilities, suffered 2 attacks; and IBM's AIX, with roughly 4% of announced vulnerabilities, suffered 199 attacks.
The projected economic damage estimate for overt digital attacks worldwide is $7.3 Billion for 2002 compared to $7.7 Billion for 2001. This stands in contrast to the projected 70,000 overt attacks for 2002 compared to 31,322 for 2001. When overt attacks, both recorded and unrecorded, are taken together with covert attacks, viruses and worms, the cumulative economic damage worldwide stands at between $33 and $40 Billion for 2002 so far. Although 2001 and 2002 have suffered similar economic damages and appear to be stabilising, previous years have shown exponential growth.
So far in 2002, 1,162 new vulnerabilities have been announced by software vendors or discovered by users, of which a record 309 were cited in October alone. Vulnerabilities pertain to the operating system, server software and third-party applications and have a cumulative impact on digital attacks, for example, where blends of new and old vulnerabilities are exploited simultaneously. By comparison, there were 1,506 vulnerabilities announced in 2001, 990 in 2000, 861 in 1999 and just 245 in 1998.
"Current security efforts suffer from the incorrect assumption that adequate security can be provided via frequent patches whilst the vulnerabilities found in mainstream operating systems are growing. In reality, the need for secure operating systems and software is immediate in today's computing environment due to substantial increases in connectivity. The threats posed by the modern environment cannot be addressed without going back to basics and building trusted computing platforms from the ground up. Any security effort which ignores this fact can only result in short-term gain and long-term pain," said DK Matai, Chairman and CEO of mi2g.