Mailbag: Mac Protection, More

I get weekly reports from US-CERT about cyber threats. One of the recent ones was about OS X. Actually, most of the weekly ones are about open source software and, increasingly, OS X. I guess in the downturn of the economy, folks figure they are getting a bargain buying their software at the "dollar store" (OK, Macs from Neiman Marcus). I guess you get what you pay for -- disposable software or a gated community with holes in the fence.
-Dan

Many years ago, a friend gave me a disk of files for my Mac SE. At least one of the files was infected with a virus. My Mac became infected also. I immediately bought an anti-virus program and removed the virus. That lesson taught me the importance of running an anti-virus program, and I have done so ever since. I've never had a problem since then.
-Anonymous

And one reader pokes some holes in Utest's recent contention that the IE 8 beta is currently the safest browser:

Um, the report says 356 uTesters evaluated Internet Explorer 8 and identified 168 bugs, including 9 percent that were classified as showstoppers. Also, 514 uTesters evaluated Firefox 3.1 beta and identified 207 bugs, including 24 percent that were classified as showstoppers. That's from the Utest Bug Battle page. So Firefox testers averaged 0.4 bugs each with access to source code, and IE testers averaged 0.47 bugs each despite using a proprietary browser.

Also: "During this first Bug Battle, the uTest community discovered one bug every 15 minutes in the three leading browsers; the good news, however, is the fact that no showstopper security flaws were found." The bugs that were found were mostly not security bugs, and no major security flaws were found in the course of this testing.

As far as I can tell, the bug lists aren't posted, so there's no indication what was actually found. Concluding that IE is "the safest, most bug-free browser" is not just a bit of a stretch, it's like stretching one piece of taffy from Florida to California. If you want numbers that actually relate to security, try Secunia: 30 percent (10 of 33 Secunia advisories) of the IE security flaws it's aware of are unpatched, and "The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Extremely critical." As for Firefox, 14 percent (1 of 7 Secunia advisories) are unpatched, and "The most severe unpatched Secunia advisory affecting Mozilla Firefox 3.x, with all vendor patches applied, is rated not critical."
-Anonymous

Meanwhile, Stephen has some more general grievances with the IE 8 beta:

Much as I like the auto-fill of the URL, the number of sites that already do not function with this version has become so numerous that I'm using Firefox far more these days. The RAD editor we use all the time in IE 7 simply doesn't work in IE 8. If you have a number of IE 8 windows (not tabs) open and click on an e-mail link from some support sites, the page opens in EVERY window! I've resorted to "Always run in compatibility mode" but Fidelity.com gets a permanent "NO! Site under maintenance" page for any log-in attempt. "Back" used to simply be a matter of going "back" -- but no, the geniuses at MS now make it an expired-page-retry 90 percent of the time. Logging in to a Web-commerce site used to be autonomous per IE 7 window, but not now! Testing our site is now a multi-machine affair, thanks to IE 8 -- and that's WITH "compatibility" on. Finally, it's ridiculously simple to drop down the URL history and hit the red X when you actually want to use the URL, not delete it! What -- no "Confirm delete from URL history" option?

Perhaps IE 8 has very few security bugs, but for usability I'd give it no more than 6, and the "fear factor" of uninstalling the beta (which was Microsoft's solution for a reporting services rendering issue) is more massive than I can say. Do I really want a hosed machine? Prior IE and MS uninstalls have left me with chills!
-Stephen

And finally, Rob closes out the year with a few good words about a Microsoft product that's taken plenty of shots in 2008:

I have installed over a hundred copies of Vista on newer PCs (no older than one year). Honestly, I have not had an easier time with an OS install before, ever. I waited over three months after RTM for Microsoft to patch the immediate bugs and get their ducks squared away (like XP and 2000, history shows every new OS has glitches to hurdle over before it's stable).

My first reaction was that it's a fast OS. It has a few quirks here and there with device drivers and legacy apps, but overall, it's slick. Then came SP1...WOW. I remember the first install on an HP Pavilion. Twenty-seven minutes to install, found the Wi-Fi, all peripherals and external HDDs, and just worked. No third-party driver installs. Simple. Easy. Fast. Slick. Love it. And I still do. I love Vista. I believe in it. I sell it daily and although I get the daily grinding calls about XP and its sad demise...well, some people don't like the new Honda Civic, either!
-Rob

Redmond Report is adjourning until next year, but keep sending us your letters! Leave a comment below or send an e-mail to [email protected] -- we'll resume posting them in January.

Posted by Doug Barney on December 18, 2008