Aaron Adams’s Blowhard Blog

Making headlines in the Mac world today is this article from the Denver Post about a study conducted by Louisville-based security firm SecureStill. The study concludes that any OS can be attacked, operating systems with current patches are reasonably secure, and operating systems with older patch revisions have the life expectancy of a Hershey bar in a blast furnace before they’re violated.

Ok, that all makes sense. But if you read to the bottom of the article, you’ll notice a detail that raises some questions.

Here’s what the article has to say about the version of Mac OS X that was tested:

Apple Mac OS X Jaguar

Attacks: 3

Results: Survived all attacks

Jaguar? That’s the Mac OS X 10.2.x series, which hasn’t been a current operating system since October of 2003. (The current OS X version is 10.3.8.)

This can mean one of two things. They could actually be using an older version of OS X for their tests, which immediately calls into question the conclusion that machines without current OS versions and patches are vulnerable. Remember, the last major update to Jaguar was approximately 17 months ago. The article says that Windows XP versions prior to SP2, which was made available last August, approximately 7 months ago, were extremely vulnerable. If they are indeed using Jaguar for these tests, then relatively ancient operating systems (at least for the Mac) aren’t totally vulnerable. Does that speak well for OS X, or does it indicate a flaw in StillSecure’s study? (Or both?)

The second possibility is that they simply got the name of the operating system wrong. The 10.2.x series of Mac OS X was called Jaguar, and the current 10.3.x series of Mac OS X is called Panther. If 10.2.x wasn’t used, who messed up the name, the Denver Post or StillSecure? If the Denver Post made the mistake, we can pretty easily chalk that up to usual newspaper technical ignorance and still be left with questions about the article’s validity. I find it hard to believe that would be the case, as the article seems to rely pretty heavily on information from StillSecure. If StillSecure made the mistake, then the validity of their study comes into question. How could they get the very simple name of the operating system wrong? Why wouldn’t they double-check that before releasing the information to a news outlet like the Denver Post? Why not just use a more accurate version number, which would more clearly indicate what version of OS X was used for the study? What other little details might StillSecure have gotten wrong in their analysis?

Either way, there are some doubts about this article. The conclusion that old operating systems are vulnerable is in question because they state that a very old OS fared very well in the test. The conclusion that new operating systems are more secure is invalid because they didn’t test a new operating system for the Mac. Maybe the whole study is questionable because they botched one significant but simple detail and can’t even get the name of the operating system they used correct, and they opted to use the less accurate OS series name rather than a more accurate version number. How many other details could they have gotten wrong?