Vista security vs. Linux and OS X - Thoughts?

Discussion in 'Windows Desktop Systems' started by NetRyder, Mar 22, 2007.

  1. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    While going through my feeds earlier today, I noticed links to a couple of reports about how Vista has been doing so far in terms of security. I haven't had a chance to research the claims presented, so I thought it would be interesting to discuss and dissect them here. :)

    Symantec study - Windows security, in general:

    The first is from a study conducted by Symantec, and as we all know, they've had their fair share of disputes with Microsoft. Surprisingly, even under such circumstances, this is what they had to say about Windows in general (not Vista specifically):

    http://www.internetnews.com/security/article.php/3667201

    Windows Vista - 90 Day Vulnerability Report:

    More interesting to me, however, is this 90 day vulnerability report, comparing Vista to XP as well as Linux and Mac OS X. Here's a chart displaying the results, but I would suggest skimming through the full PDF report as well:

    [IMG]

    Bear in mind that this report was compiled by a Security Strategy Director at Microsoft, so there's good reason to take it with a grain of salt, but no reason to dismiss it completely unless there are glaring factual flaws.

    Thoughts?

    So what do you guys think? It seems quite interesting to me, but as I said, I haven't had the chance to look for contradicting evidence yet. Does anyone want to try to contest the findings, especially from the second report? :)

    I realize that I might be opening a big can of worms with this thread, so I ask, in advance, that you remain civil and respectful, even if your opinions differ from someone else's. No personal attacks, please.

    Fire away.
     
    Last edited: Mar 22, 2007
  2. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    I hate you :p *runs*


    Certainly looks like MS really have pushed security of code higher up their priority list. The graph though, is that referring to the first 90 days since Vista was released or in the first 90 day period since each of those operating systems was released?

    I'd be wary of any "Vista's security is crap/wonderful" reports for at least the first 8 to 12 months after it's been released. No doubt once its popularity and prevalence has picked up we should get a more accurate picture.

    The other thing of course is the personal opinion of users. I for example am less patient with my Windows devices than my Mac. So it will also depend on how secure users feel using an operating system. I personally feel better on my Mac because I know updates will be applied as soon as they are fixed rather than at a set time each month, what's more is that I can run the update tool once to get all the updates. The Windows Update tool you have to download the first barrage of updates then check again to see if there are any updates to your updates. Basically you keep running the update tool until it doesn't find anything further.

    Admittedly I have not seriously used Vista since PB2 but I would doubt that windows update has been overhauled for it. Love to be proven wrong though.
     
  3. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Haha. You're pardoned. This time. :D

    It refers to the first 90 day period after each OS was released. The latest available versions were examined - so Ubuntu 6.06, SuSE 10, OS X 10.4.0, etc.

    I definitely agree, and so does the author of the second report. From the PDF:
    How much impact has that commitment had for Windows Vista security? It is too soon to get a complete picture, but as of February 28, 2007, the full release of Windows Vista has been in production use by business customers for 90 days – the minimum period for which I think we can start to look for indications of improvement. [...]

    As an early and tentative indicator, this is good news for Windows Vista security, but keep in mind that it is early days yet, and we should have a more informative view after we pass the 6-month and 1-year milestones.
    However, given the fact that the second report is based on vulnerabilities within the first 90 day period after each OS was released, and not just within the past 90 days until today, it seems like a fair comparison, doesn't it?

    Yeah, I remember running into that in XP a few times. Windows Update is now a separate applet in Vista. It doesn't run within the browser like it did in previous versions of Windows. And as far as I can remember, I haven't had to re-check for updates to get additional ones with this new system since I started using the RTM build in November. They all come down in one block. :)
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Well I'd say that at least the RHEL4/Centos bar isn't wrong. We have to reload a few boxes a month due to them being exploited. Some of that will be down to lax admin by the owner, some to poor script programming but the bulk is down to the packages available from RH/Centos and cPanel being out of date. Backporting can only account for so much. More so the fact they don't seem to do any active security patching beyond the first 90 days of release.

    End result being more than a few boatloads of very vulnerable, very easy targets just broadcasting themselves to the web sitting on our racks.

    People wonder why there are DDoS nets around. Ask Redhat.
     
  5. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    I think it's been noticed that I didn't read much further than the post :p

    it would definitely be interesting to see the 90 day and then semi-annual results. Would be interesting to see if they tend to go up or down over time.
     
  6. Sazar

    Sazar F@H - Is it in you? Staff Member Political User Folding Team

    Messages:
    14,905
    Location:
    Between Austin and Tampa
    I think Vista is pretty secure.

    And Net, you smell funny :eek:
     
  7. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    This is a nice surprise for Vista out of the box secure, good work Microsoft.
     
  8. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    I don't have much comparison with other Operating Systems, but I do have to say that Vista is a HUGE improvement wrt overall security vs. the previous platform (winxp).
     
  9. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    It looks that way for now, hope it holds up
     
  10. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Really this is all you need to read, to know that it is not Symantec but Microsoft who wrote this:

    Sigh, of course this is the first 90 days it was released to business users. It was only released on Jan 30th to everyone. No IT dept in their right mind would be rolling out Vista, especially on day one.

    What are these vulnerabilities, ones that were made up? I see no mention of where these numbers come from, only their "internal security team".

    While you are all fawning over these supposed results, remember that Linux packages literally thousands of different software with it. So basically that is comparing the base MS operating system with every bit of software available for linux. E.g. there are over 11,000 ports of different software for Gentoo. Do the Vista numbers include every piece of software that will run on it?

    Who cares how many patches are released, they are necessary. That is why you must update your software no matter what OS you are running.

    Ubuntu
    http://secunia.com/product/12470/?task=advisories
    Unpatched 0% (0 of 61 Secunia advisories)

    Redhat
    http://secunia.com/product/4670/?task=advisories
    Unpatched 0% (0 of 266 Secunia advisories)

    OS X
    http://secunia.com/product/96/?task=advisories
    Unpatched 7% (7 of 100 Secunia advisories)

    Sun Solaris 10
    http://secunia.com/product/4813/?task=advisories
    Unpatched 11% (11 of 99 Secunia advisories)

    XP Pro
    http://secunia.com/product/22/?task=advisories
    Unpatched 18% (33 of 179 Secunia advisories)

    Vista
    http://secunia.com/product/13223/?task=advisories
    Unpatched 67% (2 of 3 Secunia advisories)

    Looks like in non-MS sponsored or conducted studies they are still the worst.
     
  11. vertigo

    vertigo OSNN Senior Addict

    Messages:
    330
    I'm no expert on security but surely linux's "vulnerabilities" have been exaggerated, you don't hear of virii, spyware, etc in linux communities very often.

    maybe they headed over to launchpad and just wrote down the number of reported bugs and said "yep, that'll do"
     
  12. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    come sit in our datacenter and tell me that linux vulnerabilities are exaggerated.....
     
  13. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    How outdated are your servers?
     
  14. ming

    ming OSNN Advanced

    Messages:
    4,252
    Location:
    UK
    Although they have boasted about Vista being the most secure OS ever made, one should expect there to be fewer vulnerabilities than XP, especially in security reports.
     
  15. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Also, from the article:

    And they conclude windows is the most secure why?
     
  16. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Please read the first post again. They are two separate reports. The first one is published independently by Symantec. The second one is published by a Microsoft employee, as I already pointed out in the post.

    Which report are you referring to? The Symantec one, or the Microsoft one? The latter includes some of the sources. For example:
    The source for this information is http://rhn.redhat.com/errata. Disclosure dates are compiled from many sites, including (but not limited to) http://nvd.nist.gov and other vendor web sites.
    Please read the report again. This was addressed in the comparison:
    Red Hat and other Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don’t have a comparable component on a Microsoft Windows operating system. It is a common objection to any Windows and Linux comparison that counting the “optional” applications against the Linux distribution is unfair, so I’ve completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS.
     
    Last edited: Mar 23, 2007
  17. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Most of our clients' servers are set to auto update to the latest available packages from the OS and control panel vendors.

    The fact remains that linux and open source software remains incredibly vulnerable to attack and exploitation no matter what the fanboys on either side of the three fences (mac vs linux/bsd vs windows) would like to believe.

    Windows servers that are regularly updated and that have a good antivirus solution installed (at work we recommend nod32 or the juniper netscreen with its Kaspersky AV engine licensed) are a good deal less vulnerable to exploitation than a fully updated linux server with SPI packet filters.

    All it takes to have a linux zombie at your beck and call is for someone to install phpbb2 or os commerce and its ready for take over.

    This is all from physical experience and evidence right here in front of me at work so I don't have any documentation to provide backup for all of the above.
     
  18. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Ah, now this is some interesting data to chew on. :)

    I've left a comment under the original article to see if we can get a response from the author of the report.
    http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report#comment-3119
     
  19. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Do you mean cPanel? Because that is notoriously bad as far as exploits are concerned. Maybe it wouldn't be if it was open-sourced ;)

    I am not sure about os commerce, but phpbb has had its fair share of exploits as well, but I haven't seen any on updated versions. I still run it on my website and never experienced any of the exploits which seemed to be patched before making their rounds in the wild. Unpatched boards did get hit en masse. I still see the traces of attempts in my web logs.

    Are these boxes rooted? or just defaced?

    But alas, those are not OS exploits, they are exploits in programs. If you were running W[indows]AMP instead of LAMP servers you would see the same thing. Poor programming by the developers who wrote the PHP code and clueless end users installing or not updating their software are to blame.

    Leaving your phpinfo.php file open isn't a good idea either but plenty do.
     
  20. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Jeff posted a response to this quite promptly. Here's what he has to say regarding the Secunia numbers:
    This is a topic I've written about before on my technet blog. However, I may reprint some of it here too since you've asked the question.

    Basically, Secunia doesn't try to track disclosed issues for the Linux distros at all. I've engaged with them on this and spoken with the CTO and they have some practical reasons for this - say I disclose a vuln in Linux kernel 2.6, which is the basis for many different distros. Can you tell if the vuln applies to all of those distros or not? Red Hat customizes their kernel, for example - they may not load that component or may have already fixed the issue. Multiply that times 250 distros and individual validation is just too hard for Secunia to do.

    Result - they simply post advisories after the vendor has acknowledged an issue with a patch. On the other hand, wide coverage for MSFT products means most disclosures get tracked before a patch is necessarily available.

    The bottom line is that the Linux distro numbers for "unpatched" on Secunia are very inaccurate - I'll blog with details to prove this soon...
    Source: http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report#comment-3123

    I think he might have a valid point. I'm waiting for his follow-up post with the details. Will keep you guys posted.