Vista security vs. Linux and OS X - Thoughts?

NetRyder

While going through my feeds earlier today, I noticed links to a couple of reports about how Vista has been doing so far in terms of security. I haven't had a chance to research the claims presented, so I thought it would be interesting to discuss and dissect them here. :)

Symantec study - Windows security, in general:

The first is from a study conducted by Symantec, and as we all know, they've had their fair share of disputes with Microsoft. Surprisingly, even under such circumstances, this is what they had to say about Windows in general (not Vista specifically):

But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors.

The information was a part of Symantec's 11th Internet Security Threat Report. The report, released this week, covered a huge range of security and vulnerability issues over the last six months of 2006, including operating systems.

The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.
http://www.internetnews.com/security/article.php/3667201

Windows Vista - 90 Day Vulnerability Report:
More interesting to me, however, is this 90 day vulnerability report, comparing Vista to XP as well as Linux and Mac OS X. Here's a chart displaying the results, but I would suggest skimming through the full PDF report as well:


[chart: 90-day vulnerability comparison of Windows Vista, Windows XP, Linux distributions and Mac OS X]


Bear in mind that this report was compiled by a Security Strategy Director at Microsoft, so there's good reason to take it with a grain of salt, but no reason to dismiss it completely unless there are glaring factual flaws.

Thoughts?

So what do you guys think? It seems quite interesting to me, but as I said, I haven't had the chance to look for contradicting evidence yet. Does anyone want to try to contest the findings, especially from the second report? :)

I realize that I might be opening a big can of worms with this thread, so I ask, in advance, that you remain civil and respectful, even if your opinions differ from someone else's. No personal attacks, please.

Fire away.
 
No personal attacks, please.
I hate you :p *runs*


Certainly looks like MS really have pushed security of code higher up their priority list. The graph though, is that referring to the first 90 days since Vista was released or in the first 90 day period since each of those operating systems was released?

I'd be wary of any "Vista's security is crap/wonderful" reports for at least the first 8 to 12 months after it's been released. No doubt once its popularity and prevalence has picked up we should get a more accurate picture.

The other thing of course is the personal opinion of users. I for example am less patient with my Windows devices than my Mac. So it will also depend on how secure users feel using an operating system. I personally feel better on my Mac because I know updates will be applied as soon as they are fixed rather than at a set time each month, what's more is that I can run the update tool once to get all the updates. The Windows Update tool you have to download the first barrage of updates then check again to see if there are any updates to your updates. Basically you keep running the update tool until it doesn't find anything further.

Admittedly I have not seriously used Vista since PB2 but I would doubt that windows update has been overhauled for it. Love to be proven wrong though.
 
I hate you :p *runs*
Haha. You're pardoned. This time. :D

Certainly looks like MS really have pushed security of code higher up their priority list. The graph though, is that referring to the first 90 days since Vista was released or in the first 90 day period since each of those operating systems was released?
It refers to the first 90 day period after each OS was released. The latest available versions were examined - so Ubuntu 6.06, SuSE 10, OS X 10.4.0, etc.

I'd be wary of any "Vistas security is crap/wonderful" reports for at least the first 8 to 12 months after its been released. No doubt once its popularity and prevalence has picked up we should get a more accurate picture.
I definitely agree, and so does the author of the second report. From the PDF:
How much impact has that commitment had for Windows Vista security? It is too soon to get a complete picture, but as of February 28, 2007, the full release of Windows Vista has been in production use by business customers for 90 days – the minimum period for which I think we can start to look for indications of improvement. [...]

As an early and tentative indicator, this is good news for Windows Vista security, but keep in mind that it is early days yet, and we should have a more informative view after we pass the 6-month and 1-year milestones.
However, given the fact that the second report is based on vulnerabilities within the first 90 day period after each OS was released, and not just within the past 90 days until today, it seems like a fair comparison, doesn't it?

I can run the update tool once to get all the updates. The Windows Update tool you have to download the first barrage of updates then check again to see if there are any updates to your updates. Basically you keep running the update tool until it doesn't find anything further.

Admittedly I have not seriously used Vista since PB2 but I would doubt that windows update has been overhauled for it. Love to be proven wrong though.
Yeah, I remember running into that in XP a few times. Windows Update is now a separate applet in Vista. It doesn't run within the browser like it did in previous versions of Windows. And as far as I can remember, I haven't had to re-check for updates to get additional ones with this new system since I started using the RTM build in November. They all come down in one block. :)
 
Well I'd say that at least the RHEL4/Centos bar isn't wrong. We have to reload a few boxes a month due to them being exploited. Some of that will be down to lax admin by the owner, some to poor script programming, but the bulk is down to the packages available from RH/Centos and cPanel being out of date. Backporting can only account for so much. More so the fact they don't seem to do any active security patching beyond the first 90 days of release.

End result being more than a few boatloads of very vulnerable, very easy targets just broadcasting themselves to the web sitting on our racks.

People wonder why there are DDoS nets around. Ask Redhat.
 
I think its been noticed that I didn't read much further than the post :p

it would definitely be interesting to see the 90 day and then semi-annual results. Would be interesting to see if they tend to go up or down over time.
 
I think Vista is pretty secure.

And Net, you smell funny :eek:
 
This is a nice surprise for Vista, out of the box secure. Good work Microsoft.
 
I don't have much comparison with other Operating Systems, but I do have to say that Vista is a HUGE improvement wrt overall security vs. the previous platform (winxp).
 
Really this is all you need to read, to know that it is not Symantec but Microsoft who wrote this:

ABOUT THE AUTHOR
Jeff Jones is a Security Strategy Director in Microsoft’s Trustworthy Computing group.
Sigh, of course this is the first 90 days it was released to business users. It was only released on Jan 30th to everyone. No IT dept in their right mind would be rolling out Vista, especially on day one.

What are these vulnerabilities, ones that were made up? I see no mention of where these numbers come from, only their "internal security team".

While you are all fawning over these supposed results, remember that Linux packages literally thousands of different software with it. So basically that is comparing the base MS operating system with every bit of software available for linux. E.g. there are over 11,000 ports of different software for Gentoo. Do the Vista numbers include every piece of software that will run on it?

Who cares how many patches are released, they are necessary. That is why you must update your software no matter what OS you are running.

Ubuntu
http://secunia.com/product/12470/?task=advisories
Unpatched 0% (0 of 61 Secunia advisories)

Redhat
http://secunia.com/product/4670/?task=advisories
Unpatched 0% (0 of 266 Secunia advisories)

OS X
http://secunia.com/product/96/?task=advisories
Unpatched 7% (7 of 100 Secunia advisories)

Sun Solaris 10
http://secunia.com/product/4813/?task=advisories
Unpatched 11% (11 of 99 Secunia advisories)

XP Pro
http://secunia.com/product/22/?task=advisories
Unpatched 18% (33 of 179 Secunia advisories)

Vista
http://secunia.com/product/13223/?task=advisories
Unpatched 67% (2 of 3 Secunia advisories)

Looks like in non-MS sponsored or conducted studies they are still the worst.
 
I'm no expert on security, but surely Linux's "vulnerabilities" have been exaggerated; you don't hear of virii, spyware, etc. in Linux communities very often.

maybe they headed over to launchpad and just wrote down the number of reported bugs and said "yep, that'll do"
 
come sit in our datacenter and tell me that linux vulnerabilities are exaggerated.....
 
How outdated are your servers?
 
although they have boasted about vista being the most secure OS ever made, one should expect there to be less vulnerabilities than xp, especially in security reports.
 
Also, from the article:

During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.

The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.

Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple (Quote) has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.

And they conclude windows is the most secure why?
 
Really this is all you need to read, to know that it is not Symantec but Microsoft who wrote this
Please read the first post again. They are two separate reports. The first one is published independently by Symantec. The second one is published by a Microsoft employee, as I already pointed out in the post.

What are these vulnerabilities, ones that were made up? I see no mention of where these numbers come from, only their "internal security team".
Which report are you referring to? The Symantec one, or the Microsoft one? The latter includes some of the sources. For example:
The source for this information is http://rhn.redhat.com/errata. Disclosure dates are compiled from many sites, including (but not limited to) http://nvd.nist.gov and other vendor web sites.
While you are all fawning over these supposed results, remember that Linux packages literally thousands of different software with it. So basically that is comparing the base MS operating system with every bit of software available for linux. E.g. there are over 11,000 ports of different software for Gentoo. Do the Vista numbers include every piece of software that will run on it?
Please read the report again. This was addressed in the comparison:
Red Hat and other Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don’t have a comparable component on a Microsoft Windows operating system. It is a common objection to any Windows and Linux comparison that counting the “optional” applications against the Linux distribution is unfair, so I’ve completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS.
 
How outdated are your servers?

Most of our clients servers are set to auto update to the latest available packages from the OS and control panel vendors.

The fact remains that linux and open source software remains incredibly vulnerable to attack and exploitation no matter what the fanboys on either side of the three fences (mac vs linux/bsd vs windows) would like to believe.

Windows servers that are regularly updated and that have a good antivirus solution installed (at work we recommend nod32 or the juniper netscreen with its Kaspersky AV engine licensed) are a good deal less vulnerable to exploitation than a fully updated linux server with SPI packet filters.

All it takes to have a linux zombie at your beck and call is for someone to install phpbb2 or os commerce and its ready for take over.

This is all from physical experience and evidence right here in front of me at work, so I don't have any documentation to provide backup for all of the above.
 
Who cares how many patches are released, they are necessary. That is why you must update your software no matter what OS you are running.

Ubuntu
http://secunia.com/product/12470/?task=advisories
Unpatched 0% (0 of 61 Secunia advisories)

Redhat
http://secunia.com/product/4670/?task=advisories
Unpatched 0% (0 of 266 Secunia advisories)

OS X
http://secunia.com/product/96/?task=advisories
Unpatched 7% (7 of 100 Secunia advisories)

Sun Solaris 10
http://secunia.com/product/4813/?task=advisories
Unpatched 11% (11 of 99 Secunia advisories)

XP Pro
http://secunia.com/product/22/?task=advisories
Unpatched 18% (33 of 179 Secunia advisories)

Vista
http://secunia.com/product/13223/?task=advisories
Unpatched 67% (2 of 3 Secunia advisories)
Ah, now this is some interesting data to chew on. :)

I've left a comment under the original article to see if we can get a response from the author of the report.
http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report#comment-3119
 
Most of our clients servers are set to auto update to the latest available packages from the OS and control panel vendors.

The fact remains that linux and open source software remains incredibly vulnerable to attack and exploitation no matter what the fanboys on either side of the three fences (mac vs linux/bsd vs windows) would like to believe.

Windows servers that are regularly updated and that have a good antivirus solution installed (at work we recommend nod32 or the juniper netscreen with its Kaspersky AV engine licensed) are a good deal less vulnerable to exploitation than a fully updated linux server with SPI packet filters.

All it takes to have a linux zombie at your beck and call is for someone to install phpbb2 or os commerce and its ready for take over.

This is all from physical experience and evidence right here in front of me at work, so I don't have any documentation to provide backup for all of the above.

Do you mean cPanel? Because that is notoriously bad as far as exploits are concerned. Maybe it wouldn't be if it was open-sourced ;)

I am not sure about os commerce, but phpbb has had its fair share of exploits as well, but I haven't seen any on updated versions. I still run it on my website and never experienced any of the exploits which seemed to be patched before making their rounds in the wild. Unpatched boards did get hit en masse. I still see the traces of attempts in my web logs.

Are these boxes rooted? or just defaced?

But alas, those are not OS exploits, they are exploits in programs. If you were running W[indows]AMP instead of LAMP servers you would see the same thing. Poor programming by the developers who wrote the PHP code and clueless end users installing or not updating their software are to blame.

Leaving your phpinfo.php file open isn't a good idea either but plenty do.
 
Ah, now this is some interesting data to chew on. :)

I've left a comment under the original article to see if we can get a response from the author of the report.
http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report#comment-3119
Jeff posted a response to this quite promptly. Here's what he has to say regarding the Secunia numbers:
This is a topic I've written about before on my technet blog. However, I may reprint some of it here too since you've asked the question.

Basically, Secunia doesn't try to track disclosed issues for the Linux distros at all. I've engaged with them on this and spoken with the CTO and they have some practical reasons for this - say I disclose a vuln in Linux kernel 2.6, which is the basis for many different distros. Can you tell if the vuln applies to all of those distros or not? Red Hat customizes their kernel, for example - they may not load that component or may have already fixed the issue. Multiply that times 250 distros and individual validation is just too hard for Secunia to do.

Result - they simply post advisories after the vendor has acknowledged an issue with a patch. On the other hand, wide coverage for MSFT products means most disclosures get tracked before a patch is necessarily available.

The bottom line is that the Linux distro numbers for "unpatched" on Secunia are very inaccurate - I'll blog with details to prove this soon...
Source: http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report#comment-3123

I think he might have a valid point. I'm waiting for his follow-up post with the details. Will keep you guys posted.
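Two methodological points run through this thread: whether "optional" Linux packages should count against a distro (the report's extra level of analysis quoted above), and whether a Secunia-style "unpatched %" means anything when advisories for some vendors are only created once a patch exists (Jeff's reply). The script below is an added example, not code from the thread, from Secunia, or from either report; it scores one constructed, entirely invented advisory list for two hypothetical products ("OS-A", "OS-B") under each counting rule so the effect of the rule is visible. Product names, components, dates and severities are all assumptions.

```python
"""Added example (not from the thread or either report): score the same
constructed advisory list under different counting rules to show how the
rule, not the software, can drive the headline number."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    product: str
    component: str
    disclosed: date            # public disclosure date
    patched: Optional[date]    # None = no fix as of CUTOFF
    severity: str              # "low" | "medium" | "high"
    core: bool                 # has a comparable component in a base OS


# Constructed sample. Hypothetical products and release dates; nothing here
# describes a real vendor, product or vulnerability.
RELEASE = {"OS-A": date(2006, 11, 30), "OS-B": date(2006, 6, 1)}
CUTOFF = date(2007, 2, 28)
SAMPLE = [
    Advisory("OS-A", "kernel",  date(2006, 12, 20), date(2007, 1, 9),  "high",   True),
    Advisory("OS-A", "browser", date(2007, 1, 15),  None,              "medium", True),
    Advisory("OS-A", "browser", date(2007, 2, 10),  None,              "low",    True),
    Advisory("OS-B", "kernel",  date(2006, 6, 5),   date(2006, 6, 20), "high",   True),
    Advisory("OS-B", "libc",    date(2006, 7, 1),   date(2006, 7, 3),  "medium", True),
    Advisory("OS-B", "mailer",  date(2006, 7, 20),  date(2006, 8, 30), "medium", False),
    Advisory("OS-B", "office",  date(2006, 8, 1),   None,              "low",    False),
    Advisory("OS-B", "kernel",  date(2006, 8, 25),  None,              "high",   True),
]


def first_n_days(product, days=90, core_only=False, advisories=SAMPLE):
    """Advisories disclosed within `days` of the product's release, the basis
    of a 90-day count. core_only drops components with no base-OS
    counterpart, the 'optional application' exclusion the report describes."""
    start = RELEASE[product]
    return [a for a in advisories
            if a.product == product
            and 0 <= (a.disclosed - start).days < days
            and (a.core or not core_only)]


def unpatched_ratio(product, tracked_after_patch_only=False, advisories=SAMPLE):
    """(open, tracked, percent) at CUTOFF. With tracked_after_patch_only an
    advisory enters the data set only once a fix exists, the tracking model
    Jeff describes for the distros: the 'unpatched' numerator then reads zero
    whatever the real exposure is."""
    seen = [a for a in advisories if a.product == product
            and (a.patched is not None or not tracked_after_patch_only)]
    if not seen:
        return (0, 0, 0.0)
    still_open = [a for a in seen if a.patched is None or a.patched > CUTOFF]
    return (len(still_open), len(seen), round(100.0 * len(still_open) / len(seen), 1))


def days_of_risk(product, advisories=SAMPLE):
    """(mean days from disclosure to fix, issues still open at CUTOFF).
    Counting exposure time rather than advisory totals is less sensitive to
    how many packages a vendor chooses to ship."""
    fixed = [(a.patched - a.disclosed).days for a in advisories
             if a.product == product and a.patched is not None]
    open_count = sum(1 for a in advisories if a.product == product and a.patched is None)
    mean = round(sum(fixed) / len(fixed), 1) if fixed else 0.0
    return (mean, open_count)


if __name__ == "__main__":
    for p in RELEASE:
        print(p, "90-day count:", len(first_n_days(p)),
              "core-only:", len(first_n_days(p, core_only=True)))
        print(p, "unpatched, all disclosures tracked:", unpatched_ratio(p))
        print(p, "unpatched, tracked after patch only:",
              unpatched_ratio(p, tracked_after_patch_only=True))
        print(p, "days of risk:", days_of_risk(p))
```

On the constructed data OS-B has more 90-day advisories than OS-A until optional components are excluded, and its "unpatched" figure drops from 2 of 5 to 0 of 3 purely by changing when an issue starts being tracked. The same small-denominator effect is why a figure like "2 of 3" says little on its own; the days-of-risk pair is the number worth comparing once both sides are tracked the same way.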
 