6 Months On, Vista Security Still Besting Linux

Posted by kdawson on Wed Jun 27, 2007 07:58 AM
from the maybe-because-nobody's-using-it dept.
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"

Related Stories

Technology: Vista Security Claims Debunked (315 comments)
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
  • Fine... (Score:5, Interesting)

    by Progman3K (515744) on Wednesday June 27 2007, @08:01AM (#19661319)
    Point me at the problems in Linux and I'll fix them.

    What? Can't do that with Vista?

    I'll take Linux, thank you.
    • Re:Fine... (Score:5, Insightful)

      by gravos (912628) on Wednesday June 27 2007, @08:08AM (#19661379) Homepage
      So what are you waiting for exactly? You could fix them today and then prove the author wrong. Oh wait, maybe you couldn't...
    • Re:Fine... (Score:5, Informative)

      by toleraen (831634) on Wednesday June 27 2007, @08:14AM (#19661429)
      Here ya go! [linuxsecurity.com] Let me know when you're finished, thanks!
      • by Technician (215283) on Wednesday June 27 2007, @09:20AM (#19661969)
        I looked at the user comments at the bottom of the article. One juicy tidbit was this link:

        http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html [microsoft-watch.com]

        The biggest bug in Windows is between the chair and keyboard. The item in question is gullible, has admin privileges, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.

        Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.

        Vista still runs Windows code, its biggest fault, but it seems to be driving towards better system security and user permissions.
    • Re:Fine... (Score:5, Insightful)

      by kjart (941720) on Wednesday June 27 2007, @08:26AM (#19661523)

      Wait, assuming both assumptions here are true (i.e. Windows has fewer vulnerabilities and you would fix all security problems brought to you in Linux), you would still rather _personally_ fix a lot of bugs over having a more secure platform (again, big assumption there)?

    • Re:Fine... (Score:5, Insightful)

      by b1ufox (987621) on Wednesday June 27 2007, @08:44AM (#19661667) Homepage Journal
      Looks like Mr Jeff Jones works at Redmond.

      https://209.34.241.68/user/Profile.aspx?UserID=7803 [209.34.241.68]

      No wonder Windows Vista is best in his review.

      I am not convinced, next please Mr Jones.

      • Re:Fine... (Score:5, Interesting)

        by Ravnen (823845) on Wednesday June 27 2007, @08:51AM (#19661727)
        A good argument against this myth is made in a Guardian article [guardian.co.uk] from a couple of years ago about OpenOffice, which includes the following comment about external contributions, i.e. those not made by the 100 or so full-time developers paid by Sun to develop it:

        But what about the innumerable volunteers who can download the code and fix what they like? They take one look at the effort involved and run. OpenOffice is an extremely complex mountain of source code. As far as I know, in the five years it has been available as open source, not one contribution to the program has come from amateurs. The outsiders who have provided input have been full-time professionals employed by Linux companies to help make the software credible.
      • Re:Fine... (Score:5, Insightful)

        by walt-sjc (145127) on Wednesday June 27 2007, @09:25AM (#19662009)
        I suspect you've fallen into the fallacy that just because people can look at the source, people actually do.

        It's a fallacy? Shit. I guess that all these years that I have been working on open source software, fixing bugs, adding features, has actually been a big long dream. I'll wake up and finally see that I've been living in the Matrix, and finally see Bill G in his true Borg form hanging over me grinning...

        Of course not EVERYONE looks at the source for every app, but collectively there are a HUGE number of people looking at and working with the source for just about every app out there. Unfortunately, not everyone working on open source is a qualified professional, and we do see some horrible code out there, but it's no worse than a lot of the commercial code I've seen over the years.

        But back to the report. It's a shell game. Microsoft, having a closed development model, may have HUNDREDS of high threat level flaws that are UNDISCLOSED but may be known about by black-hat hackers. Open source by nature is ALWAYS disclosed. MS also has a habit of rating their flaws at a lower threat level than third party security researchers rated it. Yep, just goes to show that you can prove anything with statistics.

        Here is a statistic for you... 99%+ of all the probing I get on the external side of the corp network is from Windows boxes according to fingerprint analysis. Since most probing is done via compromised machines (botnets), and Windows has less than a 99% market share, that leaves me with one conclusion. The numbers are similar for spam.

        How many vulnerabilities are known about and fixed in a certain time frame is meaningless. What would be meaningful, but an impossible statistic to gather, is exactly what percentage of installed Linux and Windows machines are currently compromised and being actively exploited (member of a botnet.) I've heard estimates that up to 50% of all windows machines are infected with serious malware of some sort or another...
  • fp (Score:5, Funny)

    by Anonymous Coward on Wednesday June 27 2007, @08:02AM (#19661329)

    Jeff Jones ... This time he did what the Linux community had asked.

    He went and f*cked himself?

    • Useless studies (Score:5, Insightful)

      by Vicegrip (82853) on Wednesday June 27 2007, @08:41AM (#19661655) Journal
      Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?

      None

      Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?

      I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when SSID broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.

      Beyond that, on this brand new machine, specced for Vista, Vista is SLOW.

      MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
      • Re:Useless studies (Score:5, Interesting)

        by sYkSh0n3 (722238) on Wednesday June 27 2007, @09:24AM (#19661995) Journal
        Sorry 'bout the offtopic, but I've been noticing the problems you were talking about on EVERY new Dell I've seen in the last few months, XP and Vista. So I don't know that you can attribute all your problems to the OS. I think a lot of it has to do with all the crap they install. (ug, defending Vista... I feel dirty)

        But I'd still rather run Ubuntu. Anybody who thinks installing Windows is easier than Linux hasn't installed Feisty Fawn. My last 4 Windows installs have come up in 640x480 4-bit because the video card wasn't recognized, the sound didn't work, and the network card didn't work. Not to mention it took forever to install. I boot Ubuntu on the same machine (in minutes) and everything works perfectly. In fact, the Feisty Fawn install disk has become part of my Windows install. I boot the live CD, download the drivers I need to my thumbdrive, reboot into Windows and install them. Point being: not only is Linux EASIER to install, it's made Windows EASIER to install too. Now THAT'S a good operating system.
  • by s31523 (926314) on Wednesday June 27 2007, @08:05AM (#19661361)
    Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.
  • by Farfnagel (898722) on Wednesday June 27 2007, @08:07AM (#19661375)
    ...as popular as Linux, then it will be targeted, too. Or something like that.
  • Of course it will (Score:5, Insightful)

    by oztiks (921504) on Wednesday June 27 2007, @08:09AM (#19661391)
    This is stupid. Linux as a distro is a complete solution from A-Z... Vista is a bit of a solution as it's just an operating system with limited services. Why did he do it to Vista anyway? Shouldn't he be doing it to a server edition of Windows?

    When I see a Windows system and a Linux system that do exactly the same things and have the same purpose software installed on them, I can see the viability of the test.

    Further, malware runs rampant in Windows, and nearly 50% of Vista's vulns were not patched, whereas regardless of how many Linux has, they get fixed when found. More secure? You tell me: is a nightclub more secure when the bouncer only kicks out half the troublemakers while a tougher and meaner club down the street deals with all of them?
  • Look! (Score:5, Insightful)

    by Eddi3 (1046882) on Wednesday June 27 2007, @08:09AM (#19661397) Homepage Journal
    Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!

    Nothing to see here, please move along...
  • by arun_s (877518) on Wednesday June 27 2007, @08:10AM (#19661401) Homepage Journal
    This has already been analysed at microsoft-watch [microsoft-watch.com], and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
  • by QX-Mat (460729) on Wednesday June 27 2007, @08:12AM (#19661411)
    On the back of recent news that less than half of Vista "issues" have been patched, let alone publicly announced, we get another article touting the merits of two things that can't be directly compared.

    Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.

    Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.

    There are many vulnerability hunters out there now, employed by governments across the world simply to "dive in" at the deep end of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly accepts community involvement in the fixing and pre-emptive policy that makes OS software better software.

    Matt
  • by mgkimsal2 (200677) on Wednesday June 27 2007, @08:12AM (#19661415) Homepage
    One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.

    So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
  • by jhdevos (56359) on Wednesday June 27 2007, @08:15AM (#19661437) Homepage
    There are still a lot of problems with this 'comparison'. For instance:

    - The 'reduced feature set' used for the comparison still contains a lot of software not included with Windows
    - All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OSes, and you can't compare things that are measured in different ways.
    - The usual 'less known holes != safer' discussion...

    I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.

    Jan
  • by Anonymous Coward on Wednesday June 27 2007, @08:21AM (#19661483)
    He's not comparing vulnerabilities - he's comparing vulnerability disclosures.

    It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
  • I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...

    But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.

    I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
  • Did I miss something (Score:5, Informative)

    by MECC (8478) * on Wednesday June 27 2007, @09:02AM (#19661839)


    Rather than take his word for it, why not just check at Secunia. [secunia.com]

    Vista [secunia.com]
      Vendor: Microsoft
      Affected By: 10 Secunia advisories
      Unpatched: 20% (2 of 10 Secunia advisories)
      Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Not critical

    Ubuntu 6.06 [secunia.com]
      Vendor: Canonical Ltd.
      Affected By: 147 Secunia advisories
      Unpatched: 0% (0 of 147 Secunia advisories)
      Most Critical Unpatched: There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.