Security

Security Statistics and Operating System Conventional Wisdom 556

kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
This discussion has been archived. No new comments can be posted.

  • by Xshare ( 762241 ) on Monday July 05, 2004 @12:25PM (#9613654) Homepage
    ...and everyone says that Microsoft is paying Secunia to do this, etc. (like with AdTI, though AdTI really is getting funding from MSFT, different story), read this: http://www.linuxinsider.com/story/32370.html [linuxinsider.com]
    It seems that it was Secunia which released lots of IE bugs, and that Microsoft has had scuffles with them before. Unless someone here has evidence that they got funding from MSFT since then, don't say that.
  • by paranode ( 671698 ) on Monday July 05, 2004 @12:32PM (#9613717)
    These are the statistics that really matter:

    Secunia Virus Statistics [secunia.com]

    Of course you'll notice the common Win32. in front of all of them.
  • by nattt ( 568106 ) on Monday July 05, 2004 @12:36PM (#9613752)
    Statistics don't change the fact that after running Mac OS X since its inception, I've not had one OS X virus, or any of these exploits used against my machines. And the stats don't take into account not just how quickly a patch is released, but how quickly the users of that OS patch it.
  • Black and White (Score:4, Informative)

    by INeededALogin ( 771371 ) on Monday July 05, 2004 @12:37PM (#9613764) Journal
    as a Mac OSX user I have to defend my lil OS that could.

    This poll does not take into account the time to resolution, effect of exploit, and how hard it was to actually perform the exploit. Honestly, all software has bugs, all software has exploits; it is the result of those exploits that I am more concerned with. Quite often Apple finds and fixes exploits before there are programs in the wild to exploit them. The same goes for Open-Source software which I am sure that some of the OSX advisories were a result of given Apple's embrace of OSS.

    Ask an Apple user how many Viruses, pop-ups, and unexplained daemons they have had on their system. The number will almost always be 0.
  • by APDent ( 81994 ) on Monday July 05, 2004 @12:52PM (#9613907)

    From the products [secunia.com] page of the Secunia web-site:

  • by HiThere ( 15173 ) * <charleshixsn@@@earthlink...net> on Monday July 05, 2004 @12:54PM (#9613926)
    All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by

    I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive. Actually, Linux is almost an accidental beneficiary here. Linux used Unix as a role-model, and Unix grew up being attacked by hackers who wanted to play Space-Invaders or Cave or Hunt the Wumpus when their school accounts wouldn't cover it. And by PhD candidates trying for a few more runs on their thesis project. It's true these weren't *remote* exploits. They were local ones...where the attacker didn't have privileged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access.
  • by rufo ( 126104 ) <rufo&rufosanchez,com> on Monday July 05, 2004 @12:54PM (#9613930)
    While in general, people are lazy and haven't learned to care about security (I don't really blame anyone about this, there's never been a need to before), I think it's mainly because Microsoft gives you root rights by default, whereas Apple does not.

    Seriously... I believe I'm using the same account on my Windows XP box that the installer set up for me. I don't think I've ever had a single permissions issue with editing the registry, installing/uninstalling software, etc. Never been asked for my username/password, outside of logging in. On my Mac, on the other hand, any time I do anything remotely related to modifying the system, up pops a dialog asking for my username and password, and informing me what application is requesting this information.

    Now, this dialog isn't anywhere near secure - I think it'd be trivial to put together a fake dialog that looks like it's some other application, but uses the information typed in to its own nefarious advantage. But it does give you the idea that Apple seems to be more concerned about security out of the box.
  • by Malc ( 1751 ) on Monday July 05, 2004 @12:55PM (#9613940)
    Huh? Why would you have to buy another copy of Windows 2000? You install Windows from the CD, you install Service Pack 4 (which is one of those free downloads that you're presumably including in the 63) and go from there. I keep an extracted copy of SP4 handy for these occasions.
  • by robin_j ( 593703 ) on Monday July 05, 2004 @12:56PM (#9613956)
    I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

    The list of advisories for RedHat AS 3 is listed at the bottom and currently it contains 51 advisories and what they were issued for. I copied the list and sorted them so here you can see a list of exactly what they included:
    CVS
    ethereal
    FreeRADIUS
    gaim
    glibc
    gnupg
    httpd
    iproute
    ipsec-tools
    kdelibs
    kdepim
    kernel
    krb5
    lftp
    LHA
    libpng
    libxml2
    mod_python
    mod_ssl
    mozilla
    Mutt
    NetPBM
    net-snmp
    nfs-utils
    OpenOffice
    OpenSSL
    PWLib
    Quagga
    rsync
    slocate
    squid
    squirrelmail
    sysstat
    tcpdump
    utempter
    XFree86

    As you can see, a lot of these are what might be called non-OS components. I've had a quick look at XP Home and it doesn't even seem to include issues with IE which according to MS is an integral part of the OS unlike Linux and Mozilla, yet they happily bundled them together.

    Strange that..........
  • by equiraptor ( 562961 ) on Monday July 05, 2004 @12:57PM (#9613960)
    why only Windows/IE users can get r00ted by simply browsing a website,

    An unpatched OS X system can "get r00ted" by simply browsing to a website. Safari has an extension association that would allow a page to call the command terminal and run any command desired. Oops, you're rooted. It has been patched, but so have most of the bugs viruses use in Windows.
  • Lies! Lies! Lies! (Score:5, Informative)

    by fname ( 199759 ) on Monday July 05, 2004 @12:57PM (#9613962) Journal
    I'll quote from the only true site for Mac news, As the Apple Turns [appleturns.com]:
    Notice also that Secunia yaps on about how, for Mac OS X, "of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system"-- but never mentions how many could be exploited across the Internet to enable attackers to take over the system. Personally, we aren't much concerned about exploits that require local access to a Mac, because if anyone's climbing in through a window downstairs, we've got more important things to worry about than whether or not he can mess with our Finder preferences. We picked one of those advisories at random, noted that it's tagged with an impact of "System access" and a location of "From remote," and then scoped out the description of the flaws to find that the only ones listed that appear to allow "escalation of privileges" can only be exploited by "malicious, local users." So as long as we keep the doors locked at night and don't tick off our housemates to the point of digital vandalism, we're apparently all right.
    Please read the entire article, as it thoroughly points out the many flaws to this study, and points to other articles [techworld.com] where Secunia makes other ridiculous OS X security claims. Oh yeah, and the site is damn funny too.
  • by the_flatlander ( 694162 ) on Monday July 05, 2004 @01:00PM (#9613992)
    Ummmm... I hate to break it to you, but LinuxInsider is not what I'd call, ah, an *impartial* source. I think they work for Billy-boy, too. Really, read the [deleted] articles they publish. Did you see how LinuxInsider treated Ken Brown of AdTI? They "broke" the story that Linus "didn't invent Linux." LinuxInsider seems to have pulled that piece of [deleted], but see this one [linuxinsider.com] for an example of their "Fair and Balanced(tm)" reporting style.

    The Flatlander

    Free Advice: Ignore LinuxInsider as a news source.

  • by pegr ( 46683 ) * on Monday July 05, 2004 @01:02PM (#9614011) Homepage Journal
    Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

    You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistence that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.

    *Definitely needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)

  • by lpontiac ( 173839 ) on Monday July 05, 2004 @01:17PM (#9614126)
    Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

    Bad example. There's a telnet service in Windows too.

  • by maximilln ( 654768 ) on Monday July 05, 2004 @01:17PM (#9614134) Homepage Journal
    Is a corporation a who or a whom? How many people funded the article, or did a non human piece of paper do it? When in doubt in English, should you default to a singular or plural, a possessive or non possessive? And when you say "not to be a..." then go ahead and "be a" is it one, or the other?

    Please. It's not that difficult.

    "Who" is a subject. "Whom" is an object. A subject performs an action with a verb, an object receives the action of a verb. Prepositions take objects. I may have heard the term "subject of a preposition" but, grammatically, the subject of a preposition is an object.

    "To whom am I speaking?"
    "With whom do you speak?"
    "Jenny and Michael spoke with those who did the crime."
    "Who is that man on the bench?"
    "Bill and Bob beat whom?"
    "Who did Bill and Bob beat?"
    "Who would you like to invite to the party which is being held in honor of whom?"

    The last one pulls two questions out of one sentence and, while logically muddled, is grammatically correct.

    Now, how does this relate here? Glad you asked! This is a forum on the internationally accessible internet

    So how does this relate to an international forum? Because anyone with any grasp of any language is familiar with the concepts of subjects and objects around verbs. Honestly though I didn't really start to grasp the concept fully in English until after I had studied a foreign language. With that in mind I would expect that any foreigner who has studied English as a second language should find it very easy to pick out where the proper uses of "who" and "whom" are. It has nothing to do with dialect.
  • by Have Blue ( 616 ) on Monday July 05, 2004 @01:19PM (#9614150) Homepage
    You can't get r00ted through that, you can only get "usered". Losing your account is by no means a good thing, but owning the entire computer would require a restricted operation, and that unavoidably pops up a dialog box which the user would hopefully be smart enough to cancel.

    (Of course, if it turns out in the future that OS X has any privilege elevation bugs, all bets are off.)
  • Re:Missing Stats? (Score:5, Informative)

    by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Monday July 05, 2004 @01:20PM (#9614159) Homepage Journal
    Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by themselves on a desk, or on some small 10mbit lan with a couple others.

    I'm really tired of idiots on Slashdot that have no clue what the fuck they're talking about. Half a decade. Ptoii! I can start by going back 15 years and easily debunk your lies. At that time, most computers in this here world (disclaimer, I have no idea which world you're from - but you should phone home coz' your green-skinned momma is worried about you) were either in universities or corporations. I'm not counting the C= 64s, Atari ][ and Colecovisions here, kay? They have no bearing on the current crop of operating systems. UNIX does. VMS does. Access control and security were big back then - simply because schools with thousands of students had one 64k line to the world (for mail, ftp, gopher, archie and telnet) and diskspace measured in megs so there had to be ways to keep the students from eating it all up. They had to be kept from using the mainframes to play Nethack, to download ASCII pr0n and to chat on IRC instead of studying. Quotas, passwords, password policies, shadowing, encryption - all that jazz. It's not new. It's been around several decades. Half a decade... Maybe Microsoft haven't cared for it more than half a decade, but the world does not revolve around Redmond.

    Security is not new. The problem is that Microsoft built DOS for single-user. It had no real security layer and that carried over into Windows 3.11, Windows 95 and all the way into ME. They had to preserve backwards compatibility, see? They had to maintain their monopoly and they could not let little things like end-user security get in the way of that goal.

    Meanwhile, all the OSes that came from multi-user roots had a lot of that already built-in. They were network operating systems, built from a network-centric point of view. It wasn't tacked on afterwards like the TCP/IP stack for Windows 3.11. Remember that? It was a separate download.

    Half a decade, my ass. The Internet has been around and popularized by the WWW much longer than that. I've been building websites since 1995, kiddo. Were you even born back then? I used to log in remotely to SunView terminals and run the WhenHarryMetSally.aiff on my classmates' computers at full volume, that's a remote exploit if ever there was one! The Morris worm. Say no more, Squire!

    And what delusional script kiddie MS astroturfers modded your crappy rant Insightful, we'll never know. Hell, I was ranting on the 'net in 1990! You'd think the art would have evolved since then...

  • Just looking at the number of critical issues for an operating system is absurd. What about default configuration? OS X by default does not listen on any network ports. Scan a Windows XP system and you'll see MANY ports, including 137, 138, 139, and 445 - the NetBIOS services that are typically exploited by attackers. With those services you can launch remote password guessing and other attacks against the base system.

    On another note, how about we tally the number of viruses and trojans for the different operating systems? This is one of the most important security problems facing businesses today. Gee, I think we'll see a MUCH different ratio for OS X vs. Windows XP.

    I can't stand it when a security company comes up with skewed statistics in an effort to get press and web hits. The comparison of only the number and type of vendor bulletins is not an effective measurement of OS security.
  • by Brett Johnson ( 649584 ) on Monday July 05, 2004 @01:30PM (#9614237)

    Interesting time to publish this - right between last week's IIS/IE [us-cert.gov] multiple [washingtonpost.com] exploits [slashdot.org] and this week's Evaman Worm outbreak [slashdot.org].

    Now that CERT [washingtonpost.com] and the Dept. of Homeland Security [yahoo.com] both recommend consumers abandon Internet Explorer, can we get them to recommend dropping Outlook Express?
  • Re:Missing Stats? (Score:5, Informative)

    by burnin1965 ( 535071 ) on Monday July 05, 2004 @01:36PM (#9614290) Homepage
    And simply reading the article is exactly what this Microsoft shill is expecting everyone to do.

    This may be asking a lot, but I'd like everyone to dig a little deeper and actually go to the secunia.com website and poke around at the statistics yourself. What you will find is that the guy who wrote this article is either too damned lazy to fully research his topic or he is intentionally using these statistics inaccurately in order to prove a false point.

    For those who don't have the time to find out for themselves what the statistics REALLY say, here is what I found:

    In the secunia.com statistics for Windows XP there is only a single exploit related to Internet Explorer. That sounds pretty good but it's also blatantly false.

    In fact, if you dig a little deeper into the statistics on their web site you discover that Internet Explorer 6 from 2003 to 2004 had 40 advisories by itself with 98% allowing remote attack and 31% enabling system access.

    secunia.com/product/11/ [secunia.com]

    So taking into account all the IE vulnerabilities instead of grouping them into one advisory we suddenly discover that Microsoft Windows XP Professional had 86 advisories from 2003 to 2004 with 71% allowing remote attacks and 38% enabling system access!

    Now some will say "not fair" because IE is a separate application. All I can tell you is that if you actually looked at the statistics you would already know that the OSX and linux statistics include security advisories for ALL applications included in with the OS. So it is only fair to also include ALL Windows applications that come with Windows.

    So in conclusion, when I include the vulnerabilities of just one single Windows application the number of exploits in Windows is around double what you have with the likes of OSX or linux. I suspect that including other Windows applications that were excluded from the Windows statistics everyone will begin to understand why Windows is a haven for worms and viruses.

    I don't think I will be migrating from my Mac OSX and linux installs any time soon.

    burnin
  • by mrscorpio ( 265337 ) * <twoheadedboyNO@SPAMstonepool.com> on Monday July 05, 2004 @01:41PM (#9614323)
    Dear Slashdot Grammar Nazi,

    It is commonly accepted now to use "who" in place of "whom". "Whom" is still ok, but "who" is no longer wrong when used in the same way. So unless you're still using "thy" and "thou" in everyday speech, you have no ground on which to bitch :)

    Ah, the wonders of a dynamic language!
  • Re:LM Hash Info (Score:5, Informative)

    by pegr ( 46683 ) * on Monday July 05, 2004 @01:43PM (#9614343) Homepage Journal
    For those of you still on a Microsoft platform: I've heard that L0phtcrack works wonders reversing an LM hash on modern hardware.

    I've used LC and you're right, it works pretty well. It's also ungodly expensive and the serial number is tied to your hardware, so using it on another machine requires tech support "blessing". LC5 is licensed in truly bizarre ways, and did I mention that it's ungodly expensive?

    For the same or better brute forcing speed, lower cost, no hassles moving to another machine, and generally a more polite program, try SamInside [insidepro.com]. Best $40 LM hash cracker around.

    Now for a "free" instant password cracker, use Rainbow Tables, a db of password/hashes that does all the brute forcing up front. For details, check out my journal. I'm soliciting participants to help generate the 128GB of data needed. Other than the pain of generating and storing all that data, it's free and extremely fast.

  • by djh101010 ( 656795 ) * on Monday July 05, 2004 @01:44PM (#9614347) Homepage Journal
    SetEnvIfNoCase Request_Method "SEARCH" nolog

    Problem with that, is that you also won't be able to run stats on your site with Analog or another tool, if you want to see which search engines folks are using to get to it. For almost everyone that doesn't matter, but sometimes it'd be nice to be able to show that like for a marketing site, or whatever. I just do a quick grep -v of a few strings before running through analog, so I can still get the search engine info (how folks found the site) without all of the M$ worm/virus stuff.
  • by burnin1965 ( 535071 ) on Monday July 05, 2004 @01:54PM (#9614421) Homepage
    In the XP stats they show one advisory for IE. But looking at the exploits statistics on the same website you find that the one Microsoft application by itself has about as many exploits as other competing operating systems and all their applications combined:

    secunia.com/product/11/ [secunia.com]

    Sorry Windows lovers, it's time to face the facts, your OS of choice and associated applications are a haven for worms and viruses not because there are so many of you, it's because the software is crap.

    burnin
  • Re:Missing Stats? (Score:3, Informative)

    by jesser ( 77961 ) on Monday July 05, 2004 @03:26PM (#9615088) Homepage Journal
    I wouldn't call that a hole in Safari, since it affected Mozilla too (bmo 243699). It was a hole in the OS. Mozilla now disallows links to help: URLs to work around that hole, btw.
  • by AYeomans ( 322504 ) <ajv@yeom[ ].org.uk ['ans' in gap]> on Monday July 05, 2004 @03:53PM (#9615371)
    Note very carefully, they count advisories only once, even though they may include multiple vulnerabilities.

    The Windows XP Pro list includes:

    • Microsoft Windows 14 Vulnerabilities
    • Microsoft Windows RPC/DCOM Multiple Vulnerabilities
    • Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
    • Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
    contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone [secunia.com].

    Actually, Secunia tend to publish alerts based on the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli [sintelli.com] (free) or TruSecure [trusecure.com] (fee) which have far higher totals.

  • by tlhIngan ( 30335 ) <slashdot.worf@net> on Monday July 05, 2004 @04:00PM (#9615417)
    Yes, what you say is true, but in order to obtain LM hashes, you must be either a domain admin (for AD retrieval) or a local admin.

    Funny. I cracked the administrator password of XP (Pro, on a domain, with encrypted hashes), *without* admin access (that was the reason I cracked it - I needed admin access!).

    What I did, was boot Knoppix, and copy over the SYSTEM and SAM registry hives. Most apps will crack with just the SAM hive. However, the SYSTEM hive contains the encryption key to the SAM hive, and a little app known as SAMinside (another l0phtcrack app), *does* understand how to crack this more secure hash.

    Heck, there was a way to do it, so you could get the hashes, import them into l0phtcrack and use it to crack.

    All it took were a couple of demo/shareware apps (l0phtcrack, SAMinside), and a Knoppix CD (to get at SAM and SYSTEM hives, via NTFS driver). And a 3rd party machine.

    And no, none of those apps would work on the machine in question - locked down. I cracked it on my own Win2k machine.
  • by Anonymous Coward on Monday July 05, 2004 @04:28PM (#9615630)
    What complete crap. Let's look at their statistics without being completely brain dead.

    To get the reported "36 advisories" for Mac OS X, they have to count 2002, 2003, and 2004. See for yourself: . Yet to get the reported "46 advisories" for Windows XP Professional, they have to count only 2003 and 2004. They left out an entire year. Count Windows over the same years as they're counting Mac OS X, and Windows XP Professional has 61 advisories.

    They lump together all versions of Mac OS X, including Server. For example, the sendmail bug only affects 10.2.x and 10.1.x, not 10.3.x, which does not ship with sendmail. And the Apache 2 bug only affects Mac OS X Server. Yet they only consider one version of Windows, Windows XP Professional. It would take too long to figure out all the bugs they left out on Windows, but one category is easy: Microsoft IIS, their equivalent to Apache (which they considered on the Mac), has ten advisories listed over 2002-2003-2004. So that brings the total to 71.

    They throw in Quicktime bugs for the Mac, but leave out Windows Media Player on Windows. That's 2 more for Windows, bringing its total up to 73.

    And it gets a lot worse. They happily throw in the Safari bugs into the Mac OS X list, but they only throw in one IE bug into the Windows list. Go to the IE 6 page and see for yourself. There's 54 bugs listed on their Internet Explorer 6 page for 2002-2003-2004; their web browser alone is more vulnerable than all of Mac OS X put together. That brings the Windows total up to 127, more than three and a half times the Mac OS X.

    If they scrutinized Windows the same way they did the Mac, it wouldn't look so "surprising" at all. It would just confirm what we've all known: the Mac isn't perfect, but it's a heck of a lot better than Windows.
  • Re:Missing Stats? (Score:3, Informative)

    by Theatetus ( 521747 ) * on Monday July 05, 2004 @04:35PM (#9615677) Journal
    You mean kinda like the RunAs service, which you can access by doing shift-rightclick on an executable and picking Run As... ?

    No. For a comparison of the concepts, get to a Linux shell somewhere and compare "man su" to "man 2 setuid" (setuid is a system call, not a program itself).

    Windows implements something very much like "su", the "runas" command (on a Windows command prompt, "runas /?" for usage). This runs the requested application as another user. It also requires knowing the other user's password (I seem to recall you need to know the password even for a privilege downgrade, but I could well be wrong about that bit). So, the ability to runas (or su) implies root/Administrator access to the system in question, since you must have that password to do it.

    OTOH, POSIX systems also implement setuid, which allows a process's effective userid and groupid to be changed. A famous example of this is sudo, where root can allow certain programs normally requiring root access to be run by non privileged users. To my knowledge Windows has no such facility: if I want to schedule a task requiring Administrator access, I must save the Administrator password in whatever Windows calls its cron table -- but more to the point, I must know it in the first place. If I can do anything privileged on a Windows machine, I can do everything privileged.

    Allowing a true sudo/setuid would be a HUGE step towards securing Windows -- in my opinion it's the biggest step Microsoft should take if they want Windows to be a serious choice for the corporate desktop. I know AD Group Policies allow control almost as fine-grained as setuid and setgid, but this still leaves several problems:

    1. Not every Windows install is part of an Active Directory
    2. Correct local security configuration should not depend on the network's LDAP service
    3. Group Policy is in my experience brittle and prone to difficult-to-trace bugs
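
The real versus effective id split that the comment above contrasts with su/runas, shown as an added example that is not part of the original comment or of any project it names: how a setuid-style helper reports borrowed ids and gives them up for good once its privileged step is done. The function names `running_with_borrowed_ids` and `drop_privileges_permanently` are hypothetical, and glibc-style `setreuid()`/`setregid()` semantics are assumed.

```c
#define _DEFAULT_SOURCE          /* exposes setreuid()/setregid() in glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 when the process runs with ids borrowed from the
 * file owner (a setuid or setgid binary), 0 when real and effective agree. */
int running_with_borrowed_ids(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: give up borrowed ids for good.
 * Returns 0 on success, -1 on failure; on -1 the caller should exit
 * instead of carrying on with privileges it believes it has dropped. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped, the process may no longer
     * be allowed to change its gid. */
    if (setregid(rgid, rgid) != 0)
        return -1;

    /* Setting real and effective together also overwrites the saved
     * set-user-ID, so a later seteuid() cannot switch back. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Never trust the return codes alone: read the ids back. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* Prove the drop is irreversible by trying to undo it. Skipped when
     * the invoking user is root, who can always set any id. */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    printf("before: ruid=%ld euid=%ld borrowed=%d\n",
           (long)getuid(), (long)geteuid(), running_with_borrowed_ids());

    /* ... the one operation that needs the owner's ids would go here ... */

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }

    printf("after:  ruid=%ld euid=%ld borrowed=%d\n",
           (long)getuid(), (long)geteuid(), running_with_borrowed_ids());
    return 0;
}
```

Run as an ordinary binary, both lines show identical ids; installed setuid to another account, the first line shows the owner as the effective uid and the second shows it gone.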
  • I find it interesting that they creatively left out the count of actual security holes found on Windows XP and only reported the percentage. I'm betting that the amount of critical flaws in Windows XP is actually a lot higher (in count, not percentage) to any of the other operating systems compared.

    Did anyone else notice this creative trick to NOT display the statistics for Windows XP?

    I dunno about you guys... but to me, it isn't the "percentage" of bugs that allow system compromise, but how many, period. =P I love it how people can bend statistics to make their favorite (or their sponsor) company look better.

    Anyone know the missing statistic from the article?
  • by Anonymous Coward on Monday July 05, 2004 @04:59PM (#9615869)
    Yes. There was an exploit last year. Ironically a samba exploit. You gain root access in a matter of minutes.
