6 Months On, Vista Security Still Besting Linux 478
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Google cache version (Score:4, Informative)
Text only:
http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ
Wrong cache link - full text here (Score:3, Informative)
Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
* Include a comparison view of Linux distribution workstation builds that exclude vulnerabilities non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
* Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
* A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on WIndows. (clicking the chart also gets you to the full report.)
High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security [technet.com], where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
Update. (Score:4, Informative)
Criticism of Report (Score:2, Informative)
Looks like there are several errors with the method the blogger used to evaluate security flaws
lies, damned lies and... (Score:5, Informative)
Re:Fine... (Score:5, Informative)
Re:Fine... (Score:1, Informative)
>
>you see on windows ur guaranteed your app will work across all versions on linux forget about it
No, you're not guaranteed that your app will work on all versions at all. And, to boot, you have to F aorund with all the other problems that every single Windows user out there is well familiar with - you included.
Do you want an OS where none of that exists? An OS where there is a single, universal way of both containing and "installing" apps? Go try Mac OS X.
Yet another meaningless "study" (Score:3, Informative)
Re:Fine... (Score:3, Informative)
Its a very old trick thats been on unix for years. you make an install shell script, you put a tag that signifies the end of it, then you appaend the tgz of the package you want to install.
Set this installer to executable and voila you have a self extracting installer - feel free to add gui's etc.
You might be familiar with the concept - pretty much every installer you use on windows employs this kind of system - its not exactly difficult to create or use.
Personally though I much prefer apt-get and
Re:lies, damned lies and... (Score:4, Informative)
If an issue is found in open source software, it is typically published openly and patched. If the original author finds an issue, he will fix it and tell people about it so his end users can patch themselves.
By contrast, if a vulnerability is found internally to microsoft it will still get fixed, but the fix will be rolled in with other fixes. It won't get published, and microsoft won't admit to the vulnerability unless it's already public. A good example being the ASN.1 vulnerability from a couple of years back, there were actually 2 issues fixed in the same patch, but microsoft only admitted to one of them because the other wasnt public. It was found later by reverse engineering the update.
Did I miss something (Score:5, Informative)
Rather than take his word for it why not just check at Secunia. [secunia.com]
Vista [secunia.com]
Ubuntu 6.06 [secunia.com]
Re:Fine... (Score:5, Informative)
It's a pretty contrived review.
The bulk of it has already been debunked here http://seclists.org/fulldisclosure/2007/Jun/0528.h tml [seclists.org]
Re:Useless studies (Score:3, Informative)
see Cyberinsecurity at http://www.ccianet.org/filings/cybersecurity/cyber insecurity.pdf [ccianet.org]
see release-critical bugs at http://bugs.debian.org/bugs/release-critical [debian.org]
Where have you seen transparent quality control like that at M$?
Re:Fine... (Score:3, Informative)
If you haven't noticed but there is only one "distro" of Windows, unless you want to count MCE, etc as another "distro".
I wish that was true. Good luck installing a random piece of software on Vista. It probably won't work. What about people who still use 98/ME, most software isn't compatible. Forget installing antivirus, a new scanner, or a new printer on an old version of Windows. You better watch or for the very same things on Vista, because there are still a ton of compatibility issues.
Now on to the biggest issue with your statement. Every Linux distro is a different operating system. Asking for installers to be universal is like asking for software built for Windows to install on Linux. Why don't application installers for Windows work consistently with WinXP, Win2003, WinVista, and WinCE? Oh yeah, because they are different operating systems.
Re:Exploited verses exploits (Score:5, Informative)
http://www.microsoft-watch.com/content/security/m
The biggest bug in Windows is between the chair and keyboard. The item in question is gullable, has admin privilages, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, it's biggest fault, but it seems to be driving towards better system security and user permissions.
Re:Fine... (Score:5, Informative)
I am not convinced, next please Mr Jones.
Someone else didn't like the numbers either and provided this link;
http://www.microsoft-watch.com/content/security/m
There are more patches in a month than there are fixed patches in the count.
Re:Fine... (Score:5, Informative)
1) They wont accept outside contributions unless you sign their paperwork.
2) I have personally contributed, so I know that at least 1 person from outside has contibuted
Re:Fine... (Score:3, Informative)
Re:Useless studies (Score:1, Informative)
Hmm, yet you have no proof of anything, just that you think Vista is bloated. Sorry, there's nothing 'to be sure' about in your statement.
M$ gets stuff determined by the sales department. We know how well salesmen design systems.
So you're claiming that salesmen are doubling as software architechs at MS?
Linux is designed to be modular so the complexity of each piece is less. M$ has stuff where the browser installs code, printing a document can cause pieces of the file to be executed, etc.
Windows is modular as well. The browser installing code is an ActiveX control, FF has the same capabilities.
There are far more projects in FLOSS than there are coders in M$. More manpower, with properly filtered output results in more correct code.
Sorry, having more coders does not mean that the code ends up more correct. Another logic fallacy here..
If a bug bugs me, I can look at the code, file a bug report, or suggest a patch. There is no way that can be done with M$'s way of doing things. Vista release was as buggy as a Linux release candidate.
You can file a bug report with MS as well. Whether or not you understand the code, and how it all interrelates is debatable though. Your claim that Vista RTM is as buggy as a Linux RC is again nothing more than a statement you claim to be true with no actual facts. For myself, and many others, Vista has been exteremely stable. I've not had a single issue since I've installed the OS.
see Cyberinsecurity at http://www.ccianet.org/filings/cybersecurity/cybe
see release-critical bugs at http://bugs.debian.org/bugs/release-critical [debian.org]
Where have you seen transparent quality control like that at M$?
So transparent I can't even see it, as both of those links result in a 404. I don't need a bug list (although its there for any patch) to determine if an OS is buggy or not, I can see that by simply using the OS.
Re:Fine... (Score:5, Informative)
Vista still running malware as root (Score:4, Informative)
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
Re:Fine... (Score:5, Informative)
Fantastic sleuthing! here I was reading the article like a chump:
Re:Yet another meaningless "study" (Score:3, Informative)
My Linux "vendor" (and most of them, these days) doesn't even set up a firewall at all. Because they don't need to. Because with a default desktop install, there's nothing to firewall off - no listening network ports.
Sorry, Microsoft, but until you get to this point, you're going to be more vulnerable. It's only a matter of time before someone compromises a software firewall.
I guess us Linux people got it all wrong (Score:4, Informative)
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiple bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiple by a "damage index" (see #5), then multiple by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
Re:Fine... (Score:3, Informative)
It's not the most professional writing I've seen, but I believe most of the points made are valid.
There's another commentary here. http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html [microsoft-watch.com]
Re:Fine... (Score:4, Informative)
In addition to this, the truth is that at least 9 in 10 submissions which we did evaluate were rejected for various reasons, not the least of which were that many of the implementations were horribly ugly even when they did manage to pass all the other criteria. The people whose submissions got looked at most seriously were those who contributed regularly. My eventual development partner hounded me literally for months before I took him seriously (he was a pretty abrasive guy on the surface, with a lot of criticism for my work, and this turned me off to him at first).
The fact is that there's no way most OSS developers have the time to look at the submission of every Tom, Dick, and Harry. The way to get noticed is to provide features which are innovative, well coded, make sense (so many of our submissions were simply bad ideas), and to persevere. We want partners, not dump and run developers.
Re:Fine... (Score:3, Informative)
If you can get past the troll, the bad grammar, and the general idiocy, there lies one, and I mean just one, good point: While you and I may appreciate the command line's power, or the ease of apt-get, etc...how do most people install software on Windows? They download it and run the setup file from their desktop. That's how I do it. I don't think I have ever been able to install programs that simply on my Ubuntu box.
Yes, I find it easy to type "sudo apt-get install xxxxx" but let's face it, not everyone is gonna do that. Even when people make legitimate, well worded, polite comments here or elsewhere complaining about the perceived difficulty of installing software, invariably someone provides a little bash script or command to perform the desired function. Trouble is, these types of replies miss the point entirely. At best, the person who posts them is trying to be helpful but just doesn't get that many people are scared of the CLI. At worst, he is trying to be an arrogant jerk. I hope you wouldn't have replied that way if the poster had actually voiced his concern in a proper way. Those kinds of replies reinforce the negative stereotypes about the F/OSS community.
Re:Vista still running malware as root (Score:3, Informative)
Re:What about the user experience? (Score:4, Informative)
Re:Fine... (Score:3, Informative)
Re:Fine... (Score:1, Informative)
And you've fallen for the fallacy that the almost-daily security updates we get from Ubuntu, for example, aren't the result of people fixing things?
Keep abusing your neurons like that, and you'll go blind.
another study by microsoft, for microsoft (Score:3, Informative)
[2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
[3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."
[1] - http://articles.techrepublic.com.com/5100-1035_11
[2] - http://www.boxxet.com/Windows_Vista/Windows_Vista
[3] - http://www.microsoft.com/technet/security/secnews