6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
What about the user experience? (Score:5, Insightful)
Re:Fine... (Score:5, Insightful)
Of course it will (Score:5, Insightful)
When I see a Windows system and a Linux system that do exactly the same things and have the same-purpose software installed on them, I can see the viability of the test.
Further, malware runs rampant in Windows, nearly 50% of Vista's vulns were not patched, where regardless of how many Linux has they get fixed when found. More secure? You tell me: is a nightclub more secure when the bouncer only kicks out half the troublemakers while a tougher and meaner club down the street deals with all of them?
The real security test will be outside the lab (Score:1, Insightful)
Look! (Score:5, Insightful)
Nothing to see here, please move along...
On the back of recent news (Score:5, Insightful)
Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.
Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.
There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deep end of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.
Matt
Security through obscurity? (Score:5, Insightful)
So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
Re:Fine... (Score:2, Insightful)
I suspect you've fallen into the fallacy that just because people can look at the source, people actually do. If you really want some stuff to fix, believe me, there's no end of stuff to throw your way.
No, still not a good comparison (Score:5, Insightful)
- The 'reduced feature set' used for the comparison still contains a lot of software not included with Windows
- All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
- The usual 'less known holes != safer' discussion...
I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.
Jan
Re:easier to use as well (cue the fanboys) (Score:4, Insightful)
Run whatever the fuck you want.
Selective use of facts I think... (Score:5, Insightful)
It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
A few points (Score:3, Insightful)
2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.
3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.
Re:What about the user experience? (Score:2, Insightful)
It's LITERALLY a paraphrasing of a Mac advert. The article is about security, and they've done some work and found some evidence that Vista's not as evil as some people think.
Now I'm an XP user, and will be until Vista is a lot older and more settled - that's if I ever install it. But just as I haven't jumped on the 'zomg it looks pretty I need it' bandwagon, I won't jump on the 'Vista is evil' bandwagon. I'll judge it on its merits.
As for the 'cancel or allow' ads, I know I'd prefer to click 'allow' once in a while than 'allow' my system to be compromised. It might get annoying, but I'm a guy who likes to be safe and not sorry.
Re:Fine... (Score:5, Insightful)
Wait, assuming both assumptions here are true (i.e. Windows has fewer vulnerabilities and you would fix all security problems brought to you in Linux), you would still rather _personally_ fix a lot of bugs over having a more secure platform (again, big assumption there)?
Actually, he supposedly == them (Score:3, Insightful)
What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distros need to get their act together. For the last 5 years, the windows fanboys have run around saying that the # of windows is the attraction for security problems, while those in the know, say it has to do with ease of cracking. If this report is real, then Linux just went below MS and that will attract the vermin to us. IOW, we MUST remain above MS in terms of security to prevent having the security attacks that MS has.
As someone who does not know that much about this (Score:5, Insightful)
But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.
I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
Useless studies (Score:5, Insightful)
None
Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?
I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when sspi broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.
Beyond that, on this brand new machine, specced for Vista. Vista is SLOW.
MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
Re:Fine... (Score:5, Insightful)
https://209.34.241.68/user/Profile.aspx?UserID=780 3 [209.34.241.68]
No wonder Windows Vista is best in his review.
I am not convinced, next please Mr Jones.
Re:easier to use as well (cue the fanboys) (Score:2, Insightful)
Run whatever the fuck you want.
Because the spambots that have pretty much ruined email are running on Windows machines.
Re:Wow (Score:2, Insightful)
Re:What about the user experience? (Score:1, Insightful)
Re:Fine... (Score:3, Insightful)
Now, go the other way (XP -> 95 or 2.x.x -> 1.x.x). Neither will work very well. Something required will very likely be missing.
Layne
Re:What about the user experience? (Score:3, Insightful)
Either the user is prompted about administrative tasks or he is not. Vista lets you toggle this option off if you desire, but I for one appreciate this burden. The average computer user doesn't get any smarter when important stuff is authorised clandestinely. It's important for people to be aware of and take action on things like spyware, trojans, and other unintended attempts to install software.
Re:Fine... (Score:5, Insightful)
It's a fallacy? Shit. I guess that all these years that I have been working on open source software, fixing bugs, adding features, has actually been a big long dream. I'll wake up and finally see that I've been living in the Matrix, and finally see Bill G in his true Borg form hanging over me grinning...
Of course not EVERYONE looks at the source for every app, but collectively there are a HUGE number of people looking at and working with the source for just about every app out there. Unfortunately, not everyone working on open source is a qualified professional, and we do see some horrible code out there, but it's no worse than a lot of the commercial code I've seen over the years.
But back to the report. It's a shell game. Microsoft, having a closed development model, may have HUNDREDS of high threat level flaws that are UNDISCLOSED but may be known about by black-hat hackers. Open source by nature is ALWAYS disclosed. MS also has a habit of rating their flaws at a lower threat level than third party security researchers rated it. Yep, just goes to show that you can prove anything with statistics.
Here is a statistic for you... 99%+ of all the probing I get on the external side of the corp network are from windows boxes according to fingerprint analysis. Since most probing is done via compromised machines (botnet), and that windows has less than a 99% market share, that leaves me with one conclusion. The numbers are similar for spam.
How many vulnerabilities are known about and fixed in a certain time frame is meaningless. What would be meaningful, but an impossible statistic to gather, is exactly what percentage of installed Linux and Windows machines are currently compromised and being actively exploited (member of a botnet.) I've heard estimates that up to 50% of all windows machines are infected with serious malware of some sort or another...
Re:Fine... (Score:3, Insightful)
Open source programs are typically not well-commented and searchable enough for a capable outsider to improve upon without significant investment of time.
Re:Fine... (Score:3, Insightful)
As far as source code. So many people want to pick a package, install and use in minutes, that's why we have broadband and binaries. Expecting a new user or even a semi experienced user to
But power users are adept to it. With issues like the above I guess I can see why Linux would be less secure than Windows Vista. Vista took the idiot out of idiot users to the best of anyone's ability. Hopefully we don't see this on Linux, I enjoy my freedom on it.
Re:Wrong cache link - full text here (Score:5, Insightful)
So, how does he account for all the silent patching that Microsoft is doing? [zdnet.com]. (Link compliments of Groklaw.)
More on Google [google.com].
Honestly, how can one really compare Windows against Linux when Microsoft is patching things silently? It's not a fair comparison to any vendor because you don't know what got fixed; let alone what was actually problematic. When you have one community disclosing every bug, and another disclosing only those that become high-profile for them - or likely to become high-profile since they were disclosed by others or something like that - you will not get a fair comparison.
So, if he really wants to do a fair comparison, he should get internal reports from Microsoft about their bugs, security and otherwise. Yes, CVE and similar hold the security vulnerability bugs; and you can do a comparison iff you get the security bugs that Microsoft found internally and didn't bother to report - then you would have a level set of reports.
Re:Sorry, I have to laugh. (Score:2, Insightful)
Re:What about the user experience? (Score:3, Insightful)
Cluebat time. The "researcher" is a Microsoft employee. It is basically PR from marketing. When you have a closed development model, you can't compare it with an open model like this. How many UNDISCLOSED flaws were there in Windows that have been silently fixed or are still waiting to be fixed? With statistics, I can "prove" that Windows causes brain damage and Erectile Dysfunction. Does that make it true?
It is a meaningless report that the uninformed / gullible will use to say "See! See! Windows is more secure! Microsoft tells us so!"
Re:Selective use of facts I think... (Score:3, Insightful)
But I thought XP was more secure than Vista! (Score:2, Insightful)
Re:Fine... (Score:5, Insightful)
Goddammit, Sir, why did you have to post after I used all my mod points? You have provided, not only for the OSS world but developers in general, the single most important point when it comes to maintainability.
I run several servers and desktop systems. Some open, some closed. I have tons of source code, some for open systems, some for closed systems where I participate as a maintainer, developer, or reviewer. Much of the OSS stuff is unusable except by the team that developed it. Yes, an outsider can come in, look at the code and study it but he/she is going to spend a ton of time "getting up to speed". The only batches of code that I've been able to instantly access and work with are those from projects/developers who decided that they would rather take 3 months to turn out well commented and tested code rather than take 3 weeks to churn and burn crap code that is only marginally better than old BASIC spaghetti code.
Re:Fine... (Score:2, Insightful)
Using your logic, it's impossible for an enduser to find a security hole in Windows.
Article's Premise is Fatally Flawed (Score:5, Insightful)
The temporary absence of security issues with Vista means nothing because neither the scope nor the scale of exploits is known. That is commonly described by the phrase "security through obscurity."
History has shown that Microsoft's approach to security is to talk a good game. Period. While I do not doubt Microsoft has hired excellent security programmers, their contributions don't make it through the management gauntlet.
Another way to highlight my point:
When you buy a windows-equipped box will you:
1: Use email on win32 without an antivirus application?
2. Go on the internet on win32 without a firewall?
3. Run win32 without a NAT?
I propose the following experiment instead:
Computer 1: Linux desktop distro immediately after install with no firewall script.
Computer 2: Vista equipped PC straight out of the box with the windows supplied firewall disabled.
Computer 3: Mac OSX straight out of the box.
Run tripwire on all three machines and put them directly on the internet. (aka no NAT)
That might be a better way to compare default security of OS's.
Re:Fine... (Score:5, Insightful)
Most end-users wouldn't recognise a security issue if it was walking in the middle of the street, naked, waving a huge flag that had "Security Issue" printed in bold on it.
Re:Fine... (Score:3, Insightful)
Most of this is primarily the result of belligerent users who continually demanded unjustifiable changes or refused to provide a complete set of specifications from the outset. Fortunately, this particular way of thinking is changing and future projects will not be held captive by ego-maniacal users with unrealistic or constantly changing demands.
However, to the point, I highly doubt that any sort of management or user pressure is the reason behind the terrible state of so many open source code bases, so I have to wonder if the amateur hacking that is the nature of so many of the bit players and niche pieces of the third party support system isn't a bigger problem than the commercial issues it attempts to solve. Does adding more people really make a difference when most of those people are not even remotely close to being skilled enough to understand what role they're needed in?
I like me some BSD and OpenOffice and PostgreSQL, but those are all major projects that are designed following a very structured, traditional development paradigm. I have to seriously doubt the efficacy of designing outside of those constraints and, thus, have to seriously question just what value open source development really adds. Is it really a way to develop a better system, or is it just a "nice thing" on the side after the more traditional development processes have created a stable product that the more traditional development processes will continue to provide the bulk of support for?
I'm going to have to go with the latter. Open source is nice, open source is not really better. I think the notion that "more eyes" are on it is dubious at best, given that only a very tiny number of those eyes are going to be truly skilled and dedicated enough to actually understand what they're looking at.
Re:Fine... (Score:3, Insightful)
Find, publish, and fix a bug in Linux or an O/S app. Fine, thank you very much. Find and publish the existence of a bug in Windows (particularly if you are bound by any sort of source code NDA) and you risk getting sued. Forget about fixing it. Only Microsoft can do that. If they choose not to, it's not possible for disgruntled users to fork a distro and do it themselves.
Agreed, but... (Score:3, Insightful)
I would point out that if you are on a deadline for delivery, things get cut. It's just business. Managers fully support good documentation, well planned naming conventions, well structured code, etc... Just so long as it doesn't interfere with getting the product out the door on time.
And... FWIW... I also have tons of source (both open and closed source) to maintain, modify, w/e...
Count the botnets? (Score:3, Insightful)
Re:Fine... (Score:2, Insightful)
Strange, I've been running Vista for about 18 months now, and I've had very little trouble in getting random bits of software to install. Generally, what problems I do run into can be fixed by running the initial install with admin privileges. Granted, I don't run a lot of games which is probably where most of the problems will lie. But graphics, multimedia, office and general productivity apps (both commercial and open source) have all worked without problems.
Comment removed (Score:3, Insightful)
Re:Fine... (Score:3, Insightful)
Flaw in argument (Score:5, Insightful)
- He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.
- He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.
But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.
A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...
This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can be made in favour of any OS on the list.
It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.
Re:As someone who does not know that much about th (Score:4, Insightful)
Too many of these comparisons are apples and oranges things. If you run your Ubuntu box as root, you are heading for trouble. Running Windows as an administrator also exposes the user to significantly enhanced risk. If you are concerned with this risk, run as a normal user. I do. Your risk will be much lower. Vista makes it much easier to run as a normal user. My wife and kids have normal user accounts on our modern machine. I will be trying to "upgrade" my old XP box (an older Win ME box I upgraded to XP with an additional 512 MB of RAM 3 years ago) to Vista home basic for the improved security support.
Re:Fine... (Score:3, Insightful)
I'd be willing to bet that OSS has a lot more competent eyes looking for issues in the code than any closed-source software, regardless of whether Joe User can read the source or not.
Re:Fine... (Score:4, Insightful)
Re:Vista still running malware as root (Score:4, Insightful)
What the heck are you smoking? I'm running Vista with normal user rights (before Vista I did same with XP) and last time when I needed elevated rights was when I installed SQL Server 2005 Express some month ago. UAC prompted for administrator password, I entered it, installer continued and so on. In no way I was using higher privileges than I needed. Or do you have some magical way to install system wide components with normal user rights?
If Vista is asking admin password every other minute then you are doing something seriously wrong! There's no need for after initial configurations to elevate to admin privileges unless you are doing some system wide stuff. And if you turned off UAC go back to your Linux or whatever you like and have a nice day.
Re:Exploited versus exploits (Score:1, Insightful)
Report is misleading (Score:3, Insightful)
Since the Linux effort is open, all issues are reported and fixed in the open, with an effort made to report and fix as much as possible, which ensures software quality. Since proprietary systems are not open, their issues are not reported and fixed in the open. As a matter of fact, a fewer number of fixes does not in itself indicate a lesser number of problems, or better software quality. On the contrary, a lesser number of fixes may indicate a lesser percent of problems being found, reported and fixed, which implies a lesser quality of software. A fewer number of fixes can be as much due to failing to fix vulnerabilities due to not finding them, or not having them reported.
Therefore, data presented in this report indirectly suggests that the open-source process is better at ensuring software quality.
Re:Count the botnets? (Score:5, Insightful)
I agree. The trouble is nobody wants to point fingers because they might get slapped. Read any of the news articles regarding the millions of bots in botnets. Every one of them I could find said "PCs". Not one article mentioned an operating system or version that was compromised. I searched Google, Yahoo, and anyplace else I could to find out if the bots had something in common such as Firefox, AIM, Flash 9, or a particular OS. The details were sparse. If anything was mentioned it was Internet Explorer exploits and compromised websites. A search on the compromised websites gave the same generic results. About the only commonality was SQL with no mention of what flavor such as My-SQL or MS-SQL. There was no mention of OS, web server or anything else. I hate thin articles when I am trying to avoid common exploits. If I can't use one SQL, can I use the other and which is which?
From the articles, I get the feeling I can't use a PC as a client with IM and I can't use an SQL enabled webserver. Other than that, there is very little hard data on botnets in the news.
Re:Count the botnets? (Score:4, Insightful)
When you are attacked by a bot-net, all you know is the packets you have received. Any application or OS information that these contain could easily be forged.
It *would* be nice to know. This doesn't mean that reliable knowledge is available.
Re:Exploited versus exploits (Score:3, Insightful)
That doesn't explain why web server exploits hit IIS much more than Apache which STILL has more installations. The widest net possible idea is less important than building your OS' security foundation on shifting sand. Windows has had terrible security because it was built on a foundation of sand. It has taken them years and years to go back and build a secure foundation that the OS can rest on.