Security Windows Linux

6 Months On, Vista Security Still Besting Linux 478

Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
  • Fine... (Score:5, Interesting)

    by Progman3K ( 515744 ) on Wednesday June 27, 2007 @08:01AM (#19661319)
    Point me at the problems in Linux and I'll fix them.

    What? Can't do that with Vista?

    I'll take Linux, thank you.
  • This seems to (Score:2, Interesting)

    by kid_oliva ( 899189 ) on Wednesday June 27, 2007 @08:09AM (#19661393) Homepage
    Contradict another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/0018252/ [slashdot.org]. If Vista is on top then how could Microsoft Security be one of the worst jobs? What, are they doing too good of a job???
  • by Aladrin ( 926209 ) on Wednesday June 27, 2007 @08:13AM (#19661425)
    I guess you know you're trolling, and that's why you posted AC. I'm going to bite anyhow, even though I know better.

    Yes, Linux is not entirely user friendly yet. No denying that. But maybe you mean 1%, as you said... It's not really a good troll your way.

    And yes, apt-get is a -lot- easier. Why? Because you left the steps out on the Windows side where you search for some utility on the web and have to wade through search results that mean nothing and attempt to find what you want, or you could just apt-get install it. 1 step, not several.

    As for your game installation example, maybe you should pick something actually made FOR Linux, instead of hacked onto it later. Darwinia, for example: http://www.darwinia.co.uk/downloads/demo_linux.html [darwinia.co.uk]

    Check out those complicated instr... err, no. You just download and run the file. Okay, you have to make it executable first. Just a bit of security there. At least it didn't ask you 'cancel or allow?' about 5 times.

    Including the steps to set up video properly is a bit disingenuous unless you include the steps for Windows as well. Including finding and downloading the proper drivers for sound, video, motherboard chipset, etc. Is it easier on Windows? A bit, yes. But the steps still exist.
  • by Broken scope ( 973885 ) on Wednesday June 27, 2007 @08:22AM (#19661495) Homepage
    ....
    I installed Quake 3 on my first day of Linux. Copied the files from the disk, ran the Linux stuff for id. In all I had to use 3, maybe 4 commands total, and the only web site I went to was id's site. It was basically the first thing I installed after doing my Red Hat installation. I never really got into using Linux, but it's not the quagmire you believe it to be.
  • Re:Fine... (Score:4, Interesting)

    by stevey ( 64018 ) on Wednesday June 27, 2007 @08:45AM (#19661671) Homepage

    People do though, that's the thing.

    I've spotted many security issues, and the fact that we see more reported every week is proof enough that people do look at the source. If nobody looked we'd have no new reports, right?

  • Re:Fine... (Score:5, Interesting)

    by Ravnen ( 823845 ) on Wednesday June 27, 2007 @08:51AM (#19661727)
    A good argument against this myth is made in a Guardian article [guardian.co.uk] from a couple of years ago about OpenOffice, which includes the following comment about external contributions, i.e. those not made by the 100 or so full-time developers paid by Sun to develop it:

    But what about the innumerable volunteers who can download the code and fix what they like? They take one look at the effort involved and run. OpenOffice is an extremely complex mountain of source code. As far as I know, in the five years it has been available as open source, not one contribution to the program has come from amateurs. The outsiders who have provided input have been full-time professionals employed by Linux companies to help make the software credible.
  • by Shivetya ( 243324 ) on Wednesday June 27, 2007 @08:51AM (#19661735) Homepage Journal
    Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.

    It's human nature. It's far easier to take an easy shot at someone else rather than act. Oh sure I can say I will fix it, but fact is it's easier to say so on some message board than take the action.

    Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome I can only hope someone else sees it as important enough to warrant a fix. That's the crux of it. Sure I could do it, if I had time, if I had the knowledge, if I had the resources. Saying "with Linux you can just change it" is akin to handing someone a bunch of parts and telling them if they don't like the car they can fix it. Being able to use something, having a generalized knowledge of how it works, is all a far cry from being able to actually change it.

    So while cheap shots at MS are the forte of many we can't forget that just because it's open source, it's Linux, that we have the power. The opening is there, just don't expect someone to walk through it.
  • Re:Fine... (Score:3, Interesting)

    by ari_j ( 90255 ) on Wednesday June 27, 2007 @09:13AM (#19661929)
    Maybe if they thought of outside developers as outside contributors rather than amateurs, more people would be willing to put in some effort.
  • Re:Useless studies (Score:5, Interesting)

    by sYkSh0n3 ( 722238 ) on Wednesday June 27, 2007 @09:24AM (#19661995) Journal
    Sorry bout the offtopic, but i've been noticing the problems you were talking about on EVERY new dell i've seen in the last few months. XP and Vista. So I don't know that you can attribute all your problems to the OS. I think a lot of it has to do with all the crap they install. (ug, defending vista...i feel dirty)

    But i'd still rather run Ubuntu. Anybody who thinks installing windows is easier than linux, hasn't installed feisty fawn. My last 4 windows installs have come up in 640x480 4bit because the video card wasn't recognized, the sound didn't work, and the network card didn't work. Not to mention it took forever to install. I boot ubuntu on the same machine (in minutes) and everything works perfectly. In fact, the feisty fawn install disk has become part of my windows install. I boot the live cd, download the drivers i need to my thumbdrive, reboot into windows and install them. Point being: Not only is Linux EASIER to install, it's made Windows EASIER to install too. now THAT'S a good operating system.
  • Faulty Logic (Score:4, Interesting)

    by mpapet ( 761907 ) on Wednesday June 27, 2007 @09:55AM (#19662353) Homepage
    Yes, the OpenOffice code base is complex. Show me another application as functionally complex with a similar architecture that's easy to fix.

    You also sweep away all of the *many* other ways to participate in a project to help it along.

    Finally, nearly all OSS projects are driven by one or two people coding with other contributions (testing, bug reports, documentation, packaging, translations) kicking the projects into high-gear. There are a few that are so big the leader's code contribution is a small part, but that's the rare exception.

    OT Rant: OO.org team: please move to GTK+.
  • by djupedal ( 584558 ) on Wednesday June 27, 2007 @10:03AM (#19662463)
    OS X [secunia.com]

    Vendor: Apple

    Product Link: View Here [apple.com]

    Affected By: 104 Secunia advisories

    Unpatched: 5% (5 of 104 Secunia advisories)

    Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical
  • obligatory humor (Score:5, Interesting)

    by Gary W. Longsine ( 124661 ) on Wednesday June 27, 2007 @10:05AM (#19662495) Homepage Journal
    Good grief! It's been YEARS!!! since we first heard about the superior nature of Linux/UNIX security, and we still see a crapflood of articles about it every time there is a slow news day, like when all the information about the first generation iPhone finally emerges and there are no more iPhone stories in the queue, then BAMMO! Right on schedule, another story about LINUX vs. Windows security. This story is even a TROLL, all on with a headline about Vista besting Linux. What crap! ENOUGH with these LINUX/Windows security shootout stories, already!
  • lets be fair... (Score:3, Interesting)

    by pjr.cc ( 760528 ) on Wednesday June 27, 2007 @10:29AM (#19662787)
    Let's give Jobs, et al time to produce their own twisted statistics to prove exactly the same thing for their own OS's.

    Just remember there are 3 types of lies, "lies, damn lies and statistics".

    Not that I'm claiming he's wrong mind you, just that history has proven to be a battle of seemingly erroneous statistics stacked on top of one another that seem to claim totally different things.

    Is it going to make me switch to Vista? No... But I can't say I really care either, probably the most insecure part of my home server is the code I've written for it!
  • Re:Fine... (Score:3, Interesting)

    by RonnyJ ( 651856 ) on Wednesday June 27, 2007 @10:38AM (#19662911)
    If nobody looked we'd have no new reports, right?

    If this were true, we'd have no third-party reports on closed source software, but that's clearly not the case.

    I acknowledge some people will look at the source, but finding a vulnerability and fixing it (and testing the fix) are two completely different things.

  • by t0rkm3 ( 666910 ) on Wednesday June 27, 2007 @10:56AM (#19663133)
    He not only works for MS but is the director of security strategy.

    So, this is self-performance review. I'm guessing he's vying for a pay raise.
  • Re:Fine... (Score:5, Interesting)

    by ciggieposeur ( 715798 ) on Wednesday June 27, 2007 @11:57AM (#19664103)
    How does Microsoft Speech API ActiveX control remote buffer overflow exploit for WinXP SP2 [linuxsecurity.com] translate to a Linux exploit?
  • Re:A few points (Score:3, Interesting)

    by I'm Don Giovanni ( 598558 ) on Wednesday June 27, 2007 @12:44PM (#19664701)

    1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.


    It's in use way more than is Linux:
    http://marketshare.hitslink.com/report.aspx?qprid=2 [hitslink.com]
    Vista: 3.74%
    Linux: 0.70%

    And here are stats for Germany, which would be more friendly to Linux than Vista:
    http://www.webhits.de/webhits/browser.htm [webhits.de]
    Vista: 1.0%
    Linux: 0.5%
  • by Technician ( 215283 ) on Wednesday June 27, 2007 @01:51PM (#19665713)
    I'm going to cast the widest net possible.

    Windows (older versions but common exploit) hides known extensions by default. Users are admins by default. Opening MyNakedWife.jpg.exe was an exploit that nailed many a Windows user. No warning of any kind was given, the software was installed.

    Linux by default nobody runs as root. Ubuntu takes it up a notch. Even if the .exe were hidden, clicking on a .jpg.exe does not run the program. You get asked if you want to save it to disk or what program to use to open it, or in some cases, do you want to launch the program. Getting a prompt instead of viewing the photo is a major clue to a Linux user that the Windows user never got.

    You think if Joe Sixpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date?

    With Linux much like modern Windows, they phone home and look for updates. Being offered an update from a 3rd party is still a problem for Windows users and less so for Linux users. Example.. Go to any flash site without flash installed. The untrusted site may or might not send you to get the official flashplayer. In linux, you have to follow the instructions to go to Adobe and get the tarball for the flashplayer 9, then unpack, and install. It's a little more work, but you generally get it from a trusted source.

    Another common Windows exploit requiring a fault between the chair and keyboard used fake pictures of Windows error messages. Clicking the little x in the corner of the box is as much of an install button as the rest of the photo. This was also a common Windows social engineering trick to get the clueless to click on the install button. Linux does not install root level software by a click on a webpage when not running root. Since most Linux users don't run root, this exploit is broken. The exception is Firefox plug-ins that users can install in their browser.

    Short attention span Windows users who can one click install your botnet software for you are easy to find. There are millions of them. Even if there were as many Linux users as Windows users, you would find many fewer willing to follow your social engineering.

    Maybe you know some Linux exploits of the fault between the chair and keyboard that are as simple as hidden extensions, executable IM messages, and webpage install buttons disguised as an error dialog box that I should know about. If you do, fill me in..
  • Reading closely... (Score:3, Interesting)

    by KillerBob ( 217953 ) on Wednesday June 27, 2007 @05:06PM (#19668419)
    It does make Vista look good, doesn't it? Until you look at the table, and notice that it only mentions serious security flaws that are fixed, and serious security flaws that have been disclosed but not fixed yet. It doesn't mention serious security flaws that have not yet been disclosed....
