Forgot your password?
typodupeerror
Security Windows Linux

6 Months On, Vista Security Still Besting Linux 478

Posted by kdawson
from the maybe-because-nobody's-using-it dept.
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
This discussion has been archived. No new comments can be posted.

6 Months On, Vista Security Still Besting Linux

Comments Filter:
  • Fine... (Score:5, Interesting)

    by Progman3K (515744) on Wednesday June 27, 2007 @08:01AM (#19661319)
    Point me at the problems in Linux and I'll fix them.

    What? Can't do that with Vista?

    I'll take Linux, thank you.
    • Re:Fine... (Score:5, Insightful)

      by gravos (912628) on Wednesday June 27, 2007 @08:08AM (#19661379) Homepage
      So what are you waiting for exactly? You could fix them today and then prove the author wrong. Oh wait, maybe you couldn't...
    • Re:Fine... (Score:5, Informative)

      by toleraen (831634) on Wednesday June 27, 2007 @08:14AM (#19661429)
      Here ya go! [linuxsecurity.com] Let me know when you're finished, thanks!
      • by Technician (215283) on Wednesday June 27, 2007 @09:20AM (#19661969)
        I looked at the user comments at the bottem of the article. One juicy tidbit was to this link..

        http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html [microsoft-watch.com]

        The biggest bug in Windows is between the chair and keyboard. The item in question is gullable, has admin privilages, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.

        Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.

        Vista still runs Windows code, it's biggest fault, but it seems to be driving towards better system security and user permissions.
        • Count the botnets? (Score:3, Insightful)

          by gr8_phk (621180)
          Could someone count the botnets out there per operating system? I don't care so much about vulnerabilities so much as all the spam I get from compromised machines. Or put another way, it's not the holes but the number of active exploits that we should be counting.
          • by Technician (215283) on Wednesday June 27, 2007 @01:26PM (#19665361)
            it's not the holes but the number of active exploits that we should be counting.

            I agree. The trouble is nobody wants to point fingers because they might get slapped. Read any of the news articles regarding the millions of bots in botnets. Every one of them I could find said "PCs". Not one article mentioned an operating system or version that was compromised. I searched Google, Yahoo, and anyplace else I could to find out if the bots had something in common such as Firefox, AIM, Flash 9, or a paticular OS. The details were sparse. If anything was mentioned it was Internet Explorer exploits and compromised websites. A search on the compromised websites gave the same generic results. About the only commonality was SQL with no mention of what flavor such as My-SQL or MS-SQL There was no mention of OS, web server or anything else. I hate thin articles when I am trying to avoid common exploits. If I can't use one SQL, can I use the other and which is which?

            From the articles, I get the feeling I can't use a PC as a client with IM and I can't use an SQL enabled webserver. Other than that, there is very little hard data on botnets in the news.
    • Re:Fine... (Score:5, Insightful)

      by kjart (941720) on Wednesday June 27, 2007 @08:26AM (#19661523)

      Wait, assuming both assumptions here are true (i.e. Windows has fewer vulnerabilities and you would fix all security problems brought to you in Linux), you would still rather _personally_ fix a lot of bugs over having a more secure platform (again, big assumption there)?

    • Re:Fine... (Score:5, Insightful)

      by b1ufox (987621) on Wednesday June 27, 2007 @08:44AM (#19661667) Homepage Journal
      Looks like Mr Jeff Jones works at Redmond.

      https://209.34.241.68/user/Profile.aspx?UserID=780 3 [209.34.241.68]

      No wonder Windows Vista is best in his review.

      I am not convinced, next please Mr Jones.

    • Re:Fine... (Score:4, Funny)

      by Skapare (16644) on Wednesday June 27, 2007 @08:50AM (#19661723) Homepage

      What? Can't do that with Vista?

      "No user serviceable parts inside"

    • by Shivetya (243324)
      Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.

      Its human nature. Its far easier to take an easy shot at someone else other than act. Oh sure I can say I will fix it, but fact is its easier to say so on some message board that take the action.

      Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome I can only hope someone else sees it as important enough to warrant a
  • fp (Score:5, Funny)

    by Anonymous Coward on Wednesday June 27, 2007 @08:02AM (#19661329)

    Jeff Jones ... This time he did what the Linux community had asked.

    He went and f*cked himself?

    • Useless studies (Score:5, Insightful)

      by Vicegrip (82853) on Wednesday June 27, 2007 @08:41AM (#19661655) Journal
      Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?

      None

      Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?

      I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when sspi broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.

      Beyond that, on this brand new machine, specced for Vista. Vista is SLOW.

      MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
      • Re: (Score:3, Funny)

        by plague3106 (71849)
        One claim from a blog was that Vista shipped with 60,000 bugs.

        OMG IT MUST BE TRUE ONE BLOG REPORTED IT OMG!!!!111!!!11
        • Re: (Score:3, Informative)

          by pogson (856666)
          It is well known that FLOSS has fewer bugs per 1000 lines of source code. The bloat that went into Vista brought in plenty of bugs to be sure. Key differences between Linux and M$ stuff:
          • M$ gets stuff determined by the sales department. We know how well salesmen design systems.
          • Linux is designed to be modular so the complexity of each piece is less. M$ has stuff where the browser installs code, printing a document can cause pieces of the file to be executed, etc.
          • There are far more projects in FLOSS tha
      • Re:Useless studies (Score:5, Interesting)

        by sYkSh0n3 (722238) on Wednesday June 27, 2007 @09:24AM (#19661995) Journal
        Sorry bout the offtopic, but i've been noticing the problems you were talking about on EVERY new dell i've seen in the last few months. XP and Vista. So I dont know that you can attribute all your problems to the OS. I think a lot of it has to do with all the crap they install. (ug, defending vista...i feel dirty)

        But i'd still rather run Ubuntu. Anybody who thinks installing windows is easier than linux, hasn't installed feisty fawn. My last 4 windows installs have come up in 640x480 4bit because the video card wasn't recognized, the sound didn't work, and the network card didn't work. Not to mention it took forever to install. I boot ubuntu on the same machine (in minutes) and everything works perfectly. In fact, the feisty fawn install disk has become part of my windows install. I boot the live cd, download the drivers i need to my thumbdrive, reboot into windows and install them. Point being: Not only is Linux EASIER to install, it's made Windows EASIER to install too. now THATS a good operating system.
  • by poptones (653660)
    One comment and it's already dead - and not a cache link to be seen. Oh well, tune in tomorrow...
    • Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).

      Windows Vista - 6 Month Vulnerability Report
      Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems

      I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of
      • For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on WIndows. (clicking the chart also gets you to the full report.)
        (Emphasis added.)

        So, how does he account for all the silent patching that Microsoft is doing? [zdnet.com]. (Link complements of Groklaw.)
        More on Google [google.com].

        Honestly, how can one really compare Windows against Linux when Microsoft is patching things silently? It's not a fair comparison to any vendor because you don't know what got fixed; let alone what was actually problematic. When you have one community disclosing every bug, and another disclosing only those that become high-profile for them - or likely to become high-profile since they were disclosed by others or something like that - you will not get a fair comparison.

        So, if he really wants to do a fair comparison, he should get internal reports from Microsoft about their bugs, security and otherwise. Yes, CVE and similar hold the security vulnerability bugs; and you can do a comparison iff you get the security bugs that Microsoft found internally and didn't bother to report - then you would have a level set of reports.
  • by s31523 (926314) on Wednesday June 27, 2007 @08:05AM (#19661361)
    Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.
    • Re: (Score:3, Insightful)

      by spyrochaete (707033)
      From my limited experience with SuSE and Ubuntu, Linux is even less user-friendly in this manner. In the best case scenarios the OS prompts the user for a root password right in the GUI. Worst case scenario, the user has to figure out a sudo command line command. I don't know how these tasks are handled on Mac.

      Either the user is prompted about administrative tasks or he is not. Vista lets you toggle this option off if you desire, but I for one appreciate this burden. The average computer user doesn'
    • by Apocalypse111 (597674) on Wednesday June 27, 2007 @10:37AM (#19662891) Journal
      Its been said before, but I guess I'll repeat it since it hasn't yet been mentioned here: after 2 weeks of clicking "allow" for every action, its no longer a security feature for the average user.

      "Ok, lets start up Excel and get to work..."
      "excel.exe is trying to run, allow or deny?" "Allow"
      "mssrv.exe is trying to run, allow or d..." "*heavy sigh* Allow..."
      "trojan.exe is tryi..." "Allow already!"
      "deleteallfiles.e...." "Dammit just let me at my spreadsheets already! ALLOW ALLOW ALLOW!"
  • by Farfnagel (898722) on Wednesday June 27, 2007 @08:07AM (#19661375)
    ...as popular as Linux, then it will be targeted, too. Or something like that.
  • Update. (Score:4, Informative)

    by Anonymous Coward on Wednesday June 27, 2007 @08:08AM (#19661381)
    http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html [microsoft-watch.com] Updated response "Jeff Jones Vista security progress."
  • Wakeup call (Score:2, Funny)

    by Anonymous Coward
    This should be a wakeup call to all those businesses holding back on Vista migration. Vista is clearly the better choice.

    Greets

    UbuntuBoy
  • Of course it will (Score:5, Insightful)

    by oztiks (921504) on Wednesday June 27, 2007 @08:09AM (#19661391)
    This is stupid, Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution as its just an operating system with limited services. Why did he do it to Vista anyway? shouldn't he be doing it to a server edition of Windows?

    When i see a windows system and linux system that do exactly the same things have the same purpose software installed on them i can see the viability of the test.

    Further, malware runs rampet in Windows, nearly 50% of Vista's vulns were not patched, where regardless of how many Linux has they get fixed when found. More secure? You tell me is a nightclub more secure when the bouncer only kicks out half the troublemakers whole a tougher and meaner club down the street deals with all of them?
    • THe problem is that he is like me; He does not know the enemies OS. So, what he did, was pick through the OS install and decided what sounds like it belongs and what does not.

      What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distro's need to get their act together. For the last 5 years, the windows fanboys have ran around saying that the #
  • This seems to (Score:2, Interesting)

    by kid_oliva (899189)
    Contradict another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/001 8252/ [slashdot.org]. If Vista is on top than how could Microsoft Security be one of the worst jobs? What are they doing too good of a job???
  • Look! (Score:5, Insightful)

    by Eddi3 (1046882) on Wednesday June 27, 2007 @08:09AM (#19661397) Homepage Journal
    Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!

    Nothing to see here, please move along...
  • by arun_s (877518) on Wednesday June 27, 2007 @08:10AM (#19661401) Homepage Journal
    This has already been analysed at microsoft-watch [microsoft-watch.com], and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
    • by Bert64 (520050) <bert@slash d o t . f i renzee.com> on Wednesday June 27, 2007 @08:51AM (#19661731) Homepage
      Reported issues is also an unfair comparison.
      If an issue is found in open source software, it is typically published openly and patched. If the original author finds an issue, he will fix it and tell people about it so his end users can patch themselves.
      By contrast, if a vulnerability is found internally to microsoft it will still get fixed, but the fix will be rolled in with other fixes. It won't get published, and microsoft won't admit to the vulnerability unless it's already public. A good example being the ASN.1 vulnerability from a couple of years back, there were actually 2 issues fixed in the same patch, but microsoft only admitted to one of them because the other wasnt public. It was found later by reverse engineering the update.
  • by QX-Mat (460729) on Wednesday June 27, 2007 @08:12AM (#19661411)
    On the back of recent news that less than half of Vista "issues" have been patched, yet alone publicly announced, we get another article touting the merits of two things that can't be directly compared.

    Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.

    Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.

    There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deepend of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.

    Matt
  • by mgkimsal2 (200677) on Wednesday June 27, 2007 @08:12AM (#19661415) Homepage
    One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.

    So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
  • by jhdevos (56359) on Wednesday June 27, 2007 @08:15AM (#19661437) Homepage
    There are still a lot of problems with this 'comparison'. For instance:

    - The 'reduced feature set' used for the comparison still contains a lot of software not include with windows
    - All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
    - The usual 'less known holes != safer' discussion...

    I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.

    Jan
  • by Anonymous Coward on Wednesday June 27, 2007 @08:21AM (#19661483)
    He's not comparing vulnerabilities - he's comparing vulnerability disclosures.

    It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
    • Re: (Score:3, Insightful)

      by mgiuca (1040724)
      So... what you're saying is it's a measure of how closed off the codebase is? And Vista beat Linux? No way!
  • A few points (Score:3, Insightful)

    by gilesjuk (604902) <giles.jones@NOspam.zen.co.uk> on Wednesday June 27, 2007 @08:24AM (#19661505)
    1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.

    2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.

    3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.
    • Re: (Score:3, Interesting)

      1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.

      It's in use way more than is Linux:
      http://marketshare.hitslink.com/report.aspx?qprid= 2 [hitslink.com]
      Vista: 3.74%
      Linux: 0.70%

      And here are status for Germany, which would be more friendly to Linux than Vista:
      http://www.webhits.de/we [webhits.de]

  • by niiler (716140) on Wednesday June 27, 2007 @08:33AM (#19661605) Journal
    I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chrootkit, nmap, etc...) are usually installed by default. When windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.
    • Re: (Score:3, Informative)

      by freeweed (309734)
      My vendor sets up the firewall for the appropriate level of paranoia "out of the box".

      My Linux "vendor" (and most of them, these days) doesn't even set up a firewall at all. Because they don't need to. Because with a default desktop install, there's nothing to firewall off - no listening network ports.

      Sorry, Microsoft, but until you get to this point, you're going to be more vulnerable. It's only a matter of time before someone compromises a software firewall.
  • by Snowspinner (627098) <philsand.ufl@edu> on Wednesday June 27, 2007 @08:39AM (#19661641) Homepage
    I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...

    But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.

    I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
    • by secPM_MS (1081961) on Wednesday June 27, 2007 @11:56AM (#19664079)
      XP RTM and XP SP1 predated the security push and had security issues. XP SP2 was a major release (and caused compatability issues) that greatly improved the security status. At roughly the same time Microsoft hardened Windows 2003 with the SP1 release. Microsoft STRONGLY encouraged customer's moving to XP SP2 and W2K3 SP1. Unless they specifically refer to XP RTM or SP1, when Microsoft people refer to XP, they are referring to SP2.

      Too many of these comparisons are apples and oranges things. If you run you Ubuntu box as root, you are heading for trouble. Running Windows as an administrator also exposes the user to significantly enhanced risk. If you are concerned with this risk, run as a normal user. I do. Your risk will be much lower. Vista makes it much easier to run as a normal user. My wife and kids have normal user accounts on our modern machine. I will be trying to "upgrade" my old XP box (an older Win ME box I upgraded to XP with an additional 512 MB of RAM 3 years ago) to Vista home basic for the improved security support.

  • Did I miss something (Score:5, Informative)

    by MECC (8478) * on Wednesday June 27, 2007 @09:02AM (#19661839)


    Rather than take his word for it why not just check at Secunia. [secunia.com]

    Vista [secunia.com]

    Vendor Microsoft

    Product Link View Here (Link to external site)

    Affected By 10 Secunia advisories

    Unpatched 20% (2 of 10 Secunia advisories)

    Most Critical Unpatched
    The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Not critical


    Ubuntu 6.06 [secunia.com]

    Vendor Canonical Ltd.

    Product Link View Here (Link to external site)

    Affected By 147 Secunia advisories

    Unpatched 0% (0 of 147 Secunia advisories)

    Most Critical Unpatched
    There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.


    • Re: (Score:3, Interesting)

      by djupedal (584558)
      OS X [secunia.com]

      Vendor Apple

      Product Link View Here [apple.com] (Link to external site)

      Affected By 104 Secunia advisories

      Unpatched 5% (5 of 104 Secunia advisories)

      Most Critical Unpatched
      The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical

  • by HangingChad (677530) on Wednesday June 27, 2007 @09:05AM (#19661867) Homepage

    I'd just like to say I'm thrilled to be able to say this.

    If Vista was a bigger percentage of the PC market, there would be more exploits for it.

    Pay back's a bitch, ain't it?

  • by gig (78408) on Wednesday June 27, 2007 @10:06AM (#19662503)
    These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?

    Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.

    Anyone who believes this crap deserves Vista. Enjoy.

    • by weicco (645927) on Wednesday June 27, 2007 @01:14PM (#19665175)

      Vista still encourages users to run with higher privileges than necessary

      What the heck are you smoking? I'm running Vista with normal user rights (before Vista I did same with XP) and last time when I needed elevated rights was when I installed SQL Server 2005 Express some month ago. UAC prompted for administrator password, I entered it, installer continued and so on. In no way I was using higher privileges that I needed. Or do you have some magical way to install system wide components with normal user rights?

      If Vista is asking admin password every other minute then you are doing some seriously wrong! There's no need for after initial configurations to elevate to admin privileges unless you are doing some system wide stuff. And if you turned off UAC go back to your Linux or whatever you like and have a nice day.

    • Re: (Score:3, Informative)

      by SEMW (967629)

      Vista still encourages users to run with higher privileges than necessary

      "Encourages"? How exactly does it do that? I don't even know how to enable the root account on Vista -- I think it involves gpedit -- it's certainly disabled by default. With the "administrator" account, you're running with a standard user token all the time except when you elevate, which is done on a task-by-task basis. How is this "encourag[ing] users to run with higher privileges than necessary"?

  • by mpapet (761907) on Wednesday June 27, 2007 @10:20AM (#19662665) Homepage
    The fundamental failure with the phrase "Vista is still more secure..." starts with the incontrovertible fact that Windows is shipped as a black box.

    The temporary absence of security issues with Vista means nothing because neither the scope nor the scale of exploits is known. That is commonly described by the phrase "security through obscurity."

    History has shown that Microsoft's approach to security is to talk a good game. Period. While I do not doubt Microsoft has hired excellent security programmers, their contributions don't make it through the management gauntlet.

    Another way to highlight my point:

    When you buy a windows-equipped box will you:
    1: Use email on win32 without an antivirus application?
    2. Go on the internet on win32 without a firewall?
    3. Run win32 without a NAT?

    I propose the following experiment instead:
    Computer 1: Linux desktop distro immediately after install with no firewall script.
    Computer 2: Vista equipped PC straight out of the box with the windows supplied firewall disabled.
    Computer 3: Mac OSX straight out of the box.
    Run tripwire on all three machines and put them directly on the internet. (aka no NAT)

    That might be a better way to compare default security of OS's.
  • We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.

    The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.

    I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?

    Here is how I would come up with a synthetic benchmark of security:
    1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
    2. Count the bugs.
    3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
    4. Separate bugs into "server" and "desktop" bugs.
    5. Multiple bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
    6. Total up bug indexes.
    7. Now, count all fixed bugs (excluding impossible to exploit ones), multiple by a "damage index" (see #5), then multiple by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
    8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
  • lets be fair... (Score:3, Interesting)

    by pjr.cc (760528) on Wednesday June 27, 2007 @10:29AM (#19662787)
    Lets give Jobs, et al time to produce their own twisted statistics to prove exactly the same thing for their own OS's.

    just remember there are 3 types of lies, "lies, damn lies and statistics".

    Not that im claiming he's wrong mind you, just that history has proven to be a battle of seemingly erroneous statistics stacked on top of one another that seem to claim totally different things.

    Is it going to make me switch to vista? no... But i cant say i really care either, probably the most insecure part of my home server is the code i've written for it!
  • Flaw in argument (Score:5, Insightful)

    by erik_norgaard (692400) on Wednesday June 27, 2007 @11:53AM (#19664023) Homepage
    There are several fundamental flaws in the arguments in this article:

    - He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.

    - He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.

    But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.

    A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...

    This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can me made in favour of any OS on the list.

    It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.
  • by alexfromspace (876144) on Wednesday June 27, 2007 @01:20PM (#19665265) Homepage Journal
    This report is seriously misleading. The conclusions made do not follow from facts presented without employing logical fallacies. The data presented in the report measures amount of fixes made. The basic fallacy involves the assumption that just because a fix is not made, there no critical need for one. As a matter fact, a lesser number of fixes may indicate failure to find, report, and fix problems rather than absence of problems.

    Since the Linux effort is open, all issues are reported and fixed in the open, with an effort made to report and fix as much as possible, which ensures software quality. Since proprietary systems are not open, their issues are not reported and fixed in the open. As a matter fact, a fewer number of fixes does not in itself indicate a lesser number of problems, or better software quality. On the contrary, a lesser number of fixes may indicate a lesser percent of problems being found, reported and fixed, which implies a lesser quality of software. A fewer number of fixes can be as much due to failing to fix vulnerabilities due to not finding them, or not having them reported.

    Therefore, data presented in this report indirectly suggests that the open-source process is better at ensuring software quality.
  • Reading closely... (Score:3, Interesting)

    by KillerBob (217953) on Wednesday June 27, 2007 @05:06PM (#19668419)
    It does make Vista look good, doesn't it? Until you look at the table, and notice that it only mentions serious security flaws that are fixed, and serious security flaws that have been disclosed but not fixed yet. It doesn't mention serious security flaws that have not yet been disclosed....
  • by bl8n8r (649187) on Wednesday June 27, 2007 @08:28PM (#19670279)
    [1] "By Jeffrey R. Jones Director, Microsoft Security Business and Technology Unit"
    [2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
    [3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."

    [1] - http://articles.techrepublic.com.com/5100-1035_11- 5173565.html [com.com]
    [2] - http://www.boxxet.com/Windows_Vista/Windows_Vista_ News_Researcher_Says_Vista_The_Most_Secure_OS.6304 6006.details [boxxet.com]
    [3] - http://www.microsoft.com/technet/security/secnews/ articles/itproviewpoint031004.mspx [microsoft.com]

The first version always gets thrown away.

Working...