Top 12 Operating Systems Vulnerability Survey

markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"

No OpenBSD?

[sunwukong]

Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

Re:No OpenBSD?

[soloport]

Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

Title says, "Top 12"? (Am guessing.)

Calm your self...

[CasperIV]

Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; Many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. Whats worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I here are:
1) Ignorance (They don't know they need them)
2) Slow Connections (They don't want to wait 3 days for updates to download)
3) Incompatibility (They are afraid that if they download a patch from MS it will break something)

With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.

Re:

[howlingmadhowie]

a friend of mine calls himself a network-technician and works freelance for small companies. he uses windows 2000 as a server platform. he told me about a year ago, that he hasn't installed a single patch on any of the servers he looks after, because he's worring about breaking something. (i wonder what he actually does then?)

Re:

[Antique Geekmeister]

No, BSD is still quite active, including the one inside Apple these days. But the testers were probably unable to install OpenBSD on any hardware less than 8 years old: that OS does *not* have a sane installer or compatibility with a lot of more modern components.

Go ahead, get an off-the-shelf USB wheel-mouse working on OpenBSD without spending at least 2 days hand-building kernels and other components.

come on...

[cosmocain]

... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...

Re:come on...

[drinkypoo]

... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers.

My only complaint is that Windows XP should be tested as installed from SP2, since any XP CD distributed through authorized channels today has SP2 built in.

But you have to realize that Windows XP is the most common version of Windows in use today, and so it is reasonable to test it today...

Re:

[paganizer]

Can't test win2k; it was/is The Ultimate Operating System, and would put all others to shame. now that I'm done with the win2k fanboy comment... It would be near impossible to do this test right; no one in their right minds would suspect WinXP firewall of actually working, the first thing I do for people who i'm helping out is to kill it and (if they are not computer brain dead) install Tiny Personal Firewall, or (if they just can't figure out that whole "copy, paste" concept) Zonealarm. So unless you speci

Re:

[dpilot]

Maybe, maybe not. What do you get today when you buy a Retail copy of XP? Is SP2 slipstreamed, at the very least?

I recently reinstalled an XP machine for my sister-in-law, and when I was done with the recovery CD, I'm not sure if the system was at base, or at SP1. I had to install a pile of updates with numerous reboots, and THEN I was able to install SP2, plus then I went on to install yet more updates. Maybe I did it the hard way, maybe I'm a noob with Microsoft products, maybe it has something to do with

Re:

[pembo13]

It's not the testers fault that there's no Windows 2006.

Re:

[Anonymous Coward]

So only pay attention to the comparison from after the point SP2 is installed?

Re:

[melonman]

Also,

The UNIX and Linux variants present a much more robust exterior to the outside

might be true until you install most PHP apps in non-CGI mode, whereupon in most cases you've set up a race condition as to who runs admin.php first, and that's if your end user remembers to turn off execution permissions after running the script, and, if (s)he doesn't, your entire machine is compromised because every single PHP app is running under the same users...

Re:

[itlurksbeneath]

So... Red Hat is to blame for a more secure system just because they put out more than a couple of updates a decade?

Concise?

[jonknee]

Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007.

Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!

Re:Concise?

[solevita]

Who reads printed pages anyway? Just scroll down and read the relevant test results for every OS. No need to read all the blurb about when XP was first released or in what university BSD first came about; just scroll down and read every bit that starts "Nmap". You'll get through it very quickly.

It was much nicer than most stories that make it to the front page; I didn't have to keep clicking the next page button every 50 words. It was good stuff, there were no ads (although I do run adblock) and a great deal of easy to read information.

Let's just hope that /. provides us with more of these.

Re:

[jonknee]

I just used printed pages to measure the length, I didn't actually print it out. By your logic everything is concise, just skip to the end.

Stupid Comparison

[Archangel Michael]

Okay, We all know that 2001 version of XP, totally unpatched is vulnerable. Duh

I update all my WinXP installs OFFLINE, making sure that they are FULLY patched and running the latest AV before putting them on the wire. The issue is that Microsoft doesn't make it easy to do this, and I have to use third party products to properly secure their systems before they go online. (90+ Patches from SP2?????)

To me, that is the greatest of all faults.

Not A Stupid Comparison

[drinkypoo]

The reason it is not a stupid comparison is that Microsoft doesn't make it easy to do, so most people do it online. Granted, most of us do it from behind a firewall, but a compromised machine on your network listening to DHCP requests and responses might very well hack your ass in moments.

Re:

[InsertCleverUsername]

Parent makes an important point. I think the MS automatic updates are a great help to Joe Average User, but if they wanted to do things right, MS would lock down almost all networking other than HTTP connections to update.microsoft.com until the fresh install was fully patched.

Re:

[drinkypoo]

Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.

That's what I'm talking about. I comment in another location that they should be testing against the SP2 version because if you get XP today, that's what you're installing.

But the period between SP2 and the patches, that's a time when the machine is typically on the 'net and potentially vulnerable.

Re:

[drinkypoo]

RTFA, mate. The article covers (from install to final use) Windows XP, WindowsXP SP2, Windows Vista Ultimate. Yes, he does cover Service Pack 2.

RTFC[omment], pal. He installs non-SP2 XP, and then patches up to SP2. If you get Windows XP today, you will be getting it with SP2a integrated by Microsoft. This is not what he installed.

It's true that an older XP user will be installing a pre-SP2 edition of XP if they do a reinstall, so there is some merit to his test methodology. But it would make more sense to

This is a survey of security?

[MonGuSE]

Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?

Re:

[SatanicPuppy]

THAT is what I was thinking.

"I ran Nessus and then nmap, and this is what it said." Ooo, let me bow to your geekdom. And then he picks a raw version of XP...that's so unfair there aren't even words...Seriously, most of those flaws were fixed years ago, and you can't even buy XP like that anymore.

It would have been totally appropriate

[sheldon]

If Windows had come out as the worst.

Since it did not, we here at /. must do our best to totally discredit the survey.

It's no worse than anyone else's.

[jd]

This does not make it good - Nessus is hardly the top-of-the-line in security scanners, for a start - but the alternative methods being used are no better. The counting method (add up all of the announcements made) tends to lead to Linux getting the same flaw counted once per distribution, not once per package, resulting in gross overcounting. The Open Source community is also generally better at announcing flaws, whereas commercial vendors won't necessarily report a flaw if it gets covered by a patch or up

Re:

[Bert64]

Some of those nessus issues identified are false positives... Like the rpc.cmsd hole on solaris etc, this is a really old vulnerability that existed in solaris versions 7 and earlier.
Also, they missed the recent solaris telnet vulnerability (telnet -l -froot host).
Finally, they say that OSX was insecure out of the box, even tho it had no services turned on by default and they had to explicitely enable them.

Macs Still Safe in Default State

[adavies42]

The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.

Re:

[EraserMouseMan]

Yea, but what's the very first thing you do after the first boot? Right, get latest updates. So 1hr after first boot Mac is not beating the hell out of XP.

Re:

[dpilot]

But unless you're already behind a firewall of some sort, 1 hour is more than long enough to be compromised, BEFORE the updates are done.

Re:

[Slightly Askew]

unless you're already behind a firewall of some sort

Exactly, and how are you going to get that firewall installed on XP SP2 before you are able...to...uh, never mind.

Re:

[crayiii]

come on, you're saying that in 1 friggen hour, while I'm downloading SP2 on a new XP box that I'm going to be "infected?" Sounds a little far fetched to me...

Re:

[Anonymous Coward]

Um...Yes. That's exactly what is being said. RTFA! or RRTFA. Machines have been infected in as little as 20 SECONDS!

Re:

[Mister Whirly]

XP SP2 comes with built-in firewall turned on by default, the XP CDs out now are slipstreamed XP2 version. So, to answer your (albeit facetious)question, the firewall is already enabled before you go online to get the rest of the patches. Not bulletproof but better than nothing.

Re:

[Antique Geekmeister]

Run your Windows in a virtual environment, behind a firewall in the virtual server. Then use the updated OS image as your canonical installation image.

This would work better if it were easier to register the license keys remotely, but it's workable.

Re:Macs Still Safe in Default State

[Cheefachi]

I think what the parent poster was saying was that by default OS X has many services that can be compromised turned off and they remain turned off no matter how many times you perform an update or reboot. The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

Re:Macs Still Safe in Default State

[vux984]

The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

But then they conclude OSX is rife with vulnerabilty during the patching process, which is pretty misleading if you ask me.

Re:

[NateTech]

Yeah, his testing was rife with this kind of inconsistency. If you're looking to see if things are hackable during the install, you can't pick and choose the services you turn on after the install and then run your scans.

Definitely biased. Loved that FreeBSD had nothing at all turned on... and got perfect goo-goo-gah-gah wonderful text.

Whatever. He's a tard. Moving right along...

Re:

[Ingerod]

True, but as far as I can tell the only vulnerability even with the services specified switched on is the possibility to gather usernames by guessing them. See http://www.vnutz.com/content/exploit/Nessus_Apple_ OSX_Tiger_10.4.8_Vulnerabilities.html [vnutz.com]. Nessus ranks them as low at worst. Nothing to be too excited about.

Windows XP SP2 is a bit worse with one high risk allowing for remote code execution. All in all, not too bad compared to Win XP SP1. Both OSes are secure enough for desktop use. (As long as you

Re:

[Bert64]

Cups only listens on localhost by default until you turn on printer sharing... Cups is always running, wether you have a printer configured or not.
And in order to share printers with other systems, of course it needs to listen on the network, there's no way around that.

Nessus and Nmap

[demonbug]

It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up do date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.

Re:

[jimicus]

The only realistic alternative (if you want to do such a scan without spending thousands on commercial software) is to start testing for vulnerabilities by hand.

Granted, this can, in the right hands, be a means of finding new vulnerabilities. But it's a hell of a lot more work and if you're only interested in known problems - why bother when someone else has already scripted the lot?

IMO, a well-maintained server's weakest link these days is stuff like weak passwords (for anything which requires user authen

Obligatory missing option post.

[Dusty]

What no OpenVMS [hp.com] analysis?

Re:Obligatory missing option post.

[$RANDOMLUSER]

Ha ha. My favorite oxymoron: "Open VMS". The question isn't really "Can you break in?" but "Why would you want to?".

MacOS X vs. UNIX?

[Anonymous Brave Guy]

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

Hmm... MacOS X bad... UNIX good.

Presumably this contradiction is resolved by noting that on MacOS X, the vulnerable services are off by default, so MacOS X is in fact ripe with vulnerabilities out of the box, yet still presenting a robust exterior?

Nice Cherrypicking

[AKAImBatman]

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

The article also says:

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, [available services] were all enabled through the Preferences tool. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.

For OS X Server, they had this to say for it, "Out of the box":

During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.

The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.

Re:Nice Cherrypicking

[SCHecklerX]

The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.

Which is one reason it's so hard to secure a windows system. Who knows what half of those listening services actually do and what depends on them.

Also, you missed the third part, which is to configure the services you do need conservatively (ie, configure apache to not allow methods you do not use for your site, disable anonymouse FTP, or if needed lock its permissions and probably chroot it, etc).

Security isn't *too* hard if you have admins that actually listen to their lead security guy:

1. Run only the services that you need
2. Configure those services securely
3. Keep those services patched

Yes, there is a lot more to security, and how services are used factors into your response in how to mitigate any known problems, but the sysadmin security stuff boils down to the above list.

Re:

[stratjakt]

Who knows what half of those listening services actually do and what depends on them.

I do, lots of people do.

Which one do you have a question about?

It's not that hard to learn Windows.

Re:

[L0rdJedi]

And I suppose you read all the source code of all the services you run on your Linux box before you run them? I also suppose that you compile everything from source, but only after pouring through all the sources to make sure it's only doing what it says it's doing?

I guess you don't use your computer for much.

Re:

[Mister Whirly]

"Who knows what half of those listening services actually do and what depends on them."

People that are serious about security and don't want their boxes compromised.... For instance, me.
An OS service is an OS service - figuring out *nix services is no easier or harder than figuring out Windows services.

Re:

[jeffasselin]

Reading this strange blurb, I couldn't figure out how they'd arrive at the conclusion that OS X had more remotely exploitable vulnerabilities active before patching than say Linux or other UNIX variants, since it doesn't even expose any services to the outside by default!

Reading this, though, where they say they just "enabled all the services" shows that the methodology in this analysis is pretty bad. Did they also enable SMB and AFP file sharing services on the other systems? Enable Apache/IIS?

Re:

[fazookus]

"Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled."

So they take a secure machine and start services to make it less secure, but they can't be bothered to turn on the firewall?

Odd...

Re:

[mhall119]

They disabled the firewall on Windows XP SP2 and Vista Ultimate, and opened up ports on the Fedora and Suse firewalls for the services they were testing, the point was to test the binaries as well, not just the firewall. So stop acting like they treated OS X unfairly.

Re:

[PygmySurfer]

If they'd installed Solaris correctly, they'd have had the same out-of-box results - The Solaris 10 installer asks if you want to enable all of the services that were enabled by default on previous Solaris versions, or if you'd like to lock the box down and only have SSH enabled.

Relying on Nessus alone isn't much use anyway - basically all it does is compare banner output to what's in it's database. If you apply a patch that doesn't update the banner (say a patch backported to a previous version), Nessus w

Re:

[Doctor Memory]

If they'd installed Solaris correctly, they'd have had the same out-of-box results

Well, it's not their fault the Solaris installer works correctly. Maybe if it had a defective one like Fedora...

(From TFA, describing the Fedora testing):

Despite the previous configuration prompts, the chosen servers [FTP, Mail, NFS, SSH, Samba, HTTPS, telnet and HTTP] were still not enabled.

Fedora's so security-conscious, it won't start services that might get compromised! Next release, they may improve security by simply not shipping any network drivers... ;)

Did anyone else find it odd that they went out of their way to load the entire Solaris distribution, but cherry-picked the Fedora options they loaded? No, I guess I'm not either...

big deal...

[MrJerryNormandinSir]

I can run Nessus too!

Read carefully what was done on MacOS X

[david.emery]

Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.

Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.

But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

          dave

Re:

[drinkypoo]

But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

The FA is quite explicit in telling you that they enabled various services.

Are you complaining about the summary?

Re:

[pammon]

No, he's complaining about the article's conclusions. For example:

As far as "straight-out-of-box" conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities.

To most people, "straight out of box" means "without screwing around with things." That is not the sense in which they are using it. In fact, they plainly state about OS X that "the issues were not remotely accessible" earlier in the article.

And to most people, "straight out of the box" doesn't mean "a box you bought a year ago." There was no excuse for testing a pre-10.4.8 version of Mac OS X Server, but no equally old versions of L

Re:Read carefully what was done on MacOS X

[samkass]

I think their analysis is fundamentally flawed once they put MacOS X and UNIX into separate buckets. Almost everything they tested on MacOS X is based on the UNIX underpinnings of MacOS X, and at that level MacOS X *is* UNIX (with 10.5, they even went through the trouble of getting it certified as such). It's not like they were testing Cocoa or the GUI.

Any remote network vulnerability that treats MacOS X as anything other than another UNIX distro has built-in bias.

Re:

[Mr.Ned]

"But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this."

They applied the same standard and procedure to FreeBSD. Nessus revealed *zero* vulnerabilities. It's all great and fine to disable services by default, but what happens when you want to use those services?

Re:

[david.emery]

p.s. Consistent with the "in 2006" methodology, all available patches at the time of the experiment were applied, resulting in MacOS X.4.8. Since then Apple has released X.4.9.

It would be an interesting follow-up to see if these vulnerabilities are fixed. This would establish that

(a) if you're up-to-date for OS X, you are or are not still at risk, and

(b) Apple is slower than the Linux alternatives in patching known vulnerabilities (but does fix them)

Since many of the tested services are built on Open Sou

Re:

[mhall119]

I believe every system tested, except Windows XP and Vista, included specific user actions to enable services. OS X was not treated unfairly and I don't see how the conclusions are flawed because of this.

Note that the article didn't call services listening on their appropriate port a vulnerability.

Re:

[david.emery]

1. I agree with and am concerned by the vulnerabilities mentioned in the article when MacOS X services are enabled, especially after Software Update is run (and the OS is expected to be fully up-to-date.) So that's not my problem with the article (but it is my problem with Apple now...)

2. My problem is this statement in the summary:

As far as "straight-out-of-box" conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities.

If you install MacOS X or MacOS X Server out-of-the-box, and do NOT enable any services, then MacOS X has a very different vulnerability profile than Windows.

If you do the ne

Be careful jumping to conclusions on prepatched OS

[davidwr]

When it comes to prepatched or out-of-the-box configurations, be very careful jumping to conclusions.

An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.

The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.

This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and instal

Vista was not visible...

[jernejk]

From TFA:

In order to identify any Vista services present, it was necessary to disable the default firewall after booting into the system for the first time. After disabling Vista's firewall, Nmap was able to identify three open ports for Windows networking and correctly fingerprinted the system Windows Vista.

Sorry, but what's the point in doing this? Out of the box, vista comes with no open ports. Deal!

It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.

And yes, I am a Vista user.

Completely inconsistent

[evought]

Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.

Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[evought]

Also, (I'm just being curious here) can you define "empty configuration"? Is ipfw in OSX set up to "default to allow" by default?o

Yep. This is what 10.4.x has it set to when the firewall is 'off':

00010 divert 8668 ip from any to any via en0
65535 allow ip from any to any

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[evought]

Thanks. Though your answer and the AC's answer above contradict each other I get the feeling that yours is correct. From the first rule, I assume that OSX also uses natd and has it on but doing nothing by default too? It seems weird to me to have both the ipfw and natd on by default...and doing nothing. In FreeBSD, I can load them up and shut them down on the fly after boot-up. Can you not do this in OSX? Forgive my stupid questions. I really need to get a hold of one of the G5s we have here and work and play with it.

natd is running on this system, but I also have Internet Sharing enabled. I don't know if turning it off actually disables natd or just adjusts the settings (have to try it some time). I do know that if I enable the firewall, Internet Sharing stops functioning, so the firewall rules are not modified by the presence of Internet Sharing. I am working on a custom ipfw config to correct this. To me, this is a big Apple screwup, since their is no mention anywhere in the settings that the firewall does not or s

Re:

[Mister Whirly]

Please mod:Flogging Dead Horse

Wait, why am I cringing?

[Onan]

I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.

The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.

That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!

Cringe?

[CODiNE]

Hardly.

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled.53 After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

Then somehow this :

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

The immediately following sentence :

Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services.

So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.

Re:

[_Sharp'r_]

One thing to note is that they followed this same install-then-turn-on-common-services approach with all the OSes.

For example, the result after they did that on FreeBSD 6.2 was "None of the service binaries exhibited any vulnerabilities to remote exploits."

So while its not a valid part of a "default-install-only" test, it is an interesting benchmark of what if you then run some common services.

In general, however, you're right, there are methodology changes they could have made to make the testing much more

Hardware firewall is your friend

[davidwr]

The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.

Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.

Some OSes even come with inbound ports turned off by default using the built-in firewall.

If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meanin

Re:

[raddan]

All "hardware" firewalls run software. Most of them run some variant of BSD or Linux. E.g., of the two "hardware" firewalls we bought at work ("enterprise-grade"), both were actually modified versions of FreeBSD.

You can skip the hardware firewall if you use a better OS.

Re:

[thewils]

When someone ships a hardware firewall solution based on Windows, I'll start to feel comfortable running it as an OS. I'm not holding my breath though. Until that time, I feel more comfortable running my Fedora Core 6 at home.

Re:

[The Cisco Kid]

"Hardware" firewall means the firewall is a different piece of hardware than the one it is trying to protect.

So-called 'software' firewalls that run on the same machine they are protecting are crap.

A properly configured bsd or linux box doesnt need a seperate firewall.

No comptetent person with any clue whatsoever would ever consider putting a Windows box on the net without a seperate ("hardware") firewall protecting it, assuming they have any reason to run a Windows box to begin with. (Eg their boss/spouse/

Re:

[raddan]

Which is exactly what I said the first time around.

We need a comparison of pro-active security

[twistah]

I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what OS do to prevent or reduce the impact of exploitation.

For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grs

Dangerous "Out of the Box"

[Cytlid]

I love how people tend to think Computers are simple machines, like a potato peeler or something. They're complex machines, and there's people who do not take that into account. The minute you do anything with a computer (even after it's "secured") you run the risk of lowering your security.

I bet if I went and bought a nice new shiny sports car, and drove 200 mph into a brick wall, I would die. Geez! How insecure is that? I mean after all I have to engage the seatbelt? It wasn't engaged when I bought

I find his methodology bizarre.

[argent]

To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.

He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?

While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.

There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.

Mainstream OS architectures

[LinuxParanoid]

[other agreeable/worthwhile comments skipped]

There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.

IBM kinda has two, right? You probably mean z/OS [wikipedia.org] IBM's mainframe OS successor to MVS, but there's also i5/OS aka OS/400 [wikipedia.org] which has a unique and interesting (imho) object-oriented system architecture. Last I checked IBM sold $1 billion of the latter every year (OS+hardware). Oh, and there's VM/CMS [wikipedia.org] which is what all th

Vista?

[MSFanBoi2]

Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.

The list of open ports was THREE.

No vulnerablities were detected even with the firewall totally OFF.

Seems like (for now) Vista wins this one.

Re:

[mhall119]

Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.

The list of open ports was THREE.

No vulnerablities were detected even with the firewall totally OFF.

Seems like (for now) Vista wins this one.

Vista wins?
How exactly did Vista do better than the desktop setup of OSX, Fedora, Suse or Ubuntu? Heck, even FreeBSD with all it's 12+ services running and no firewall had no vulnerabilities. If you consider being as good as eve

He should have tested the mouse as a security risk

[Locutus]

News out today is that Windows( including Vista ) has another security risk in the animated mouse code. That's right, another one. The previous one was in early 2005 and I guess their Trustworthy Computing people forgot to look at the rest of the animated mouse code cause they moved it right into Windows Vista.

I did see where McAfee said that Firefox on Windows blocked this so I'm only guessing that it's yet another Windows w/Internet Explorer flaw since one of the temp fixes is to turn off html rendering i

Oracle on classic Mac OS? I don't think so.

[ckd]

Nessus "found" that the Mac OS 9.2.2 box had a vulnerability [nessus.org] that would allow an attacker to crash, or run code in, the Oracle 9i application server?

Since Oracle 9i doesn't even run on Mac OS 9.2.2, I don't think this is likely to be a big concern.

Re:

[MrNemesis]

Oracle won't run? Sounds like a classic denial of service attack to me. ;)

And they didn't even mention Rendezjour?

[biftek]

So, they had to explicitly enable all of ftp, samba, afp etc for OS X to get something to show, yet didn't even notice MDNS/Rendzejour (port 5353) open out of the box? Mongs.

Re:SAY IT AINT SO JOE

[iangoldby]

The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.

That's not remotely funny -- even with the firewall disabled.

Re:

[Jaqenn]

I thought it was funny, but maybe because I had a co-worker who always went on about how everything on the mac 'just works'.

Re:SAY IT AINT SO JOE

[kgbspy]

PC user: Macs suck. You can't play games on them, you can't get any good software for them; really, nobody supports Macs. Mac user: Yeah, but at least we don't get viruses. PC user: See? Not even virus writers support Macs!

Re:

[Anonymous Coward]

This article *CLEARLY* points out that neither OSX client or server is vulnerable to ANY attack in it's default state. The summary at the end is bogus because it clearly contradicts his own findings.

One you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but non appear to allow a virus to propagate.

Re:

[The Great Pretender]

"but what is always with the anti-mac posts when it comes to viruses and crap?

Probably it's something to do with Mac's add campaign pointing out all the flaws in Windows, while implying that Mac's have no flaws. People love to pick holes in pompous statements. It's sort of like the US pointing their finger at Chinas human rights abuses all the time and then the US wondering why people get excited when others show the US is also abusing human rights. (Disclaimer: I don't believe that operating system flaws

Re:What about 10.4.9?

[drinkypoo]

I ran nessus 2.2.8 (on Ubuntu Feisty) with all included plugins active, against an up-to-date MacOSX 10.4.9 system which is sitting just to my right. The system has Windows Sharing, Remote Login, and FTP Access turned on. The closest it came to a vulnerability was with netbios-ns (137/udp) and it said "If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port." Hope this is something like what you wanted to know.

Re:

[drinkypoo]

Well, I should just make someone else do it, but okay. Methodology: I set a wacky (keyboard-smashing) password for Xgrid, because leaving no password would be stupid. Everything else has default options unless I needed to set them before (which is to say, I MIGHT potentially have chosen non-default options for ssh, ftp, and normal sharing. But I don't think I did. Not very scientific but it's in the interest of full disclosure.

- Number of hosts which were alive during the test : 1
- Number of security

Open port |service!= vulnerability

[Anonymous Coward]

Test "tests" run are plain silly. Open ports do not mean vulnerabilities. Open services do not mean vulnerabilities as long as the authorization functions of the services work. In other words: Using completely patched systems all of the systems had 0 vulnerabilities.

This was the most stupid and moot article in ages on /.

Re:

[NtroP]

If you read the article it states that there are *NO* ports open on a default OS X client install. They manually enabled *EVERY* remote service after boot and then scanned it. So, my Mom is safe. She'll never go to System Preferences and enable all those things. My brother, OTOH, is probably not. He pokes around everywhere :-) However, I feel more confident having him poke around with OS X than I would with Windows.

Re:

[fahrbot-bot]

Linux is the most secure OS if you're a linux security geek.

For all other geeks, there's OpenBSD :-)

[Sorry, couldn't resist!]

Re:

[Max Littlemore]

This is certainly more insightful than flamebait. TFA is a flawed comparison of OSes that appears designed to make UNIX variants, and in particular Linux, look good. It actually works against the whole movement to blindly support these studies, or moderate comments like the parent in a purely partisan way without actually thinking about them in context. It supports the the view that Linux users are irrational zealots.

Can somebody with mod points please, in the absence of a +0 Uncomfortable But True moderat