Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:If you want "browser" safe, go get Opera
Well, if you want to compare with numbers from a rival company:
Opera 8.x had 13 flaws, 3 highly severe, 0 extremely severe;
Firefox 1.x had 27 flaws, 7 highly severe, 1 extremely severe;
MS IE 6.x had 77 flaws, 22 highly severe, 11 extremely severe.
It's still not apples to apples. (Time periods aren't the same, etc.)
I think the more important thing to note: all of the Opera flaws (to date) are fixed, there are still 2 open in Firefox, and 23 open in MS IE 6.x.
-
Re:About time for the wake-up call!!!
I can't disagree more ... Why? I'll tell you why:
1. I don't want to have to bend my fingers to type those freaking Chinese characters or a Danish O with a slash, just to go to a website. No, URLs should be plain and simple. No accents, no weird characters. Everyone can read it, everyone can type it.
2. You might remember the Unicode URL hack? Now, I don't want that to happen to me!
So instead of expanding the allowed character set for URIs, they should limit it! In fact, they should limit URIs to 26 letters, 10 digits, an underscore, a dash and a dot (and the slashes of course).
Tristan. ... OK ok, and a few others like ~ and % ... -
Wish they'd spend this time patching bugs
Great!
However, I wish they'd spend some more time fixing important security holes in their OS rather than writing articles. We still don't have a patch for this Extremely Critical vulnerability http://secunia.com/advisories/18963. And it's been a week now.
I'd rather have a secure OS running on my powerbook than a tutorial on some programming language I've never heard of before :) And yes, I am a programmer myself. But if I wanted to program in Ruby I'd probably have found a tutorial somewhere already.
P.S.: This is not intended as a flame, just as a question where Apple's priorities lie. -
Re:Popularity decides if an OS is secure.
Not really. Actually, that's a myth too. Compare:
Apache 1.3: http://secunia.com/product/72/
Apache 2.0: http://secunia.com/product/73/
IIS 4.0: http://secunia.com/product/38/
IIS 5.0: http://secunia.com/product/39/
IIS 6.0: http://secunia.com/product/1438/
So it turns out you're actually better off running IIS. -
Old news?
Isn't this old news? We were all told to uncheck the open safe downloads box back in 2004.
http://secunia.com/advisories/11622/ -
Re:Workaround: Camino
"Camino is an OS X native browser using the Gecko rendering engine. ... faster than Safari"
I don't know what the evidence for this claim is, but my (warm app, cold cache) tests on a few sites showed Camino to range from similar to slower than Safari.
"and apparently is more secure than Safari."
Read the Secunia article - this isn't a Safari security hole, it's an underlying platform issue and can be exploited in other ways.
Besides, the Mozilla family browsers have had their share of security holes. -
Re:Security fix out already!
*Woooooooooooooooooosh*
That was the sound of a joke going over your head - did you feel your hair part?
And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...
Did you even read the vulnerability?
Visiting a malicious website can cause arbitrary code to run on your Mac. This is not a social engineering trick - it's true that it will only run at user privileges - but that is going to be little consolation if your home directory is trashed. -
Re:Browse safely and smarlty![sic]
"I strongly disagree. If you browse smartly, you won't be hit, even when you use IE. You need to be really careful, but again using the computer properly, won't get any infection..."
If by "browse smartly" you mean "only visit one or two well-known sites and go no place else", then I agree, you probably won't get hit. But one of the points they made in this study was that spyware installed itself in a 'drive-by' fashion, with or without user interaction. Sometimes those suckers come from 3rd party ads on well-known sites, so it's hard to cover that particular vector of attack altogether. I suppose if you disabled ActiveX, Java and Flash, you might only come across malware in the case of exploitation of some unpatched flaw in IE or in Windows ... but we all know how on-the-ball Microsoft is for security, so that's not a problem, right? Right? -
You should let the numbers talk
I have had lengthy discussions with some of my old workmates at Microsoft, and my new ones here (at a "Microsoft zombie") and they always try to laud how Microsoft OS is so much better and more secure. We even have some Linux servers here.
When I start hearing about all this, I simply say, "See Secunia (http://secunia.com/) and then come talk to me."
Basically, Secunia breaks it all down to # of vulnerabilities. Then they break that number down to # of critical, etc.
While some versions of Linux have more vulnerabilities, they have far fewer CRITICAL vulnerabilities than Windows. And the time to fix the vulnerabilities in Linux is measured in days, not weeks or months as it is in Windows.
All the reporting is done. Graphs and colors, enough to appease any "higher management" or "executive"... -
my advice
Be honest and matter-of-fact about it. Tell them the truth and hope that they are smart enough to realize how this will help the company.
You can say impressive things without lying. For instance, you can say (if it happens to be true): "I trust Linux for my home computer and all my important files." That alone means a lot. Or you can say "if I were asked to place a $1000 bet on a computer OS that would run without getting infected with viruses or crashing for a whole year (while connected to the net!) I would place the bet on Linux instead of Windows."
Or, you can point out other projects/companies. For instance, according to top500.org, in 2005, 390 of the top 500 super-computers were using Linux. That means that 78% of super-computers run Linux. For instance, the world's most powerful computer is IBM Blue Gene, and it uses Linux for its I/O nodes (more info here). Also, Google's gigantic, powerful, and distributed search engine runs using over 60,000 Linux machines (more info here, here, and on Google's Research page). The fact that big, complicated, and highly successful operations use Linux shows what it can do. In the case of Google, it shows that they trust it to deliver the security they need.
You can urge them to get a second opinion. For instance, tell them to look over Secunia's report on Windows XP compared to Ubuntu 5.10.
Ultimately, however, all you can do is provide them with an honest assessment of Linux' strengths and weaknesses, and point out in what ways the media reports are wrong. If they respect your opinion, then they'll make the right choice. If they refuse to listen to reason, then there is nothing you can do. People who are more interested in media sound-bites than expert discussion are essentially impossible to convince of anything they don't already believe. Don't waste your time, and don't buy company stock. -
Re:Earlier versions may also be affected.
hm browser plugin... in my browser, .pls is associated with Winamp (with download dialog, does not open automatically). I'm not sure what kind of plugin you're referring to, but I need to know if the bug existed in earlier versions / 2.x.
ah, found something: The vulnerability has been reported in version 5.11 and does reportedly not affect prior versions. http://secunia.com/advisories/18649/
thanks anyway!
-
From the Article
"...we have audited our code and found it unable to satisfactorily reproduce these APIs to our developers' disappointment. Further testing will be necessary to bring our product in line with user expectations."
-
Re:Mitnick may be a smart guy, BUT...
I'm actually not a huge fan of Microsoft products, but I don't really see what my software preferences have to do with anything. My favorite OS is OSX, but it's also one of the least secure (in the sense not, perhaps, that I'm most likely to be pwned--the lack of popular use of my choice OS helps prevent that--but in the sense that Apple has among perhaps the worst security response procedures in software development today). I asked you for statistics simply because you made a claim without any evidence to back it up.
I was taking issue specifically with your statement, "but in reality, it's easier to crack a proprietary box." You have a good example above. You show some open source software that's more secure than some closed source software. And I agree; open source does not inherently make one less secure. But that's not what you said; what you said was that closed source is inherently less secure--which is equally false. For example, IIS6 had 2 vulnerabilities since 2004, while Apache2 had 30 vulnerabilities since 2002.
Whether the source is available is a factor, but it's far from the only factor in how secure a product is. For one thing, good fuzzing can be as or more effective than source code analysis, so despite what Mitnick says, having access to the source doesn't always mean a whole lot. But this doesn't mean that open source is more secure, either; the benefits of the open source model can just as easily be outweighed by the costs. Open source software does indeed have many eyes, but some projects don't have many good eyes (think PHPNuke).
And aside from questions of code quality from hobbyists and non-professionals (not to mention the lack of individual accountability), there's always the possibility of intentionally vulnerable patch submissions (this was attempted with Linux a while back; for all we know it's actually happened, too).
I never said Windows was more secure (not that your Secunia statistics close the book on that discussion), but it's just one example, anyway. Your assertion was universal--that open source is always more secure than proprietary solutions, which is just clearly an indefensible position.
The only people who actually believe that are zealots. This isn't about what model I prefer or what products I use. Politics--or religious zeal--are not anywhere near my mind when I'm writing code.
And I apologize if my "put up or shut up" phrase insulted you. I was recovering from shock at the unbelievable levels of stupidity in that thread. If you're not stupid, you don't deserve my ire. -
Re:Mitnick may be a smart guy, BUT...
"Er, do you have evidence, citations, anything to back your claim? Or should we just trust you because a man named tkrotchko can't be wrong?"
Actually, my name is Tom, and I never claimed to be infallible. But Mitnick's claims simply don't pass the sniff test, and don't stand up to even my back-of-the-envelope analysis.
"Show me the evidence or shut up."
Wow. A charmer. I understand you like MS stuff (I do too), and that may cause you to look at their efforts with a less than critical eye.
Are you looking for anecdotal or statistical evidence?
I'm not a great writer, and so I'll just pull some stuff together that you're free to rip apart.
Let's take a look here:
http://secunia.com/product/1173/
I'll summarize for you:
Windows 2003 vulnerabilities were remotely exploitable 61% of the time, further the Criticality pie-chart shows that Windows exploits were highly or extremely critical 39% of the time.
By contrast, Red Hat shows a smaller amount of exploitable vulnerabilities, both locally and more important remotely.
Let's look at what happened in the alerts from US-CERT:
* 22 Technical Cyber Security Alerts were issued in 2005
* 11 of those alerts were for Windows platforms
* 3 were for Oracle products
* 2 were for Cisco products
* 1 was for Mac OS X
* None were for Linux
I think a really good, fair summary is here:
http://blogs.zdnet.com/Murphy/index.php?p=501
And I apologize for giving you a blog, but it's late.
Let's look beyond Linux to the BSDs. Let's take NetBSD, this is widely considered the most secure OS because it was built on a foundation of security. There have been no exploits that I'm aware of on this platform for years, and yet the source is widely available. How can that be? The source is there, there must be an exploit? If not, that seems to completely discredit Mitnick's point.
If we move on to Windows XP workstation, there are still significant numbers of pre-SP2 installs, which are *inherently* vulnerable just being attached to the Internet without a hardware firewall. It's a fair bet that almost all of these boxes have been exploited and serve as a zombie for some ne'er-do-well to exploit.
Let's push these statistics aside. Windows is closed and proprietary and Linux/BSD is not. Mitnick's claim that OSS is easier to exploit is not borne out either statistically, or by simple analysis of what's going on. Windows is arguably more exploitable than Red Hat, and it is inarguable the BSDs are more secure than Windows as a server. IIS was singled out as something that should not be used by large enterprises by the Gartner Group, hardly an OSS advocate.
Where's the beef here? Like I said, Mitnick is a smart guy, but he doesn't appear to have facts on his side.
Now I've put up, and I will shut up, for this is one of those rare times that I believe I am inarguably correct. -
Re:Dude...
"Get real... Apache's an appealing target. Which web server has more exploits for it? IIS."
You sure about that?
IIS6: 2 vulnerabilities since 2004
Apache2: 30 vulnerabilities since 2002
Seems possible that the correlation between open source and security is not as close as the correlation between good development practices and security. Windows (and IIS) was for a long time plagued with bad development practices; many open source projects have the same problems (even popular ones, like PHP). That, more than open/closed source, seems to be the deciding factor. -
Re:Broadband Plus OS X
You obviously have not been watching vulnerabilities under OSX, otherwise you would have noticed the PNG and QuickTime vulnerabilities or perhaps the recent Java for OSX vulnerabilities. OSX has a terrible security record, so far they have gotten lucky that they are not a big enough target for the script kiddies and hackers in general.
(oh and when you look at the page below make special note that many of these advisories are for MULTIPLE vulnerabilities in your so called secure OS)
http://secunia.com/product/96/ -
Re:Broadband Plus OS X
You're quite defensive. Honestly, I didn't bother to read your entire posting but:
"See the recent WMF vulnerability for another example of this. "Hey, let's make it so that a picture file can execute code!""
You make it seem like vulnerabilities in image formats are a MS only issue...
See: http://secunia.com/product/3439/?period=2006#advisories
The only operating system I'd come out and say has a superior overall security posture than Windows, Linux, OSX, FreeBSD, Solaris or any other mainstream OS is OpenBSD. But who wants to use OBSD for anything other than a server? Not me. -
Security Vulnerability Reporting
I visit a lot of security websites (it's my job) to learn about the latest security threats to systems under my care. One of the best I have found is Secunia http://secunia.com/
Secunia has a listing of all computer operating systems and their vulnerabilities. It also tracks the severity of those vulnerabilities, and how long it takes to get them fixed.
When comparing the Microsoft Windows family of operating systems to other systems, it appears that, while Microsoft doesn't have the largest number of vulnerabilities, it has the highest severity of vulnerabilities and it takes Microsoft longer to fix the vulnerabilities than it does, say, Red Hat Linux.
My question is:
How accurate is Secunia's perspective on the security, vulnerability, and patch-up process of Microsoft's family of computer operating systems?
AND, if their information is accurate, why does it appear that Windows is more security-challenged than its competitors, like Red Hat, when it comes down to severity of the vulnerability and the time required to patch the vulnerability? -
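The post above asks how much weight to put on the three figures Secunia-style pages report (number of advisories, their criticality, and how long fixes take). The following is an added example, not code from the original thread or from Secunia: it computes those figures from a constructed set of advisory records and normalizes the count by the length of the observation window, which is the "not apples to apples" problem raised elsewhere on this page. Product names, dates and criticality values are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample advisories (NOT real Secunia data). Criticality follows
# a 1..5 scale where 5 = extremely critical; patched=None means still open.
@dataclass
class Advisory:
    product: str
    published: date
    criticality: int
    patched: Optional[date]

SAMPLE = [
    Advisory("ProductA", date(2005, 1, 10), 4, date(2005, 1, 12)),
    Advisory("ProductA", date(2005, 3, 1), 2, date(2005, 3, 30)),
    Advisory("ProductA", date(2005, 6, 15), 5, None),
    Advisory("ProductA", date(2005, 9, 2), 3, date(2005, 9, 5)),
    Advisory("ProductB", date(2003, 2, 1), 2, date(2003, 2, 3)),
    Advisory("ProductB", date(2004, 7, 20), 3, date(2004, 7, 22)),
    Advisory("ProductB", date(2005, 11, 5), 1, None),
]


def summarize(advs, product, window_start, window_end):
    """Return the figures the comments on this page argue about, for one
    product over a date window given as ISO strings (YYYY-MM-DD):
    raw count, count per year of window, number rated highly critical or
    worse (>= 4), number still unpatched, and median days to patch.
    Returns None when no advisory falls inside the window."""
    start = date.fromisoformat(window_start)
    end = date.fromisoformat(window_end)
    sel = [a for a in advs
           if a.product == product and start <= a.published <= end]
    if not sel:
        return None
    years = (end - start).days / 365.25
    # Time-to-patch can only be measured for advisories that have a fix;
    # open advisories are reported separately so they are not hidden.
    fix_days = [(a.patched - a.published).days for a in sel if a.patched]
    return {
        "count": len(sel),
        "per_year": round(len(sel) / years, 2),
        "high_or_worse": sum(a.criticality >= 4 for a in sel),
        "unpatched": sum(a.patched is None for a in sel),
        "median_days_to_patch": median(fix_days) if fix_days else None,
    }


if __name__ == "__main__":
    # ProductA is observed over one year, ProductB over three: the raw
    # counts (4 vs 3) look similar, the per-year rates (4.01 vs 1.0) do not.
    print(summarize(SAMPLE, "ProductA", "2005-01-01", "2005-12-31"))
    print(summarize(SAMPLE, "ProductB", "2003-01-01", "2005-12-31"))
```

Two caveats the output makes visible: the per-year rate only means something if both products were actually tracked for the whole window, and the median time-to-patch silently ignores the advisories that were never fixed, so the unpatched count has to be read alongside it.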
Timely patch delivery vs. thorough testing
Short version: Would you please tell us how you evaluate timely release of your security patch and thorough testing of that same patch, and how you decide the release date?
A bit longer version:
Microsoft is often criticized for the long delivery time of the patches for critical vulnerabilities of Windows and its related components, such as Internet Explorer. Indeed, it is not unusual for Microsoft to take months to release a patch for a known critical security vulnerability (for example this one). This makes a stark contrast with patch releases of many open source projects (such as the Linux kernel) that are very quick to release their fixes.
On the other hand, many of us understand that any software has to be tested before it is released to the public. And here comes the compromise between thorough testing and quick, timely delivery. Since it is impossible for anybody to do the testing against all possible configurations of Windows, somebody has to say, at some stage, that the risk of most of the users being exposed for an extended time is far greater than the risk of some of the obscure functionality of Windows (and thus some users' systems) being broken by the patch.
This can be a tricky decision, though, and it all depends on some corporate/project/whatever policy. So my questions are the following:
1. Who makes the decision to release a specific patch at some specific date for a critical security bug?
2. Is there any reward for that decision maker when the timely release of the patch is believed to have saved millions of Windows PCs from being owned?
3. Is there any punishment for that decision maker when the patch unfortunately breaks somebody's system and he/she complains (like lost revenue of one million dollars per hour because some unknown printer driver stopped working)?
4. Do you think your current decision making process is working well?
4a. If so, why is Microsoft often criticized for not releasing patches in a timely manner?
4b. If not, what are you planning to do to improve the process?
-
Re:Security by obscurity?
Sort of.
In the year since Firefox hit 1.0, it's received much more attention from people trying to find security vulnerabilities than Mozilla ever did. (Check out Secunia for some examples.) On the other hand, a lot of that attention was from researchers, Mozilla's had a good track record at fixing them, and there hasn't been much in the way of exploitation of those vulnerabilities. -
Cowhand-A trojan for MacOS X
There are a few MacOS-X attacks in the wild. Cowhand-A was the most significant one of 2005. It's a Trojan, and it turns the computer into a proxy zombie for remote connections. It's primitive by Windows virus standards. It just installs a program in the startup folder, and makes no attempt to conceal itself.
So it's clearly possible to craft attacks for MacOS-X. But Mac market share is so tiny that few bother. Back before the PowerPC transition, when Apple had more market share, there were more Mac viruses. "Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out".
There have been some gaping holes in MacOS-X browsers that allowed execution of remote code. But nobody bothered to exploit them. Or so it is thought. There's always the possibility of quiet exploits that extract some useful information from the target, ship it somewhere, then clean up and exit.
-
Re:5% of the malware?
Faulty logic.
The biggest always gets the most scrutiny, and it's not linear. It's a matter of bang for the buck. Why target Mac with 5%, when you can target Windows with 90% just as easily? More than 90% of the attackers will use that logic, and thus you get (near) 100% of the viruses for the OS with 90% of the market share.
Still don't believe me? Check out IIS vs. Apache. IIS is the buggy, horrible mess, right? Nope. IIS 6 has two vulnerabilities, neither serious, both fixed. Apache 2.0.x has 30, 7% unpatched, 36% 'moderately critical' or higher. Is this because IIS is so incredibly secure, or is it because Apache has the lion's share of web servers? -
Jumping to conclusions.
Having read the whole thing, I do think that Steve may be jumping to conclusions a bit too quickly.
I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code-containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).
He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.
I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt. -
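A defensive WMF record walker that flags the two things the comment above describes (a record whose size field is below the legal 3-word minimum, and a META_ESCAPE record whose escape function is SETABORTPROC), as an added example that is not part of the original thread. Record layout follows the public WMF format; the sample file is constructed inline with zero-filled escape data, and the function and field names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from the public WMF format.
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # leading DWORD of the optional placeable (Aldus) header
META_HEADER_BYTES = 18           # fixed-size META_HEADER that follows it
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009
MIN_RECORD_WORDS = 3             # RecordSize (DWORD) + RecordFunction (WORD) = 3 WORDs


@dataclass
class Finding:
    offset: int   # byte offset of the record in the file
    kind: str     # "bad-length", "setabortproc", "truncated", "bad-header", "no-eof"
    detail: str


def scan_wmf(data: bytes) -> List[Finding]:
    """Walk WMF records and report malformed lengths and SETABORTPROC escapes.

    A scanner, not a renderer: it never interprets record payloads."""
    findings: List[Finding] = []
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        pos = 22  # skip the placeable header
    if len(data) < pos + META_HEADER_BYTES:
        findings.append(Finding(pos, "truncated", "file shorter than META_HEADER"))
        return findings
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    if header_words != 9:
        findings.append(Finding(pos, "bad-header", f"HeaderSize {header_words} words, expected 9"))
    pos += META_HEADER_BYTES
    while pos < len(data):
        if len(data) - pos < 6:
            findings.append(Finding(pos, "truncated", "record header runs past end of file"))
            return findings
        size_words, func = struct.unpack_from("<IH", data, pos)
        size_bytes = size_words * 2
        bad_length = size_words < MIN_RECORD_WORDS or pos + size_bytes > len(data)
        if bad_length:
            findings.append(Finding(pos, "bad-length",
                                    f"RecordSize {size_words} words is illegal or runs past end of file"))
        # The function WORD is readable even when the size field is bogus, so an
        # escape record with a bad length (the case discussed above) is still flagged.
        if func == META_ESCAPE and len(data) - pos >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == ESCAPE_SETABORTPROC:
                findings.append(Finding(pos, "setabortproc",
                                        f"META_ESCAPE SETABORTPROC with {byte_count} bytes of escape data"))
        if bad_length:
            return findings  # the next record offset cannot be trusted
        if func == META_EOF:
            return findings
        pos += size_bytes
    findings.append(Finding(pos, "no-eof", "no META_EOF record before end of data"))
    return findings


def _record(func: int, payload: bytes = b"", size_words: Optional[int] = None) -> bytes:
    """Encode one record; size_words overrides the (correct) computed size for test files."""
    if size_words is None:
        size_words = MIN_RECORD_WORDS + len(payload) // 2
    return struct.pack("<IH", size_words, func) + payload


def build_sample(include_escape: bool = True, escape_size_words: Optional[int] = None) -> bytes:
    """Constructed sample file (hypothetical, for the scanner only): a METAHEADER,
    one SETMAPMODE record, optionally a SETABORTPROC escape with zero-filled data, then EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)  # sizes left at zero on purpose
    body = _record(META_SETMAPMODE, struct.pack("<H", 8))        # MM_ANISOTROPIC
    if include_escape:
        escape_data = b"\x00" * 8                                 # constructed placeholder, no code
        esc_payload = struct.pack("<HH", ESCAPE_SETABORTPROC, len(escape_data)) + escape_data
        body += _record(META_ESCAPE, esc_payload, escape_size_words)
    body += _record(META_EOF)
    return header + body


if __name__ == "__main__":
    for f in scan_wmf(build_sample(escape_size_words=1)):
        print(f"offset {f.offset}: {f.kind} ({f.detail})")
```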
Re:Still too long, but you can take precautions.
How many security problems has Windows 2003 had?
http://secunia.com/product/1174/#advisories lists 8 out of 76 vulnerabilities as 'unpatched'. I have a feeling that Windows 2003 is also vulnerable to the new, critical WMF problems (yes, the ones discovered AFTER the previous one was patched last week.) XP complaint is here: http://secunia.com/advisories/10968/
Either way, the answer is 'a lot'.
Why not compare Redhat ES 3.0 with Windows 2003?
http://secunia.com/product/1174/#advisories_2003
http://secunia.com/product/2535/#statistics_solution
Notice something interesting with Redhat ES 3.0? 0 unpatched. 31% system access bugs, versus 55% for Windows 2003. And notice the nature of the vulnerabilities? Things like cups, or curl. Or Realplayer (wtf?). Why aren't realplayer vulnerabilities included for 2003? Surely the vast majority of ES 3.0 installs do NOT include realplayer. *shrug*.
Is 2003 doing better than XP? Yes, perhaps. Then again, NT is doing better than 2003. So that's not "technically" improvement.
The problem is that bug counting gets you nowhere. Far more useful is the number of compromised installations over time. This is a metric that reflects administrator competence as well as 'ease of lockdown'. As far as I know, the Unix or Unix-like platform has greater deployment as a server than Windows 2003, or other Windows platforms.
Why is this a fair comparison? Why is it fair to group Linux with Unix?
Exactly how many of those secunia vulnerabilities are "Linux Kernel" vulnerabilities? On Redhat ES 3.0, 13. The rest exist in GNU/Unix platform utilities, or utterly weird stuff that _shouldn't_ be included like OpenOffice.org.
I mean, what the hell: http://secunia.com/advisories/12546/
OpenOffice.org is going to be exploited on a Solaris server as much as it will be on a Redhat server. Either not at all (not installed), or in exactly the same fashion (installed).
So lemme use the famous MS marketshare argument. If Microsoft servers had greater marketshare than Unix or Unix-like platforms, then perhaps Microsoft Windows would have a greater number of vulnerabilities discovered. Sadly, even though Microsoft has LESS marketshare than Unix or Unix-like platforms, the number of critical vulnerabilities, remote vulnerabilities, and unpatched vulnerabilities is greater.
Windows 2003 is no security nirvana. Better than XP? Perhaps. But not by much, and only by exclusion of certain software and disabled services.
Most of the system has been recompiled to thwart buffer-overflow style attacks.
Still, just what do you propose they do to "fix" all the Windows XP machines out there?
Grand. I don't care that they recompiled most of the system. Vulnerabilities continue to abound.
What do I propose? Fucked if I know. If I had a good security solution for MS, I'd sell it to them for billions.
Step one, don't release Vista in the same state that the latest Visual Studio was released in. http://minimsft.blogspot.com/2005/11/hey-shareholders-vs-2005-is-fantastic.html
Yes, Vista is really, really late. No, I haven't been following Vista's development very closely, because I find MS's press releases as having far too much marketspeak for the average human, and all the Vista "previews" are fluff pieces.
If Vista is released in a state similar to Visual Studio 2005, which is MS's latest "major" (and rushed) release, Vista will be a security disaster. -
Re:BeanBunny is a known troll
Actually, it wasn't BeanBunny that lumped the various 'Nixes and 'Nix-like OSes into one category - it was CERT. Also, the CERT list includes all vulnerabilities for all software running on an OS, not just the OS themselves. Also, it's only a list - no mention of how severe a given vulnerability is.
To really get a picture of how the OSes themselves stack up in comparison to one another with respect to vulnerabilities, try Secunia. They list vulnerabilities, and how severe a vulnerability is, and why a given vulnerability is a problem, along with other interesting and relevant info about vulnerabilities.
-
Updates counted as many, "multiple" counted as one
Didn't Infoweek read the (long) list at all?
Part of the list:
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
There are MANY vulnerabilities with updates counted as different, and there are many with the words "multiple vulnerabilities" in their name.
I cleaned the list removing the updates and the correct amount for Windowses is 672 (not 812) and Unixes and all the rest OS's 1034 (not 2328).
It's still stupid and misleading to combine all Windows OS'es in one pile and the rest in the other. And even more stupid is to count patched and unpatched vulnerabilities together!
See the http://secunia.com/product/ for clearly categorized advisories.
Unpatched / Total advisories / Product
25   109   Microsoft Windows XP Home Edition
29   124   Microsoft Windows XP Professional
14    63   Linux Kernel 2.6.x
 0     2   Ubuntu Linux 5.10
 1   182   Debian GNU/Linux 3.1
 0    84   Fedora Core 4
 0   230   Mandrakelinux 10.1
 0    63   Apple Macintosh OS X
Notice that some OS versions are older than others. (The total count should be divided by the time.)
Of course the criticality should be counted too.
I checked Linux Kernel 2.6 unpatched vulnerabilities and none of them can be used remotely; 7 (of 14) were DoS and 7 were ones where the local user could potentially escalate privileges or get sensitive information.
Of the Win XP Home Edition unpatched vulnerabilities, 11 (of 25 total unpatched) could be remotely exploited.
Based on the above I come to the conclusion that Brian Krebs is either spreading FUD intentionally or out of plain stupidity. But what is the reason for Slashdot to do it?
BTW The story is duplicate:
http://it.slashdot.org/article.pl?sid=05/12/31/0812210&tid=172 -
Re:One Take
One factor is what TYPE of vulnerability it is. Is it a local exploit that requires physical access and a local user account? Is it a remote access vulnerability? Is it a potential DoS?
Here are a few graphs from secunia for the periods 2003-2006 that I think speak volumes:
-
Dangerous colour? (was: Re:block wmf)
Well, I don't use MS Windows so I don't know much about it, but I seem to remember reading something strange about an exploitable *colour* on MS Windows systems: http://secunia.com/advisories/16004, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219 -
Re:Axe Grinding
It's stupid and misleading to combine all Windows OS'es in one pile and the rest in the other.
See the http://secunia.com/product/ for clearly categorized advisories.
Unpatched / Total advisories / Product
25   109   Microsoft Windows XP Home Edition
29   124   Microsoft Windows XP Professional
14    63   Linux Kernel 2.6.x
 0     2   Ubuntu Linux 5.10
 1   182   Debian GNU/Linux 3.1
 0    84   Fedora Core 4
 0   230   Mandrakelinux 10.1
 0    63   Apple Macintosh OS X
Notice that some OS versions are older than others. (The total count should be divided by the time.)
Of course the criticality should be counted too.
I checked Linux Kernel 2.6 unpatched vulnerabilities and none of them can be used remotely; 7 (of 14) were DoS and 7 were ones where the local user could potentially escalate privileges or get sensitive information.
Of the Win XP Home Edition unpatched vulnerabilities, 11 (of 25 total unpatched) could be remotely exploited.
Linux distribution advisories include advisories for all software, not just the OS-specific ones (as is the case with all Windows OS advisories).
Based on the above I come to the conclusion that Brian Krebs is either spreading FUD intentionally or out of plain stupidity. -
Re:And counting...
"Windows Server 2003 - Enterprise Edition vs. Red Hat Enterprise Linux
Who has the most unpatched flaws and the better ratio in that one? I'm really not sure."
Let's take a look at this (I'll let someone else do the rest of them):
WS2003
76 advisories issued total.
37 in 2005.
12% unpatched.
3% extremely critical.
http://secunia.com/product/1173/
Red Hat Enterprise Linux ES4
136 advisories issued total.
136 in 2005.
0% unpatched.
1% extremely critical.
http://secunia.com/product/4668/
Linux has more advisories (especially per year), although Windows has more unpatched. In fairness to both companies, both do a good job patching the more severe vulnerabilities (the unpatched ones on Windows are of low criticality, except this most recent WMF exploit).
Despite the cries that Linux is more secure than Windows, it's certainly not a slam dunk. Some would have you believe that Linux has only 1 or 2 advisories, while Windows has 5789 of them per year. But really they both have advisories, about on par with each other. The WMF exploit is a big issue, but short of that, I'd have most people actually take a look at the unpatched advisories, and look at both products with open eyes. I think you'll leave thinking they're not as far apart as some believe, but they both have work to do. -
Re:From Secunia
If you went as far as looking up the counts on secunia then why didn't you take it one click further and look at the number of unpatched vulnerabilities and the criticality of the vulnerabilities?
Yes, simply counting vulnerabilities is idiotic, but for you to then claim that linux is not any more secure than windows is disingenuous, at best. Take a look at the stats!
http://secunia.com/product/22/?period=2005#statistics
http://secunia.com/product/16/?period=2005#statistics