Slashdot Mirror
Security Statistics and Operating System Conventional Wisdom
kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
...and everyone says that Microsoft is paying Secunia to do this, etc. (like with AdTI, though AdTI really is getting funding from MSFT, different story), read this: http://www.linuxinsider.com/story/32370.html
It seems that it was Secunia which released lots of IE bugs, and that Microsoft has had scuffles with them before. Unless someone here has evidence that they got funding from MSFT since then, don't say that.
These are the statistics that really matter:
Secunia Virus Statistics
Of course you'll notice the common Win32. in front of all of them.
Statistics don't change the facts that after running Mac OS X since it's inception, I've not had one OS X virus, or any of these exploits used against my machines. And the stats don't take into account not just how quickly a patch is released, but how quickly the users of that OS patch it.
-- oldthinkers unbellyfeel ingsoc
as a Mac OSX user I have to defend my lil OS that could.
This poll does not take into affect the time to resolution, effect of exploit, and how hard it was to actually perform the exploit. Honestly, all software has bugs, all software has exploits it is the result of those exploits that I am more concerned with. Quite often Apple finds and fixes exploits before their are programs in the wild to exploit them. The same goes for Open-Source software which I am sure that some of the OSX advisories were a result of given Apples embrace of OSS.
Ask an Apple user how many Viruses, pop-ups, and unexplained daemons they have had on their system. The number will almost always be 0.
All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by
I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive. Actually, Linux is almost an accidental beneficiary here. Linux used Unix as a role-model, and Unix grew up being attacked by hackers who wanted to play Space-Invaders or Cave or Hunt the Wumpus when their school accounts wouldn't cover it. And by Phd candidates trying for a few more runs on their thesis project. It's true these weren't *remote* exploits. They were local ones...where the attacker didn't have priviledged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access.
I think we've pushed this "anyone can grow up to be president" thing too far.
The list of advisories for RedHat AS 3 is listed at the bottom and currently it contains 51 advisories and what they were issued for. I copied the list and sorted them so here you can see a list of exactly what they included:
Strange that..........CVS
ethereal
FreeRADIUS
gaim
glibc
gnupg
httpd
iproute
ipsec-tools
kdelibs
kdepim
kernel
krb5
lftp
LHA
libpng
libxml2
mod_python
mod_ssl
mozilla
Mutt
NetPBM
net-snmp
nfs-utils
OpenOffice
OpenSSL
PWLib
Quagga
rsync
slocate
squid
squirrelmail
sysstat
tcpdump
utempter
XFree86
As you can see a lots of these are what might be called non-OS components. I've had a quick look at XP Home and it doesn't even seem to include issues with IE which according to MS is an integral part of the OS unlike Linux and Mozilla, yet they happily bundled them together.
Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.
You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistance that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.
*Definately needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)
Bad example. There's a telnet service in Windows too.
I'm really tired of idiots on Slashdot that have no clue what the fuck they're talking about. Half a decade. Ptoii! I can start by going back 15 years and easily debunk your lies. At that time, most computers in this here world (disclaimer, I have no idea which world you're from - but you should phone home coz' your green-skinned momma is worried about you) were either in universities or corporations. I'm not counting the C= 64s, Atari ][ and Colecovisions here, kay? They have no bearing on the current crop of operating systems. UNIX does. VMS does. Access control and security were big back then - simply because schools with thousands of students had one 64k line to the world (for mail, ftp, gopher, archie and telnet) and diskspace measured in megs so there had to be ways to keep the students from eating it all up. They had to be kept from use the mainframes to play Nethack, to download ASCII pr0n and to chat on IRC instead of studying. Quotas, passwords, password policies, shadowing, encryption - all that jazz. It's not new. It's been around several decades. Half a decade... Maybe Microsoft haven't cared for it more than half a decade, but the world does not revolve around Redmond.
Security is not new. The problem is that Microsoft built DOS for single-user. It had no real security layer and that carried over into Windows 3.11, Windows 95 and all the way into ME. They had to preserve backwards compatibility, see? They had to maintain their monopoly and they could not let little things like end-user security get in the way of that goal.
Meanwhile, all the OSes that came from multi-user roots had a lot of that already built-in. They were network operating systems, built from a network-centric point of view. It wasn't tacked on afterwards like the TCP/IP stack for Windows 3.11. Remember that? It was a separate download.
Half a decade, my ass The Internet has been around and popularized by the WWW much longer than that. I've been building websites since 1995, kiddo. Were you even born back then? I used to log in remotely to SunView terminals and run the WhenHarryMetSally.aiff on my classmates' computers at full volume, that's a remote exploit if ever there was one! The Morris worm. Say no more, Squire!
And what delusional script kidde MS astroturfers modded your crappy rant Insightful, we'll never know. Hell, I was ranting on the 'net in 1990! You'd think the art would have evolved since then...
Money for nothing, pix for free
And simply reading the article is exactly what this Microsoft shill is expecting everyone to do.
This may be asking alot, but I'd like everyone to dig a little deeper and actual go to the secunia.com website and poke around at the statistics yourself. What you will find is that the guy who wrote this article is either too damned lazy to fully research his topic or he is intentionally using these statistics inaccurately in order to prove a false point.
For those who don't have the time to find out for themselves what the statistics REALLY say, here is what I found:
In the secunia.com statistics for Windows XP there is only a single exploit related to Internet Explorer. That sounds pretty good but its also blatantly false.
In fact, if you dig a little deeper into the statistics on their web site you discover that Internet Explorer 6 from 2003 to 2004 had 40 advisories by itself with 98% allowing remote attack and 31% enabling system access.
secunia.com/product/11/
So taking into account all the IE vulnerabilities instead of grouping them into one advisory we suddenly discover that Microsoft Windows XP Proffessional had 86 advisories from 2003 to 2004 with 71% allowing remote attacks and 38% enabling system access!
Now some will say "not fair" because IE is a seperate application. All I can tell you is that if you actually looked at the statistics you would already know that the OSX and linux statistics include security advisories for ALL applications included in with the OS. So it is only fair to also include ALL Windows applications that come with Windows.
So in conclusion, when I include the vulnerabilities of just one single Windows application the number of exploits in Windows is around double what you have with the likes of OSX or linux. I suspect that including other Windows applications that were excluded from the Windows statistics everyone will begin to understand why Windows is a haven for worms and viruses.
I don't think I will be migrating from my Mac OSX and linux installs any time soon.
burnin
For those of you still on a Microsoft platform: I've heard that L0phtcrack works wonders reversing an LM hash on modern hardware.
I've used LC and you're right, it works pretty well. It's also ungodly expensive and the serial number is tied to your hardware, so using it on another machine requires tech support "blessing". LC5 is licensed in truly bizarre ways, and did I mention that it's ungodly expensive?
For the same or better brute forcing speed, lower cost, no hassles moving to another machine, and generally a more polite program, try SamInside Best $40 LM hash cracker around.
Now for a "free" instant password cracker, use Rainbow Tables, a db of password/hashes that does all the brute forcing up front. For details, check out my journal. I'm soliciting participants to help generate the 128GB of data needed. Other than the pain of generating and storing all that data, it's free and extremely fast.
I wouldn't call that a hole in Safari, since it affected Mozilla too (bmo 243699). It was a hole in the OS. Mozilla now disallows links to help: URLs to work around that hole, btw.
The shareholder is always right.
The Windows XP Pro list includes:
- Microsoft Windows 14 Vulnerabilities
- Microsoft Windows RPC/DCOM Multiple Vulnerabilities
- Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
- Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone.Actually, Secunia tend to publish alerts based the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.
Andrew Yeomans
Yes, what you say is true, but in order to obtain LM hashes, you must be either a domain admin (for AD retrieval) or a local admin.
Funny. I cracked the administrator password of XP (Pro, on a domain, with encrypted hashes), *without* admin access (that was the reason I cracked it - I needed admin access!).
What I did, was boot Knoppix, and copy over the SYSTEM and SAM registry hives. Most apps will crack with just the SAM hive. However, the SYSTEM hive contains the encryption key to the SAM hive, and a little app known as SAMinside (another l0phtcrack app), *does* understand how to crack this more secure hash.
Heck, there was a way to do it, so you could get the hashes, import them into l0phtcrack and use it to crack.
All it took were a couple of demo/shareware apps (l0phtcrack, SAMinside), and a Knoppix CD (to get at SAM and SYSTEM hives, via NTFS driver). And a 3rd party machine.
And no, none of those apps would work on the machine in question - locked down. I cracked it on my own Win2k machine.