Security Statistics and Operating System Conventional Wisdom
kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
These are the statistics that really matter:
Secunia Virus Statistics
Of course you'll notice the common Win32. in front of all of them.
All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the world's PCs were by
I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive. Actually, Linux is almost an accidental beneficiary here. Linux used Unix as a role-model, and Unix grew up being attacked by hackers who wanted to play Space-Invaders or Cave or Hunt the Wumpus when their school accounts wouldn't cover it. And by PhD candidates trying for a few more runs on their thesis project. It's true these weren't *remote* exploits. They were local ones...where the attacker didn't have privileged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access.
I think we've pushed this "anyone can grow up to be president" thing too far.
The list of advisories for RedHat AS 3 is listed at the bottom and currently it contains 51 advisories and what they were issued for. I copied the list and sorted them so here you can see a list of exactly what they included:
Strange that...
CVS
ethereal
FreeRADIUS
gaim
glibc
gnupg
httpd
iproute
ipsec-tools
kdelibs
kdepim
kernel
krb5
lftp
LHA
libpng
libxml2
mod_python
mod_ssl
mozilla
Mutt
NetPBM
net-snmp
nfs-utils
OpenOffice
OpenSSL
PWLib
Quagga
rsync
slocate
squid
squirrelmail
sysstat
tcpdump
utempter
XFree86
As you can see a lot of these are what might be called non-OS components. I've had a quick look at XP Home and it doesn't even seem to include issues with IE which according to MS is an integral part of the OS unlike Linux and Mozilla, yet they happily bundled them together.
Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.
You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistence that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.
*Definitely needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)
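The comment above separates two settings: refusing LM authentication and not storing the LM hash. As an added example (not part of the thread), this Python sketch audits both from the text output of `reg query` on the Lsa key; the two sample outputs are constructed, and treating an absent value as "not hardened" is an assumption of the example.

```python
# Constructed sample: output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# on a host where LM authentication is refused but hash storage is still on.
SAMPLE_AUTH_OFF_ONLY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
    NoLMHash    REG_DWORD    0x0
"""

# Constructed sample: both settings applied.
SAMPLE_BOTH_OFF = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
    NoLMHash    REG_DWORD    0x1
"""


def parse_lsa_dwords(reg_query_output):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in reg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "REG_DWORD":
            values[parts[0].lower()] = int(parts[2], 16)
    return values


def audit_lm(reg_query_output):
    """Report the two LM settings separately, plus the gap between them."""
    values = parse_lsa_dwords(reg_query_output)
    level = values.get("lmcompatibilitylevel")
    # Levels 4 and 5 refuse LM responses; an absent value falls back to the
    # OS default, which this example does not assume to be safe.
    auth_refused = level is not None and level >= 4
    # NoLMHash=1 stops new LM hashes from being stored. It takes effect at
    # the next password change, so older hashes persist until then.
    storage_disabled = values.get("nolmhash") == 1
    return {
        "lm_auth_refused": auth_refused,
        "lm_hash_storage_disabled": storage_disabled,
        # The case the comment describes: auth is off, the hash is still there.
        "auth_off_but_hash_stored": auth_refused and not storage_disabled,
    }


if __name__ == "__main__":
    for name, sample in [("auth off only", SAMPLE_AUTH_OFF_ONLY),
                         ("both off", SAMPLE_BOTH_OFF)]:
        print(name, audit_lm(sample))
```
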
I'm really tired of idiots on Slashdot that have no clue what the fuck they're talking about. Half a decade. Ptoii! I can start by going back 15 years and easily debunk your lies. At that time, most computers in this here world (disclaimer, I have no idea which world you're from - but you should phone home coz' your green-skinned momma is worried about you) were either in universities or corporations. I'm not counting the C= 64s, Atari ][ and Colecovisions here, kay? They have no bearing on the current crop of operating systems. UNIX does. VMS does. Access control and security were big back then - simply because schools with thousands of students had one 64k line to the world (for mail, ftp, gopher, archie and telnet) and diskspace measured in megs so there had to be ways to keep the students from eating it all up. They had to be kept from using the mainframes to play Nethack, to download ASCII pr0n and to chat on IRC instead of studying. Quotas, passwords, password policies, shadowing, encryption - all that jazz. It's not new. It's been around several decades. Half a decade... Maybe Microsoft haven't cared for it more than half a decade, but the world does not revolve around Redmond.
Security is not new. The problem is that Microsoft built DOS for single-user. It had no real security layer and that carried over into Windows 3.11, Windows 95 and all the way into ME. They had to preserve backwards compatibility, see? They had to maintain their monopoly and they could not let little things like end-user security get in the way of that goal.
Meanwhile, all the OSes that came from multi-user roots had a lot of that already built-in. They were network operating systems, built from a network-centric point of view. It wasn't tacked on afterwards like the TCP/IP stack for Windows 3.11. Remember that? It was a separate download.
Half a decade, my ass. The Internet has been around and popularized by the WWW much longer than that. I've been building websites since 1995, kiddo. Were you even born back then? I used to log in remotely to SunView terminals and run the WhenHarryMetSally.aiff on my classmates' computers at full volume, that's a remote exploit if ever there was one! The Morris worm. Say no more, Squire!
And what delusional script kiddie MS astroturfers modded your crappy rant Insightful, we'll never know. Hell, I was ranting on the 'net in 1990! You'd think the art would have evolved since then...
Money for nothing, pix for free
And simply reading the article is exactly what this Microsoft shill is expecting everyone to do.
This may be asking a lot, but I'd like everyone to dig a little deeper and actually go to the secunia.com website and poke around at the statistics yourself. What you will find is that the guy who wrote this article is either too damned lazy to fully research his topic or he is intentionally using these statistics inaccurately in order to prove a false point.
For those who don't have the time to find out for themselves what the statistics REALLY say, here is what I found:
In the secunia.com statistics for Windows XP there is only a single exploit related to Internet Explorer. That sounds pretty good but it's also blatantly false.
In fact, if you dig a little deeper into the statistics on their web site you discover that Internet Explorer 6 from 2003 to 2004 had 40 advisories by itself with 98% allowing remote attack and 31% enabling system access.
secunia.com/product/11/
So taking into account all the IE vulnerabilities instead of grouping them into one advisory we suddenly discover that Microsoft Windows XP Professional had 86 advisories from 2003 to 2004 with 71% allowing remote attacks and 38% enabling system access!
Now some will say "not fair" because IE is a separate application. All I can tell you is that if you actually looked at the statistics you would already know that the OSX and linux statistics include security advisories for ALL applications included in with the OS. So it is only fair to also include ALL Windows applications that come with Windows.
So in conclusion, when I include the vulnerabilities of just one single Windows application the number of exploits in Windows is around double what you have with the likes of OSX or linux. I suspect that including other Windows applications that were excluded from the Windows statistics everyone will begin to understand why Windows is a haven for worms and viruses.
I don't think I will be migrating from my Mac OSX and linux installs any time soon.
burnin
The Windows XP Pro list includes:
- Microsoft Windows 14 Vulnerabilities
- Microsoft Windows RPC/DCOM Multiple Vulnerabilities
- Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
- Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone. Actually, Secunia tend to publish alerts based on the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.
Andrew Yeomans