Slashdot Mirror


Security Statistics and Operating System Conventional Wisdom

kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "

23 of 556 comments

  1. Welcome to Bizarro World! by Zorilla · · Score: 5, Funny

    ...where MS wants you to use Firefox and Mac OS X is less secure than Windows!

    --

    It would be cool if it didn't suck.
  2. On a side note... by Anonymous Coward · · Score: 5, Funny

    We would all like to thank the millions of dollars Microsoft invested in our research to bring it to the successful conclusion.

    It took us a couple of tries to get the results so that they would give us the right answer, but eventually we figured out a way. Microsoft kept funding us all along the way.

    Thank you!

  3. Missing Stats? by BearJ · · Score: 5, Interesting
    Ok, from my read of the article everything is roughly equally insecure, give or take. Question then becomes, how quickly are these problems responded to. Surely Microsoft as the largest company out there would be the quickest right?

    right?

    --
    Stand clear of the doors. The doors are now closing.
    1. Re:Missing Stats? by radicalskeptic · · Score: 5, Insightful
      The stats don't make sense to me. Here's what I see:

      Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

      So that would mean, multiplying 46 by 48% would give you the number of remote attacks, and multiplying 46 by 46% would give you the number of attacks enabling system access. So for Windows:

      • 22.08 remote attacks.
      • 21.16 system access attacks.


      Don't ask me why they are not integers. I suppose that some advisories covered more than one bug?

      Now, for OS X: Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

      Using the same system as before, I got:

      • 21.96 remote attacks.
      • 11.52 system access attacks.


      So they're saying OS X allows HALF of the number of attacks that can gain access to a system as XP, but their conclusion is that "The myth that Mac OS X is secure, for example, has been exposed"??? Hmmm....
      --
      WARNING: If accidentally read, induce vomiting.
    2. Re:Missing Stats? by zhiwenchong · · Score: 5, Insightful

      I think it's just a case of their phrasing being misleading.

      I believe they mean that
      1) Windows is not as insecure as YOU THINK
      2) Mac OS X is not as secure as YOU THINK (they assume Mac OS X users think that the operating system has 0 to few exploits)

      They're not really saying that Windows is more secure than Mac OS X. But the way they said it -- well, sure could mislead a lot of people.

    3. Re:Missing Stats? by richie2000 · · Score: 5, Informative
      Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by themselves on a desk, or on some small 10mbit lan with a couple others.

      I'm really tired of idiots on Slashdot that have no clue what the fuck they're talking about. Half a decade. Ptoii! I can start by going back 15 years and easily debunk your lies. At that time, most computers in this here world (disclaimer, I have no idea which world you're from - but you should phone home coz' your green-skinned momma is worried about you) were either in universities or corporations. I'm not counting the C= 64s, Atari ][ and Colecovisions here, kay? They have no bearing on the current crop of operating systems. UNIX does. VMS does. Access control and security were big back then - simply because schools with thousands of students had one 64k line to the world (for mail, ftp, gopher, archie and telnet) and diskspace measured in megs so there had to be ways to keep the students from eating it all up. They had to be kept from using the mainframes to play Nethack, to download ASCII pr0n and to chat on IRC instead of studying. Quotas, passwords, password policies, shadowing, encryption - all that jazz. It's not new. It's been around several decades. Half a decade... Maybe Microsoft haven't cared for it more than half a decade, but the world does not revolve around Redmond.

      Security is not new. The problem is that Microsoft built DOS for single-user. It had no real security layer and that carried over into Windows 3.11, Windows 95 and all the way into ME. They had to preserve backwards compatibility, see? They had to maintain their monopoly and they could not let little things like end-user security get in the way of that goal.

      Meanwhile, all the OSes that came from multi-user roots had a lot of that already built-in. They were network operating systems, built from a network-centric point of view. It wasn't tacked on afterwards like the TCP/IP stack for Windows 3.11. Remember that? It was a separate download.

      Half a decade, my ass. The Internet has been around and popularized by the WWW much longer than that. I've been building websites since 1995, kiddo. Were you even born back then? I used to log in remotely to SunView terminals and run the WhenHarryMetSally.aiff on my classmates' computers at full volume, that's a remote exploit if ever there was one! The Morris worm. Say no more, Squire!

      And what delusional script kiddie MS astroturfers modded your crappy rant Insightful, we'll never know. Hell, I was ranting on the 'net in 1990! You'd think the art would have evolved since then...

      --
      Money for nothing, pix for free
    4. Re:Missing Stats? by burnin1965 · · Score: 5, Informative

      And simply reading the article is exactly what this Microsoft shill is expecting everyone to do.

      This may be asking a lot, but I'd like everyone to dig a little deeper and actually go to the secunia.com website and poke around at the statistics yourself. What you will find is that the guy who wrote this article is either too damned lazy to fully research his topic or he is intentionally using these statistics inaccurately in order to prove a false point.

      For those who don't have the time to find out for themselves what the statistics REALLY say, here is what I found:

      In the secunia.com statistics for Windows XP there is only a single exploit related to Internet Explorer. That sounds pretty good but it's also blatantly false.

      In fact, if you dig a little deeper into the statistics on their web site you discover that Internet Explorer 6 from 2003 to 2004 had 40 advisories by itself with 98% allowing remote attack and 31% enabling system access.

      secunia.com/product/11/

      So taking into account all the IE vulnerabilities instead of grouping them into one advisory we suddenly discover that Microsoft Windows XP Professional had 86 advisories from 2003 to 2004 with 71% allowing remote attacks and 38% enabling system access!

      Now some will say "not fair" because IE is a separate application. All I can tell you is that if you actually looked at the statistics you would already know that the OSX and linux statistics include security advisories for ALL applications included in with the OS. So it is only fair to also include ALL Windows applications that come with Windows.

      So in conclusion, when I include the vulnerabilities of just one single Windows application the number of exploits in Windows is around double what you have with the likes of OSX or linux. I suspect that including other Windows applications that were excluded from the Windows statistics everyone will begin to understand why Windows is a haven for worms and viruses.

      I don't think I will be migrating from my Mac OSX and linux installs any time soon.

      burnin

  4. Mac OSX and Linux - face the facts by Anonymous Coward · · Score: 5, Funny

    The Mac and Linux communities need to accept the fact that Windows, however much you might HATE Microsoft, is more secure.

    How many independent reports have we seen that come to the same conclusion? 10? 20? The head in the sand approach won't work. The "Microsoft Shill" theory doesn't hold water.

    No, it is time for the Linux community to address these issues and bring Linux back up to the level of Windows.

    And by the way, I'm a cybersecurity consultant, so I know what I'm talking about.

    1. Re:Mac OSX and Linux - face the facts by mangu · · Score: 5, Insightful
      How many independent reports have we seen that come to the same conclusion?


      I once read that Hitler ordered a report made, signed by a hundred scientists, proving that Einstein was wrong. When they asked Einstein about it, he answered "if I was wrong, one scientist alone would be able to prove it".

  5. Again Windows only vs. RedHat/SuSE plus apps? by Knuckles · · Score: 5, Insightful

    I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    1. Re:Again Windows only vs. RedHat/SuSE plus apps? by robin_j · · Score: 5, Informative
      I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3.000 (or whatever) packages included with the distros?

      The list of advisories for RedHat AS 3 is listed at the bottom and currently it contains 51 advisories and what they were issued for. I copied the list and sorted them so here you can see a list of exactly what they included:
      CVS
      ethereal
      FreeRADIUS
      gaim
      glibc
      gnupg
      httpd
      iproute
      ipsec-tools
      kdelibs
      kdepim
      kernel
      krb5
      lftp
      LHA
      libpng
      libxml2
      mod_python
      mod_ssl
      mozilla
      Mutt
      NetPBM
      net-snmp
      nfs-utils
      OpenOffice
      OpenSSL
      PWLib
      Quagga
      rsync
      slocate
      squid
      squirrelmail
      sysstat
      tcpdump
      utempter
      XFree86

      As you can see a lot of these are what might be called non-OS components. I've had a quick look at XP Home and it doesn't even seem to include issues with IE which according to MS is an integral part of the OS unlike Linux and Mozilla, yet they happily bundled them together.

      Strange that..........
  6. Straight from the horse's mouth by paranode · · Score: 5, Informative

    These are the statistics that really matter:

    Secunia Virus Statistics

    Of course you'll notice the common Win32. in front of all of them.

  7. Counting advisories is skewed by upsidedown_duck · · Score: 5, Interesting

    One problem with counting only advisories is simply that there are different levels of transparency to users and developers among Windows XP, Linux, Solaris, and Mac OS X. One thing the study doesn't mention (which is unknowable, so they conveniently brush it off as unimportant) is how many covered-up or known-only-by-crackers vulnerabilities exist in each platform.

    Also, why didn't the study mention OpenBSD? What about default configurations? Were the documented vulnerabilities always relevant or were they very obscure (e.g., service X used by three people in Greenland)?

    I think this article smells biased.

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
  8. They neglect to mention.. by EMR · · Score: 5, Insightful

    That OS X doesn't have any network service running when first installed!!.. Nothing, nada, zilch, zippo.. In order to get exploited you need to have something running that accepts connections.. The default install of the Mac OS X doesn't have a thing. Whereas Windows has way too much enabled and exposed.. Most linux systems nowadays, while they may have some things running, most are only listening to the internal host (not accessible outside the computer) and they default enable the firewall.

  9. Potential study problem by Synn · · Score: 5, Insightful

    The study compares security alerts between OSes, but one problem with that is that at least under Linux vendors not only release alerts for the core OS, but for applications as well.

    If The Gimp has a security issue a Linux vendor will issue an alert for it.

    If Photoshop has a security issue, MS won't inform you.

    Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, plugging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.

  10. Correlation vs Mechanism by laudney · · Score: 5, Insightful

    In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to understand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.

  11. Security reporting worse than you ever imagined by Frater+219 · · Score: 5, Insightful
    The reported study discusses the number and claimed severity of official security advisories for different systems. The factitious claims being made do not address the following problems:

    Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.

    A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?

    Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.

    Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.

    Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.

    Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.

  12. Re:Missing Stats? ??? by HiThere · · Score: 5, Informative

    All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by

    I don't know just where you were living, but Unix and Linux grew up on networked systems where multiple college students shared the same machines (well, Linux less than Unix here) because they were too expensive. Actually, Linux is almost an accidental beneficiary here. Linux used Unix as a role-model, and Unix grew up being attacked by hackers who wanted to play Space-Invaders or Cave or Hunt the Wumpus when their school accounts wouldn't cover it. And by Phd candidates trying for a few more runs on their thesis project. It's true these weren't *remote* exploits. They were local ones...where the attacker didn't have privileged access. But that's the basis of all security. Once you do that, all you have to do is make remote connections a special case of local access.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  13. Re:Until LM authentication is gone... by pegr · · Score: 5, Informative

    Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

    You can certainly turn it off, but unless you disable storing the LM hash, it's still available for cracking. In the wild, my experience is that LM hashes are available as a general rule (90% of the time or better). My insistence that LM authentication be removed outright is due to the "lazy admin" factor. So yes*, in practice, unless it is removed outright, many times it is still exploitable.

    *Definitely needs qualifying. Can you turn off LM effectively? (yes) Do admins do it? ('fraid not...)
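    The distinction pegr draws is between two separate settings, and an audit has to read both. The following PowerShell snippet is an added example (not from pegr's post, Secunia, or Microsoft documentation) that reports the local values of the two LSA registry settings behind the group policy options "Network security: LAN Manager authentication level" (LmCompatibilityLevel) and "Network security: Do not store LAN Manager hash value on next password change" (NoLMHash). It assumes the standard key HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and an elevated shell; the property names are the documented Windows value names, the summary field names are mine.

```powershell
# Added example: audit whether LM authentication is disabled AND whether LM hashes
# have stopped being stored. The two settings are independent, which is the gap
# pegr describes. Assumes the standard Lsa key; run from an elevated PowerShell.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# $null when the value has never been set; the effective default then depends on the OS version.
$level = $props.LmCompatibilityLevel
$noLm  = $props.NoLMHash

[pscustomobject]@{
    LmCompatibilityLevel = $level
    NoLMHash             = $noLm
    # 0-1: client still sends the LM response; 2-3: client sends NTLM/NTLMv2 only;
    # 4-5: the machine also refuses LM (and, at 5, NTLM) as a server.
    LMAuthOff            = ($null -ne $level -and $level -ge 2)
    # 1: LM hash no longer written at the next password change.
    LMHashStorageOff     = ($noLm -eq 1)
}

# Hardening, both halves together (hypothetical values for a host with no compatibility needs):
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
# NoLMHash only affects hashes written from now on; LM hashes already in the SAM remain
# until each account's password is changed, so force a password change to purge them.
```

    A host that reports LMAuthOff = True but LMHashStorageOff = False is exactly the case pegr describes: LM authentication is disabled on the wire, yet the LM hash is still stored, so any dump of the local SAM or the domain database still yields crackable LM hashes.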

  14. That depends upon how you count it. by khasim · · Score: 5, Insightful

    In the Forrester report referenced in that article, they only STARTED counting from the time Microsoft PUBLICLY admitted to a problem.

    Which, in many cases, was when Microsoft had a patch ready.

    But www.eeye.com had reported security holes to Microsoft for MONTHS before a patch was made available.

    In other words, if Microsoft NEVER admitted PUBLICLY to a security hole, that security hole would NEVER be counted in the Forrester report.

    http://www.eeye.com/html/research/upcoming/index.html

    For the current listing.

    With Open Source software, the vulnerability is usually discussed on the mailing list.

    So, if a hole is discovered in Linux, and discussed on the mailing list and a patch is released 48 hours later.....

    And then Red Hat releases a .rpm 24 hours later...

    Forrester would count that as a 3 day delay.

    You take the medium threat from www.eeye.com that is 49 days overdue (actually informed 109 days ago) and Microsoft releases a patch the same day Microsoft admits to the hole....

    Forrester would count that a 1 day or less delay.

  15. # Advisories != # Vulnerabilities != Security Risk by Trevin · · Score: 5, Insightful

    There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories can cover multiple vulnerabilities.

    The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP advisories, all I see are the core components, with the glaring omission of Internet Explorer (which these days is in fact a core component of the operating system).

  16. Telnet? You're missing the point by minion · · Score: 5, Insightful

    Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

    Bad example. There's a telnet service in Windows too.


    When was the last time telnet was exploitable? telnet is sniffable. Big deal, so is imap, pop3, smtp, http, you name it. Sniffing should not count against an OS - it's a problem with the protocol, which is inherent to all internet based OSes. Heck, let's just say anything that uses TCP/IP is too insecure for internet access.

    Here's an example:

    RHSA-2004:174-09
    Fix: utempter local exploit.

    Ok. A local exploit. Granted, an exploit, but still, it's a local exploit. This is what these so called "security" groups need to realize - webservers on the DMZ typically don't have local access for joebob to login to. Typically, they have ports 80,443, and maybe 22 open. So now, all of those 60+ exploits attributed to Red Hat become 0 (that's Zero, with a 0). True, Red Hat had more published advisories than Windows did in the same time period, but Windows didn't ship with nearly the amount of software Red Hat did, and no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall. It just doesn't happen.

    So all of these so called security groups can shove it, because that's not real world security. Why don't they do a study on how many linux/unix sys admins patch their boxes diligently vs how many windows admins bothered to patch their boxes with patches available months before code red and other internet problems plagued the internet?

    PS: On Windows, it'd be port 3389 (remote desktop), not port 22... And BOTH services (ssh and rdp) have had remote exploits available, so you can't retort with the "ssh is insecure" BS.

    --

    -- If we don't stand up for our rights, now, there will be no right to stand up for them later.
  17. Vulnerabilities vs Advisories by AYeomans · · Score: 5, Informative
    Note very carefully, they count advisories only once, even though they may include multiple vulnerabilities.

    The Windows XP Pro list includes:

    • Microsoft Windows 14 Vulnerabilities
    • Microsoft Windows RPC/DCOM Multiple Vulnerabilities
    • Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
    • Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
    contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone.

    Actually, Secunia tend to publish alerts based on the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.

    --
    Andrew Yeomans