MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far fewer than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
Windows 2003: currently, 5 out of 44 Secunia advisories are marked as "Unpatched" in the Secunia database. Red Hat: currently, 0 out of 133 Secunia advisories are marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is Unpatchable.
He maybe forgot that both distributions he mentions come with tons of software that Windows does not, so the comparison is at least stupid...
This actually brings up an interesting point. Does Windows have fewer bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive in fixing the bugs they do have?
Actually, I think a more important question is, how significant of a security risk are the respective bugs?
The claim is that MS had fewer vulnerabilities than various Linux distros. Yet, I'd be willing to bet many of the Windows security holes are big enough to drive a truck through. Remote exploits and the like. If the Linux vulnerabilities were rather obscure and difficult to exploit (especially remotely), then the comparison is apples to oranges and clearly FUD (surprise surprise).
Beauty is in the eye of the beerholder.
Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.
Yes, Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (e.g. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.
SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just file permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access, to the minimum required, that would be great. If they can compartmentalize operations so that each can run as a separate process with least privilege, all the better. This is work that needs to be done though.
Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.
Jedidiah.
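The compartmentalisation the post above asks developers for, as an added example (this is not code from the original thread or from Fedora/SELinux): the risky step, parsing attacker-controlled input, runs in a forked child that has dropped what privilege it can, and the parent only reads a result back over a pipe. If the child crashes or is killed, the parent survives and reports a failure instead of going down with it. It uses plain POSIX fork() and rlimits; an SELinux domain transition would confine the child further and is not shown. The uid/gid 65534 ("nobody") used when running as root, the parser and its inputs are this example's own assumptions.

```python
"""Run an untrusted parsing step in a separate, less-privileged process.

Added example, not from the original thread. Assumptions: Linux/POSIX;
uid/gid 65534 is 'nobody' (placeholder); parse_record and its inputs are
constructed for illustration.
"""
import json
import os
import resource

UNPRIV_UID = 65534  # assumption: 'nobody' on most Linux systems
UNPRIV_GID = 65534


def drop_privileges(cpu_seconds=2):
    """Reduce what the child can do; most of this works for non-root callers too."""
    # Cap CPU time so hostile input cannot become a CPU denial of service.
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    soft = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))
    # Only root can change identity; drop supplementary groups, then gid, then uid.
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(UNPRIV_GID)
        os.setuid(UNPRIV_UID)


def run_confined(func, payload):
    """Run func(payload) in a forked child; return (ok, result).

    The parent never touches the untrusted payload itself. A crash, a
    resource-limit kill or an exception in the child yields (False, None).
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: never returns
        os.close(read_end)
        try:
            drop_privileges()
            out = json.dumps(func(payload)).encode()
            with os.fdopen(write_end, "wb") as pipe:
                pipe.write(out)
        except BaseException:
            os._exit(1)
        os._exit(0)
    # parent: close our copy of the write end so read() sees EOF when the child dies
    os.close(write_end)
    with os.fdopen(read_end, "rb") as pipe:
        data = pipe.read()
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0 and data:
        return True, json.loads(data)
    return False, None


def parse_record(text):
    """Constructed 'parser' for key=value;key=value records."""
    if "\x00" in text:
        os.abort()  # simulate a memory-corruption crash on hostile input
    return dict(item.split("=", 1) for item in text.split(";") if item)


if __name__ == "__main__":
    print(run_confined(parse_record, "user=alice;uid=1000"))   # (True, {...})
    print(run_confined(parse_record, "user=mallory\x00"))      # (False, None)
```

The pipe carries only JSON, so even a compromised child can hand the parent nothing but data; the parent keeps its own privileges and its own address space.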
This is one of the problems with "Linux": people compare Windows, the OS, to Linux, the kernel. I bet most of the patches from Red Hat were non-kernel related patches. However, this is the beast that will have to be dealt with soon, because as soon as a company like Red Hat or Suse or whoever has a bad patch year it is going to bring down the whole Linux community, economically. It's just like Martha Stewart and how her company went in the tank because her name was attached to it. The name Linux is tied too closely to the OS's, that is my point.
Here's another example of making stats say what you want.
Sure, WINDOWS only had 15 patches in the last year. However, IE6 had how many (at least another 18-24), Remote Desktop Connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....
Need I continue?
Fact is, yes, Windows had 12 updates in a year, but its components had many more.
And also looking at the time from exploit discovery to fix, not looking good for them there either.
DarkMantle. I've been bored, so I started a blog.
So long as installers run without requiring passwords, and I have to give my daughter administrator privileges to run Disney games, Windows is in for a lot of hurt in the security domain because there's really no way to control what users, and by proxy the programs they run, muck with.
I mean, it's so bad right now that whole markets spawned to supply band-aids for the lack of basic protections (anti-virus, anti-spyware), and to rebuild broken systems as quickly as possible (ghost). That's pathetic, particularly since Microsoft had the ability to do a much better job of securing their systems since the release of Windows NT in 1993, and it's been mainstream since XP. It's not that they couldn't do it, it's that they didn't.
jim frost
jimf@frostbytes.com
While Windows' popularity does increase its attractiveness for malware writers, I don't think that is the only reason. Look at Apache vs. IIS. Apache has something like 69% of the market while IIS has about 21% (Feb 2005 Netcraft numbers). Better than a three to one ratio. Yet look how many viruses/worms there are for each. Hint: my (really quick) research showed about 14-16 (depends on how you count them) for IIS and 1-2 for Apache.
Market share alone does not guarantee more attacks!
"Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
Put identity in the browser.
Is it just me or was the story about 10 stories down about how spyware can disable Microsoft's Antispyware and take your cc #s, passwords, etc. I have been using a copy of linux on one of my exposed servers for several years without patching and without any significant security configuration at boot and it runs like a dream! [Although I like my OpenBSD machines better :-D]
http://www.brentcastle.com
Red Hat currently, 0 out of 133 Secunia advisories
Based on flaws in 64 different packages out of a total of 477 packages.
Let's compare that against the Windows Server 2003 Enterprise edition. All of these defects are against the core Windows operating system. You have to go to the other Microsoft products to find out the numbers for those.
Let's pick another Microsoft release - say Microsoft Windows 2000 Advanced Server. Oh dear - currently, 16 out of 79 Secunia advisories are marked as "Unpatched" in the Secunia database.
Or say Microsoft Office XP. Currently, 2 out of 14 Secunia advisories are marked as "Unpatched" in the Secunia database.
Another - lets try Microsoft Internet Explorer 6 - surely there must be a fully patched MS product out there! Currently, 18 out of 77 Secunia advisories are marked as "Unpatched" in the Secunia database.
Pick something enterprise critical - say SQL Server 2000. Currently, 1 out of 10 Secunia advisories is marked as "Unpatched" in the Secunia database.
Doesn't really look good.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Secunia shows 3 vulnerabilities for IIS6.
Which version of Apache? Secunia shows different stats for Apache 1.3 than Apache 2, with the latter showing more regularity.
Your numbers are off. And the numbers alone don't tell the whole story. You'd be better off doing a bit more digging before resting with that conclusion. Though, to be honest, I can see the argument being made.
Switch to grub.
It's got the great advantage of being able to boot any kernel you have, as long as it can access the partition. Screwed up configuration, kernel with a bad filename, etc, all don't matter when you can load any kernel you want from grub's command line.
It's a bit strange in some things, like that it counts disks starting at 0 and not 1, but overall it's quite nice when you get used to it, and it's definitely a lot better than LILO when something unexpected happens.
Screwed up configuration, kernel with a bad filename, etc, all don't matter
:)
It can also boot Windows on an IDE drive that isn't primary master too, something that Windows can't seem to manage by itself.
Usually the make install of a new kernel reruns LILO anyway. I use LILO on some servers and GRUB on others.
Usually a bigger issue is that you installed some critical service but forgot to enable it, either by dropping symlinks into /etc/rc.d/ or using chkconfig.
When one of my servers needs any new services installed or kernels patched, I actually schedule reboot testing. In fact essentially all of my reboots are due to this testing. It does cut into uptime but it means that when I need it, it will be up.
LedgerSMB: Open source Accounting/ERP
YUM does not differentiate between security patches and new versions released for other reasons. Therefore these 200 updates could be 200 upgrades.
Also I think that Linux is more securable than Windows. It is not a matter of not being a target, it is a matter of having more modularization in your system so that it is more possible to reasonably secure the computer against attackers and protect critical data in the event that a service is compromised.
There is this classic confusion about classifying bugs. There is a fundamental difference between "linux" patches, as they call them, and kernel patches. The Linux core has a relatively low number of security flaws. Even when they do, the severity of the patch is far lower since most bugs won't give you root level access. Unlike the Windows bugs that typically will give you root/administrator rights. The distributions may have a lot more bugs, but they also include thousands of open source applications.
If you want to compare bug numbers, it's only realistic when you count the number of bugs in the kernel compared to the windows base OS.
WURD!!
This week's set of Windows patches requires the machine to reboot. I'm about to give a presentation, so I click on the 'Reboot Later' button. Ten minutes into the presentation, the full-screen presentation reverts to window-sized, and the 'You need to reboot' message pops up again.
Yes, you can drag the window off to the left or right of the screen so that it doesn't annoy, but how many users know to do that? Clicking 'Later' makes the box go away for a while (or click 'Now' and lose what you were doing, oops). There is no preference to make the delay longer, or not pop up at all.
The issues addressed in the parent are easily solved. The 'Reboot Now' message is not. I'll reboot when I'm good and ready, and not a moment before, so stop bothering me!
Yeah, they scan you to make sure you're not posting through a proxy. Without asking of course, which is pretty fucking rude.
History also shows that any lie that is repeated enough becomes indistinguishable from the truth.
The Big Lie was invented by the French in the 12th century and made infamous in modern times by the Germans. I don't think the problem is uniquely American.
[Set Cain on fire and steal his lute.]
Although I use Firefox for 95% of my browsing because I consider it more secure for everyday browsing and more resilient against spyware, I do not use Firefox for my Internet banking. I use IE instead as it is more secure and bug free in that regard.
I use Internet banking sites, one for a regular bank and one for an Internet-only bank. For one of them, however, Firefox has an ugly bug where using the keypad and double clicking the button results in 3 of the same number being input. Although not a security risk, it has caused a number of invalid logins. The keypad was implemented as a security feature against key loggers more than a year ago.
The other one has a serious security bug, where after logging out, all I have to do is press the back button enough times and Firefox will prompt me to resubmit POST data (the login) and it will log me right back into Internet banking without having to type in my account number or password. This happens even though I am accessing a secure site, and despite the fact that Firefox was instructed to not cache passwords.
In addition, numerous rendering bugs cause some features of my banking to be unusable.
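Whatever a browser does with its history, the server side of the login above can refuse to be replayed. As an added example (not code from the original thread or from any bank), this is a login handler in which the form carries a single-use, short-lived nonce that is consumed on first submission, so a re-sent POST is rejected before the credentials are even looked at, and every response is marked Cache-Control: no-store so the page and its hidden field are not kept for history navigation. The class, method and field names are this example's own, and password checking is a caller-supplied callable.

```python
"""Login handler that rejects a browser re-submitting the same login POST.

Added example, not from the original thread. The nonce store is in memory
for illustration; a real deployment would keep it server-side in a shared
store with the same single-use semantics.
"""
import re
import secrets
import time

NONCE_TTL_SECONDS = 300
NO_STORE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
]


class LoginHandler:
    def __init__(self, check_password, now=time.time):
        self.check_password = check_password  # callable(account, password) -> bool
        self.now = now                        # injectable clock, for testing expiry
        self._pending = {}                    # nonce -> issue time; one per rendered form
        self.sessions = {}                    # session id -> account

    def render_form(self):
        """GET /login: mint a fresh nonce and embed it as a hidden field."""
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = self.now()
        body = (
            '<form method="post" action="/login">'
            f'<input type="hidden" name="form_nonce" value="{nonce}">'
            '<input name="account"><input type="password" name="password">'
            "</form>"
        )
        return 200, list(NO_STORE), body

    def handle_post(self, form):
        """POST /login: consume the nonce first, then check the credentials."""
        issued = self._pending.pop(form.get("form_nonce", ""), None)  # single use
        if issued is None or self.now() - issued > NONCE_TTL_SECONDS:
            # Replayed, expired or forged form: credentials are not examined at all.
            return 403, list(NO_STORE), "login form expired; please reload the page"
        if not self.check_password(form.get("account", ""), form.get("password", "")):
            return 401, list(NO_STORE), "invalid credentials"
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = form["account"]
        headers = list(NO_STORE) + [
            ("Set-Cookie", f"session={sid}; Secure; HttpOnly; Path=/"),
            ("Location", "/account"),
        ]
        return 303, headers, ""

    def logout(self, sid):
        """Invalidate the session server-side; a stale cookie is then worthless."""
        self.sessions.pop(sid, None)


def nonce_from_form(body):
    """Extract the hidden nonce from a rendered form (what the browser would submit)."""
    match = re.search(r'name="form_nonce" value="([^"]+)"', body)
    return match.group(1) if match else None
```

A failed password attempt also consumes the nonce, so the form must be re-rendered (with a new nonce) before the next try; that is deliberate, since it is what keeps a stored POST from being retried indefinitely.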
Yeah, it's a piece of piss to setup a local repository on a server and then point all the other machines to update from that, and you'll find the tools (e.g. apt-move) to do this in your favourite distro :)
GP is Yet Another Silly Windows Cluebie (YASWC).
"The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
Since Microsoft brought up server operating systems, let's compare Microsoft Windows Server 2003 Enterprise Edition with IIS 6 and Red Hat Enterprise Linux 3 Advanced Server with its default suite of servers (apache, etc.)
For WS2003-EE, microsoft.com reveals 12 security bulletins for 2005:
In addition, Secunia lists 5 unpatched security holes and 1 partial fix:
So it looks like the WS2003-EE/IIS6 combination has been subject to 12 patches in 2005 caused by 16 vulnerabilities with an average criticality of 2, plus 6 unpatched or partially patched vulnerabilities with an average criticality of 4.
Since I'll be getting rid of KDE and Mozilla vulns with RHEL because they're not really used on back-room servers, I'll toss out the IE and HTML Help ones here. That leaves 8 updates patching 10 security holes and an average severity of 2, plus 5 unpatched holes of low severity (mostly local).
Now on to Red Hat Enterprise Linux 3 Advanced Server, for which redhat.com lists 22 advisories for 2005 (more abbreviated list format):
So, so far in 2005, RHEL3-AS has been hit with 22 patches, consisting of 53 individual vulnerabilities of unknown criticality (they didn't say). Taking out the ones affecting packages that aren't part of the base system (that don't really have any match on a backroom Windows server), that still leaves 14 updates fixing 41 vulnerabilities. Secunia, however, shows none unpatched.
The Secunia site has some good comparative charts, showing that from 1993-today, WS2003 has been hit with fewer problems, with a fewer percentage remotely exploitable, but with a highe
WeRelate.org - wiki-based genealogy
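The arithmetic in the comparison above, and the point made earlier in the thread that a package manager's update count does not distinguish security fixes from ordinary upgrades, as one added example (not code from the original thread, Red Hat or Secunia). It takes a list of advisories, separates security advisories from bug-fix and enhancement ones by Red Hat's advisory prefix (RHSA, RHBA, RHEA), counts advisories ("patches") separately from the distinct CVEs they fix, averages severity, and repeats the figures after restricting to a "base system" package set. The advisory records, package names, CVE numbers and the 1-5 severity scale are constructed sample data.

```python
"""Patches vs. vulnerabilities for a set of vendor advisories.

Added example, not from the original thread. SAMPLE and BASE_SYSTEM are
CONSTRUCTED: the IDs, packages, CVE numbers and severities are placeholders.
"""
from collections import namedtuple

Advisory = namedtuple("Advisory", "id packages cves severity")

# Red Hat advisory prefixes: RHSA = security, RHBA = bug fix, RHEA = enhancement.
SECURITY_PREFIXES = ("RHSA",)

SAMPLE = [  # constructed sample data; severity on an assumed 1-5 scale, 0 = n/a
    Advisory("RHSA-2005:0001", ["kernel"], ["CVE-2005-0001", "CVE-2005-0002"], 3),
    Advisory("RHSA-2005:0002", ["openssh"], ["CVE-2005-0003"], 4),
    Advisory("RHSA-2005:0003", ["kdelibs"], ["CVE-2005-0004", "CVE-2005-0005"], 2),
    Advisory("RHSA-2005:0004", ["mozilla"], ["CVE-2005-0006"], 3),
    Advisory("RHSA-2005:0005", ["kernel", "glibc"], ["CVE-2005-0002", "CVE-2005-0007"], 5),
    Advisory("RHBA-2005:0006", ["yum"], [], 0),
    Advisory("RHEA-2005:0007", ["httpd"], [], 0),
]

# Packages one would expect on a back-room server (constructed set).
BASE_SYSTEM = {"kernel", "glibc", "openssh", "httpd", "yum"}


def is_security(advisory):
    """True for security advisories; a raw update count treats all three kinds alike."""
    return advisory.id.split("-", 1)[0] in SECURITY_PREFIXES


def summarize(advisories, packages=None):
    """Count advisories, security advisories, distinct CVEs and mean severity.

    If `packages` is given, only advisories touching at least one of those
    packages are counted (the 'base system' filter used in the post above).
    CVEs are counted as a set, so one CVE fixed by two advisories counts once.
    """
    if packages is not None:
        advisories = [a for a in advisories if any(p in packages for p in a.packages)]
    security = [a for a in advisories if is_security(a)]
    cves = set()
    for a in security:
        cves.update(a.cves)
    mean_severity = round(sum(a.severity for a in security) / len(security), 2) if security else 0.0
    return {
        "advisories": len(advisories),
        "security_advisories": len(security),
        "non_security_advisories": len(advisories) - len(security),
        "distinct_vulnerabilities": len(cves),
        "average_severity": mean_severity,
    }


if __name__ == "__main__":
    print("all packages :", summarize(SAMPLE))
    print("base system  :", summarize(SAMPLE, BASE_SYSTEM))
```

Two things the raw numbers hide fall out immediately: two of the seven "updates" are not security fixes at all, and one CVE fixed in two advisories would be double-counted without the set.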
ssh trustixbox.localnet -l nonroot
su
# swup is Trustix's updater: upgrade now, then install the cron job that keeps doing it
swup --upgrade --silent; swup --install swupcron
ssh debianbox.localnet -l nonroot
su
# the cron.daily script needs a shebang and the exec bit or run-parts skips it;
# refresh the package index first and answer yes so the job never hangs on a prompt
printf '#!/bin/sh\napt-get update && apt-get -y upgrade\n' > /etc/cron.daily/aptupdate
chmod +x /etc/cron.daily/aptupdate
yeah so it's not ideal, but it's automatic.
You can buy this from Red Hat. You've been able to buy it from Red Hat for years. It's called Red Hat Network and it's part of all their commercial Linux offerings (might be optional on the cheap stuff). You will need to pay extra if you want to manage all this locally (ie without client machines having Internet access).
It lets you tell individual machines, groups of machines or all the machines to install the patches, allows you to schedule the install (so you can do 5000 workstations during an at-risk period) and you control all this from any machine with a web browser.
Click... "Hmm, all 500 workstations have outstanding security fixes", click "Looks like there's an upgrade to the PDF viewer", click "I'll schedule that for tonight", click "Yes, I really want to do that", click, "Great, now back to some real work", close browser tab.
It also manages hardware inventory, does rollbacks, and has lots of other sweet features.