Surprise, Windows Listed as Most Secure OS
david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."
This discussion will go as follows.
Linux geeks will pound the boards about foul play and all the vulnerabilities they would exploit if they weren't too busy checking dependencies.
Mac fanboys will make fun of both citing how Symantec didn't like them in the first place, because Mac people don't buy Symantec products.
Windows geeks will state how this has always been the case, but because they are the more popular OS they are a bigger target.
And finally the old unix guys will flame about how none of these vulnerabilities would have happened if we would have stayed away from GUIs.
So now that we have got that out of the way we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up? Personally as a network admin I have not been too nervous the last 6 months. Since the year of the blaster MS has done a pretty good job of making up for exploits and covering their asses. All is quiet on the homefront.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
Wait...I'm supposed to think that fewer patches makes for a safer operating system?
It has been disclosed that smoking a load of crack a day keeps the doctor away.
Something between the lines jumps out and bites your arm off. Soltan Gris / London
It's a blue screen that tells you
IRQ_NOT_LESS_OR_EQUAL
never been infected while I've seen that on my screen
even in Vista !
I can picture that scene from Star Wars, where Obi Wan feels a disturbance in the force, except instead of thousands of voices being silenced, it's the sound of thousands of dyed-in-the-wool Linux geeks having an aneurysm.
:D
Just take a deep breath guys! If it's at all therapeutic, just remind everyone that Norton Antivirus sucks!
- Scott
Judging from the wretched work computer caused by Symantec, sure they must know what they're talking about.
In other news, doctor claims beer is good for you.
The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.
Isn't it windows users? Isn't windows the only OS in the world that needs the services of Symantec? Isn't Symantec releasing a study like this that finds their biggest customer the "most secure" to be fatally flawed just on the basis of conflict of interest alone?
The only thing I take fewer patches to mean is they haven't found enough bugs yet!
"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems" = "Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a few number of patches, from possibly an unknown number of undiscovered vulnerabilities"
After all... who needs to buy security products for the most secure commercial OS available to mankind?
If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?
What is this, 3rd grade?
I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!
Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].
I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.
Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].
"Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"
I fail to see how this makes Windows more secure than Mac OS X.
All this proves is that MS has released the least patches and fixes - which fits with known facts such as that MS is working on a massive Service Pack for Vista to roll out a slew of them.
StarTrekPhase2 - The Five Year Mission Continues!
Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.
Patch release count is probably the worst security metric that you could come up with.
Competition Good, Monopoly Bad.
If we only count basic O/S errors, eg. standard windows installation and linux kernel with a bash shell, we found
-0 patches and discovered vulnerabilities for Linux
-5 for windows
No it won't get through, o.k., I get it:
If we count all the O/S errors and all the optional packages
-824234627876884595 (excluding minor ones) patches and 45348475623599439543534598245 serious errors for windows (including all the ported linux programs, e.g. cygwin based stuff also)
-591 errors for linux
no, no, that's a no go result.
Ok, wait,
Just mix the two together.
We found 0 O/S errors for windows
and found 591 errors in linux including optional garbage nobody takes care and neither installs them.
Steve Ballmer's chair throwing corps makes sure they get good reviews.. or else.
"Snatching defeat from the mouth of victory on a daily basis."
*Symantec* released the report. How many products does Symantec make for non-Windows OSs? Or was their research "Windows XP with Norton Internet Security Suite 2007 installed"?
This is not news. This is a Symantec marketing campaign disguised as a press release disguised as a research report.
Never mind the false conclusion that fewer patches = more secure. Never mind that both OS X (which had MOAB) and RHEL both include a lot more software than the base OS for Windows.
The road to tyranny has always been paved with claims of necessity.
Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.
Congratulations all around Microsoft.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
(rolls eyes) So that's why I should put down some cash for Norton Anti-Virus for Mac, right?
This space left intentionally blank.
...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".
And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."
I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.
Read Pynchon.
It's interesting to note that while OS X had 43 vulnerabilities (1 severe) and windows had 39 vulnerabilities (12 severe). So windows had more big threat security holes than OS X by 12 times. Maybe OS X's average patch time is higher because the vulnerabilities they had were less important to patch?
Mod me up, mod me down, do your worst you modding clown.
In MY day, we toggled programs into the front panel with SWITCHES, and we LIKED IT! Now get off my lawn, you damn kids.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The interesting questions are:
If I've carefully kept up with updates on my servers, what percentage of the time have my machines been vulnerable?
What is the statistical probability that my servers will be broken into? Surely we can get pretty good data to answer this question.
Ask these questions for:
- RedHat with everything installed
- RedHat with minimal packages for running a web server (no gui, etc)
- Windows (gotta have that GUI!)
- OSX (ditto)
"The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."
Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says: and: So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publicly disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.
Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.
we haven't had "Windows Bug a Day Month" yet.
or perhaps insightful ;)
:-D
maybe he's running the wrong BSD
if this is supposed to be a new economy, how come they still want my old fashioned money?
Yet another meaningless study. So Windows had fewer vulnerabilities in the latter half of 2006 and/or Microsoft got the patches out the fastest. No consideration for the severity of the vulnerabilities. When was the patch time counted from? When the vulnerability was first known to the vendor, or when it was first publicly disclosed?
All these studies are the same. They draw conclusions from stats that have only a tenuous relation to security. Why not try to measure something usable, like time for an unattended box to be owned, or the percent of installations of the OS that have been owned, etc.
"We don't sell any anti-virus or firewall software when people buy Linux."
Chris Mattern
Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.
High-severity security vulnerabilities in 2006
Windows: Q1/2=5 Q3/4=12 Total=17
RedHat Linux: Q1/2=1 Q3/4=2 Total=3
Mac OS X: Q1/2=3 Q3/4=1 Total=4
Now that's a summary I can agree with.
It would be interesting to see a report with the number of consoles in the field (break it out by commercial and private and windows version) and what percentage belong to a bot network. Wishful thinking since it would be very difficult to do.
For the commercial customers, Microsoft has kept that bread buttered. For the private/home customer, it appears to have been less so. We'll see how Vista fares with home users.
Cancel or Allow?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
From 30 Rock: ...
Tracy Jordan: "Dr. Spaceman, is it true that bread eats away at your brain"
Dr. Spaceman: "We have no way of knowing, because the powerful bread lobby won't let me complete my research"
Tracy J.: "Well folks, bread will never maybe attack your brain again"
Seriously, what is up with this article. Is it an attempt at the Jedi mind trick?
Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.
So, where did the numbers come from? The original article makes it sound like Symantec got the numbers by counting the number of patches, but it's worse than that. According to the whitepaper, it's coming from volunteers (page 38): So, in short, Symantec chose the vulnerabilities based on what people in their mailing list told them. Later in the paper, it also discloses that they also got to pick the severity: So, what did they find, using self-generated vulnerability counts and self-generated severity levels? That's right - the one operating system that actually uses Symantec products is, of course, the one with the fewest vulnerabilities and shortest patch times.
Following the "number of patches = number of vulnerabilities" school of thought, though, does lead me to conclude that my Ubuntu box must be highly insecure and buggy - it keeps trying to update some random package or other almost daily!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issuing my challenge. I'm really not entirely sure why...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The RIAA releases a study that proves illegal downloading is the "gateway drug" to violent crime.
Dow Corning released a report that recommends that all women have breasts removed and get implants because the risk of cancer is significantly greater than the risk of the implants.
The US released study proving that the Iraq war has been won and any further battles or deaths are merely a figment of the deranged liberal imagination, as are all other issues of corruption or drug abuse.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I'm reminded of a story someone once gave when talking about issues like this....
Two shipping company owners were talking over drinks one night comparing their businesses. This is the conversation they had...
One: "Last year we only had 3 accidents all year long"
Two: "We had 30"
One: "Wow, that's really bad. What are you doing to fix it?"
Two: "Let me ask you this. How many trucks do you have on the road?"
One: "10"
Two: "I have over 1000"
So sure, "other" commercial apps may have more flaws in a given month. But those "other" commercial apps have 100 times more applications that come packaged with the OS. So, if you do the actual math and come down with the number of flaws averaged against the amount of software packages available with the OS, I'll bet money that you're going to see that MS loses... again.
What a pointless comparison. All that we see is that Windows has finally caught up with other Desktop OSs in security. Desktop systems are insecure, period, so who really cares about which one is more secure. I see that there's no BSD in the list, not a single IBM OS, VMS, or any other Mainframe OS. This report completely fails to illustrate any useful information. Insecure machines can be protected with firewalls which run secure OSs, none of which were in this list (OpenBSD, anyone?). About all that can be said is that Windows has finally found a way to protect itself from the meddling of idiots, at the cost of the most annoying security system ever invented. All that, and I still doubt that any sort of stability could be achieved on a network running these three OSs exclusively, without the protection of at least one OS not in this report.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
More secure than VMS, i5OS, or z/OS?
Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace. Does a bug in VLC equate to an OS bug? How about Firefox? Can it be used to root your system? All grey areas. Given that, the total numbers of bugs are not surprising at all and the low number of high priority bugs is telling to the extent that patch numbers are a valid measure at all. Taking a while to fix higher numbers of low priority bugs isn't a big deal as long as the high priority bugs are dealt with quickly. That would be the obvious follow up question, which they did not apparently ask. Another obvious question is who reported the defects? Are these vendor provided numbers or third party (e.g. CERT) security alerts? Another question no one (except Sun) bothered to ask.
And of course:
As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third parties in response to high-profile vulnerabilities.
As always, the most secure computer is the one that is turned off, and unplugged from the network.
No security model is perfect, but I'd take any *nix for a web facing server any day.
So the little shield appeared on my desktop imploring me to update my XP2 system. Went through a validation check that didn't work with my default web browser (Firefox) because it doesn't support ActiveX controls (duh). The result - a shameless ad for Vista and Microsoft security applications! I keep this windows box to play around on while I dabble in Ubuntu and plan for my next computer - from Apple!
This sort of pointless flamebait article, and the Linux/Mac drivel that's sure to follow, is the reason why I'm this close to deleting Slashdot's feed from my feed reader. No wonder Slashdot is out of fashion now.
Only to idiots, are orders laws.
-- Henning von Tresckow
Wow. Windows 95 must be the most secure OS ever.
I haven't seen any patches for it in ages!
Have you tried turning it off and on again?
Microsoft makes our security software business very secure, says Semantics.
Microsoft has the most secure operating system amongst its commercial competitors.
Hello Captain Obvious - Microsoft has no (viable) commercial competitors.
OS/2 died long ago. Macs don't actually compete with Microsoft (their user base not only doesn't overlap much, but largely counts as antagonistic toward one another). Linux and BSD don't count as "commercial" OSes, however much Novell and RedHat might want to pretend. What exactly does that leave?
Money would have been better spent on fixing the client upgrade for their corporate SAV product. 7+ years and over 4 versions is a bit long.
And before anybody says they've never had a problem: I have and it is not consistent. Symantec support knows about it and they've acknowledged it as an on-going problem. They have tools, public and private, that are supposed to help but they don't always work.
The summary is that over the last 6 months, Windows had the fewest number of bugs (regardless of severity) and took the shortest amount of time to fix them.
a. What is not mentioned is that Windows had the most number of severe bugs. Windows had 12, OS X 1. But it didn't mention how many severe bugs Linux had.
b. Also what isn't noted is methodology. The time between bug and patch is mentioned but not whether time is between the bug being discovered or being announced. With open source, almost all bugs are announced when they are discovered. With closed source, it is not the same. MS has in the past sat on bugs for months, years before announcing them much less working on them.
c. This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn't look so good. Didn't BSD have its 2nd bug in a decade recently?
Well, there's spam egg sausage and spam, that's not got much spam in it.
First, was the scope of comparison unfair? For example, did they include Thunderbird security holes for Linux while ignoring Outlook for Windows?
Second, is RedHat's patch speed representative of the most popular Linux distros? For example, how does Debian's or Ubuntu's speed compare?
Third, when claiming an OS as "most secure", shouldn't a big disclaimer indicate that others such as Debian, FreeBSD, OpenBSD, etc. would probably score higher?
Most Secure of the Following:
Windows Vista
RedHat Linux
Mac OS X
HP UX
Solaris
Yeah, but it's Symantec. I don't know anyone *with a brain* (key point) in the IT biz that trusts those guys anymore. The number of times their "research" and "advancements" have failed and caused my entire campus to go down for days at a time is uncanny. I certainly wouldn't believe that, nor would anyone actually concerned with security engineering.
There's a REASON government offices are banning their products.
So in a few months, how will Vista compare? Will it have to have a lot of patches that take awhile to develop, because it's new? According to this metric, that would make it less secure than XP, contradicting MS's claims. But, hey, maybe it won't need lots of patches, after all.
Stop! Dremel time!
Apparently the Windows machine in question had its power cable knocked out by the cleaning crew about six months ago. . .
I am a believer of momentum and curves.
dick sucking faggots should all move to europe
As others have pointed out: Symantec is in business to sell "security" software for the Windows platform. Nothing more needs to be said in that regard.
Also, as others have pointed out, the metric of "Number of Patches" released is pretty much worthless. If this was a serious security test of Vista, it would have employed port scanners, malicious web pages, and assorted other threats stacked up against a default installation of the OS, on known hardware, with Vista's "security" features enabled in a known way.
For consistency's sake, the same attacks would need to be carried out against default installs of not just Linux, but OpenBSD, FreeBSD, NetBSD, and others. Then, and ONLY then, if Windows came out unscathed ahead of all those others (HA!) could it possibly be considered "most secure."
For that matter, the term "most secure" is meaningless without context. Most secure as a server? A workstation? With what skill level of user behind it?
This study seems to be, as the Immoral Bird might have put it, "lots of sound and fury, signifying nothing."
In fact, if it showed up on Usenet, it would most likely be considered a lame attempt at trolling, and subsequently killfiled.
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies
I think it was in Jan 2004 when Windows 2003 just got really in general release and people started using it. The reps from Microsoft stated they were really focusing on security and he mentioned (I kid you not) that the corporate culture at MS to lean towards usability vs security would be tough to change and it would be like 'turning the Titanic'. Pretty funny.
But the real funny aspect / announcement was that MS was so focused on security that they would really make an effort to issue less security announcements and releases in the coming year. That's right - they decided to use the metric of announcements of security flaws as something they were going to use to measure their security improvements. So, as long as they issue less 'leaks' on the problems, they would be achieving their goals of being more secure.
This sort of 'study' seems to validate the MS thinking. Ignorance is bliss. I think I will go break the fuel gauge on my car so I will never run out of gas and kick the dashboard in to break the speedometer so I will never get a speeding ticket. Woo hoo!
The greatest revenge in life is massive success.
the fewest number of patches and the shortest average patch development time
I think some people might happen to agree on the first part of this claim - although a low number of patches doesn't mean there hasn't been a larger number of problems that should've been patched. The second part... well, let's put it this way, time is relative, thus a period of time might seem shorter to ones than to some others, more so if there's nothing to compare to, which is not the case. So, let's just change that claim to something like a number of patches and an average patch development time.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Since it's so secure, I will stop buying Symantec products on all my 340 Windows equipped computers, such a great OS doesn't need Symantec solutions anymore.
Symantec's net income mysteriously increased by $10 million....In other news, Microsoft's net income shows a decrease of $10 million. Upon investigation of Microsoft's income statement, "other expenses" showed an increase of $10 million...
how does less patches == more secure?
seems to me the opposite would be the case.
Someone else mentioned IIS and I thought it was worth mentioning, apropos of parent's remarks, that it's been years since the last really serious IIS vulnerability. In the last two years or so it actually has a better security record than Apache, especially Apache with PHP installed (Apache of course has a really good security record too, but IIS has been stellar).
Look at Secunia's page on IIS 6.0, which is 3 or 4 years old: 3 vulnerabilities total, all patched and none of them seriously critical.
Have you patched your Norton Antivirus on your Windows servers? If not, you might want to read this http://www.kb.cert.org/vuls/id/404910/.
"Be grateful for what you have. You may never know when you may lose it."
Consider that Symantec already gets plenty of business from Windows users, and will unquestionably continue to do so. Who's not buying Symantec security products? Linux and Mac users. So, march out the report claiming that Linux and Mac are dangerously unsafe.
Symantec says that Windows is the most secure operating system. Why, then, would a windows user buy Symantec's products if that user is running the most secure commercial OS?
How is the number of patches that Microsoft chooses to fix a good metric? I doubt this is the case, but what if the engineers were sitting around saying "holy crap, these problems are all hard! who wants to get some coffee?" and never got around to releasing patches?
Oh, a lesson in history from Mr. I'm my own grandpa.
Remember, this is Microsoft. Ignorance is strength, not bliss.
While I don't think Windows is the most secure OS, it's not fair to compare the number of patches released by a Linux packaging system to the number released by Microsoft for their base OS. The various repositories include every conceivable type of software for Linux and updates for that software while I assume Symantec (no I didn't read the article) is referring to updates just for Windows, not every piece of software on Windows. Your comparison only makes sense if you compare the SUSE repository software updates with every Windows software update.
And not as Funny g'damnit, that's about as concise an analogy to explain this entire article I've seen.
Ice Cream has no bones.
I mean they are basically saying "we're in the wrong business" - great way to drive your stock price down and end up with a whole bunch of investor law suits ....
Symantec has all the street cred of a pimply-faced 17-year old driving his mom's Lexus SUV. Seriously.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
On the face of it, 12 severe for windows and 2 severe for Linux is farking spectacular considering the amount of security review the source code of major application for Linux gets.
A more accurate measurement might be: average time to system compromise / number of attacks.
stop trusting Symantec as well.
Um...they looked at the number of patches released? I don't see how that says Windows is more secure. It just says Windows doesn't patch as much. Which could quite possibly mean it's less secure.
Digg and Slashdot had the same headline on the top of their feed at the same time! With nothing but parrot comments squawking agreement below that on both sites! What was the difference between Slashdot and Digg again? I forgot. Oh, yes, I remember: It's cheaper to buy Digg.
Fuck all you hypocrites.
Say Windows consists of the kernel, the graphical user interface, printer support, file sharing, user/rights management and a few other things built in. If you'd translate that to a gnu/linux distribution like Red Hat, it would be the linux kernel, X, cups, samba, pam and a few other packages. Now did they even think about that or are they just comparing thousands of free software packages with the small number of components that come with windows? Even if they did take it into account, I think the high nr of severe flaws in windows makes it a loser, not red hat or os x.
Everytime you kill a kitten, god masturbates.
Microsoft Windows had the fewest number of patches and the shortest average patch development time
So, Apple took 66 days on average to fix its problems. Only 1 of those problems was serious; the other 42 weren't. The times are averages, remember. Could be that the one serious problem took 5 days and some of the others took 100 days. So what? I think the serious problems usually get handled first, right?
Microsoft had 12 serious problems to fix and 39 overall. Took a shorter time overall because Microsoft also goes after serious problems first. The other problems were put on the back burner.
This makes total sense. The only numbers to take away from this article are that 30% of Microsoft's problems were serious, compared to 2% of Apple's, and 1% of Red Hat's.
This is seriously ridiculous. I mean, the Win OS is so bad it shouldn't even be connected to the Internet when used in military settings ... unless you use the Tubes that MSFT provides for $100,000 a foot ...
-- Tigger warning: This post may contain tiggers! --
They're basing how secure it is by how little it's fixed? Couldn't that just mean that they're not fixing the holes and hoping that nobody will notice them?
It seems this is a biased report. Red hat should have been ranked higher than Microsoft. Maybe Microsoft reached into its limitless reserve and bribed the reviewer into a more favorable report. Well, if you are some Tech guy that needs to make a decision about which OS to use for your company, please for the love of God review everything before submitting your proposal. I would hate for you to have a vulnerable server ready to be exploited.
Every geek has some sort of website, programming or computer project. Here's mine: www.youtasteit.com . What's yours?
Of course Windows is more secure, did you not see the article a few days ago when they said BSD just had a flaw. I mean 2 flaws in a decade why that is one every 5 years. People would complain but it's free. I don't know how they plan to stay in the market with such a vulnerable product /sarcasm
so redhat had 208 bugs? how many of those were in the extra packages that arent part of the base operating system?
last i checked, most linux distributions have a "few" more software packages available than windows comes with
Most secure eh?
Tell that to my mother in law who nearly just had her bank account cleaned out by someone who logged in to it and set up a wire transfer to a fake/genuine account in a neighbouring city.
The bank suspects that a key-logger swiped her bank login details. I'm not surprised, my wife's parents PC has so much spyware and crap on it, I'm surprised it runs at all.
Luckily, the transaction flagged as 'suspicious' and the bank put a hold on it, until she could be contacted.
-- "It's not stalking if you're married!" My Wife.
It makes sense that the best locks were made by the company that makes locks for people who are compelled to live in crime ridden neighborhoods.
Hell freezes over.
I've thought of a new tag to use for situations like these: "chaching"
I don't care. I like Linux. I like it better than Windows. This doesn't mean it is any less secure than it was before this study came out. I am going to keep using it. I don't really care what studies come out about Windows.
My beliefs do not require that you agree with them.
The crackers and virus writers will slowly find it more difficult to target windows and will slide over to Apple and Linux. If that does not happen, then it would indicate that Windows is NOT more secure.
Spammers go on any system that they can. In addition, crackers who are looking for info would pursue servers such as Mainframes and *nix if they could. But as it is, they have focused on Windows because it has been SO damn easy, not because there were more of them. After all, where would you look for money: john doe's PC, or the systems at amazon, Wells Fargo, walmart (note the FAQ on this for those of you not in the know), and sams club? If you cannot get to where the big money is, then you go for the easy money.
I prefer the "u" in honour as it seems to be missing these days.
So Mac OS X, which had only one vulnerability rated high priority and none rated severe, lost to Windows, which had 12? This makes no sense to me. I'm open minded, but this seems like the real surprise is these peoples' definition of "most secure." Mac OS X had more total vulnerabilities, but the vast majority were non-severe, moderate or low priority, compared to Microsoft's offering, more than 25% of whose vulnerabilities were severe or high priority. I'd like to know how long it took Apple to fix its one high priority vulnerability. I'll bet it was fast. Anyhow, this is a crazy analysis.
Currently hooked on AMP
Breaking news: Windows vulnerability allowed a hacker to leak out the stub of Symantec's prepared joke for April 1st.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Tell me again how a more secure Windows OS becomes good news for Symantec.
Because you have to believe Windoze can be secure before you waste money on it or Symantic.
Friends don't help friends install M$ junk.
But you could always try Plan 9 or one of its derivatives. I was always hoping to see that take off.
The strange thing here is that they say Windows has six times as many severe vulnerabilities and conclude "... therefore Windows is *more* secure than Linux".
spyware doesn't count right?
cause I've gotten none in the last 6 months on my linux box.
While my roommate has gotten a shit load on his windows box.
I'm really, really tired of this nonsense. Quite simply, these studies aren't conducted in a scientific manner. While they assess Microsoft's Windows' vulnerabilities, they don't take into account the vulnerabilities in things like ISS, MS SQL, et cetera, because they do not ship with Windows and are reported on forums such as SecurityFocus as different products. Meanwhile, they're including the vulnerabilities of the sum of the components on RedHat and using the same metrics for assessment. I suspect they're doing the exact same for MacOS - granted, I have no personal knowledge of whether or not Apple ships Apache, mysql, and the like with their OS, but I'd give the probability as High - at least significantly more software than is available from Microsoft. Assessing the vulnerability of their respective whole product, without adjusting for the product with the least common denominator (in terms of included software and ability) is, quite simply, dishonest.
The end result is that this is bad press for pretty much everyone but Microsoft. I imagine Apple and the various linux distributions could benefit greatly by making a 'core OS' release, while at the same time including their applications under the same warranty/service agreement, or marketing them as separate products unshackled from the OS, which you could then purchase bundled. IE, "RedHat Server" and "RedHat Desktop", and then you could bolt on "RedHat Web Server", "RedHat Database", etc. so that they could be assessed fairly in these 'studies'.
Question: why was Debian not on the top of that list? From everything I've seen, Debian has the fastest turnaround for patches for system-integral software, or close to it. They easily trump Microsoft in this regard. Yet, their software repository is massive, including most known open source software.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
It amazes me that a company would have the nerve to publish a report like that after the methodology has been so discredited. Who do they think they are fooling?
Friends don't help friends install M$ junk.
This is a little ironic considering I've just scrubbed KB929338 off a bunch of systems that suddenly (after a 3:00 AM drive-by update) started bluescreening and/or refusing to boot. But that probably didn't count as a virus in the stats.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
The audit trail for this year's award for Best Distorting Headline:
However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have
Ahhaaahhaaaaahhaaaaaaaaahhhhaaaaaaa
Guess who wants in on Vista
War is Peace
Ignorance is Strength
Windows is Secure
and
Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.
Mind you, I hear that he is pretty insecure ...
Or for that matter, how about ProDOS for the Apple //e? Well what do you know -- not ONE single security vulnerability found in ProDOS in 2006 -- wow it must be the most secure OS ever!
Sorry, that goes to the preface, not Dennis' 'anti-forward'. It's not available in html online, but it is in the pdf I posted in my parent comment. Apologies.
I'm guessing this has nothing to do with the fact that Antivirus software, as it exists today, has little to no place on the Mac or Linux desktop, simply because the relative need is negated by those systems' inherently superior security mechanisms. By this I mean user accounts without world-write access that aren't completely disabled by default.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Windows - 39, 12 severe, average 21 day fix
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix
I know that Red Hat is patching more than just the OS, we are talking about people who patch little things like gaim or libfoo.so (Microsoft still hasn't patched Office since Feb. http://research.eeye.com/html/alerts/zeroday/20070209.html )
Wow, I don't care what they claim in the report. Hats off to Red Hat!
Bringing liberty to the masses. - http://freetalklive.com/
So what do you think those other 42 vulnerabilities do? Make your Mac smell like sunshine?
Windows has 93.05%* market share. Mac has 6.38%* market share. That means there are almost 15 times the amount of people possibly trying to break Windows security yet it has fewer vulnerabilities and took less time to release patches.
In fact Mac users were left vulnerable on average over 2 months longer than Windows users. This is not a small margin and this is definitely not what Apple's commercials are selling people.
*OS Marketshare
Where is the comparison against OpenBSD?
Change is certain; progress is not obligatory.
It's the humor that keeps me coming back to Slashdot. "Windows is the most secure OS." Straight outta The Onion, guys. I'm rollin' on the floor here.
From the last 6 month period of 2006:
Windows: 39, 12 severe, average 21 day fix
OSX: 49, 1 severe, average 66 day fix
Red Hat: 208, 2 severe, average of 58 day fix
For the first 6 months of 2006:
Windows: 22, average 13 day fix
OSX: 21, average 37 day fix
Red Hat: 42, average 13 day fix
So, it seems you confused the two periods a little.
Also in the article:
The number of patches means nothing. I remember when my kids were preschool age and they thought if they had more coins they had more money. Just before that age many kids think if they break a cookie in half they double the number of cookies they have.
So you want an "In Soviet Russia" joke? They used to assign a quota to steel mills that was to produce so many tons of steel per year. As you would guess, the mills produced mostly thick plate and very little sheet metal. On the other hand, glass factory output was measured in square meters, so they made very thin glass.
So if we start measuring security in terms of the number of patches people will find very stupid ways to score high.
The only reasonable way to measure security is in terms of real world failures. How often does a user get one of those stupid pop-up ads or a virus or whatever.
All you have to do is max out the firewalls and not allow anything to be installed. If you are still having problems just disconnect it from the internet. Turning it off makes a Windows machine even more secure.
Let's multiply the number of vulnerabilities by the average number of days unpatched.
Windows: 819 unpatched-days
Mac: 2,838 unpatched-days
Let's say that each "severe" vuln. is 5X as bad as a non-severe vuln. Here are the new numbers:
Windows: 1,827 unpatched-days
Mac: 3,102 unpatched-days
Windows still blows OSX away.
You act like you don't care about how long your system remains vulnerable. In a world where no security patches are ever created, yes, the only thing that matters is how severe the holes are. But frankly if I had an OS that had 200 "severe" vulnerabilities and each was patched 1hr after they were discovered, guess what? That OS would be the most secure. The simple numbers indicate that OSX remains vulnerable almost twice as much as Windows (even after weighting the severe vulns 5X).
Why was it important to state that "Symantec [is] no friend of Microsoft"? Was it to make Symantec's claims more approvable? That article seems a bit biased. If windows had the fewest number of patches, could it simply be because it's closed source and vulnerabilities were just not found but are still there? Shortest time to develop something doesn't necessarily mean that a proper job is done. "no, security, defectivebydesign, microsoft, windows" seems right, although strange use of commas.
Q: What exactly does the speed and number of patches that Microsoft issue have to do with determining the actual security of a system?
A: Nothing.
I'd be more impressed with any sort of figure based on the number of actual detected backdoors and intrusions.
...so the *least* number of patches indicates the more secure OS???
The OS that gets repaired the least...?
That the OS with the most viruses to worry about, is also the one that spends the most time working on virus protection? That's bloody amazing!
Maybe the problem is not Windows vs Linux vs Macintosh. Maybe the problem is journalist baiting.... (Everyone wants to be "Alan Berg.") I don't know which OS is most secure. But after reading this goob, passing for journalism, I don't know any more. I do know my experience with my OS of choice and it does not match the "information" in this article.
Absolutely pathetic. This is one of the worst security articles of all time. Setting up an argument with questionable data and posting it for attention.
A matter of simple computing evolution...
MS has taken the biggest hit and done some of the stupidest things when it comes to enforcing OS security.
Take WinXP, the NT security is rather good, but not enforced so MS screwed their users and let developers cross boundaries by not understanding security. Hence XP started out as a security nightmare to the point MS pulled development on Windows 2003 server to reorganize with a security first model.
Mistakes MS have made in strange ways helped the entire industry, at the very least as an example of 'how not' to do things in an OS. So when IE or XP would get hit with exploit, a lot of these exploits had potential to exist in other OSes and browsers. MS gets the lumps, and everyone benefits to ensure they don't do what MS did wrong.
However, there comes a point when known vulnerabilities decrease rapidly. And this is what is happening here.
1) MS has gotten better about security, better code, better compilers, better implementation.
2) Known categories of exploits are better known now than ever.
3) Apple took some hits this last year with some of their arrogance, their ads were the equivalent of Bush saying 'Bring em on'.
So as all OSes are closing in on an optimal level of security, the amount of problems to be found will continue to decrease. Not only in Windows but all OSes.
Also, as new general categories of how to exploit computers are found, they will have less of an impact as people are now paying attention, even MS.
Apple will have a few bad months ahead still, as they currently don't have the security focus yet that they need to, because they put too much stake in the BSD foundation but overlook the actual Mac code running on top of it. (Very much like MS was with NT in the 90s, as its security was far above consumer versions of Windows and like OSX immune to many of the 'common' exploits of the time. So just as NT learned its lesson that Win32 needed to be super secure as well, OSX will need to comb through a lot of the upper layers of OSX.)
I do think Apple is getting this, so just give them a few months or a year and their numbers should be back to the norm for patches and exploits and once again be in line with all other OSes.
The bad news about the capping of exploit concepts is that MS probably will continue to remain competitive with a low number of exploits, just as all OSes are maturing to the same levels of security. This means running MS OSes won't be a security concern in the future, and the advantages of using previously more secure OSes will no longer be a great reason to move from MS to these platforms.
MS was a lot slower than they should have ever been, especially with XP. Vista shows a lot of signs of MS 'getting it' to also help against the social engineering exploits as well as fundamental changes in the way Vista works. XP SP2 did a rather good job of stopping the Windows Security leak in the boat as the number of patches since it was released have kept decreasing in mass amounts. Also the work from Windows 2003 server security refocus helped XP SP2, as well as made Windows 2003 server the most secure server OS MS ever produced.
And if everyone keeps paying attention, to not only their own OS projects, but exploits found in other OSes, there is no reason everyone shouldn't be able to keep ahead of the curve for the first time in mainstream computing.
Symantec is a company that lives from the customers' need to patch with 3rd party products the holes of the operating system.
Knowing what pays Symantec's profits, let's have a look at the potential market:
- Are Linux users likely to buy Symantec Software?
On average, clearly not. For one thing, they'll rather use open source tools for their security needs. The other thing is that the security architecture of Linux makes many attack types impossible that are common under windows.
- Are Mac users likely to buy Symantec Software?
On average, clearly not. St. Jobs preached to them that their OS is unbreakable and thus they don't feel the need for 3rd party security software like Symantec's stuff
- So who's buying this stuff?
Windows users, because they live under the constant fear that their system can be 0wn3d by a h4x0r. They distrust Microsoft and thus buy Symantec stuff.
-So What would happen if the windows users switched to Linux or Mac OS X?
Hard times for Symantec, they'd sell much less of their stuff.
-So what is Symantec's interest?
To keep people under windows. So on one hand, Symantec tells them "your windows is unsafe, you need to buy our products" and on the other hand: "don't you dare switch to an os where you wouldn't need our products. because, ahm, ahm, they're even less secure than windows !"
...is that they studied HPUX and not AIX....
the reason nobody hacks AIX is that without smitty nobody can use it.
The problem with Windows security isn't about the OS, it's about the tech IQ of its users. Sit that same dumb office drone in front of a Linux desktop and he/she/it will find a Linux email virus... SOMEWHERE!
On the other hand, take a brilliant coder/admin/all-around-fantastic-techie such as myself, and watch me use Windows with skill and grace... no virus or spyware scanner in sight, yet my machine is clean and exploit-free. I rely on Microsoft to keep their shit code clean, and I rely on myself not to do stupid things.
There is nothing in the world that can protect stupid users from themselves.
-Billco, Fnarg.com
I think that a better metric to determine the most secure OS, would be to count how many companies earn money by writing code to work around the security problems. Companies like Symantec, Norton Antivirus, etc.
If the OS has enough security problems that a large number of companies can make a profit in this manner, then I wouldn't consider it secure. Or, you can use dollars earned by the antivirus companies for each OS.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Is the fact that people release such a report funnier than the fact that many people will believe it?
:)
I'm the kind of guy that has on his private network a physically passive sniffer running OpenBSD ("physically" as in "it is physically impossible that information leaves the sniffer and goes on the LAN, for the sniffer is behind a one-way tap/cable").
I run Linux for my servers and my workstation but I don't have that many nice things to say on most Linux distros and how Linux is usually configured by default (and actually I've got some pretty nasty things to say about several of the four 'LAMP' letters, which I consider a quite mediocre setup from a security point of view).
But when was the last time I was reading here about that Windows Gozi trojan that went unnoticed for 3 months from dec 2006 to feb 2007? Infecting how many systems? Stealing how many confidential (medical etc.) data? What's that spam problem yet? Those botnets of countless Windows machines? Those reports stating 1 out of every 5 Windows system is considered to be rooted?
Windows the most secure OS? People still dare to write such reports and other people still believe that?
I find it really funny
Symantec et al. have absolutely no motive to promote an actually secure operating system. If there was some hypothetical future version of Windows written by the magical code fairies that was actually secure, they would go out of business.
But hey, Windows Vista is way more secure for your bank account.
Symantec Decides to Close Shop, after finding that there are no serious vulnerabilities in Windows (their bread-winner) and other commercial operating systems in the market. I wonder why they still continue to release "System Guard", "Symantec Antivirus" and other products for this platform after their study has shown that there are no more critical flaws.
Seriously, Is Symantec intending to close shop? Publicity is good, but this is terrible.
No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
Personally I feel that the total # of bugs reported is a pretty meaningless statistic - after all, we don't know what % of the total population they represent - but I do find the ratio of severe / total for each OS to be interesting:
- for Windows, there is a 12/39 = approx 30% chance that if you find a bug, it'll be "severe" (whatever that means)
- for Mac, there is a 1/49 = approx. 2% chance that it'll be severe
- for RHEL, there is a 2/208 = approx 0.9% chance that it'll be severe
Or, Windows is 15x more likely to have a severe bug than a Mac which is 4x more likely than RHEL (and, Windows is 60x more likely than RHEL).
So, before we start trashing Symantec... Has anyone actually read the threat report? I didn't see anywhere that they ranked the Operating Systems in order of Most to Least secure. Also, the report makes no claim that Windows is the most secure. The Article by Internetnews says that, not Symantec. I mean, if I'm wrong, please point out where it says this in the actual report.
If I make a report that says 5000 people die in swimming pools every year, and 100 people die from base jumping, that doesn't mean I am saying that swimming is more dangerous than base jumping. If internetnews comes along and says that, well, that's their misguided interpretation.
The report gives the facts. The article takes the facts and manipulates them to say something that isn't implied. Only an idiot would make those conclusions.
A more accurate measurement might be: average time to system compromise / number of attacks.
Any real world test would be better than this silly patch counting, but the number usually reported is time to ownership. People don't really care about how many attempts it takes to break a system as much as they care about how often they need to do things. It might take an attacker 100,000 tries to brute force a password, what matters is how long it took. The trick is to make sure your network looks like a typical network and to describe those conditions so others can compare.
The usual result of tests like that is that Windoze machines are taken down in as little as four minutes with a half life of 12 minutes. Red Hat, out of the box, takes three or four months.
The Honeynet Project has all sorts of studies to further enlighten you. The bottom line is the result: More than 25% of Windoze computers are part of a bot net that's screwing everyone. It happens faster than you can download patches that won't really do you any good anyway.
Friends don't help friends install M$ junk.
No, here's how the discussion goes.
Every other OS is laughing loudly because we've never had to rebuild entire systems from a stack of CDs, a really fast connection and a long list of 25 digit codes, frequently caused by the ravages of one or more of the tens of thousands of viruses and trojans or what have you. Right now I know a number of people who are rebuilding servers and streaming audio servers from the attack of a virus. What are those systems? All of them Windows.
Windows is the only OS that I know that mimics organized religion.
The lowly parishioners blindly follow the priests. They genuflect on command and don't understand anything about the workings or its leaders. You can change them but you have to ride in on horse back and slaughter most of the village first. The Priests all have an interest in keeping things the way they are as they have invested a lifetime reading partial code or documentation only to find god is dead. The High Priests know how bad things are but have all signed NDAs and refuse to talk about it. And God? Enough about him.
--More people are forced to use Windows than any other operating system.
Lets see... looks like $ymantec is sucking up to M$ again... what crap. $ymantec wants to be the third party security hack and have its hands in M$ kernel... which is bogus from all security standpoints... so they hype up M$ as the *most* secure OS out there... GIVE ME A BREAK!
Ichthus
I'm certain that Microsoft is doing a much better job now with security than they have in the past, but this "study" sure doesn't support the headline.
Your Servant, B. Baggins
MS-Windows XP (home or Pro - SP2 only?)
MS-Windows Server (2001 or 2003)
MS-Vista (Release or Beta)
(remember NT, 98, 96 are all unsupported and will never be patched)
Compared to which version of OS-X?
Compared to which version of RedHat?
Point is that XP is about to be superseded by Vista. XP is at the end of its lifecycle - compared to OS-X (Tiger) which is more recent. Software that is nearer the end of its lifecycle should be more mature and have a need for fewer patches.
-CF
...will point out that the number of flaws found is not a reliable measure of how secure an OS is because it depends on how hard you looked and how easy it is to find flaws for a given OS. For example having access to the source code will undoubtedly make it a lot easier to find flaws but Windows probably has more people looking.
Cooking the numbers does not change reality one bit. Count the total infected machines on the Internet then divide by the total number of that type of OS and see who is more secure. Of course just detecting a rootkit installed on a Windows box will cause you problems because there are a lot out there with no way to even detect them yet. Yea, like I am going to believe a virus scanner company's stats that can't even detect an infection! Go figure.
Information Week use F5 Big-IP servers and Apache?
Everyone knows that Windows is insecure--no report will really change that piece of zeitgeist. However, this report indicates that everyone else is even more vulnerable.
This line of argument doesn't discourage users from needing anti-virus on Windows, it's just trying to encourage the purchase for other platforms. Symantec wins both ways.
Symantec has been rambling nonsense about how windows and proprietary software are more secure for a couple years now. How long ago was their last shocking report about how insecure open source and linux are?
Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS. They are tied to the platform. Not to mention they are an anti-virus company and windows is the only platform with a large enough virus problem to keep them in business. If any other platform came to dominate the market Symantec would be out of business.
Other than that, they aren't biased at all.
I want some of whatever they are smoking.
"Better delusions through chemistry", as they say.
I'm surprised no one has bothered to point out the fact that it is in Symantec's interest for people to use windows. They don't sell their products to *nix/OSX users.
So they say Windows is more secure to convince a few gullible people to buy into the platform. Then those sorry souls who believed them get infected and end up needing an antivirus product (if they haven't bought one already). Oh, gee.... look who they might go to with their cash at that point.
Why is the former better than the latter? If the right "maliciously crafted qt movie" gains elevated privileges, doesn't the severity depend on what it does with those privileges? If it uses its newfound ability to run code, the right code will be every bit as damaging as a buffer overflow in the TCP/IP stack. It might be a little more work for the individual creating the exploit, but does the amount of work needed to create an exploit really matter to the exploited system? Easier exploits have a larger community of people who could potentially exploit them, but if you're exploited, that no longer matters. Just a thought...
Oh, yeah, that's right *it doesn't exist except to protect Windows boxes*. You know, when reality is in total opposition to your theory and/or study, maybe there is something wrong with your methodology? Is it possible that you just aren't measuring the right things? Because if Symantec is right, they are missing a huge market opportunity. On the other hand, given AV companies' history of alarmist headlines, perhaps they are trying to create a new market to replace the old one that Microsoft is eating for lunch?
Isn't Windows insecure by design?
Slashdot = Sarcasm
I'm not sure I get what you infer. Are you saying there should be a statute of limitations to the idiocy of your average /. user?
when someone tells that Windows is safer than Mac OS and RedHat the most possible thing happened is that he maybe get some boxes and he made himself a good parrot for the benefit of Microsoft. The truth is not only for security but for major things (like windows and multiprocessing) are stolen from Mac and Linux... Bill and all the people using MS Windows must drink for the health of Apple because from this company are stolen all the goods of windows made by MS and all the goods of multi-user and multi-process are stolen from Linux. This is the only truth and all the other is paid parrots...
;-)
Thanks
*You are about to read a slashdot article, deny or accept*
Accept
My Vista OS is so secure! I haven't had any viruses yet! You could ask more out of an OS right?
*You are trying to reply to a slashdot article, deny or accept*
Accept
UbuntuDupe is a well known troll. He is trying to get karma so that he can troll some more. Don't fall for it.
The thing about Linux distributions as a whole is that you have the option during OS install about what packages you want to install. This means that if security is a concern, you can go through the package selection during the OS install, and pick what you want to install in the first place. This means that for those who do this, if you don't need a mail transport agent on the machine, you have the option to leave it out in many cases. By limiting what packages you install on the machine, security can improve.
Debian as a good example of this breaks up the distribution into different categories, from base packages (the required stuff), to optional. If base has a security bug, there is a patch for it VERY VERY VERY quickly in most situations. If it is an obscure package, then it may take longer to be patched, but at the same time, because it isn't in "base", not everyone will have that package installed, so its impact can be questioned.
If you go with a default package selection for what you want to use your machine for, then there WILL be a bunch of packages installed as a part of that set. Again though, that doesn't affect everyone with that distribution, just those who go with that type of install.
Microsoft doesn't provide the option during install to select what we want or don't want installed. If it is a desktop machine without a wireless card, Microsoft will not only install the Wireless Zero Configuration service, but will turn the thing on. If there is a security hole in it, even those who shouldn't have to care will need to be concerned.
So, if you run Linux, and you don't install a web browser, then you will be free of any "critical" bugs that may be announced for the web browser in question. So, even if you have Redhat and there is a critical bug announced, there is the potential that it won't apply to everyone who has a Redhat based system.
I make a living resetting passwords and permissions. Recovering data from "encrypted" partitions under Windows. Removing McAfee and Symantec products that corrupt and slow down systems.
We all know the "most secure" statement is bull. It's just a shame they didn't focus on educating their customers on good habits instead of reassuring them it's "secure"
Dude, saying that makes you look like a compleat mouthbreather. One who is trying to be funny, and failing.
Speaking of Usenet, how is NANAE these days?
Commercial OS vendors: where are Sun (commercial *nix), HP (commercial *nix), IBM (AS/xxx & OS/2)?
Or was this meant only for desktop services. In which case RHEL should be discounted because it is more geared towards server usage than the desktop.
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
In reality, the problem with counting the number of vulnerabilities this way is silly. Technically, we will never know all of the vulnerabilities of Microsoft products. What I mean is, when you install that SP or patch you only know SOME of the things it's fixing. How many times in the IT world have we installed a patch or whatever and something else totally breaks, totally unrelated, totally not documented. Tell me again why an Office update needs to update the TCP stack without telling me? etc. etc. etc.
A lot of security holes are worse than they should be simply because people don't understand, or find it inconvenient to run at a lower privileged level. Most Unix vulnerabilities are going to be contained by the user that they are run under. For me personally, I run "every" service in a jail separate from the host environment. I can do this from read only images, or mounted directories, and preserve write privs to JUST the jail. If the jail gets attacked, I can just restore it from one of the backed up images I make of it nightly. With Windows, you don't have this kind of separation where an app can be run outside of the host environment. With Windows also, most users run as an admin user with or without knowing it. This makes small attacks that could be reduced to virtually nothing a real serious issue as it has complete control now. Vista was a step in the right direction as far as users running with escalated privileges, but it has already been shown that there are ways around those warnings and that they 'COULD' be faked. Another problem is the users themselves. You can have the most secure OS in the world, but your weakest link is always going to be the user. Does it matter if you get a popup saying "STOP! you are about to install a virus that will cause death and mayhem across the world, and release nuclear munitions into the air with unknown targets!!!" if the person doesn't even read it and clicks the OK button out of habit? Most Unix users are Unix users because they know it and took the time to learn something. They also are mostly aware running as root for your user is dangerous. Most Windows users can't be bothered to type in a password, or be bothered actually researching an app before installing. Security is only as good as the mentality of the users, and Windows doesn't instill that mentality thus reducing it in my eyes to a much lower position of security.
Windows security is baked-in, so you get that fresh baked security goodness...
I lost my sig...
- created an anti-virus signature that filled up your hard drive with DIR000?? folders
- has such tenacious application installs it usually takes a reformat to get them removed
- recognizes other anti-virus applications as virus activity
- purchased Ghost a few years ago and has yet to move it forward AT ALL.
- purchased Veritas last year (maybe 2) and has nearly halted all progress on that product.
Yeah, Symantec knows what it's doing.
The missus' box got to the point where it was literally unusable - boot-up took at least 5 minutes, and never quite got to a stable state where you could open anything useful. Pulled off all Symantec crap (and a few rubbish utilities she'd installed) and behold! The damn thing works like it did when it was first built.
I don't know much about AV - I leave that to the software - but I know that rendering a perfectly decent computer unusable is an unacceptable irony. (AVG works like a charm, btw).
Meta will eat itself
I searched the CVE and found the following results within the same time period that Symantec did their report:
HP-UX 14 vulnerabilities
OS X 5 vulnerabilities
Microsoft Windows 59 vulnerabilities
Solaris 8 vulnerabilities
A search of US-CERT produces the following results:
HP-UX 14 vulnerabilities
OS X 1454 vulnerabilities
Microsoft Windows 459 vulnerabilities
Solaris 28 vulnerabilities
These were the exact terms I searched
Now think why a security company would overinflate that amount of vulnerabilities that have been found in various operating systems, perhaps because they sell security products and it is in the interest of their business model?
Or translated into common language: "We at Symantec make more money selling software to plug Windows security holes than any other platform. Please buy Windows, we really like it." :)
"A cynic is what an idealist calls a realist" - Sir Humphrey Appleby
...the most feared words in IT Support, when on the topic of security and viruses, "but I have Norton!" Can't tell you how many times I hear that from customers/clients who bring me PCs riddled with common and some not so common viruses that virtually any other AV software would have stopped at the door. Not to mention that removing Norton is nothing short of an exercise in futility. Which I guess brings the biggest question of all... how is Symantec (creators of Norton) able to comment on security, when its own security software is a known security issue?
Ever heard of IRC botnets, twitter? Ones that tend to run on *nix shells using eggdrop and such? They're pretty large, by most measures.
IRC is a communications channel, not a disease vector. Infected Windoze computers log onto IRC so they can be controlled. It's a way of disguising the controller's identity and I'm sure there are better ways by now.
eggdrop, from what I remember from telephone modem days, was a program that echoed nonsense into IRC channels so the phone company would not hang up the line.
Do you have any real gnu/Linux infections you can point to?
Friends don't help friends install M$ junk.
... since I just read the other day that Windows Vista already is susceptible to about 230,000 bugs, viruses and spyware, Linux (the article didn't mention which distro) had about 700 and Macintosh OSX had "less than seven" known ones that were difficult to implement.
If having 230,000 holes is considered "more secure", the other operating systems better get on the stick and introduce more holes into their security so that they'll be more secure than Windows... wait... that didn't make any sense.
But it does make you wonder who paid for this study.
You mean people actually BELIEVE these ratings issued by a company that has a vested interest in selling security software? Obviously, Symantec is still keen to spook Mac and Linux users into buying its redundant software.
It took about 1/2 hour to stop laughing at this one.. Seriously the guy who claimed this at Symantec understands what he said? (I wonder how much he got paid to say it).
I am sorry, but the security flaws for RedHat include "ALL" software packages. The majority of users do not have most of these packages installed unless they know how to "rpm -i" or "rpm -U" from media. Even those of us who do, would only have some of those packages installed. I for instance may have to watch for a MySQL bug, but I don't care about a Postgres bug because I don't have it installed.
Sure, RedHat notification covers all products too, because they do not know what the end user will decide to use.
It's really sad, but Redhat and other Linux distros may have to look at how they broadcast bugs, fixes, and notifications simply to shut up the M$ leg humping squads.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
It's about time Microsoft get recognized for this, especially since they skipped their last Patch Tuesday and all. Doing that didn't skew the numbers at all, I'm sure.
Why do they measure the number of fixes rather than the number of problems?
Something to do with productivity - let's see...
From a Real World perspective - if there are 10% fewer vulnerabilities in an MS Windows system and they are cleared up twice as fast but Windows is used on 90% of the desktops, this still means 90% of the spam mail I get comes from Windows Zombie networks. Makes no difference to me how secure Windows is. I care about issues like these:
When will the existing Zombie networks be disabled?
When will the vulnerabilities that allow new Zombies to be created be fixed?
Windows *needs* to be more secure than all the other less pervasive platforms - trouble is it needs to be *much* more secure than them and it is nowhere near secure enough to mitigate the problems that it is continuing to cause to productivity and resource availability.
That is what the only person I knew to use egg drop ever did with it. He was and still is a M$ user. Looking up eggdrop was fun, but it did not find the runaway gnu/linux virus you claimed it was. Have you found any of those outside a lab yet?
Friends don't help friends install M$ junk.
On the bottom of page 39 they define the Red Hat operating systems as: "Red Hat Linux (including enterprise versions and Red Hat Fedora)" No wonder it came out with the most vulnerabilities. One vulnerability would be counted 7 times (RHEL 2.1, 3, 4 and Fedora 3, 4, 5, and 6) instead of the one instance it should have been counted as. I don't understand why Fedora would be lumped under the Red Hat flag either. It's obviously going to have more vulnerabilities simply because it has code that's closer to the cutting edge. Red Hat waits for Fedora to flush out many of these types of bugs so they can offer a secure OS to its customers. Secondly, Red Hat doesn't offer support of Fedora and doesn't have an obligation to release patches for it. Counting those numbers in their totals really skews the counts.
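The counting concern raised in the comment above (one flaw tallied once per release), together with the earlier point in the thread that only installed packages matter to a given machine, can be made concrete with a short script. This is an added example, not part of any comment in the thread; the advisory rows and `VULN-000x` ids are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample data: advisory rows as (vulnerability id, release, package).
# The VULN-000x ids are placeholders, not real CVE numbers.
RELEASES = ["RHEL 2.1", "RHEL 3", "RHEL 4",
            "Fedora 3", "Fedora 4", "Fedora 5", "Fedora 6"]

ADVISORIES = (
    [("VULN-0001", rel, "mysql") for rel in RELEASES]          # one flaw, 7 releases
    + [("VULN-0002", "RHEL 4", "postgresql"),
       ("VULN-0002", "Fedora 6", "postgresql")]
    + [("VULN-0003", "Fedora 6", "firefox")]                   # Fedora-only flaw
)


def raw_count(advisories):
    """Every (flaw, release) row counts once: the inflated tally."""
    return len(advisories)


def unique_count(advisories, keep_release=lambda rel: True):
    """Distinct flaws, optionally restricted to some releases."""
    return len({vid for vid, rel, _pkg in advisories if keep_release(rel)})


def applicable(advisories, release, installed):
    """Distinct flaws that touch one host: its release and installed packages."""
    return sorted({vid for vid, rel, pkg in advisories
                   if rel == release and pkg in installed})


if __name__ == "__main__":
    print("rows (per release):   ", raw_count(ADVISORIES))
    print("distinct flaws:       ", unique_count(ADVISORIES))
    print("distinct, RHEL only:  ",
          unique_count(ADVISORIES, lambda rel: rel.startswith("RHEL")))
    print("RHEL 4 host w/ mysql: ",
          applicable(ADVISORIES, "RHEL 4", {"mysql", "openssh"}))
```

With this constructed data, ten advisory rows collapse to three distinct flaws, and a single RHEL 4 host that has MySQL but not PostgreSQL is exposed to one of them.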
Basically Microsoft decided to build NT as an open system (meaning standards-compliance especially with the standards of the Open Group). Some of the standards (POSIX, for example) were only barely usable, while others (DCE/RPC) became the basis for everything. At the same time, Windows uses Kerberos on Domains by default, so they never implemented the security part of the spec.
DCE/RPC underlies all DCOM calls. And OLE is built on DCOM. Note that this means that you cannot turn this network service off. If it breaks, so do all manner of other things (like, for example, parts of the control panel, the clipboard, and the like). So essentially everything in Windows goes through a message bus with inadequate security.
Firewalls only buy you so much when you are up against this.
LedgerSMB: Open source Accounting/ERP
Yes but... the test was devised by the number of hacks for the OS and the number of days it took to fix them, and Macs only had one but it took them 60-something days to fix them.
*** The Reaper Of Souls ***
I'm sure that begs a question, but I'm not sure which one.
Most of the security of a system is in user (administrator) use and configuration.