Surprise, Windows Listed as Most Secure OS
david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."
This discussion will go as follows.
Linux geeks will pound the boards about foul play and all the vulnerabilities they would exploit if they weren't too busy checking dependencies.
Mac fanboys will make fun of both citing how Symantec didn't like them in the first place, because Mac people don't buy Symantec products.
Windows geeks will state how this has always been the case, but because they are the more popular OS they are a bigger target.
And finally the old unix guys will flame about how none of these vulnerabilities would have happened if we would have stayed away from GUIs.
So now that we have got that out of the way we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up? Personally as a network admin I have not been too nervous the last 6 months. Since the year of the blaster MS has done a pretty good job of making up for exploits and covering their asses. All is quiet on the homefront.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
Wait...I'm supposed to think that fewer patches makes for a safer operating system?
It's a blue screen that tells you
IRQ_NOT_LESS_OR_EQUAL
never been infected while I've seen that on my screen
even in Vista !
The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.
"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems" = "Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a small number of patches, from possibly an unknown number of undiscovered vulnerabilities"
Read radical news here
Surely you've jumped the gun. This is March 22. April 1st isn't for a few days.
After all... who needs to buy security products for the most secure commercial OS available to mankind?
If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?
What is this, 3rd grade?
I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!
Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].
I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.
Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].
"Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"
I fail to see how this makes Windows more secure than Mac OS X.
Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.
Patch release count is probably the worst security metric that you could come up with.
Competition Good, Monopoly Bad.
Steve Ballmer's chair throwing corps makes sure they get good reviews.. or else.
"Snatching defeat from the mouth of victory on a daily basis."
*Symantec* released the report. How many products does Symantec make for non-Windows OSs? Or was their research "Windows XP with Norton Internet Security Suite 2007 installed"?
This is not news. This is a Symantec marketing campaign disguised as a press release disguised as a research report.
Never mind the false conclusion that fewer patches = more secure. Never mind that both OS X (which had MOAB) and RHEL both include a lot more software than the base OS for Windows.
The road to tyranny has always been paved with claims of necessity.
Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.
Congratulations all around Microsoft.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".
And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."
I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.
Read Pynchon.
It's interesting to note that OS X had 43 vulnerabilities (1 severe) while Windows had 39 vulnerabilities (12 severe). So Windows had more big threat security holes than OS X by 12 times. Maybe OS X's average patch time is higher because the vulnerabilities they had were less important to patch?
Mod me up, mod me down, do your worst you modding clown.
In MY day, we toggled programs into the front panel with SWITCHES, and we LIKED IT! Now get off my lawn, you damn kids.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The interesting questions are:
If I've carefully kept up with updates on my servers, what percentage of the time have my machines been vulnerable?
What is the statistical probability that my servers will be broken into? Surely we can get pretty good data to answer this question.
Ask these questions for:
- RedHat with everything installed
- RedHat with minimal packages for running a web server (no gui, etc)
- Windows (gotta have that GUI!)
- OSX (ditto)
"The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."
Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says: and: So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publicly disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.
Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.
"We don't sell any anti-virus or firewall software when people buy Linux."
Chris Mattern
Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.
High-severity security vulnerabilities in 2006
Windows: Q1/2=5 Q3/4=12 Total=17
RedHat Linux: Q1/2=1 Q3/4=2 Total=3
Mac OS X: Q1/2=3 Q3/4=1 Total=4
Now that's a summary I can agree with.
Cancel or Allow?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.
This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issuing my challenge. I'm really not entirely sure why...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
What a pointless comparison. All that we see is that Windows has finally caught up with other Desktop OSs in security. Desktop systems are insecure, period, so who really cares about which one is more secure. I see that there's no BSD in the list, not a single IBM OS, VMS, or any other Mainframe OS. This report completely fails to illustrate any useful information. Insecure machines can be protected with firewalls which run secure OSs, none of which were in this list (OpenBSD, anyone?). About all that can be said is that Windows has finally found a way to protect itself from the meddling of idiots, at the cost of the most annoying security system ever invented. All that, and I still doubt that any sort of stability could be achieved on a network running these three OSs exclusively, without the protection of at least one OS not in this report.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
More secure than VMS, i5OS, or z/OS?
Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace. Does a bug in VLC equate to an OS bug? How about Firefox? Can it be used to root your system? All grey areas. Given that, the total numbers of bugs are not surprising at all and the low number of high priority bugs is telling to the extent that patch numbers are a valid measure at all. Taking a while to fix higher numbers of low priority bugs isn't a big deal as long as the high priority bugs are dealt with quickly. That would be the obvious follow up question, which they did not apparently ask. Another obvious question is who reported the defects? Are these vendor provided numbers or third party (e.g. CERT) security alerts? Another question no one (except Sun) bothered to ask.
And of course:
As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third-parties in response to high-profile vulnerabilities.
As always, the most secure computer is the one that is turned off, and unplugged from the network.
No security model is perfect, but I'd take any *nix for a web facing server any day.
Wow. Windows 95 must be the most secure OS ever.
I haven't seen any patches for it in ages!
Have you tried turning it off and on again?
The summary is that over the last 6 months, Windows had the fewest number of bugs (regardless of severity) and took the shortest amount of time to fix them.
a. What is not mentioned is that Windows had the most number of severe bugs. Windows had 12, OS X 1. But it didn't mention how many severe bugs Linux had.
b. Also what isn't noted is methodology. The time between bug and patch is mentioned but not whether time is between the bug being discovered or being announced. With open source, almost all bugs are announced when they are discovered. With closed source, it is not the same. MS has in the past sat on bugs for months, years before announcing them much less working on them.
c. This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn't look so good. Didn't BSD have its 2nd bug in a decade recently?
Well, there's spam egg sausage and spam, that's not got much spam in it.
As others have pointed out: Symantec is in business to sell "security" software for the Windows platform. Nothing more needs to be said in that regard.
Also, as others have pointed out, the metric of "Number of Patches" released is pretty much worthless. If this was a serious security test of Vista, it would have employed port scanners, malicious web pages, and assorted other threats stacked up against a default installation of the OS, on known hardware, with Vista's "security" features enabled in a known way.
For consistency's sake, the same attacks would need to be carried out against default installs of not just Linux, but OpenBSD, FreeBSD, NetBSD, and others. Then, and ONLY then, if Windows came out unscathed ahead of all those others (HA!) could it possibly be considered "most secure."
For that matter, the term "most secure" is meaningless without context. Most secure as a server? A workstation? With what skill level of user behind it?
This study seems to be, as the Immoral Bird might have put it, "lots of sound and fury, signifying nothing."
In fact, if it showed up on Usenet, it would most likely be considered a lame attempt at trolling, and subsequently killfiled.
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies
I think it was in Jan 2004 when Windows 2003 just got really in general release and people started using it. The reps from Microsoft stated they were really focusing on security and he mentioned (I kid you not) that the corporate culture at MS to lean towards usability vs security would be tough to change and it would be like 'turning the Titanic'. Pretty funny.
But the real funny aspect / announcement was that MS was so focused on security that they would really make an effort to issue less security announcements and releases in the coming year. That's right - they decided to use the metric of announcements of security flaws as something they were going to use to measure their security improvements. So, as long as they issue less 'leaks' on the problems, they would be achieving their goals of being more secure.
This sort of 'study' seems to validate the MS thinking. Ignorance is bliss. I think I will go break the fuel gauge on my car so I will never run out of gas and kick the dashboard in to break the speedometer so I will never get a speeding ticket. Woo hoo!
Since it's so secure, I will stop buying Symantec products on all my 340 Windows equipped computers, such a great OS doesn't need Symantec solutions anymore.
Symantec's net income mysteriously increased by $10 million....In other news, Microsoft's net income shows a decrease of $10 million. Upon investigation of Microsoft's income statement, "other expenses" showed an increase of $10 million...
Someone else mentioned IIS and I thought it was worth mentioning, apropos of parent's remarks, that it's been years since the last really serious IIS vulnerability. In the last two years or so it actually has a better security record than Apache, especially Apache with PHP installed (Apache of course has a really good security record too, but IIS has been stellar).
Look at Secunia's page on IIS 6.0, which is 3 or 4 years old: 3 vulnerabilities total, all patched and none of them seriously critical.
Symantec says that Windows is the most secure operating system. Why, then, would a windows user buy Symantec's products if that user is running the most secure commercial OS?
How is the number of patches that Microsoft chooses to fix a good metric? I doubt this is the case, but what if the engineers were sitting around saying "holy crap, these problems are all hard! who wants to get some coffee?" and never got around to releasing patches?
Oh, a lesson in history from Mr. I'm my own grandpa.
While I don't think Windows is the most secure OS, it's not fair to compare the number of patches released by a Linux packaging system to the number released by Microsoft for their base OS. The various repositories include every conceivable type of software for Linux and updates for that software while I assume Symantec (no I didn't read the article) is referring to updates just for Windows, not every piece of software on Windows. Your comparison only makes sense if you compare the SUSE repository software updates with every Windows software update.
I mean they are basically saying "we're in the wrong business" - great way to drive your stock price down and end up with a whole bunch of investor lawsuits ....
Symantec has all the street cred of a pimply-faced 17-year old driving his mom's Lexus SUV. Seriously.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
So Mac OS X, which had only one vulnerability rated high priority and none rated severe, lost to Windows, which had 12? This makes no sense to me. I'm open minded, but this seems like the real surprise is these peoples' definition of "most secure." Mac OS X had more total vulnerabilities, but the vast majority were non-severe, moderate or low priority, compared to Microsoft's offering, more than 25% of whose vulnerabilities were severe or high priority. I'd like to know how long it took Apple to fix its one high priority vulnerability. I'll bet it was fast. Anyhow, this is a crazy analysis.
Currently hooked on AMP
Tell me again how a more secure Windows OS becomes good news for Symantec.
Because you have to believe Windoze can be secure before you waste money on it or Symantec.
Friends don't help friends install M$ junk.
The strange thing here is that they say Windows has six times as many severe vulnerabilities and conclude "... therefore Windows is *more* secure than Linux
The audit trail for this year's award for Best Distorting Headline:
However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have
Ahhaaahhaaaaahhaaaaaaaaahhhhaaaaaaa
Guess who wants in on Vista
War is Peace
Ignorance is Strength
Windows is Secure
and
Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.
Windows - 39, 12 severe, average 21 day fix
0 209.html
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix
I know that Red Hat is patching more than just the OS, we are talking about people who patch little things like gaim or libfoo.so (microsoft still hasn't patched Office since Feb. http://research.eeye.com/html/alerts/zeroday/2007
Wow, I don't care what they claim in the report. Hats off to Red Hat!
Bringing liberty to the masses. - http://freetalklive.com/
All you have to do is max out the firewalls and not allow anything to be installed. If you are still having problems just disconnect it from the internet. Turning it off makes a Windows machine even more secure.
So, before we start trashing Symantec... Has anyone actually read the threat report? I didn't see anywhere that they ranked the Operating Systems in order of Most to Least secure. Also, the report makes no claim that Windows is the most secure. The Article by Internetnews says that, not Symantec. I mean, if I'm wrong, please point out where it says this in the actual report.
If I make a report that says 5000 people die in swimming pools every year, and 100 people die from base jumping, that doesn't mean I am saying that swimming is more dangerous than base jumping. If internetnews comes along and says that, well, that's their misguided interpretation.
The report gives the facts. The article takes the facts and manipulates them to say something that isn't implied. Only an idiot would make those conclusions.
A more accurate measurement might be: average time to system compromise / number of attacks.
Any real world test would be better than this silly patch counting, but the number usually reported is time to ownership. People don't really care about how many attempts it takes to break a system as much as they care about how often they need to do things. It might take an attacker 100,000 tries to brute force a password, what matters is how long it took. The trick is to make sure your network looks like a typical network and to describe those conditions so others can compare.
The usual result of tests like that is that Windoze machines are taken down in as little as four minutes with a half life of 12 minutes. Red Hat, out of the box, takes three or four months.
The Honeynet Project has all sorts of studies to further enlighten you. The bottom line is the result: More than 25% of Windoze computers are part of a bot net that's screwing everyone. It happens faster than you can download patches that won't really do you any good anyway.
Friends don't help friends install M$ junk.
1) How many of those vulnerabilities on MacOS X are impossible to exploit?
2) How many of them deal with applications which are bundled but disabled by default (e.g., Apache, OpenSSH)?
3) What constitutes a "critical" vulnerability? What is the relative threat level?
4) How many of those exploits were "in the wild" in terms of use?
Your method of generating "unpatched days" is also suspect. First, severity doesn't factor into the number of days and is a *really* bad multiplier in this case. It exaggerates without providing any useful information.
Second, if I have a trivial "vulnerability" that is impossible to exploit and a real show stopper arrive on my desk at the same time, and I fix the critical one first but let the other linger for 4 months, it gives me an average right between the two... despite that one of them was a trivial issue that never gets exploited in the wild.
My competitor, on the other hand, fixes the trivial bug first and the critical bug in two months. In the meantime an exploit goes into the wild. His "average" is better than mine and he'll show up as better using the pseudometrics you are using with multipliers. Which is more secure?
Attempting to generate bad metrics from bad metrics doesn't seem like the way to go here.
Integrate Keynote and LaTeX
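The averaging problem in the comment above, together with the earlier question about what share of the time a server was actually vulnerable, worked through as an added example (not part of the original thread or of the Symantec report). The two vendors, their dates and severity labels are constructed sample data that follow the two-bug scenario the comment describes.

```python
from datetime import date
from statistics import mean

# Half-open reporting window: the last six months of 2006 (184 days).
PERIOD = (date(2006, 7, 1), date(2007, 1, 1))

# Constructed sample data: (vendor, severity, disclosed, patched).
# Vendor A fixes the critical bug in 3 days and lets a trivial one linger
# four months. Vendor B fixes the trivial bug in 2 days and the critical
# one after two months. patched=None would mean "still unpatched".
VULNS = [
    ("A", "critical", date(2006, 7, 1), date(2006, 7, 4)),
    ("A", "low",      date(2006, 7, 1), date(2006, 10, 29)),
    ("B", "critical", date(2006, 7, 1), date(2006, 8, 30)),
    ("B", "low",      date(2006, 7, 1), date(2006, 7, 3)),
]


def mean_days_to_patch(vulns, vendor):
    """Headline metric: average disclosure-to-patch time, severity ignored."""
    return mean((patched - disclosed).days
                for v, _, disclosed, patched in vulns
                if v == vendor and patched is not None)


def exposed_days(vulns, vendor, severities, period=PERIOD):
    """Days in the period with at least one unpatched bug of these severities.

    Overlapping exposure windows are counted once (interval union), and a
    bug with no patch date stays open until the end of the period.
    """
    start, end = period
    windows = []
    for v, severity, disclosed, patched in vulns:
        if v != vendor or severity not in severities:
            continue
        lo = max(disclosed, start)
        hi = end if patched is None else min(patched, end)
        if lo < hi:
            windows.append((lo, hi))

    windows.sort()
    total, covered_until = 0, start
    for lo, hi in windows:
        lo = max(lo, covered_until)  # skip days already counted
        if lo < hi:
            total += (hi - lo).days
            covered_until = hi
    return total


def compare(vulns, vendors=("A", "B"), period=PERIOD):
    """Put the averaged metric next to the exposure-based ones."""
    length = (period[1] - period[0]).days
    table = {}
    for vendor in vendors:
        critical = exposed_days(vulns, vendor, {"critical"}, period)
        table[vendor] = {
            "mean_days_to_patch": mean_days_to_patch(vulns, vendor),
            "critical_exposed_days": critical,
            "critical_exposed_pct": round(100 * critical / length, 1),
            "any_exposed_days": exposed_days(
                vulns, vendor, {"critical", "low"}, period),
        }
    return table


if __name__ == "__main__":
    for vendor, row in compare(VULNS).items():
        print(vendor, row)
```

Vendor B wins on the averaged figure even though its critical bug stayed open twenty times longer than vendor A's.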
Actually Symantec's place on the Mac is that every six months or so they do a big FUD campaign against Mac security, trying to scare up demand for an all-purpose software package that will "secure your Mac." Their best argument is always "you never know".
I love how Symantec's current position is that Windows should stay broken and insecure so that it doesn't destroy the Windows utilities market.
Symantec has been rambling nonsense about how windows and proprietary software are more secure for a couple years now. How long ago was their last shocking report about how insecure open source and linux are?
Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS. They are tied to the platform. Not to mention they are an anti-virus company and windows is the only platform with a large enough virus problem to keep them in business. If any other platform came to dominate the market Symantec would be out of business.
Other than that, they aren't biased at all.
I'm surprised no one has bothered to point out the fact that it is in Symantec's interest for people to use windows. They don't sell their products to *nix/OSX users.
So they say Windows is more secure to convince a few gullible people to buy into the platform. Then those sorry souls who believed them get infected and end up needing an antivirus product (if they haven't bought one already). Oh, gee.... look who they might go to with their cash at that point.
Oh, yeah, that's right *it doesn't exist except to protect Windows boxes*. You know, when reality is in total opposition to your theory and/or study, maybe there is something wrong with your methodology? Is it possible that you just aren't measuring the right things? Because if Symantec is right, they are missing a huge market opportunity. On the other hand, given AV companies' history of alarmist headlines, perhaps they are trying to create a new market to replace the old one that Microsoft is eating for lunch?
I for one welcome our bedtime attacking ghost overlords.
- created an anti-virus signature that filled up your hard drive with DIR000?? folders
- has such tenacious application installs it usually takes a reformat to get them removed
- recognizes other anti-virus applications as virus activity
- purchased Ghost a few years ago and has yet to move it forward AT ALL.
- purchased Veritas last year (maybe 2) and has nearly halted all progress on that product.
Yeah, Symantec knows what it's doing.
I searched the CVE and found the following results within the same time period that Symantec did their report:
HP-UX 14 vulnerabilities
OS X 5 vulnerabilities
Microsoft Windows 59 vulnerabilities
Solaris 8 vulnerabilities
A search of US-CERT produces the following results:
HP-UX 14 vulnerabilities
OS X 1454 vulnerabilities
Microsoft Windows 459 vulnerabilities
Solaris 28 vulnerabilities
These were the exact terms I searched
Now think why a security company would overinflate that amount of vulnerabilities that have been found in various operating systems, perhaps because they sell security products and it is in the interest of their business model?
You mean people actually BELIEVE these ratings issued by a company that has a vested interest in selling security software? Obviously, Symantec is still keen to spook Mac and Linux users into buying its redundant software.
On the bottom of page 39 they define the Red Hat operating systems as: "Red Hat Linux (including enterprise versions and Red Hat Fedora)" No wonder it came out with the most vulnerabilities. One vulnerability would be counted 7 times (RHEL 2.1, 3, 4 and Fedora 3, 4, 5, and 6) instead of the one instance it should have been counted as. I don't understand why Fedora would be lumped under the Red Hat flag either. It's obviously going to have more vulnerabilities simply because it has code that's closer to the cutting edge. Red Hat waits for Fedora to flush out many of these types of bugs so they can offer a secure OS to its customers. Secondly Red Hat doesn't offer support of Fedora and doesn't have an obligation to release patches for it. Counting those numbers in their totals really skews the counts.
Basically Microsoft decided to build NT as an open system (meaning standards-compliance especially with the standards of the Open Group). Some of the standards (POSIX, for example) were only barely usable, while others (DCE/RPC) became the basis for everything. At the same time, Windows uses Kerberos on Domains by default, so they never implemented the security part of the spec.
DCE/RPC underlies all DCOM calls. And OLE is built on DCOM. Note that this means that you cannot turn this network service off. If it breaks, so do all manner of other things (like, for example, parts of the control panel, the clipboard, and the like). So essentially everything in Windows goes through a message bus with inadequate security.
Firewalls only buy you so much when you are up against this.
LedgerSMB: Open source Accounting/ERP