Top 12 Operating Systems Vulnerability Survey
markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"
As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities
The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.
Also, Macs are Jimmy Fallon-esque metrosexuals.
I don't need no instructions to know how to rock!!!!
where is the 'duh' tag on this one?
Browse at -1 to keep an eye out for abuses.
Considering that server OSs were examined, why no OpenBSD? Too "obvious"?
... i'm no M$-fanboy at all, but testing a 2001-XP against an end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...
Yes, I still use BeOS more than OS X. BeOS has never had a remote hole and it is much better than *nix & Windows for graphic applications. I also maintain my own patches since it is no longer updated.
C'mon /., I thought this was a 'News for Nerds' site...
I'm always astonished that these OS security articles pretty much always leave out the Unix-type OS most focused on security (i.e. OpenBSD). This always leaves me wondering about the credibility of the review in general. It's like he's looking for champion of fuel-efficiency, but only testing sports cars and SUVs.
First they stumble through the server role wizard enabling default options that no respectable admin would do.
Also, it appears they roll over the SP1 and SP2 upgrades, which does apply to many updaters, but for a long time, native SP1 and SP2 installs block the inbound network until the first iteration of windows updates completes.
2003 is not perfect, but you really have to work to fuck it up, unlike XP.
Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!
Okay, We all know that 2001 version of XP, totally unpatched is vulnerable. Duh
I update all my WinXP installs OFFLINE, making sure that they are FULLY patched and running the latest AV before putting them on the wire. The issue is that Microsoft doesn't make it easy to do this, and I have to use third party products to properly secure their systems before they go online. (90+ Patches from SP2?????)
To me, that is the greatest of all faults.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?
The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up to date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.
The reason it is not a stupid comparison is that Microsoft doesn't make it easy to do, so most people do it online. Granted, most of us do it from behind a firewall, but a compromised machine on your network listening to DHCP requests and responses might very well hack your ass in moments.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What no OpenVMS analysis?
Hmm... MacOS X bad... UNIX good.
Presumably this contradiction is resolved by noting that on MacOS X, the vulnerable services are off by default, so MacOS X is in fact ripe with vulnerabilities out of the box, yet still presenting a robust exterior?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The article also says:
Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.
For OS X Server, they had this to say for it, "Out of the box":
The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
Javascript + Nintendo DSi = DSiCade
I can run Nessus too!
Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.
Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.
But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.
dave
An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.
The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.
This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and install prior to connecting the machine to a network. For example, for most Windows products this means the latest service pack or hotfix roll-up.
Also: "After testing Service Pack 2, one more round of patches were applied using Windows Update"
In general this is not the best methodology. Frequently one patch prerequisites another patch.
A better methodology would be to install a round, test for remote exploits, then continue with additional rounds of patching until there were no more patches available. Report the results at each stage.
In this particular case, it's okay because "Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled)."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The conclusion mentions that linux and unix are more secure but have a higher learning curve for desktop users. Is that why he enabled daemons that no desktop user would ever run? On public facing servers I (and many other admins) manually compile/patch software, outside of the OS package manager.
What was he setting out to prove?
Well FFS if you're testing out-of-the-box security, OpenBSD wins it all. I mean say what you will about this metric, 10 years with only two holes in the default install, it still shames the others.
It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.
And yes, I am a Vista user.
First off, they roll them out to the channel.
That means if I bought XP at a store 3 months ago, it would come with SP2 already in it.
Second off you can download the SP and burn your own CD fairly easily. Well, you do have to have a computer and maybe IE handy but that's not a handicap if you already have a Windows machine around.
Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.
The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.
That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!
Linux is the most secure OS if you're a linux security geek. The preceding message was brought to you by a linux security geek.
This article was amateurish at best.
It's hard to tell - maybe I'm pro-mac because I never had to clean my family's mac from malware and virus infestation, unlike the previous Windows computer, but what is always with the anti-mac posts when it comes to viruses and crap?
Yeah, duh -- in theory and limited circumstance they can get viruses and malware like any other computer - but in practice this happens far less than Windows. I don't get the feeling of superiority here from the Windows community - their computers get pwned daily and they feel smug over a theoretical situation on the other side.
BTW: I personally don't have a mac (but thank Steve that I don't have to maintain a computer for the family anymore and they like the Mac > Linux, otherwise I would be in Windows hell) but run Ubuntu - I wasn't happy to see that it is vulnerable too - and am working to close those ports. But my computer holds little that is of interest - otherwise I would be running something like SELinux or whatever.
Then somehow this
The immediately following sentence
So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
Cwm, fjord-bank glyphs vext quiz
This article *CLEARLY* points out that neither OSX client or server is vulnerable to ANY attack in its default state. The summary at the end is bogus because it clearly contradicts his own findings.
Once you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but none appear to allow a virus to propagate.
Matthew should launch "Nmap & Nessus: How they work together" test instead of presented one. Those tests just told me tips about what information, Nessus specially, has in its database, nothing beyond that.
many vulnerable services are disabled by default, for example that telnetd on Slackware 11.0 and many others.
Nice try says me nothing.
Please mod: Deny.
The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.
Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.
Some OSes even come with inbound ports turned off by default using the built-in firewall.
If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meaningless.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I read the article and I'm sorry I did. What a waste of time. There are a couple of good ideas, probably the best of which is testing the security of systems as you're installing the OS, because if the installation procedure isn't secure, you're screwed. But beyond that, the article fails to make a distinction between using a machine as a server versus usage as personal desktop machine.
If you're testing servers, then by all means turn on httpd, pop3d, smtpd, etc. But there is a good reason why these services aren't turned on by default, and that's because the vast majority of computer users don't run their own servers. Furthermore, what percentage of people using plain Windows XP or Mac OS X are going to be running servers versus someone running FreeBSD or Linux. And then in the article they make the effort to turn on these servers, but they won't bother to turn on the built-in firewall. Oh well, like I said the article is a waste of time.
It seems that in order to make the article more sensational, or to satisfy their agenda, they decided to cherry-pick the configuration to facilitate getting the results they want. It's pathetic.
Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.
Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).
I would have liked to see the results of MacOS X after the 10.4.9 update, since it resolved a lot of security vulnerabilities.
Menzoberranzan Networks
Yeah i'm talking to you. The wannabe computer programmer who thinks they are good at computers because they can click around the computer enough times and find the reboot button and 'fix' an inherently flawed windows system. You think you're cool because you can pirate photoshop but not know anything about it, get Microsoft Office for free but have the literacy of a 1st grader when writing a paper, and get a copy of Norton Anti-virus because your inherently flawed system is useless without Administrative privileges. Get a clue, you are not smart, you are just a corporate sheep for a company that will bury you if you ever tried to write any software that did anything remotely useful. You are a clickaround and all you know is your ugly gray existence that is Windows.
/dev/random > Windows.com
Want the sourcecode to windows vista?
head -n 1000000
I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what OS do to prevent or reduce the impact of exploitation.
For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grsec and Bastille allow Linux to be hardened in a way which prevents race conditions, buffer overflows and more. This is a very much simplified list -- but that's exactly why I'd like to see a better breakdown.
I love how people tend to think Computers are simple machines, like a potato peeler or something. They're complex machines, and there's people who do not take that into account. The minute you do anything with a computer (even after it's "secured") you run the risk of lowering your security.
... plenty of security is your behavior. And many people don't even realize things they do have any kind of adverse impact.
... why didn't they take into account any other factors? Say vulnerabilities in the different implementations of the TCP stacks.
I bet if I went and bought a nice new shiny sports car, and drove 200 mph into a brick wall, I would die. Geez! How insecure is that? I mean after all I have to engage the seatbelt? It wasn't engaged when I bought the car!
I guess my point is
This article should have been called "A list of default services running on different OSs that sometimes you have to enable manually".
I mean, we're talking security
More Nerd, less "news" please.
FLR
Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. What's worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I hear are:
1) Ignorance (They don't know they need them)
2) Slow Connections (They don't want to wait 3 days for updates to download)
3) Incompatibility (They are afraid that if they download a patch from MS it will break something)
With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.
If Windows had come out as the worst.
Since it did not, we here at /. must do our best to totally discredit the survey.
This article was authored by a troll. It compares OSes of varying and inconsistent ages in the most vulnerable configurations possible, and calls that "out of the box".
Please elaborate on this. I'm not a Linux lover and I have noticed quite the opposite.
I've been sitting here as root for 12 years now. Nothing. My son has while installing W2K been attacked to the point I ended up downloading all the packs and updates so he could even install the puppy.
No contest.
come on, you're saying that in 1 friggen hour, while I'm downloading SP2 on a new XP box that I'm going to be "infected?" Sounds a little far fetched to me...
Next time you think that you're going to be overlooked for a one hour period and your as-yet unpatched box is safe because of that, try logging all the traffic knocking at your door for a one hour period- after you've patched, of course.
Just an hour's worth of the httpd logs on a machine stuck out into the net can net a hefty amount of logfile when it gets busy, making it seem that every script kiddy in the world is checking to see if your door is locked (almost exclusively poking around for Windows exploits).
An hour? I'd say you have closer to five minutes before the horde descends to see if you forgot to lock the door- if you're lucky.
The "tests" run are plain silly. Open ports do not mean vulnerabilities. Open services do not mean vulnerabilities as long as the authorization functions of the services work. In other words: Using completely patched systems all of the systems had 0 vulnerabilities.
This was the most stupid and moot article in ages on /.
winXP is inside the support cycle. He could even test Win2000 since it is still supported. A big number of corporations run Win2000 today ("if it ain't broke...") not to mention the ones still running Win98.
Also, (I'm just being curious here) can you define "empty configuration"? Is ipfw in OSX set up to "default to allow" by default?
"Empty" as in, "Nothing to see here. Move along. Shoo! Go away! I can't hear you!" i.e.- The default for undefined ports or those associated with services that aren't running is Deny. You can change that behavior of the firewall and add allowed ports through the Sharing system preference (which drove me nuts the first time I played with OS X, 'cause I was looking for configuration files and missed the bright, shiny "Just Works!" button).
To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.
He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?
While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.
There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.
He lists lots of open ports for macs. Some that he lists are actually not open on the default mac config, so it's weird that they show up on the nmap scan. When I scan my own box I don't see these.
Now for vulnerabilities there is exactly one on a mac. are you ready. cause this one is soooo scary:
"Nessus: The web server permits user enumeration through evaluating the time response to fail on particular queries."
wow! I'm shakin.
Some drink at the fountain of knowledge. Others just gargle.
Hmmm, did you even read the article??? They tested the initial XP install, then installed SP2 and tested that release, and then rolled the system up to the current patch level, and tested that also.
Each OS was tested independently.
The OSes were not compared with others, nor was there an attempt to choose sides or suggest one OS is better than another...
Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.
The list of open ports was THREE.
No vulnerabilities were detected even with the firewall totally OFF.
Seems like (for now) Vista wins this one.
Nah. Mac fanbois with their 50 accounts per person and lack of anything better to do than hype an OS just because they think it's cool outnumber everyone else.
Who the f*ck cares about OpenVMS?
Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system?
Who says you have to write to a disk before your computer becomes insecure? Aside from the fact that devices with only a Flash memory may also have vulnerabilities, hardware design flaws are a commonly ignored potential attack vector.
(Yes, I'm aware that the title is "Top 12 Operating Systems Vulnerability Survey." And no, I didn't RTFA - this is Slashdot, after all.)
Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
News out today is that Windows( including Vista ) has another security risk in the animated mouse code. That's right, another one. The previous one was in early 2005 and I guess their Trustworthy Computing people forgot to look at the rest of the animated mouse code cause they moved it right into Windows Vista.
I did see where McAfee said that Firefox on Windows blocked this so I'm only guessing that it's yet another Windows w/Internet Explorer flaw since one of the temp fixes is to turn off html rendering in MS Outlook and that's probably the MS IE code there too.
pretty sad when a mouse can open security holes so far into the system. Supposedly, MS Vista does somewhat contain this but I'm not sure if that is with a standard install.
So tell your friends to watch where their mouse has been.
http://www.microsoft.com/technet/security/advisory/935423.mspx
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
No, it's proof that there are more and more Microsoft shills around. Microsoft must be getting desperate, as their shills are becoming more and more laughable and pathetic.
Did you think that up all by yourself? You're such a smart kid. Do you need help with your book reports?
the NPG electrode was replaced with carbon blac
I refuse
to believe
that
Ubuntu is more secure than Slackware.
Have been living in a dream all these years?
Do not. Touch. Down.
that's fine and dandy. how about some suggestions to how we can keep our boxes secure?
If history repeats itself, why can't we study the future?
From a revenue perspective, this isn't the list of "2006's flagship operating systems." I'd like to see a survey of the operating systems used to run the businesses that affect my daily life (businesses like banks and credit card companies). This is the realm of z/OS, HP-UX, i5/OS, and AIX. However, I'm sure that these systems are buried so deep behind firewalls, that vulnerability scans don't even make sense.
But the writer got the Windows tests WRONG. He tested by installing Windows XP without a Service Pack and then upgrading to SP2. He found lots of open ports before the SP and that's what he's reporting. That is clearly silly, as you can't buy XP without SP2 embedded today, and you can't buy a machine without it preinstalled. Testing XP without a service Pack would be like testing an Apple with OS9. Same thing when he tests Windows Server 2003 without Service Pack 1 or Service Pack 2. Yes, the tester later reports the effects of installing the Service Pack (which are much better) but reporting the service pack less results is just plain misleading.
On the flip-side, because Windows and OS/X are used more frequently, there are more security experts (white hat and black hat) searching for ways to break the code. It also means that it is much more profitable for commercial scanner products (not used in this case, but I'm talking in general) to concentrate on gathering methods for these OS'. If it cost half as much to gain as many methods for Linux, but only 4% of potential customers gave a damn, why would any security vendor bother? The return on investment would be terrible!
The practical upshot is that none of the methods being used to conduct these kinds of surveys gives you a useful picture. It would take a concerted effort to use multiple methods (and multiple approaches to each) to build up a good enough image to winnow out the false or misleading. Whilst a major security vendor could probably afford the time and resources to do this, again it's return on investment. Who is going to pay for a better study? Managers? No. If Gartner said that the sky was purple and pilchards grew in trees, managers would typically believe it, even if every pilchard expert on the planet worked together to produce a mega-report refuting Gartner line-by-line.
What about the Open Source folk? Surely they'd respond positively. I'd like to believe that, but I never did see Tripwire respond to the Internet Audit, which claimed that binaries were altered without Tripwire detecting it. (And how come there are no host intrusion detectors or network intrusion detectors configured as standard on most Linux distros?) There is also evidence that OpenBSD's track record on dealing with DoS attacks is nowhere near as good as it is with holes that would allow actual machine access. Hey, I'd consider myself above average on Open Source advocacy, but the bottom line is that there isn't this overwhelming, universal passion for Doing The Right Thing in the Open Source world. It's better than in many sectors, but there are plenty of security sinners out there in F/L/OSS-land.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Nessus "found" that the Mac OS 9.2.2 box had a vulnerability that would allow an attacker to crash, or run code in, the Oracle 9i application server?
Since Oracle 9i doesn't even run on Mac OS 9.2.2, I don't think this is likely to be a big concern.
You may not agree with the conclusions. But there's some smart overview thinking here.
who do you know that uses Slackware, who will use it this way?
So you specifically answered "Leave service open" when you installed, right? What did you expect was going to happen?
but I don't think I particularly care to see this particular survey done on those business relevant systems.
the vulnerability was, I believe, in the personal web sharing function, and we might guess it was saying it was a vulnerability similar to some specific oracle 9i vulnerability.
I was surprised several years back to find that oracle 8i and 9i had (semi-)custom apache and similar stuff.
No, I never did get an oracle certification,
... if you consider winning a lame analysis like this winning, ...
My primary workstation system using Windows Server 2003, SP #2, running the NMap port to Win32, when done in a fully security hardened setup via tools like:
Security Configuration Wizard (SCW - A WINDOWS SERVER 2003 TOOL ONLY, AFAIK)
Security Analysis Tool and Templates in MMC.EXE
Services cutoffs in services.msc as well as policies, & also altering the running ones (many of them allow for this IN SERVICES.MSC MIND YOU) logon entity for many to less than LocalSystem.
gpedit.msc
secpol.msc
regedit.exe (for performance and security hacks application, 123 of them)
A LinkSys/CISCO True NAT firewalling hardware router
Software combined w/ hardware NAT firewall router @ the OS' native firewall
Software combined w/ hardware NAT firewall router @ the port filtration level (the poor man's firewall as it is called as another added layer for layered security)
IP Security Policy that complements the software firewall, port filters, & Hardware NAT router.
* The last 3 work at the IpFltDrv.sys, IpSec.sys (ip security filtering policies), & IpNAT.sys (firewall hook) drivers level (respectively IN THAT ORDER, iirc)
A custom adbanner blocking hosts file (to speedup my surfing not calling out to DNS servers, I don't run those services on my workstation anyhow, nor do I run DHCP via software anymore either)
IE 7 set with Windows 2003 Server's default 'hardened' IE 6 setup (you can do this to XP or 2000 manually though, same deal as below next really)
AND all browsers set to max security (using IE security zones properly on IE & Outlook Express, turning off java/javascript - activex/activescript usage except for pages that need it, by tab, in Opera by site prefs like my RAID 1 web interface noted below for a test of NMap for Win32 4.20)
and more (etc. like ANTIVIRUS IN NOD32, BEST THERE IS, AND antispyware in SPYBOT TEATIMER RUNNING)
That setup, on this test using NMap for Win32 on a hardened Windows Server 2003 SP#2 setup, got this score result:
E:\>nmap -P0 -sT -F -O -A 192.168.0.xx
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-03-30 02:18 Eastern Standard
Time
Interesting ports on 192.168.0.xx:
Not shown: 1255 closed ports
PORT STATE SERVICE VERSION
8080/tcp open http Jetty httpd 4.2.23 (Windows 2003/5.2 x86 java/1.4.2_10)
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 289.203 seconds
Pretty good, considering I left my RAID 1 mgt. and its java engine running for my Promise SuperTrak Ex8350 PCI-e SATA1/2 128mb ECC Ram Caching controller (via its WebPam interface, java run no less). That would not have even showed up if I did turn it off, but it was an example the scan was indeed, working.
(And, what it's showing is coming thru 8080 & once I turn that service off? The scan returns nothing @ all on my client rig I ran the test on, but my server rig running IIS 6.x on Win2k3 SP #2 & SQLServer 2005 still have hits on it, because of IIS largely... but on my workstation, zippo, because once I turn off my RAID 1 controller service (WebPAM) no java running listening is why).
Windows machines, especially those on Windows Server 2003 SP #2 fully hardened (doesn't take THAT long to do), can do well security-wise if you do things right (like not opening up email attachments from strangers, lol, you know this I bet though of course).
Vista does well surprisingly as well on tests like CIS Tool 1.0 (by the "center for internet security") and on Belarc Advisor tests as well. Not as good as a hardened system like mine, but better than XP by default, AND probably better than Windows Server 2003 (VISTA's codebase iirc no less) does prior to hardening.
E.G.-> On CIS Tool 1.0? My system nails an 84.735 of 100 possible score (151 passed, 7 failed),
Do I get the feeling the parent was actually a joke? Silly mods.
Are we RTheSameFoolishA?
Enumeration was enabled by way of UserDir in the httpd.conf .
Yeah, the default httpd.conf provided by Apple has a couple of no-brainers in it. That is related to one of them. I suppose I should submit those to Apple's bug database.
I'm not sure how the enumeration is done, but I shut off UserDir. (I don't use rendezvous. There is a less severe mitigation, but I'm paranoid.)
Oh, yeah, if they can enumerate your users, it provides a foot up into, for example, brute-forcing passwords.
Interesting how some people are noting that x86 does level the playing field for the black hats a bit. I know that the hard core guys don't really find any barriers in the PPC machine code, but, as a speed bump, it was once a factor in slowing down incursions.
Sure wish Apple would keep both CPU lines. Also wish they would maintain a current, more minimal platform for people who don't want bells and whistles like dashboard. But I guess the upshot of that is, I'm going to max the RAM on my old clamshell iBook, put an 80G hard disk in it, and triple boot it (Classic, Mac OS X, Fedora Core. Shoot, if I can figure out the partitioning, I'll see if I can quad boot it with openbsd.) So, Apple moves me to Linux. Nothing strange going on there.
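For the UserDir enumeration discussed in the comment above, here is a defender-side check, added as an example and not taken from the article or any poster: it audits an httpd.conf for an active UserDir mapping and flags clients in an access log that request many distinct /~name paths. The sample config, log lines, addresses and the `min_names` threshold are constructed, and it assumes the server answers differently for existing and missing accounts.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article or the thread).
SAMPLE_CONF = """\
LoadModule userdir_module libexec/httpd/mod_userdir.so
# UserDir disabled
UserDir Sites
"""
SAMPLE_LOG = """\
198.51.100.7 - - [30/Mar/2007:02:18:01 -0500] "GET /~root/ HTTP/1.0" 403 210
198.51.100.7 - - [30/Mar/2007:02:18:01 -0500] "GET /~admin/ HTTP/1.0" 404 205
198.51.100.7 - - [30/Mar/2007:02:18:02 -0500] "GET /~alice/ HTTP/1.0" 200 1532
198.51.100.7 - - [30/Mar/2007:02:18:02 -0500] "GET /~bob/ HTTP/1.0" 404 205
198.51.100.7 - - [30/Mar/2007:02:18:03 -0500] "GET /~guest/ HTTP/1.0" 404 205
203.0.113.20 - - [30/Mar/2007:02:19:10 -0500] "GET /~alice/photos.html HTTP/1.1" 200 880
203.0.113.20 - - [30/Mar/2007:02:19:12 -0500] "GET /index.html HTTP/1.1" 200 4012
"""

def userdir_directives(conf_text):
    """Return the arguments of every active (uncommented) UserDir directive."""
    pattern = re.compile(r"\s*UserDir\s+(.+?)\s*$", re.IGNORECASE)
    matches = (pattern.match(line) for line in conf_text.splitlines())
    return [m.group(1) for m in matches if m]

def userdir_exposed(conf_text):
    """True if a directory is mapped and it is not switched off for everyone."""
    args = [a.lower() for a in userdir_directives(conf_text)]
    maps_dir = any(a.split()[0] not in ("disabled", "enabled") for a in args)
    globally_off = "disabled" in args            # bare 'UserDir disabled'
    allow_list = any(a.startswith("enabled ") for a in args)
    return maps_dir and (not globally_off or allow_list)

REQ = re.compile(r'^(\S+) .*?"(?:GET|HEAD) /~([^/\s"]+)\S* HTTP/[\d.]+" (\d{3})')

def userdir_probers(log_text, min_names=4):
    """Map client IP -> {name: last status} for clients asking for many /~names."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = REQ.match(line)
        if m:
            seen[m.group(1)][m.group(2)] = int(m.group(3))
    return {ip: names for ip, names in seen.items() if len(names) >= min_names}

def leaked_accounts(names):
    """Names answered with anything but 404: the differing response confirms them."""
    return sorted(n for n, status in names.items() if status != 404)

if __name__ == "__main__":
    print("UserDir exposed:", userdir_exposed(SAMPLE_CONF))
    for ip, names in userdir_probers(SAMPLE_LOG).items():
        print(ip, "probed", len(names), "names; confirmed:", leaked_accounts(names))
```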
I'd like to see a survey of the operating systems used to run the businesses that affect my daily life (businesses like banks and credit card companies).
... so compromise those, and you get the mainframe because ITGC's are pretty weak.
Perhaps it's cost prohibitive for a hobbyist to actually purchase a mainframe for a one-time test? You may be surprised how many financial institutions do not use just the mainframe operating systems you mentioned. Besides, even those that do, access that data from desktop platforms
So, they had to explicitly enable all of ftp, samba, afp etc for OS X to get something to show, yet didn't even notice MDNS/Rendezvous (port 5353) open out of the box? Mongs.
[other agreeable/worthwhile comments skipped]
There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.
IBM kinda has two, right? You probably mean z/OS IBM's mainframe OS successor to MVS, but there's also i5/OS aka OS/400 which has a unique and interesting (imho) object-oriented system architecture. Last I checked IBM sold $1 billion of the latter every year (OS+hardware). Oh, and there's VM/CMS which is what all the virtualization efforts on all systems today are emulating (no pun intended) and trying to improve upon.
Just 2 cents from someone who learned about these when researching commercial operating systems a while back. I recognize these aren't mainstream to a Unix-head or Windows-head, but I guess once you toss in VMS, I think it's worth mentioning MVS and OS/400.
--LP
I think he's implying that given all the "the conclusion isn't fair to Mac OSX", that the vocal uber-geeks are switching from Linux to Macs.
http://www.mhall119.com
How many people are running out-of-the-box RH7?
How many tens of millions of people are running out-of-the-box XP?
Tech Public Policy stuff
Let me get this right... It's considered "out of the box" to enable OS 9.2.2 Classic web sharing inside of OS X 10.4.x (which has its own, also off by default), even though the current and previous generation of Intel Macs don't support running Classic at all?
To really get a feel for the validity of their results, get a load of this OS 9 Classic high-risk vulnerability:
"Nessus: The web server tested positive for an Oracle9i crash through an incorrectly crafted, long URL."
http://www.nessus.org/plugins/index.php?view=sing
I knew Macs could do many things, but having an Oracle vulnerability without having Oracle is impressive indeed.
Some things just make you say WOW
If they wanted to find OS 9 / Classic vulnerabilities, they could at least actually test for something real instead of going by questionable out-of-date nonsense in a database.
It is very likely that the old unsupported version of Internet Explorer on OS 9 does have some real vulnerabilities. They didn't even check for that. Of course anyone still using that is probably also vulnerable to eating food from the 90's hiding in the back of their refrigerator.
Their whole approach of using a scanner to compare security of OSes is deeply flawed. While it can be helpful for spotting issues with a machine that just sits there, like a server, it is nearly useless in the case of a desktop system where many of the undesirable events depend heavily on the behavior of the local user. Use of a scanner also neglects little things like browser vulnerabilities!
We're given nearly useless results, and more vulnerabilities for OS X than for XP and Vista combined.
Another MS funded "study" perhaps? It is Vista hype season after all.