Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 12 Operating Systems Vulnerability Survey

Posted by Zonk on from the just-in-case-you-were-feeling-secure dept.

markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"

27 of 206 comments (clear)

  1. come on... by cosmocain · · Score: 3, Insightful

    ... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...

    1. Re:come on... by drinkypoo · · Score: 4, Insightful

      ... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers.

      My only complaint is that Windows XP should be tested as installed from SP2, since any XP CD distributed through authorized channels today has SP2 built in.

      But you have to realize that Windows XP is the most common version of Windows in use today, and so it is reasonable to test it today...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:come on... by Anonymous Coward · · Score: 2, Insightful

      So only pay attention to the comparison from after the point SP2 is installed?

  2. Concise? by jonknee · · Score: 3, Insightful

    Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007.


    Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!
    1. Re:Concise? by solevita · · Score: 3, Insightful

      Who reads printed pages anyway? Just scroll down and read the relevant test results for every OS. No need to read all the blurb about when XP was first released or in what university BSD first came about; just scroll down and read every bit that starts "Nmap". You'll get through it very quickly.

      It was much nicer than most stories that make it to the front page; I didn't have to keep clicking the next page button every 50 words. It was good stuff, there were no ads (although I do run adblock) and a great deal of easy to read information.

      Let's just hope that /. provides us with more of these.

  3. Macs Still Safe in Default State by adavies42 · · Score: 5, Insightful

    The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
    1. Re:Macs Still Safe in Default State by dpilot · · Score: 2, Insightful

      But unless you're already behind a firewall of some sort, 1 hour is more than long enough to be compromised, BEFORE the updates are done.

      --
      The living have better things to do than to continue hating the dead.
    2. Re:Macs Still Safe in Default State by Cheefachi · · Score: 4, Insightful

      I think what the parent poster was saying was that by default OS X has many services that can be compromised turned off and they remain turned off no matter how many times you perform an update or reboot. The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      --
      An engineer is someone who spends 3 hours trying to solve a 2 hour problem in 1 hour - Anonymous
    3. Re:Macs Still Safe in Default State by vux984 · · Score: 4, Insightful

      The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      But then they conclude OSX is rife with vulnerabilty during the patching process, which is pretty misleading if you ask me.

  4. Obligatory missing option post. by Dusty · · Score: 2, Insightful

    What no OpenVMS analysis?

  5. Nice Cherrypicking by AKAImBatman · · Score: 5, Insightful

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

    The article also says:

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, [available services] were all enabled through the Preferences tool. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

    Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.

    For OS X Server, they had this to say for it, "Out of the box":

    During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.

    The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Nice Cherrypicking by SCHecklerX · · Score: 5, Insightful

      The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.


      Which is one reason it's so hard to secure a windows system. Who knows what half of those listening services actually do and what depends on them.

      Also, you missed the third part, which is to configure the services you do need conservatively (ie, configure apache to not allow methods you do not use for your site, disable anonymouse FTP, or if needed lock its permissions and probably chroot it, etc).

      Security isn't *too* hard if you have admins that actually listen to their lead security guy:

      1. Run only the services that you need
      2. Configure those services securely
      3. Keep those services patched


      Yes, there is a lot more to security, and how services are used factors into your response in how to mitigate any known problems, but the sysadmin security stuff boils down to the above list.
    2. Re:Nice Cherrypicking by stratjakt · · Score: 2, Insightful

      Who knows what half of those listening services actually do and what depends on them.

      I do, lots of people do.

      Which one do you have a question about?

      It's not that hard to learn Windows.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:Nice Cherrypicking by fazookus · · Score: 2, Insightful

      "Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled."

      So they take a secure machine and start services to make it less secure, but they can't be bothered to turn on the firewall?

      Odd...

    4. Re:Nice Cherrypicking by Mister+Whirly · · Score: 2, Insightful

      "Who knows what half of those listening services actually do and what depends on them."

      People that are serious about security and don't want their boxes compromised.... For instance, me.
      An OS service is an OS service - figuring out *nix services is no easier or harder than figuring out Windows services.

      --
      "But this one goes to 11!"
  6. Read carefully what was done on MacOS X by david.emery · · Score: 5, Insightful

    Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.

    Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.

    But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

              dave

    1. Re:Read carefully what was done on MacOS X by samkass · · Score: 3, Insightful

      I think their analysis is fundamentally flawed once they put MacOS X and UNIX into separate buckets. Almost everything they tested on MacOS X is based on the UNIX underpinnings of MacOS X, and at that level MacOS X *is* UNIX (with 10.5, they even went through the trouble of getting it certified as such). It's not like they were testing Cocoa or the GUI.

      Any remote network vulnerability that treats MacOS X as anything other than another UNIX distro has built-in bias.

      --
      E pluribus unum
  7. Be careful jumping to conclusions on prepatched OS by davidwr · · Score: 2, Insightful
    When it comes to prepatched or out-of-the-box configurations, be very careful jumping to conclusions.

    An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.

    The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.

    This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and install prior to connecting the machine to a network. For example, for most Windows products this means the latest service pack or hotfix roll-up.

    Also:

    After testing Service Pack 2, one more round of patches were applied using Windows Update In general this is not the best methodology. Frequently one patch prerequisites another patch.
    A better methodology would be to install a round, test for remote exploits, then continue with additional rounds of patching until there were no more patches available. Report the results at each stage.

    In this particular case, it's okay because

    Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled).
    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Vista was not visible... by jernejk · · Score: 2, Insightful
    From TFA:

    In order to identify any Vista services present, it was necessary to disable the default firewall after booting into the system for the first time. After disabling Vista's firewall, Nmap was able to identify three open ports for Windows networking and correctly fingerprinted the system Windows Vista. Sorry, but what's the point in doing this? Out of the box, vista comes with no open ports. Deal!

    It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.

    And yes, I am a Vista user.

  9. Cringe? by CODiNE · · Score: 4, Insightful
    Hardly.

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled.53 After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.


    Then somehow this :

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

    The immediately following sentence :

    Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services.


    So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
    Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
    --
    Cwm, fjord-bank glyphs vext quiz
  10. Re:What? by Anonymous Coward · · Score: 2, Insightful

    This article *CLEARLY* points out that neither OSX client or server is vulnerable to ANY attack in it's default state. The summary at the end is bogus because it clearly contradicts his own findings.

    One you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but non appear to allow a virus to propagate.

  11. Re:MS makes installing SPs offline easy by drinkypoo · · Score: 2, Insightful

    Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.

    That's what I'm talking about. I comment in another location that they should be testing against the SP2 version because if you get XP today, that's what you're installing.

    But the period between SP2 and the patches, that's a time when the machine is typically on the 'net and potentially vulnerable.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Hardware firewall is your friend by davidwr · · Score: 2, Insightful

    The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.

    Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.

    Some OSes even come with inbound ports turned off by default using the built-in firewall.

    If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meaningless.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Completely inconsistent by evought · · Score: 4, Insightful

    Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.

    Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).

  14. Calm your self... by CasperIV · · Score: 4, Insightful

    Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; Many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. Whats worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I here are:
    1) Ignorance (They don't know they need them)
    2) Slow Connections (They don't want to wait 3 days for updates to download)
    3) Incompatibility (They are afraid that if they download a patch from MS it will break something)

    With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.

  15. Re:Not A Stupid Comparison by InsertCleverUsername · · Score: 2, Insightful

    Parent makes an important point. I think the MS automatic updates are a great help to Joe Average User, but if they wanted to do things right, MS would lock down almost all networking other than HTTP connections to update.microsoft.com until the fresh install was fully patched.

    --
    Ask me about my sig!
  16. I find his methodology bizarre. by argent · · Score: 3, Insightful

    To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.

    He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?

    While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.

    There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.