Top 12 Operating Systems Vulnerability Survey
markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"
As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities
The difference is, the exploits for the Mac just work, but you have to trick a stupid Windows user into running them to hack XP.
Also, Macs are Jimmy Fallon-esque metrosexuals.
I don't need no instructions to know how to rock!!!!
Considering that server OSs were examined, why no OpenBSD? Too "obvious"?
... I'm no M$-fanboy at all, but testing a 2001 XP against an end-2006 Fedora is not actually making any sense. Install a 2001 Red Hat to compare and then tell me the numbers. I'm quite sure that there are no breaches as severe as the LSASS or RPC/DCOM stuff, but this comparison just doesn't make any sense...
Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!
Okay, We all know that 2001 version of XP, totally unpatched is vulnerable. Duh
I update all my WinXP installs OFFLINE, making sure that they are FULLY patched and running the latest AV before putting them on the wire. The issue is that Microsoft doesn't make it easy to do this, and I have to use third party products to properly secure their systems before they go online. (90+ Patches from SP2?????)
To me, that is the greatest of all faults.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Since when does throwing up 12 boxes and running a quick Nessus scan over them count as a security survey?
The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up to date versions of the OSes); rather, those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.
The reason it is not a stupid comparison is that Microsoft doesn't make it easy to do, so most people do it online. Granted, most of us do it from behind a firewall, but a compromised machine on your network listening to DHCP requests and responses might very well hack your ass in moments.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What no OpenVMS analysis?
Hmm... MacOS X bad... UNIX good.
Presumably this contradiction is resolved by noting that on MacOS X, the vulnerable services are off by default, so MacOS X is in fact ripe with vulnerabilities out of the box, yet still presenting a robust exterior?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The article also says:
Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.
For OS X Server, they had this to say for it, "Out of the box":
The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
Javascript + Nintendo DSi = DSiCade
I can run Nessus too!
Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.
Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.
But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.
dave
An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.
The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.
This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and install prior to connecting the machine to a network. For example, for most Windows products this means the latest service pack or hotfix roll-up.
Also: "After testing Service Pack 2, one more round of patches were applied using Windows Update." In general this is not the best methodology. Frequently one patch is a prerequisite for another patch.
A better methodology would be to install a round, test for remote exploits, then continue with additional rounds of patching until there were no more patches available. Report the results at each stage.
In this particular case, it's okay because "Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled)."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.
And yes, I am a Vista user.
First off, they roll them out to the channel.
That means if I bought XP at a store 3 months ago, it would come with SP2 already in it.
Second off you can download the SP and burn your own CD fairly easily. Well, you do have to have a computer and maybe IE handy but that's not a handicap if you already have a Windows machine around.
Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.
The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.
That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!
Then somehow this
The immediately following sentence
So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
Cwm, fjord-bank glyphs vext quiz
This article *CLEARLY* points out that neither OSX client nor server is vulnerable to ANY attack in its default state. The summary at the end is bogus because it clearly contradicts his own findings.
Once you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but none appear to allow a virus to propagate.
The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.
Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.
Some OSes even come with inbound ports turned off by default using the built-in firewall.
If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meaningless.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.
Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).
I would have liked to see the results of MacOS X after the 10.4.9 update, since it resolved a lot of security vulnerabilities.
Menzoberranzan Networks
I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what OSes do to prevent or reduce the impact of exploitation.
For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grsec and Bastille allow Linux to be hardened in a way which prevents race conditions, buffer overflows and more. This is a very much simplified list -- but that's exactly why I'd like to see a better breakdown.
I love how people tend to think Computers are simple machines, like a potato peeler or something. They're complex machines, and there's people who do not take that into account. The minute you do anything with a computer (even after it's "secured") you run the risk of lowering your security.
... plenty of security is your behavior. And many people don't even realize things they do have any kind of adverse impact.
... why didn't they take into account any other factors? Say vulnerabilities in the different implementations of the TCP stacks.
I bet if I went and bought a nice new shiny sports car, and drove 200 mph into a brick wall, I would die. Geez! How insecure is that? I mean after all I have to engage the seatbelt? It wasn't engaged when I bought the car!
I guess my point is
This article should have been called "A list of default services running on different OSs that sometimes you have to enable manually".
I mean, we're talking security
More Nerd, less "news" please.
FLR
Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. What's worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I hear are:
1) Ignorance (They don't know they need them)
2) Slow Connections (They don't want to wait 3 days for updates to download)
3) Incompatibility (They are afraid that if they download a patch from MS it will break something)
With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.
If Windows had come out as the worst. Since it did not, we here at /. must do our best to totally discredit the survey.
Please elaborate on this. I'm not a Linux lover and I have noticed quite the opposite.
Probably it's something to do with Mac's add campaign pointing out all the flaws in Windows, while implying that Mac's have no flaws. People love to pick holes in pompous statements. It's sort of like the US pointing their finger at Chinas human rights abuses all the time and then the US wondering why people get excited when others show the US is also abusing human rights. (Disclaimer: I don't believe that operating system flaws are on par with human rights abuse, it was just an analogy)
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
The "tests" run are plain silly. Open ports do not mean vulnerabilities. Open services do not mean vulnerabilities as long as the authorization functions of the services work. In other words: using completely patched systems, all of the systems had 0 vulnerabilities.
This was the most stupid and moot article in ages on /.
winXP is inside the support cycle. He could even test Win2000 since it is still supported. A big number of corporations run Win2000 today ("if it ain't broke...") not to mention the ones still running Win98.
Please mod:Flogging Dead Horse
"But this one goes to 11!"
For all other geeks, there's OpenBSD :-)
[Sorry, couldn't resist!]
It must have been something you assimilated. . . .
To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.
He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?
While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.
There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.
Hmmm, did you even read the article??? They tested the initial XP install, then installed SP2 and tested that release, and then rolled the system up to the current patch level, and tested that also.
Each OS was tested independently.
The OSes were not compared with others, nor was there an attempt to choose sides or suggest one OS is better than another...
Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.
The list of open ports was THREE.
No vulnerabilities were detected even with the firewall totally OFF.
Seems like (for now) Vista wins this one.
Wikipedia knows.
Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system?
Who says you have to write to a disk before your computer becomes insecure? Aside from the fact that devices with only a Flash memory may also have vulnerabilities, hardware design flaws are a commonly ignored potential attack vector.
(Yes, I'm aware that the title is "Top 12 Operating Systems Vulnerability Survey." And no, I didn't RTFA - this is Slashdot, after all.)
Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
News out today is that Windows (including Vista) has another security risk in the animated mouse code. That's right, another one. The previous one was in early 2005 and I guess their Trustworthy Computing people forgot to look at the rest of the animated mouse code 'cause they moved it right into Windows Vista.
I did see where McAfee said that Firefox on Windows blocked this so I'm only guessing that it's yet another Windows w/Internet Explorer flaw since one of the temp fixes is to turn off html rendering in MS Outlook and that's probably the MS IE code there too.
Pretty sad when a mouse can open security holes so far into the system. Supposedly, MS Vista does somewhat contain this but I'm not sure if that is with a standard install.
So tell your friends to watch where their mouse has been.
http://www.microsoft.com/technet/security/advisory/935423.mspx
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
If you read the article it states that there are *NO* ports open on a default OS X client install. They manually enabled *EVERY* remote service after boot and then scanned it. So, my Mom is safe. She'll never go to System Preferences and enable all those things. My brother, OTOH, is probably not. He pokes around everywhere :-) However, I feel more confident having him poke around with OS X than I would with Windows.
"terrorism" and "pedophilia" are the root passwords to the Constitution
Did you think that up all by yourself? You're such a smart kid. Do you need help with your book reports?
I refuse to believe that Ubuntu is more secure than Slackware.
Have been living in a dream all these years?
Do not. Touch. Down.
That's fine and dandy. How about some suggestions as to how we can keep our boxes secure?
If history repeats itself, why can't we study the future?
Linux is the most secure, partly due to its Unix understructure. Windows lacks a strong definition of adminship and lowered rights for the user, "Root" and "Users," for us Linux guys. Of course, Linux's way is considerably more frustrating; it's a lot easier to do whatever you want, whenever you want on your Windows system, without having to enter the Root password all the time.
And viruses don't work on Linux, not due to scarcity, but more to the fact that so long as you don't run unknown code with root permissions, you aren't allowed to destroy the system.
But... The most attacks these days are through the applications. So not updating your Apache under Linux will get you into just as bad of a jam as not updating it under Windows.
I use Gentoo.
From a revenue perspective, this isn't the list of "2006's flagship operating systems." I'd like to see a survey of the operating systems used to run the businesses that affect my daily life (businesses like banks and credit card companies). This is the realm of z/OS, HP-UX, i5/OS, and AIX. However, I'm sure that these systems are buried so deep behind firewalls, that vulnerability scans don't even make sense.
But the writer got the Windows tests WRONG. He tested by installing Windows XP without a Service Pack and then upgrading to SP2. He found lots of open ports before the SP and that's what he's reporting. That is clearly silly, as you can't buy XP without SP2 embedded today, and you can't buy a machine without it preinstalled. Testing XP without a Service Pack would be like testing an Apple with OS 9. Same thing when he tests Windows Server 2003 without Service Pack 1 or Service Pack 2. Yes, the tester later reports the effects of installing the Service Pack (which are much better) but reporting the service-pack-less results is just plain misleading.
Anyways, from what I can tell the *nix environment adheres to the principles of least needed privilege and separation of concerns more so than Windows; granted, Windows was originally a single-user environment and is less tailored for this kind of work.
I think it all comes down to the competence of the admin, in the end. An 'out of the box' install is only so for a moment. I know I can secure a windows box more than some of my friends can secure a linux box, and I can secure a linux box less so than one of my friends can secure his BSD box. At least I assume, we've never gone head to head. It's the mindset of the hacker, in the original sense of the word, that everything that you have at hand is a tool and should be used accordingly. If you can only find one use for a tool, which is more useless, the tool, or you? I'm not speaking of you, of course, but a generic 'you' representing John B. Random on the street.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
On the flip-side, because Windows and OS/X are used more frequently, there are more security experts (white hat and black hat) searching for ways to break the code. It also means that it is much more profitable for commercial scanner products (not used in this case, but I'm talking in general) to concentrate on gathering methods for these OS'. If it cost half as much to gain as many methods for Linux, but only 4% of potential customers gave a damn, why would any security vendor bother? The return on investment would be terrible!
The practical upshot is that none of the methods being used to conduct these kinds of surveys gives you a useful picture. It would take a concerted effort to use multiple methods (and multiple approaches to each) to build up a good enough image to winnow out the false or misleading. Whilst a major security vendor could probably afford the time and resources to do this, again it's return on investment. Who is going to pay for a better study? Managers? No. If Gartner said that the sky was purple and pilchards grew in trees, managers would typically believe it, even if every pilchard expert on the planet worked together to produce a mega-report refuting Gartner line-by-line.
What about the Open Source folk? Surely they'd respond positively. I'd like to believe that, but I never did see Tripwire respond to the Internet Audit, which claimed that binaries were altered without Tripwire detecting it. (And how come there are no host intrusion detectors or network intrusion detectors configured as standard on most Linux distros?) There is also evidence that OpenBSD's track record on dealing with DoS attacks is nowhere near as good as it is with holes that would allow actual machine access. Hey, I'd consider myself above average on Open Source advocacy, but the bottom line is that there isn't this overwhelming, universal passion for Doing The Right Thing in the Open Source world. It's better than in many sectors, but there are plenty of security sinners out there in F/L/OSS-land.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Nessus "found" that the Mac OS 9.2.2 box had a vulnerability that would allow an attacker to crash, or run code in, the Oracle 9i application server?
Since Oracle 9i doesn't even run on Mac OS 9.2.2, I don't think this is likely to be a big concern.
This is certainly more insightful than flamebait. TFA is a flawed comparison of OSes that appears designed to make UNIX variants, and in particular Linux, look good. It actually works against the whole movement to blindly support these studies, or moderate comments like the parent in a purely partisan way without actually thinking about them in context. It supports the view that Linux users are irrational zealots.
Can somebody with mod points please, in the absence of a +0 Uncomfortable But True moderation option, please mod the parent Insightful.
Yes, I'm a GNU/Linux user. My promotion of Linux is based on its merits. It is not the support of an english football fan for their team.
I don't therefore I'm not.
You may not agree with the conclusions. But there's some smart overview thinking here.
Who do you know that uses Slackware, who will use it this way?
So you specifically answered "Leave service open" when you installed, right? What did you expect was going to happen?
but I don't think I particularly care to see this particular survey done on those business relevant systems.
the vulnerability was, I believe, in the personal web sharing function, and we might guess it was saying it was a vulnerability similar to some specific oracle 9i vulnerability.
I was surprised several years back to find that oracle 8i and 9i had (semi-)custom apache and similar stuff.
No, I never did get an oracle certification,
... if you consider winning a lame analysis like this winning, ...
What about debian sarge?
Are we RTheSameFoolishA?
Enumeration was enabled by way of UserDir in the httpd.conf .
Yeah, the default httpd.conf provided by Apple has a couple of no-brainers in it. That is related to one of them. I suppose I should submit those to Apple's bug database.
I'm not sure how the enumeration is done, but I shut off UserDir. (I don't use Rendezvous. There is a less severe mitigation, but I'm paranoid.)
Oh, yeah, if they can enumerate your users, it provides a foot up into, for example, brute-forcing passwords.
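As an added example for the UserDir point in this thread (my code, not the poster's and not from the article under discussion): a small check that spots mod_userdir enumeration probes in an Apache access log, and a quick test of whether an httpd.conf has actually turned UserDir off. The log lines, hostnames and addresses below are constructed.

```python
"""Detect /~user/ (mod_userdir) enumeration probes in Apache access logs.

Added example for this thread, not the poster's code.  The log lines are
constructed and the client addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A request that mod_userdir would serve: /~name or /~name/...
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9._-]+)(?:/|$)')

# Constructed sample: one client walking a list of /~name/ paths, and a
# normal visitor who only follows a real link.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2007:12:00:01 -0700] "GET /~alice/ HTTP/1.1" 200 512 "-" "scanner/1.0"
192.0.2.10 - - [10/Apr/2007:12:00:02 -0700] "GET /~bob/ HTTP/1.1" 404 210 "-" "scanner/1.0"
192.0.2.10 - - [10/Apr/2007:12:00:02 -0700] "GET /~carol/ HTTP/1.1" 404 210 "-" "scanner/1.0"
192.0.2.10 - - [10/Apr/2007:12:00:03 -0700] "GET /~dave/ HTTP/1.1" 403 290 "-" "scanner/1.0"
192.0.2.10 - - [10/Apr/2007:12:00:03 -0700] "GET /~erin/ HTTP/1.1" 404 210 "-" "scanner/1.0"
192.0.2.10 - - [10/Apr/2007:12:00:04 -0700] "GET /~frank/ HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.7 - - [10/Apr/2007:12:05:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2007:12:05:09 -0700] "GET /~alice/photos/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_userdir_probers(log_text, min_distinct=5):
    """Group /~name/ requests by client and flag clients touching many names.

    A 404 means the account does not exist, while 200 or 403 means it does
    (403 is mod_userdir refusing to serve a real home directory).  That
    status difference is what an enumeration scan reads, so the finding
    lists which names the server confirmed as existing.
    """
    per_ip = defaultdict(dict)          # ip -> {name: last status seen}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        m = USERDIR_RE.match(path)
        if m:
            per_ip[ip][m.group(1)] = status
    findings = {}
    for ip, names in per_ip.items():
        if len(names) >= min_distinct:
            findings[ip] = {
                "probed": len(names),
                "missing": sorted(n for n, s in names.items() if s == 404),
                "existing": sorted(n for n, s in names.items() if s != 404),
            }
    return findings


def userdir_disabled(httpd_conf):
    """True if the last uncommented global UserDir directive is the bare
    'UserDir disabled' that switches mod_userdir off for every account.

    Per-user forms ('UserDir disabled bob') and <Directory> scoping are not
    evaluated; this is a quick sanity check, not a full config parser.
    """
    last = None
    for raw in httpd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("userdir "):
            last = line.split()[1:]
    return last is not None and len(last) == 1 and last[0].lower() == "disabled"


if __name__ == "__main__":
    for ip, f in find_userdir_probers(SAMPLE_LOG).items():
        print(f"{ip}: probed {f['probed']} names, "
              f"{len(f['existing'])} confirmed -> {f['existing']}")
    print("UserDir disabled:", userdir_disabled("UserDir disabled\n"))
```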
Interesting how some people are noting that x86 does level the playing field for the black hats a bit. I know that the hard core guys don't really find any barriers in the PPC machine code, but, as a speed bump, it was once a factor in slowing down incursions.
Sure wish Apple would keep both CPU lines. Also wish they would maintain a current, more minimal platform for people who don't want bells and whistles like dashboard. But I guess the upshot of that is, I'm going to max the RAM on my old clamshell iBook, put an 80G hard disk in it, and triple boot it (Classic, Mac OS X, Fedora Core. Shoot, if I can figure out the partitioning, I'll see if I can quad boot it with openbsd.) So, Apple moves me to Linux. Nothing strange going on there.
So, they had to explicitly enable all of FTP, Samba, AFP etc. for OS X to get something to show, yet didn't even notice mDNS/Rendezvous (port 5353) open out of the box? Mongs.
[other agreeable/worthwhile comments skipped]
There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.
IBM kinda has two, right? You probably mean z/OS IBM's mainframe OS successor to MVS, but there's also i5/OS aka OS/400 which has a unique and interesting (imho) object-oriented system architecture. Last I checked IBM sold $1 billion of the latter every year (OS+hardware). Oh, and there's VM/CMS which is what all the virtualization efforts on all systems today are emulating (no pun intended) and trying to improve upon.
Just 2 cents from someone who learned about these when researching commercial operating systems a while back. I recognize these aren't mainstream to a Unix-head or Windows-head, but I guess once you toss in VMS, I think it's worth mentioning MVS and OS/400.
--LP
I think he's implying that given all the "the conclusion isn't fair to Mac OSX", that the vocal uber-geeks are switching from Linux to Macs.
http://www.mhall119.com
How many people are running out-of-the-box RH7?
How many tens of millions of people are running out-of-the-box XP?
Tech Public Policy stuff
Let me get this right... It's considered "out of the box" to enable OS 9.2.2 Classic web sharing inside of OS X 10.4.x (which has its own, also off by default), even though the current and previous generation of Intel Macs don't support running Classic at all?
To really get a feel for the validity of their results, get a load of this OS 9 Classic high-risk vulnerability:
"Nessus: The web server tested positive for an Oracle9i crash through an incorrectly crafted, long URL."
http://www.nessus.org/plugins/index.php?view=single&id=10654
I knew Macs could do many things, but having an Oracle vulnerability without having Oracle is impressive indeed.
Some things just make you say WOW
If they wanted to find OS 9 / Classic vulnerabilities, they could at least actually test for something real instead of going by questionable out-of-date nonsense in a database.
It is very likely that the old unsupported version of Internet Explorer on OS 9 does have some real vulnerabilities. They didn't even check for that. Of course anyone still using that is probably also vulnerable to eating food from the 90's hiding in the back of their refrigerator.
Their whole approach of using a scanner to compare security of OSes is deeply flawed. While it can be helpful for spotting issues with a machine that just sits there, like a server, it is nearly useless in the case of a desktop system where many of the undesirable events depend heavily on the behavior of the local user. Use of a scanner also neglects little things like browser vulnerabilities!
We're given nearly useless results, and more vulnerabilities for OS X than for XP and Vista combined.
Another MS funded "study" perhaps? It is Vista hype season after all.
it's a lot easier to do whatever you want, whenever you want on your Windows system, without having to enter the Root password all the time.
To ..
it's a lot easier for hackers to do whatever they want, whenever they want on your Windows system, without having to enter the Root password all the time.
But regardless of that, I am not constantly having to enter in root passwords on my Linux system. It's not that intrusive really.. at least in my opinion.