Slashdot Mirror
Top 12 Operating Systems Vulnerability Survey
markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"
... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...
Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!
Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?
The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up do date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.
What no OpenVMS analysis?
The article also says:
Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.
For OS X Server, they had this to say for it, "Out of the box":
The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
Javascript + Nintendo DSi = DSiCade
Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.
Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.
But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.
dave
Considering that server OSs were examined, why no OpenBSD? Too "obvious"?
Title says, "Top 12"? (Am guessing.)
An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.
The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.
This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and install prior to connecting the machine to a network. For example, for most Windows products this means the latest service pack or hotfix roll-up.
Also: After testing Service Pack 2, one more round of patches were applied using Windows Update In general this is not the best methodology. Frequently one patch prerequisites another patch.
A better methodology would be to install a round, test for remote exploits, then continue with additional rounds of patching until there were no more patches available. Report the results at each stage.
In this particular case, it's okay because Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled).
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.
And yes, I am a Vista user.
I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.
The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.
That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!
Then somehow this
The immediately following sentence
So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
Cwm, fjord-bank glyphs vext quiz
This article *CLEARLY* points out that neither OSX client or server is vulnerable to ANY attack in it's default state. The summary at the end is bogus because it clearly contradicts his own findings.
One you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but non appear to allow a virus to propagate.
That's what I'm talking about. I comment in another location that they should be testing against the SP2 version because if you get XP today, that's what you're installing.
But the period between SP2 and the patches, that's a time when the machine is typically on the 'net and potentially vulnerable.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I thought it was funny, but maybe because I had a co-worker who always went on about how everything on the mac 'just works'.
You are awash in a sea of fiercely stated opinions. Obvious exits are: 'File->Quit', 'Reply', and 'Page Down'.
The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.
Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.
Some OSes even come with inbound ports turned off by default using the built-in firewall.
If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meaningless.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.
Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).
I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what OS do to prevent or reduce the impact of exploitation.
For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grsec and Bastille allow Linux to be hardened in a way which prevents race conditions, buffer overflows and more. This is a very much simplified list -- but that's exactly why I'd like to see a better breakdown.
I ran nessus 2.2.8 (on Ubuntu Feisty) with all included plugins active, against an up-to-date MacOSX 10.4.9 system which is sitting just to my right. The system has Windows Sharing, Remote Login, and FTP Access turned on. The closest it came to a vulnerability was with netbios-ns (137/udp) and it said "If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port." Hope this is something like what you wanted to know.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; Many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. Whats worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I here are:
1) Ignorance (They don't know they need them)
2) Slow Connections (They don't want to wait 3 days for updates to download)
3) Incompatibility (They are afraid that if they download a patch from MS it will break something)
With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.
Parent makes an important point. I think the MS automatic updates are a great help to Joe Average User, but if they wanted to do things right, MS would lock down almost all networking other than HTTP connections to update.microsoft.com until the fresh install was fully patched.
Ask me about my sig!
Test "tests" run are plain silly. Open ports do not mean vulnerabilities. Open services do not mean vulnerabilities as long as the authorization functions of the services work. In other words: Using completely patched systems all of the systems had 0 vulnerabilities.
/.
This was the most stupid and moot article in ages on
To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.
He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?
While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.
There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.
Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.
The list of open ports was THREE.
No vulnerablities were detected even with the firewall totally OFF.
Seems like (for now) Vista wins this one.
PC user: Macs suck. You can't play games on them, you can't get any good software for them; really, nobody supports Macs. Mac user: Yeah, but at least we don't get viruses. PC user: See? Not even virus writers support Macs!
~
~
~
-- INSERT --
Nessus "found" that the Mac OS 9.2.2 box had a vulnerability that would allow an attacker to crash, or run code in, the Oracle 9i application server?
Since Oracle 9i doesn't even run on Mac OS 9.2.2, I don't think this is likely to be a big concern.