Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 12 Operating Systems Vulnerability Survey

Posted by Zonk on from the just-in-case-you-were-feeling-secure dept.

markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"

25 of 206 comments (clear)

  1. come on... by cosmocain · · Score: 3, Insightful

    ... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...

    1. Re:come on... by drinkypoo · · Score: 4, Insightful

      ... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers.

      My only complaint is that Windows XP should be tested as installed from SP2, since any XP CD distributed through authorized channels today has SP2 built in.

      But you have to realize that Windows XP is the most common version of Windows in use today, and so it is reasonable to test it today...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:SAY IT AINT SO JOE by iangoldby · · Score: 4, Funny

    The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.
    That's not remotely funny -- even with the firewall disabled.
  3. Concise? by jonknee · · Score: 3, Insightful

    Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007.


    Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!
    1. Re:Concise? by solevita · · Score: 3, Insightful

      Who reads printed pages anyway? Just scroll down and read the relevant test results for every OS. No need to read all the blurb about when XP was first released or in what university BSD first came about; just scroll down and read every bit that starts "Nmap". You'll get through it very quickly.

      It was much nicer than most stories that make it to the front page; I didn't have to keep clicking the next page button every 50 words. It was good stuff, there were no ads (although I do run adblock) and a great deal of easy to read information.

      Let's just hope that /. provides us with more of these.

  4. This is a survey of security? by MonGuSE · · Score: 5, Interesting

    Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?

  5. Macs Still Safe in Default State by adavies42 · · Score: 5, Insightful

    The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
    1. Re:Macs Still Safe in Default State by Cheefachi · · Score: 4, Insightful

      I think what the parent poster was saying was that by default OS X has many services that can be compromised turned off and they remain turned off no matter how many times you perform an update or reboot. The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      --
      An engineer is someone who spends 3 hours trying to solve a 2 hour problem in 1 hour - Anonymous
    2. Re:Macs Still Safe in Default State by vux984 · · Score: 4, Insightful

      The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      But then they conclude OSX is rife with vulnerabilty during the patching process, which is pretty misleading if you ask me.

    3. Re:Macs Still Safe in Default State by Anonymous Coward · · Score: 3, Informative

      Um...Yes. That's exactly what is being said. RTFA! or RRTFA. Machines have been infected in as little as 20 SECONDS!

  6. Nessus and Nmap by demonbug · · Score: 5, Informative

    It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up do date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.

  7. Nice Cherrypicking by AKAImBatman · · Score: 5, Insightful

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

    The article also says:

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, [available services] were all enabled through the Preferences tool. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

    Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.

    For OS X Server, they had this to say for it, "Out of the box":

    During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.

    The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Nice Cherrypicking by SCHecklerX · · Score: 5, Insightful

      The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.


      Which is one reason it's so hard to secure a windows system. Who knows what half of those listening services actually do and what depends on them.

      Also, you missed the third part, which is to configure the services you do need conservatively (ie, configure apache to not allow methods you do not use for your site, disable anonymouse FTP, or if needed lock its permissions and probably chroot it, etc).

      Security isn't *too* hard if you have admins that actually listen to their lead security guy:

      1. Run only the services that you need
      2. Configure those services securely
      3. Keep those services patched


      Yes, there is a lot more to security, and how services are used factors into your response in how to mitigate any known problems, but the sysadmin security stuff boils down to the above list.
  8. Read carefully what was done on MacOS X by david.emery · · Score: 5, Insightful

    Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.

    Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.

    But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

              dave

    1. Re:Read carefully what was done on MacOS X by samkass · · Score: 3, Insightful

      I think their analysis is fundamentally flawed once they put MacOS X and UNIX into separate buckets. Almost everything they tested on MacOS X is based on the UNIX underpinnings of MacOS X, and at that level MacOS X *is* UNIX (with 10.5, they even went through the trouble of getting it certified as such). It's not like they were testing Cocoa or the GUI.

      Any remote network vulnerability that treats MacOS X as anything other than another UNIX distro has built-in bias.

      --
      E pluribus unum
  9. Re:Obligatory missing option post. by $RANDOMLUSER · · Score: 3, Funny

    Ha ha. My favorite oxymoron: "Open VMS". The question isn't really "Can you break in?" but "Why would you want to?".

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  10. Re:No OpenBSD? by soloport · · Score: 4, Informative

    Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

    Title says, "Top 12"? (Am guessing.)

  11. Wait, why am I cringing? by Onan · · Score: 3, Interesting

    I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.

    The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.

    That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!

  12. Cringe? by CODiNE · · Score: 4, Insightful
    Hardly.

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled.53 After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.


    Then somehow this :

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

    The immediately following sentence :

    Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services.


    So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
    Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
    --
    Cwm, fjord-bank glyphs vext quiz
  13. Completely inconsistent by evought · · Score: 4, Insightful

    Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.

    Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).

  14. Re:What about 10.4.9? by drinkypoo · · Score: 3, Informative

    I ran nessus 2.2.8 (on Ubuntu Feisty) with all included plugins active, against an up-to-date MacOSX 10.4.9 system which is sitting just to my right. The system has Windows Sharing, Remote Login, and FTP Access turned on. The closest it came to a vulnerability was with netbios-ns (137/udp) and it said "If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port." Hope this is something like what you wanted to know.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Calm your self... by CasperIV · · Score: 4, Insightful

    Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; Many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. Whats worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I here are:
    1) Ignorance (They don't know they need them)
    2) Slow Connections (They don't want to wait 3 days for updates to download)
    3) Incompatibility (They are afraid that if they download a patch from MS it will break something)

    With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.

  16. I find his methodology bizarre. by argent · · Score: 3, Insightful

    To determine the security of the systems out of the box, he changed almost every system from the out-of-the-box configuration.

    He also included classic Mac OS in the test, even though this isn't even installed out of the box on any Mac, and won't run on any Mac shipped in at least three years. Why didn't he include Windows 98 and NT4 in his collection as well?

    While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream - Windows, OS X, Linux and UNIX.

    There's six mainstream lineages left, and they're NT5, 4BSD, Linux, System V, VMS, and whatever IBM's calling their systems architecture this week.

  17. Vista? by MSFanBoi2 · · Score: 3, Interesting

    Ok so let me get this correct, in order for his scanners to even detect Vista on the network he had to totally disable the built in firewall.

    The list of open ports was THREE.

    No vulnerablities were detected even with the firewall totally OFF.

    Seems like (for now) Vista wins this one.

  18. Re:SAY IT AINT SO JOE by kgbspy · · Score: 3, Funny

    PC user: Macs suck. You can't play games on them, you can't get any good software for them; really, nobody supports Macs. Mac user: Yeah, but at least we don't get viruses. PC user: See? Not even virus writers support Macs!

    --
    ~
    ~
    ~
    -- INSERT --