Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 12 Operating Systems Vulnerability Survey

Posted by Zonk on from the just-in-case-you-were-feeling-secure dept.

markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"

14 of 206 comments (clear)

  1. Re:SAY IT AINT SO JOE by iangoldby · · Score: 4, Funny

    The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.
    That's not remotely funny -- even with the firewall disabled.
  2. This is a survey of security? by MonGuSE · · Score: 5, Interesting

    Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?

  3. Macs Still Safe in Default State by adavies42 · · Score: 5, Insightful

    The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
    1. Re:Macs Still Safe in Default State by Cheefachi · · Score: 4, Insightful

      I think what the parent poster was saying was that by default OS X has many services that can be compromised turned off and they remain turned off no matter how many times you perform an update or reboot. The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      --
      An engineer is someone who spends 3 hours trying to solve a 2 hour problem in 1 hour - Anonymous
    2. Re:Macs Still Safe in Default State by vux984 · · Score: 4, Insightful

      The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

      But then they conclude OSX is rife with vulnerabilty during the patching process, which is pretty misleading if you ask me.

  4. Nessus and Nmap by demonbug · · Score: 5, Informative

    It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up do date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.

  5. Nice Cherrypicking by AKAImBatman · · Score: 5, Insightful

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

    The article also says:

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, [available services] were all enabled through the Preferences tool. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

    Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.

    For OS X Server, they had this to say for it, "Out of the box":

    During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.

    The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.
    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Nice Cherrypicking by SCHecklerX · · Score: 5, Insightful

      The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.


      Which is one reason it's so hard to secure a windows system. Who knows what half of those listening services actually do and what depends on them.

      Also, you missed the third part, which is to configure the services you do need conservatively (ie, configure apache to not allow methods you do not use for your site, disable anonymouse FTP, or if needed lock its permissions and probably chroot it, etc).

      Security isn't *too* hard if you have admins that actually listen to their lead security guy:

      1. Run only the services that you need
      2. Configure those services securely
      3. Keep those services patched


      Yes, there is a lot more to security, and how services are used factors into your response in how to mitigate any known problems, but the sysadmin security stuff boils down to the above list.
  6. Read carefully what was done on MacOS X by david.emery · · Score: 5, Insightful

    Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.

    Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.

    But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

              dave

  7. Re:No OpenBSD? by soloport · · Score: 4, Informative

    Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

    Title says, "Top 12"? (Am guessing.)

  8. Re:come on... by drinkypoo · · Score: 4, Insightful

    ... i'm no M$-fanboy at all, but testing a 2001-XP against a end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers.

    My only complaint is that Windows XP should be tested as installed from SP2, since any XP CD distributed through authorized channels today has SP2 built in.

    But you have to realize that Windows XP is the most common version of Windows in use today, and so it is reasonable to test it today...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Cringe? by CODiNE · · Score: 4, Insightful
    Hardly.

    By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled.53 After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.


    Then somehow this :

    As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

    The immediately following sentence :

    Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services.


    So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
    Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.
    --
    Cwm, fjord-bank glyphs vext quiz
  10. Completely inconsistent by evought · · Score: 4, Insightful

    Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.

    Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).

  11. Calm your self... by CasperIV · · Score: 4, Insightful

    Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; Many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. Whats worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I here are:
    1) Ignorance (They don't know they need them)
    2) Slow Connections (They don't want to wait 3 days for updates to download)
    3) Incompatibility (They are afraid that if they download a patch from MS it will break something)

    With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.