Slashdot Mirror
6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Full: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&ct=clnk&cd=1&gl=us&client=fir efox-a
: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&client=firefox-a&gl=us&strip= 1
Text only:
http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ
creation science book
Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).
;-)
...
Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
* Include a comparison view of Linux distribution workstation builds that exclude vulnerabilities non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
* Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
* A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on WIndows. (clicking the chart also gets you to the full report.)
High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
creation science book
http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html Updated response "Jeff Jones Vista security progress."
http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html
Looks like there are several errors with the method the blogger used to evaluate security flaws
This has already been analysed at microsoft-watch, and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
I can explain it for you, but I can't understand it for you.
Here ya go! Let me know when you're finished, thanks!
>none of that ./configure && make && make install nonsense or a miriad of package managers (yast, smart, yum etc etc)
>
>you see on windows ur guaranteed your app will work across all versions on linux forget about it
No, you're not guaranteed that your app will work on all versions at all. And, to boot, you have to F aorund with all the other problems that every single Windows user out there is well familiar with - you included.
Do you want an OS where none of that exists? An OS where there is a single, universal way of both containing and "installing" apps? Go try Mac OS X.
I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chrootkit, nmap, etc...) are usually installed by default. When windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.
A self extracting tar file with installer?
.debs
Its a very old trick thats been on unix for years. you make an install shell script, you put a tag that signifies the end of it, then you appaend the tgz of the package you want to install.
Set this installer to executable and voila you have a self extracting installer - feel free to add gui's etc.
You might be familiar with the concept - pretty much every installer you use on windows employs this kind of system - its not exactly difficult to create or use.
Personally though I much prefer apt-get and
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
Rather than take his word for it why not just check at Secunia.
Vista
Ubuntu 6.06
"We are all geniuses when we dream"
- E.M. Cioran
It's a pretty contrived review.
The bulk of it has already been debunked here http://seclists.org/fulldisclosure/2007/Jun/0528.h tml
"I've got more toys than Teruhisa Kitahara."
see Cyberinsecurity at http://www.ccianet.org/filings/cybersecurity/cyber insecurity.pdf
see release-critical bugs at http://bugs.debian.org/bugs/release-critical
Where have you seen transparent quality control like that at M$?
A problem is an opportunity http://mrpogson.com
If you haven't noticed but there is only one "distro" of Windows, unless you want to count MCE, etc as another "distro".
I wish that was true. Good luck installing a random piece of software on Vista. It probably won't work. What about people who still use 98/ME, most software isn't compatible. Forget installing antivirus, a new scanner, or a new printer on an old version of Windows. You better watch or for the very same things on Vista, because there are still a ton of compatibility issues.
Now on to the biggest issue with your statement. Every Linux distro is a different operating system. Asking for installers to be universal is like asking for software built for Windows to install on Linux. Why don't application installers for Windows work consistently with WinXP, Win2003, WinVista, and WinCE? Oh yeah, because they are different operating systems.
Time makes more converts than reason
I looked at the user comments at the bottem of the article. One juicy tidbit was to this link..
i crosoft_is_counting_bugs_again.html
http://www.microsoft-watch.com/content/security/m
The biggest bug in Windows is between the chair and keyboard. The item in question is gullable, has admin privilages, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, it's biggest fault, but it seems to be driving towards better system security and user permissions.
The truth shall set you free!
No wonder Windows Vista is best in his review.
i crosoft_is_counting_bugs_again.html
I am not convinced, next please Mr Jones.
Someone else didn't like the numbers either and provided this link;
http://www.microsoft-watch.com/content/security/m
There are more patches in a month than there are fixed patches in the count.
The truth shall set you free!
Two points:
:-D
1) They wont accept outside contributions unless you sign their paperwork.
2) I have personally contributed, so I know that at least 1 person from outside has contibuted
Gladly! Check out the "exploits" section.
It is well known that FLOSS has fewer bugs per 1000 lines of source code. The bloat that went into Vista brought in plenty of bugs to be sure.
r insecurity.pdf
Hmm, yet you have no proof of anything, just that you think Vista is bloated. Sorry, there's nothing 'to be sure' about in your statement.
M$ gets stuff determined by the sales department. We know how well salesmen design systems.
So you're claiming that salesmen are doubling as software architechs at MS?
Linux is designed to be modular so the complexity of each piece is less. M$ has stuff where the browser installs code, printing a document can cause pieces of the file to be executed, etc.
Windows is modular as well. The browser installing code is an ActiveX control, FF has the same capabilities.
There are far more projects in FLOSS than there are coders in M$. More manpower, with properly filtered output results in more correct code.
Sorry, having more coders does not mean that the code ends up more correct. Another logic fallacy here..
If a bug bugs me, I can look at the code, file a bug report, or suggest a patch. There is no way that can be done with M$'s way of doing things. Vista release was as buggy as a Linux release candidate.
You can file a bug report with MS as well. Whether or not you understand the code, and how it all interrelates is debatable though. Your claim that Vista RTM is as buggy as a Linux RC is again nothing more than a statement you claim to be true with no actual facts. For myself, and many others, Vista has been exteremely stable. I've not had a single issue since I've installed the OS.
see Cyberinsecurity at http://www.ccianet.org/filings/cybersecurity/cybe
see release-critical bugs at http://bugs.debian.org/bugs/release-critical
Where have you seen transparent quality control like that at M$?
So transparent I can't even see it, as both of those links result in a 404. I don't need a bug list (although its there for any patch) to determine if an OS is buggy or not, I can see that by simply using the OS.
aieee, the stuff in the exploits section is barely even related to linux. it's all third-party stuff. and by third-party i dont mean GNOME, i mean XOOPS. there's even Microsoft exploits listed here.
These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
Fantastic sleuthing! here I was reading the article like a chump:
We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiple bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiple by a "damage index" (see #5), then multiple by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
It's not the most professional writing I've seen, but I believe most of the points made are valid.
There's another commentary here. http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html
"I've got more toys than Teruhisa Kitahara."
Having been formerly a maintainer for an open source project (see my sig), I can say that we at least (being even a small project) got way more submissions per week than we could possibly have integrated even if all we did full time was integrate them. Of course we didn't just accept simple patches, we reviewed every line of code and evaluated it for cleanliness, security, performance, and (since this is a game) game balance.
In addition to this, the truth is that at least 9 in 10 submissions which we did evaluate were rejected for various reasons, not the least of which were that many of the implementations were horribly ugly even when they did manage to pass all the other criteria. The people whose submissions got looked at most seriously were those who contributed regularly. My eventual development partner hounded me literally for months before I took him seriously (he was a pretty abrasive guy on the surface, with a lot of criticism for my work, and this turned me off to him at first).
The fact is that there's no way most OSS developers have the time to look at the submission of every Tom, Dick, and Harry. The way to get noticed is to provide features which are innovative, well coded, make sense (so many of our submissions were simply bad ideas), and to persevere. We want partners, not dump and run developers.
Slay a dragon... over lunch!
The guy you replied to was a stupid troll, probably some pre-pubescent dork who looks at llama pr0n all day long. Truly, you wasted your time replying to him.
If you can get past the troll, the bad grammar, and the general idiocy, there lies one, and I mean just one, good point: While you and I may appreciate the command line's power, or the ease of apt-get, etc...how do most people install software on Windows? They download it and run the setup file from their desktop. That's how I do it. I don't think I have ever been able to install programs that simply on my Ubuntu box.
Yes, I find it easy to type "sudo apt-get install xxxxx" but let's face it, not everyone is gonna do that. Even when people make legitimate, well worded, polite comments here or elsewhere complaining about the perceived difficulty of installing software, invariably someone provides a little bash script or command to perform the desired function. Trouble is, these types of replies miss the point entirely. At best, the person who posts them is trying to be helpful but just doesn't get that many people are scared of the CLI. At worst, he is trying to be an arrogant jerk. I hope you wouldn't have replied that way if the poster had actually voiced his concern in a proper way. Those kinds of replies reinforce the negative stereotypes about the F/OSS community.
blah blah blah
What's purple and commutes? An Abelian grape.
http://toastytech.com/guis/winvistawin101.png
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
I suspect you've fallen into the falacy that just because people can look at the source, people actually do.
And you've fallen for the fallacy that the almost-daily security updates we get from Ubuntu, for example, aren't the result of people fixing things?
Keep abusing your neurons like that, and you'll go blind.
[1] "By Jeffrey R. Jones Director, Microsoft Security Business and Technology Unit"
- 5173565.html_ News_Researcher_Says_Vista_The_Most_Secure_OS.6304 6006.details/ articles/itproviewpoint031004.mspx
[2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
[3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."
[1] - http://articles.techrepublic.com.com/5100-1035_11
[2] - http://www.boxxet.com/Windows_Vista/Windows_Vista
[3] - http://www.microsoft.com/technet/security/secnews
boycott slashdot February 10th - 17th check out: altSlashdot.org