Vista Security Claims Debunked

An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."

Microsoft found making PR-FUD-ing research

[MukiMuki]

In other news, scientists have confirmed that water is, in fact, wet.

Re:Microsoft found making PR-FUD-ing research

[catwh0re]

MY absolute favourite security falsehoods are the various ways "researches" compare one system security to anothers

Such straight forward conclusions are impossible to make. Based on the following points.

- If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed source often lacks.) Then no bugs at all will be discovered.

- The existing number of unfound bugs is related to the number of discovered bugs. Well no not really: The number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.

- A difficult and obscure to exploit bug (one that requires a perfect storm of conditions) is as important as a bug that is easily exploitable(e.g. drive by downloads). Also with that: Bugs that bring down the whole system versus bugs that only fail a single service.(E.g. blue screen versus failing to display a JPG correctly.)

- Differences in reporting models: Total lack of transparency versus an open forum. E.g. Microsoft vs Linux reporting. You can only compare reporting from the same kind of reporting models. E.g. You can compare kHTML versus Mozilla (as they are both open and have similar review structures), but not Windows vs BSD (the dissimilar reviews allow misrepresentation via favourable skews and different classification paradigms.

Re:Microsoft found making PR-FUD-ing research

[Tumbleweed]

Au contraire - Gartner Group just released a study which concluded MS Water(tm) was not, in fact, wet*, unlike GNU/Water or H2O-BSD.

(*) MS Water(tm) tested at temperatures below 0 degrees C and above 100 degrees C, GNU/Water and H2O-BSD tested between 0 degrees C and 100 degrees C.

Shocked!

[yotto]

I am totally shocked. I just bought 10 licences too and threw away all my Linux computers!

Microsoft "Research"

[WilliamSChips]

Bears are Catholic. The Pope shits in the woods.

And here I was...

riding a flying pig on my way to get a sweater at the store 'cause I heard Hell had frozen over. At the gamestop next to the sweater store, some kid was playing Duke Nukem Forever, which I thought was an amazing game. ...so what do you mean the report isn't true?

Don't accept abuse. MS apparently lied.

[Futurepower(R)]

MOD PARENT UP!

Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.

My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.

Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."

Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!

Re:The Microsoft guy did a second report

[Zeinfeld]

Does it, or does it debunk the second report? It was my understanding that the first report included absolutely everything available for the distro, while the second report included less stuff, but still tons of stuff that isn't included in a base "windows" install.

Regardless of whether it does or does not the claims are as silly and irrelevant as the slashdot stories 'proving' that Linux is more secure.

The number of bugs is not relevant, it there is one bug the system is vulnerable. What matters is the window of vulnerability. The time between discovery of the bug by the bad guys and fixing it by the good guys.

UNIX used to be known for its insecurity. Richie and crew invented the buffer overrun bug, Tony Hoare was referring to this blunder in C when he gave his Turing Award lecture he brought up the fact that the first principle of ALGOL 60 had been security.

The perceived level of security of a system has much less to do with familiarity than any actual objective measure. None of the systems that are on the market today is built well enough for its supporters to start challenging others to this type of dick size measurement contest. Its silly and unhelpful.

This was fairly obvious at the time.

[Cal+Paterson]

The Jeff Jones reports are complete crap. This was obvious at the time. He pretty much showed himself a fool by claiming that XP had less critical bugs than the current Ubuntu, SuSE and RHEL, and thus was more secure. He seems to think that he can compare security based on the number of public and critical bug reports between a company that does not release bug reports to the public and companies that do.

Any observer from a tech background would know that this would turn his results to shit, but he is;

1. A Microsoft Employee
2. A Blogger

so that never mattered anyway.

Thing I learned in the marketing class I failed:

Marketing is cheaper than R&D.

I Am So Amazed That MS Would Deceive

[NeverVotedBush]

I mean, in their entire history, when has Microsoft ever done ANYTHING untrustworthy?

Like literally copying/stealing other people's code line for line and putting it in their OS? (Stacker)

Like putting in software hooks to see if competing office products were running and then crash them or make them run slow? (WordPerfect)

Like swapping code in an OS and a browser to make it appear that the browser was integral to the OS to weasel out of antitrust issues? (Win98 / Explorer)

Naw... I just can't believe that MicroSoft would stoop so low as to try to promote its "ground-up" new OS (that amazingly has many of the exact same vulnerabilities as XP) as being hardened and more secure than Linux and OSX>

They wouldn't do anything like that, would they?

Microsoft is about making money ... not products

[golodh]

It may be sad, but it's really straightforward: Microsoft is a typical profit maximizer. That's their aim. Every activity they do, be it product development, marketing, or plain PR is aligned with that central business goal.

This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.

We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.

The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} cludgy. What the user sees is the user-interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows version have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista in other words.

Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparant windows thingies.

This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.

Re:Thing I learned in the marketing class I failed

[CaptainZapp]

Marketing is cheaper than R&D.

You haven't read an annual company report recently, or ever for that matter?

Even in sdoftware - or pharmaceutical companies where one would assume that a lot is spent for research the R&D budget is usual ~18% (which varies, of course) while sales and marketing usually eats away approx. half of the costs.

Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget then R&D.

This is a generalisation, of course, but true for the vast majority of companies.

Re:Where is the debunking?

[GreatBunzinni]

I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".

That's because you are gullible enough to believe the hype, aggravated by your lack of will to perform a basic search for the facts. Here is a bit of debunking from a quick google search.

From Secunia's advisory atatistics:

• Microsoft Windows Vista has 2 unpatched vulnerabilities, highest rated not critical
• Microsoft Windows XP Home has 27 unpatched vulnerabilities, highest rated highly critical
• Microsoft Windows XP Professional has 30 unpatched vulnerabilities, highest rated highly critical
• Apple Macintosh OS X has 5 unpatched vulnerabilities, highest rated less critical
• Ubuntu Linux 7.04 has zero unpatched vulnerabilities
• Ubuntu Linux 6.10 has zero unpatched vulnerabilities
• Red Hat Enterprise Linux Desktop (v. 5 client) has zero unpatched vulnerabilities
• Red Hat Enterprise Linux (v. 5 server) has zero unpatched vulnerabilities

Those are real world facts supported on real world evidence which is freely available to the public. It isn't a random blog entry which is based on god knows what data which is only known by the author and possibly doesn't even exist. So where in fact is there a need to "debunk" a moronic, unsubstantiated claim made by some microsoft employee, specially when there is all that evidence right in front of everyone's face?