Robert Hensing's Blog

Software Security . . . and stuff.


Windows Server 2003 spanks Red Hat's monkey?

  • Comments 32
  • Likes

Interesting information from RSA, it's nice to see someone other than me notice the pure creamy goodness of WS2003 for once (I've noticed it from the incident response side of things by noting a marked absence of WS2003 hacking cases over the last 2 years as compared to Windows 2000).

Why am I not surprised by their findings? 
Simple - I've been slowly biding my time as the WS2003 OS matures watching the bug counts in our OS and those of our competitors month by month using an independant site like Secunia - anyone who's been doing this already knows that there are dramatically more bugs discovered and fixed by our open source competitor which in my mind does not seem to indiciate any superior secure coding kung-fu being employed on their part (or that the 'many eyes' approach is indeed contributing to provably more secure code).

Here are the stats from Secunia - an organization not affiliated with Microsoft b.t.w. :)
Windows Server 2003 Enterprise Edition
44 advisories since June of 2003, 11% un-patched right now, 0% extremely critical, 45% highly critical, 59% exploitable 'from remote'.
Looking at the two un-patched ones, one is an HTML help vuln from 2003 - so I am betting that is a mistake and another is a minor information disclosure bug - obviously we have work to do still and we are doing it.

Red Hat Enterprise Linux ES 3.0
136 advisories, since NOVEMBER of 2004, 0% un-patched right now (I wonder if that includes all the latest slew of Linux kernel vulnerabilities reported in the last day or so) 1% extremely critical, 24% highly critical, 66% exploitable 'from remote'.

We are by no means perfect, and we still have a loooooooong way to go, but the journey has at least started and as the first batch of products to go through our secure development lifecycle start to withstand the test of time - it is really no surprise to me to see that our focus on building secure products first and foremost is starting to pay off in terms of better quality software with fewer and less damaging vulnerabilities.

  • Wonder if the test used a default install of each OS...on the MSFT page, they list a bug in NNTP and on the Linux side a bug in kdelib. I wouldn't imagine a production Windows server running NNTP if it was unnecessary, and the same goes for kdelib.

    What would be interesting would be an anonymous survey of what people were actually running in the field, and what vulnerabilities exist there.

    Of course, there's always OpenBSD, which claims to have one remote hole in the default install in more than eight years...I don't think Windows or any Linux distro can touch that.

  • Great points and well written - here are some counter points.

    1. It's generally un-intersting comparing one vendors OS CD to another (as you point out). What's interesting are comparisons of real world servers and roles, especially ones that are web-facing. To do that you need to add some things to the stack like IIS6, ASP.NET and SQL2000 (on WS2003) and Apache, MySQL and PHP on Linux. Then what you've got is what most people actually use these operating systems for on the Internet - a web application. But now you have to include all of THOSE application vulnerabilities as well. I assure you this only makes it worse for Linux - not better (for example, check out the IIS6 vs. Apache bug counts using the same Secunia web site). I leave this as an exercise to the reader. :)

    2. OpenBSD - that's an interesting distro, it certainly does have an impressive security record but they slip in what anyone else woudl call 'security updates' all the time that they don't label as 'security updates'.
    They fix things that lead to DoS but call them 'reliability fixes' or something like that - whereas from Microsoft anything that can remotely DoS Windows is rated at Important at least and we release a security bulletin.

  • 1. I would argue the numbers on the RHES3 page actually include PostgreSQL and Apache, as I see at least one vulnerability for each of those listed on that page. The default ES3 install includs both of those. I could be misreading the numbers...but there's a whole bunch of stuff included there that would never be running in the real world.

    This is partly because of RH's decision to turn on the kitchen sink in the default server install so their product can look extremely feature hurts them in situations like this.

    Agree w/respect to, if nothing is really enabled in the default install, it's going to look a lot nicer in this kind of comparison.

  • To be fair, you would need to compare the buglist of Windows, Microsoft Office, and maybe a hundred third-party packages... because that's all stuff that ships on the Red Hat CD. That would make things look a lot worse for Windows.

    Similarly for Apache, a huge number of Apache bugs are actually in third-party add-ons that are shipped (even if not used) with it.

    The big problem I have with Windows security is that it's a lot harder (and in some cases impossible) to turn things off and know that they're off.

    If I could get Windows without the HTML control, for example, all the "cross zone" attacks would go away. But if you did that, Windows Update, the Control panel, and no doubt lots of other things that I haven't thought of yet would break.

    In UNIX, I can bind services to one particular port, and run them chrooted or in a jail so that even if they're exploited they can't get out again. In Windows, the only way to do the equivalent of binding many services to specific ports is by playing with firewall rules... and there's no chroot or jail.

    IIS and the HTML control both have had a bad problem with reparsing strings, in Apache you run into that with some applications that run under it... but it does a pretty good job of not screwing up encodings before they get passed to CGIs or applets. How about a "secure IIS" that never reparsed a URL submitted to it?

    Finally, Red Hat is hardly a good example of UNIX/Linux. The only Linux I would trust less is that Linspire thing.

  • Very good feedback - I disagree we'd need to do things like include Office in the bugcount as I'm pretty sure RHEL is not shipping an Office suite like OpenOffice (I could be wrong - I'm not like a Linux expert). One could also easily review the 136 advisories to see if its in a component that is shared between the two OS's and eliminate ones that aren't. But if it's in a component that's not shared - what's that tell you? That Linux has a BIGGER potential attack surface than Windows due to the inclusion of everything but a mod_kitchensink in the distro?

    You do have a very valid point about Linux and being able to strip it down to bare appliance-like functionality - this is presently something that can be done more easily on Linux than on Windows.

    That said - you CAN run most Windows services (most of them, not all) as whatever user account you like (i.e. low privilege network service or local service limitted user account) to mitigate the damage that can be done by exploiting it (this is like your chroot jail as these accounts don't have write permissions anywhere interesting and aren't root / admin accounts).

  • Let me guess . . .

    You're worried about job security because you haven't seen many instrusions on Server 2003. And the best way to advertise that you're skilled and available for a new position is to try to write something that will get your blog on /. again.

    Am I close?

  • ROTFL!! Okay THAT was a great blog post man - I appreciate the laugh. :)

    I actually could care less about being /.'d, I'm definitely not in this for the fame - if I were I'd just write a book and try to get rich - I do this for fun and to help educate customers. :)

    Don't get me wrong - /. is a great community and all, and I frequent the site from time to time, but I was a little amused that they only managed to pick up my blog post on pass-phrases about 6 months after it went live (check the date on when I posted that thing). :)

    Perhaps that says something about the /. community?

    I say that only because my blog post was picked up by Win2k News AND PC Magazine (not to mention full-disclosure, bugtraq, etc.) loooooong before /. ran it. :) I had actually sort of assumed it may have already been submitted and somehow I missed it. :)

  • This kind of stats does only work for MS since MS distributes their patches monthly.
    The switch to this model was a marketing issue, to allow such favorable comparisons.

    Before that time it was not unusual to have 2-3 patches per month only for IE.
    By doing 1 cumulative patch per month per product the MS stats are not comparable !

  • That is NOT the reason we went to monthly security updates and ignoring that you're still wrong. Secunia isn't tracking security bulletins - they are tracking vulnerabilities and for any given bulletin there will be one or more vulnerabilities that are resolved by the security update. So if we released one Windows bulletin that fixed 5 vulnerabiltiies, this doesn't count as '1' this counts as '5'. Furthermore, since we switched to the monthly update process we have released IE out of cycle updates twice as needed to protect customers.

    Releasing bulletins on monthly schedules is a win win for us and for customers. It allows us to plan which month we're going to release our updates in and then test the snot out of them before we release. Customers benefit as well becuase they can plan their resources and staffing and outages accordingly. We've had overwhelmingly positive feedback from this change and other vendors have even taken steps to do the same. Imitations is the sincerest form of flattery I guess.

  • Just my two penneth, but at the end of the day these are just stats, we could play with them all day and not get any real answers. (I had have! see below).

    I think that it's great the MS is now taking security much more seriously and they are making some really good changes. But at the end of the day it's more about how you approach the whole of your security. If you are just going to place a default install on the web without any changes then quite frankly you deserve to get attacked! I would be splendid if you could but just a little amount of planning would tell you that this is not currently the case. You don't keep your stock in an open barn so why do it with your data?

    On the subject of chroot jails the idea is that even if the intruder does manage to gain elevated privilages in some way then all they can see, even as the superuser will be a small copy of the parts of the system that are required to run that one process. It goes one step further than just running a process as a special user. But even these are not perfect and have lead to things like SELinux and RBACS on Solaris.

    Oh, and by the way at least one of the advisories for RHEL is for OpenOffice. There are more for things like squirrelmail, gaim (IM client), cvs,(Version control), ethereal(Network monitoring) and more than one Database. You have to compare like with like. Just because Redhat ships a full product does not mean that you have to install it. You don't put exchange or MS office on your Web server. And if you want to look at bug counts then skip over to the Debian entry for some big numbers! But then again they are shipping about 8000 packages on 10 archetcures so 400 bugs is not that bad!

  • Robert,

    "...if I were I'd just write a book and try to get rich..."

    Emphasis on "try", dude. It doesn't happen. Oh, wait...are you talking about writing romance novels with images of a shirtless Fabio on the cover? Now *that* kind of book you can get rich from...but writing in our field? No way!

    Regarding /....stuff only appears there when someone posts it. Someone wrote a review of my book and it didn't appear on the site for quite a while...evidently, it was written in such a way that the moderator didn't know whether to try and fix it, or just trash it.

    With regards to your post of 2/17, at 8:33pm...interesting what some people post, isn't it? Never let the facts get in the way of a good rant!

    Carry on, my friend!

  • I think a key message here is not "which one is best over a certain interval" but "look, both are vulnerable, there are no silver bullets".

    You cannot move to RHEL and expect your system not to be 0wned within a week, nor could you bring up Win2K03 and expect not to have to invest time locking it down. One thing Server 2003 does do is lock everything down by default (no exported printers over IPP here :), and tightened up a lot of other stuff, low level stuff. Its so tight that some apps dont work in untrusted user mode (we test our apps in non-power use mode, see). Which is inconvenient, but ultimately a good thing.

    What irritates me is this: regardless of the OS you use, you have to patch and reboot monthly. That is the harsh reality of the situation, and it means that when i go on a four week vacation I have to turn off my work sever *and* my home server, as there is no way I can keep them up to date while I am away.

    It also means that any VMWare image I have of either OS is a security risk as it ages. Those monthly DVDs of my WinXP images may be perfect backups of machine state, but they are a chain of differently vulnerable virtual systems.

    We, that is the software development community, have to do better. We have to stop thinking that because patches are possible, we can be less than thorough. We have to stop putting features in 'because they may be useful', unless you know that the value outweighs the possible insecurities.

  • Man - I have to admit, I used the dramatic title to try and get the Linux followers who may be subscribed to my blog 'out of curiosity' whipped into a frenzy to see if I could elicit some really passionate 'you suck' type replies but you all have managed to disappoint me!

    These are all for the most part GREAT replies, very well through out and very well written. It's nice to see my blog attracting a higher caliber IT person - true professionals! :)

    I pretty much agree with your post and John's before yours etc. (and Harlan's about not getting rich off of books. :)

    P.S. Steve - when you go on vacation - why not just enable automatic udpates at 3am on your Windows boxes so that they install the patches themselves while you're away? :) The new AU client works amazingly well . . . I never patch my XP machines at home and here at Microsoft if you forget to patch, Corpsec carpet bombs the network with patches and you get them whether you like it or not. :)

  • Another metric to add to the comparison might be the number of patches cited that require a complete OS restart to be activated. My day job is as a Windows Server admin, but I'm a Linux hobbyist. Most of the patches I've ever installed on Linux required at most a restart of the affected service to be activated. Most of the critical patches released for Windows Server 2003 have required complete OS restarts. That might mean that while there are less vulnerabilities on WS2003, it requires more drastic measures and additional downtime to patch.

  • Another very good point - on WS2003 most patches should NOT require a restart - the ones that do usually affect the kernel and I believe that patches on Linux that affect the kernel require you to recompile and restart - so that's pretty much the same.

    The problem with Windows is that most people don't understand WHY restarts are required or how to avoid them. Right now if a file that needs updating is in use - the update installer may or may not try to stop the process hosting that file. If it doesn't or can't stop the process hosting the file - then it will copy the file anyways putting it in the PendingFileRenameOperations registry queue and ask you to restart. To avoid reboots for non-kernel security updates it's usually as simple as figuring out what files are being updated (using the file manifest in the bulletin) and then using something like Process Explorer to see what processes they are loaded in and thus what services need to be stopped before the update is installed and then re-started afterwards.

    That said - even doing all of this I think we might still be a bit behind Linux here - but we're working on that . . . WS2003 SP1 is going to allow us to do 'hotpatching' in some cases - eliminating the need for a reboot even if the DLL or driver is in use. :)