Windows vs Linux - Workstation Comparison - Q3 2006

re: Windows vs Linux - Workstation Comparison - Q3 2006

Teddy — Thu, 19 Oct 2006 22:10:57 GMT

Howdy,

Interesting statistics, although one can dispute about it.

For example, counting so-called silent fixes from all camps would bring more truth. Otherwise it is wondering if vendor n fix 1 or n vulnerabilities on this fix/advisory and it falsifies all statistic. Yes, we do know many parties do it, but that is not point.

//Ted

re: Windows vs Linux - Workstation Comparison - Q3 2006

jrjones — Thu, 19 Oct 2006 22:20:02 GMT

Ted

Honestly, I've never gotten the "silent fixes" argument. How does silently fixing issues that nobody publicly knows about increase customer risk? Better, what process can you recommend that would protect customers from risk even better?

I don't quite understand your other question. These metrics cover vulnerabilities fixed, not advisories. That means if a vendor fixes 20 issues with one advisory or 1, the vulnerabilities are all individually counted.

I don't get your point... I think you are implying that some vendor might bundle multiple issues in one fix and thus reduce their count, but I'm not sure. That is not the case here though.

FYI, I have checked in the past and both Microsoft and Red Hat *average* about 2 vulnerabilities per security advisory, both with a wide variation.

re: Windows vs Linux - Workstation Comparison - Q3 2006

n00dles — Fri, 20 Oct 2006 03:01:47 GMT

Hi,

Great post.

I agree with your reasoning around the Linux package inclusions etc, but it would be interesting to see a similar comparison of patches that were remotely exploitable. It would be a huge task, and a vulnerability is a vulnerability is a vulnerability no question.

But when I look at all those security patches released so far for RHEL4 WS, I can't help but notice that hardly any of them would be remotely exploitable in the minimal workstation configuration you have used as the baseline.

re: Windows vs Linux - Workstation Comparison - Q3 2006

LarryOsterman — Fri, 20 Oct 2006 04:33:06 GMT

There are two major issues with the "remotely exploitable" argument. The first is with the meaning of "remotely exploitable".

Do you mean that it:

Can be exploited but requires authentication?

Can be exploited but is blocked by a built-in firewall?

Can be exploited but the service is installed and running but not listening to the net on the default config?

etc. That information isn't always easy to glean from a CVE report.

In addition some vendors don't always accurately disclose the level to which a vulnerability can be exploited - David Litchfield published a paper yesterday analyzing Oracles October CPU and he mentions that several of Oracle's vulnerabilites can be anonymously exploited even though Oracle claims they can't. I'm just picking on Oracle because I remember this off the top of my head (it was yesterday), other vendors have had similar issues.

Going with raw numbers and severity is safer and more measurable (IMHO)

re: Windows vs Linux - Workstation Comparison - Q3 2006

jrjones — Fri, 20 Oct 2006 07:01:38 GMT

Actually, I can dodge all of Larry's *good* questions by simply acceping the NVD designation of remotely exploitable (but of course, the issues he raises are still valid, especially for "lure" issues). If a vuln is complex to exploit and/or requires authentication, then it likely would not receive a High rating from NVD.

I've already done the analysis of "High Severity+Remotely Exploitable" and it is very close (in count) to High Severity alone. Basically, remote exploitability raises NVD severity so they correlate closely. In fact, the only non-remote High severity is a local "escalation to root/admin", which is pretty serious anyway.

re: Windows vs Linux - Workstation Comparison - Q3 2006

n00dles — Fri, 20 Oct 2006 09:29:27 GMT

Yes the NVD designation of remotely exploitable is what I had in mind. The kind of thing that made Blaster, Sasser and Slammer so devastating.

I'm just playing devils advocate here... I'm a Windows guy, and am the first to defend Windows in a security argument (IIS 6 vs Apache anyone :-).

Going with raw numbers and severity is more measurable without spending an inordinate amount of time on it, but raw numbers don't often tell the whole story. Just because McDonalds is the most popular restaurant in the world, doesn't mean the food is any good.

Again, I'm suggesting for a minute that the analysis above is anything less than completely valid and well reasoned. I was just curious of how the really bad anonymous remotely exploitable vulnerabilites were factored into the equation.

re: Windows vs Linux - Workstation Comparison - Q3 2006

n00dles — Fri, 20 Oct 2006 09:49:20 GMT

Err that should be *NOT* suggesting...

Windows vs Linux - Workstation - Q3 2006 addendum (High+Remote)

Jeff Jones Security Blog — Fri, 20 Oct 2006 21:23:38 GMT

This post is dedicated to n00dles , for daring to ask for even more detail ;-) and should be considered

Confronto tra Linux e Windows XP

Blog Team TechNet Italia — Mon, 23 Oct 2006 12:47:22 GMT

Jeff Jones ha scritto due interessanti articoli (in inglese) sulla sicurezza che confrontano Windows

Which fixes are included?

Mark Cox — Wed, 25 Oct 2006 11:45:58 GMT

For RHEL4 you removed OpenOffice from your calculations so that you didn't need to include Office vulnerabilities in your XP count. Is this because the number of critical office vulnerabilities in Q3 was very high? Does the XP count include Media Player and things shipped with XP2 by default like Flash player?

Microsoft has said that they often include fixes for vulnerabilities silently, and that by not disclosing them it doesn't affect customers risk. However some groups such as eEye reverse engineer the Microsoft patches to discover these additional flaws. Without needing to disclose the details of the silent fixes, by how much would they affect the weighted severity?

re: Windows vs Linux - Workstation Comparison - Q3 2006

jrjones — Wed, 25 Oct 2006 18:24:25 GMT

Hey Mark!

Did you take some time off? Haven't seen much activity from you on your blog lately.

Anyway, to answer your questions, I removed OpenOffice, etc, because the typical objection is "you don't have to install all of those components on <my>Linux" and I am trying to compare operating systems.

The XP count includes everything that shipped on the XP Pro CD media.

On the silent fixes, it seems like if eEye (or anyone else) reverse engineer a fix and identify it, even without details, then it has at that point been disclosed. It is easy to find articles by folks claiming (and I believe, doing) that they reverse engineer MSFT patches in 20 minutes. On the other hand, I can't seem to find very many of these identifying the supposed extra vulns. There are some, just not that many.

The one that got well publicized as "when silence is not golden", for example, was "found" by ... reading about it in the Bulletin.

This silent fix question is worth digging deeper on as a general security policy issue, so I think I'll post a blog entry examining it in more detail.

בלוגים שלא הכרתם (אולי)

TechNet Talk — Sun, 29 Oct 2006 16:31:40 GMT

למי מכם שויסטה הוא נושא חם עבורו, מומלץ להעיף מבט בבלוגים של אנשי הפיתוח של המוצר במיקרוסופט. ועוד, בלוג

Common Objections - Comparing Linux Distros with Windows

Jeff Jones Security Blog — Mon, 29 Jan 2007 21:32:28 GMT

Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics