Credits: ©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team. Please click here for full terms of use and restrictions or read our Privacy Statement.
Time: 08:17 EST/13:17 GMT | News Source: Microsoft | Posted By: Jonathan Tigner
When I started doing these scorecards, I did two variations - year-to-date and last-3-months - thinking that the latter would reflect short-term bursts of issues and that the former would give an overall view for the year that would incorporate the ups and downs.
Instead, the two versions of the charts seem to look very similar except for the numbers and scale. This kind of hints that whatever vulnerability disclosure and fix rate a product has, it is staying pretty consistent over time, at least in 2007.
The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome, KDE-related, Firefox and all optional client-type application components and just kept a minimalist server with the ability to serve web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities.
Finally, if I had one surprise in the charts, it was that I expected RHEL5 to be further distinguished from (i.e., much lower than) RHEL4 in the YTD charts, given that it did not ship until March.

#1 By 32132 (66.183.202.89) at 8/17/2007 1:26:26 PM
VISTA ROCKS!!!!!
Linux sucks.
OS X sucks more.

#2 By 23443 (63.93.197.67) at 8/17/2007 2:03:51 PM
Ok, I'm just as much a Microsoft fan as anyone, but did anyone notice that this just shows Fixed vulnerabilities, not reported? I'd like to see both and see how things stack up.
Unless I'm reading the charts wrong...
TD

#3 By 15406 (216.191.227.68) at 8/17/2007 3:15:06 PM
#2: did anyone notice that this just shows Fixed vulnerabilities, not reported?
Yep, but cherry-picking facts is nothing new for MS. You just have to learn to expect the misdirection, pay attention to the details and read between the lines.
I'd like to see both and see how things stack up.
We'll never see that data. MS does not disclose bugs they are working on, while the FOSS community does. Hilariously, without providing the total bug count for the same time periods, the graph makes MS look worse as they don't patch their bugs as well as all the other OSes...

#4 By 32132 (66.183.202.89) at 8/17/2007 5:04:36 PM
"I'd like to see both"
The charts for OS X and Linux would be HUGE. Immense. Off the page.
And Vista would still be the winner. OS X and Linux should take a year out to work on security. They need to. They are becoming the laughingstock of the security community.
This post was edited by NotParker on Friday, August 17, 2007 at 17:04.

#5 By 32132 (66.183.202.89) at 8/17/2007 5:07:14 PM
"The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome, KDE-related, Firefox and all optional client-type application components and just kept a minimalist server with the ability to serve web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities."
RedHat was still a disaster.

#6 By 32132 (66.183.202.89) at 8/17/2007 5:10:50 PM
"The open-source Ubuntu project is on the mend after shutting down more than half of its servers this past weekend because they had been compromised and were launching attacks.
James Troup, who leads the Canonical sysadmin team, said in an online advisory that one of the hosted community servers that Canonical sponsored had been breached. Once technicians discovered that compromise, he said an investigation found that five of the eight machines had been breached and were actively attacking other machines."
Ubuntu is just another in a long line of Linux distros to have their servers hacked.
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=201800571

#7 By 3653 (68.52.54.161) at 8/17/2007 5:35:30 PM
Latch with his consistent spin. LOL @ the hater. Now get me a donut, latch, and I don't want the glaze cracked either.
notparker - "OS X and Linux should take a year out to work on security. They need to. They are becoming the laughingstock of the security community"
Case in point - http://news.com.com/8301-10784_3-9759132-7.html?part=rss&subj=news&tag=2547-1_3-0-5
This post was edited by mooresa56 on Friday, August 17, 2007 at 18:15.

#8 By 12071 (124.170.155.204) at 8/17/2007 9:23:39 PM
#2 We go through similar threads EVERY single time someone out there writes any sort of story relating to the number of vulnerabilities... in fact, most of us should just save our comments to be automatically re-inserted into any future stories. How's that for a new feature, Lloyd?
And the reason for that is "lies, damn lies and statistics". It's a wonderful tool for giving you the flexibility to present any case that you wish to present, but in the end you'll get nowhere, which is why we keep having the same conversations over and over again.
In this case, the worst thing you can do is base your initial statistics off lists that were compiled by the vendors themselves, as Jeff Jones here has done. The reason for that is that you're basically trusting the vendor to a) admit to every vulnerability that they have (found by both internal and external users) and b) correctly advertise that fact without hiding multiple vulnerabilities in a single patch. Microsoft, as an example, has been found on many occasions to be completely untrustworthy on both points. Security, like most other things to them, is a PR game, not a security game. They need to look like they're doing the right thing, rather than necessarily doing the right thing. They realize that they can win over many people, many examples of such people right here at ActiveWin, by producing a list with a smaller number of patches. And that's great, but it is NOT a basis for beginning an apples-to-apples comparison of security.
A more valid approach to these studies, which unfortunately won't happen with closed-source companies (as their views on security are much the same), is to include a complete list of known vulnerabilities broken down by category. Alongside each vulnerability would be a severity level (after all, 1000 low critical vulnerabilities is almost always better than a single extremely critical vulnerability). Alongside that would be the date when the vulnerability was first announced, and alongside that would be the date when it was fixed by the vendor. More information can be added to that table, but straight away we have the ability to compare the number of vulnerabilities per category (rather than comparing the number of patches for Windows and the number of patches for Linux including web servers, office suites, etc.), the severity of those vulnerabilities and the time it took to patch each one. I don't know about you, but I'd prefer to have the vendor that patches all of their highly critical vulnerabilities in the shortest time possible, unlike one that takes, for example:
140 days - http://research.eeye.com/html/advisories/published/AD20070814b.html
294 days - http://research.eeye.com/html/advisories/published/AD20070814a.html
144 days - http://research.eeye.com/html/advisories/published/AD20070710.html
to fix high severity vulnerabilities!

#9 By 23275 (24.179.4.158) at 8/17/2007 9:41:25 PM
#8, You introduce some interesting points.
We all have to deal with security issues each day - all of us, and patching is a big part of that, but only one part. "Securable" is perhaps the word we need to deal with, and we have to stop thinking really big when it comes to security and start thinking very small - like at the thread level at least.
One can patch and patch and run fully patched and it doesn't matter - face anything against the public networks and if someone wants it badly enough, they're going to get in [yeah, I know... "DUH!"]. Okay, so let's take this site. Old code, great server - fully patched, hardened and behind multiple and dissimilar firewalls, NDS, IDS and a fleet of hunter-killer guys. So what. It ain't enough - never is. One has to take it further and ask "What?" What is facing the cloud and what does that connect to and depend upon?
So additional layers - app and thread level firewalls and IDS have to be added - and wrapped around each process that faces the world - and not having that is what is going to undo all of us [and it pisses me off].
I mean to ask, how many unsafe sites are out there - and by unsafe I mean, how many are under-served [millions!]. Properly - responsibly facing hosts and sites in the networks costs a small fortune - one has to do it all these days, and even volunteer sites like this one can cost a small mountain of cash to keep safe.
We can all "TALK" all dang day about security and patches, but we really need a candid discussion that embraces the full truth. It has to be said that one can have a server or system that is never patched - never booted and that is STILL SAFE. We have W2K database servers that have not been restarted since 2001!!! They are perfectly safe. We see each day fully patched servers that get beat to heck and back - the difference is in a much more complete approach to securing them. We have to face that to do it right is very complex, very hard to sustain and it costs what it should - a lot. This idea that any one OS is enough or better in this context is silly and it does not help one whit when it comes down to it.

#10 By 32132 (66.183.202.89) at 8/17/2007 9:42:07 PM
#8 All of those are fixed.
Now, back to reality. OS X and Linux security is a joke.
This post was edited by NotParker on Friday, August 17, 2007 at 21:42.

#11 By 12071 (124.170.90.70) at 8/18/2007 5:50:32 AM
#9 You're absolutely right, any decent security strategy must be approached using a layered architecture which will include various forms of hardware and software layers. Anyone who doesn't take that approach to securing their systems... deserves what they get. But the story here was specific to operating systems and the number of patches for them in a given period, which is what I was responding to.
#10 The actual reality is that IF Microsoft decides to patch a vulnerability, it takes them up to and over 10 months to do it. The absolutely ONLY exception to this rule is if the vulnerability is, or has a very real potential to, hurt their bottom line. In those cases, even with live exploits in the wild, vulnerable users of their operating systems will be left out in the cold at the very least 1 month and quite occasionally longer than that. The other vendors don't treat security like a PR exercise; instead they get down to it and release the patches to their users/customers.

#12 By 32132 (66.183.202.89) at 8/18/2007 4:41:36 PM
#11 Let's look at #3 in your list:
Only files saved in the Publisher 98 legacy format that contain an embedded textbox object are vulnerable to the exploit.
Do you actually read the advisories????? Publisher 98 is 10 YEARS OLD!!!!
Linux won't fix stuff over 1 year old!!!! Firefox end-of-lifed 1.5 with a few months' notice!
"The other vendors don't treat security like a PR exercise"
I doubt Apple has the time with patches being released in megabatches of 50 or more every month or so.
Apple is notorious for telling people as little as possible about security.
As for RedHat, they should be ashamed of themselves distributing such shoddy crap.

#13 By 12071 (124.170.90.70) at 8/18/2007 7:55:29 PM
#12 Why just #3, why not #1 and #2? #2 was the one that took almost 10 months to fix and you don't have a thing to say about it? And because of the type of person you are, a lying Microsoft apologist... you missed out on the most important line in that whole advisory! Here, let me include it here for everyone to see:
"Internet Explorer 7 silently fixed the vulnerability roughly ten months ago, due to a change in URLMON.DLL's behavior when reading compressed content."
That's right boys and girls, Microsoft silently makes changes without informing anyone! THAT is why they're untrustworthy and that is why them talking about security is a joke! It's nothing more than a PR exercise to protect their bottom line.
#3 is a vulnerability in a dll that is distributed with Publisher 2007 to convert older publisher documents. Are you saying companies don't have Publisher 98 files anymore? Like they don't still have Access 97 files hanging around?
Apple's track record of security disclosures is also nothing to be too proud of, but at least they've got the right attitude, i.e. fix the bugs rather than silently fix them in the hope that no-one will notice and the total number can be kept down to a minimum to please people like parkkker.

#14 By 2960 (24.254.95.224) at 8/19/2007 2:32:12 AM
There's statistics, and then there's damned statistics.
These charts just don't match with what happens in real life.
TL

#15 By 7754 (216.189.211.226) at 8/19/2007 4:08:59 AM
#13... kind of a pointless discussion, but this statement is almost laughable: (re: Apple) "at least they've got the right attitude." Apple may receive little real attention from hackers, but their attitude towards security is anything but "right."

#16 By 37 (68.190.114.234) at 8/19/2007 9:41:47 AM
So to conclude, we have found that *nix OS, Windows OS and OS X and their respective companies all have the wrong attitude about security, but 5 people on the ActiveWin comments section do.
Gotta love the couch security experts :-)

#17 By 32132 (66.183.202.89) at 8/19/2007 11:46:40 AM
"Microsoft silently makes changes without informing anyone!"
Silently?
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
They fixed a VML vulnerability in January and published a bulletin about it. The current bulletin says it supersedes the old one I just referenced.
"Are you saying companies don't have Publisher 98 files anymore?"
No. I'm saying that in the list of priorities it didn't need to be the highest, since the chances of anyone running a conversion routine on a specially malformed Publisher 98 file are a lot lower.
In the real world you have to prioritize.
Linux and OS X are fighting so many fires they can't keep up at all.

#18 By 11888 (67.71.153.235) at 8/19/2007 4:24:58 PM
I suspect Vista will catch up just fine once it gains a larger install base. It's a strange posting though. Doesn't it say that they've fixed fewer problems than the competition with no regard to the actual number of vulnerabilities? Is this from the GM play book?
This post was edited by MrRoper on Sunday, August 19, 2007 at 16:29.

#19 By 13030 (198.22.121.110) at 8/21/2007 9:43:31 AM
As others have mentioned, this analysis, without the greater context of the total number of vulnerabilities (outstanding or otherwise), is baseless since no reliable conclusion can be drawn. What would we be discussing if only 10% of Windows vulnerabilities had been fixed and 90% of the open source vulnerabilities had been fixed? If this proposition were true, we'd be discussing how effective the open source teams are at addressing vulnerabilities.
Also, as I have mentioned before and so have others, the vulnerabilities need to be measured by both severity and lifespan.
I would like to see all of the data, not the hand-picked subset. As it currently stands, this analysis does not serve the community well.
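
The table that #8 proposes (vulnerability, category, severity, disclosure date, fix date) and the point #19 makes about fixed-only counts being meaningless without the total are easy to make concrete in a few lines. The Python below is an added example written for this thread; it is not from the article, the scorecard author, or any commenter, and every vendor name, component and date in it is constructed for illustration. It builds the table #8 describes, computes per-vendor disclosed/fixed/open counts by severity and days-to-fix, and shows how the same data ranks the vendors opposite ways depending on whether you count fixes shipped (as the article's charts do) or the fix rate against what was disclosed. The window arguments also let you reproduce the year-to-date versus last-3-months comparison the article mentions.

```python
"""
Vulnerability scorecard with severity, lifespan and outstanding counts.

Added example for the ActiveWin thread. All vendor names, components and
dates below are constructed for illustration; they describe no real product.
"""
import csv
import io
from datetime import date
from statistics import median

# Constructed sample table in the shape comment #8 asks for: one row per
# vulnerability with category, severity, disclosure date and fix date
# (an empty fix date means the issue is still open). Values are invented.
SAMPLE_CSV = """\
vendor,component,category,severity,disclosed,fixed
VendorA,kernel,os,high,2007-01-10,2007-01-25
VendorA,browser,client,high,2007-02-01,2007-07-16
VendorA,office,client,high,2006-11-02,2007-08-14
VendorA,media,client,medium,2007-03-05,2007-04-10
VendorA,kernel,os,low,2007-05-01,
VendorA,browser,client,high,2007-06-12,
VendorB,kernel,os,high,2007-01-03,2007-01-05
VendorB,webserver,server,high,2007-02-14,2007-02-20
VendorB,libc,os,medium,2007-03-01,2007-03-09
VendorB,mailserver,server,high,2007-04-02,2007-04-11
VendorB,kernel,os,low,2007-05-20,2007-06-02
VendorB,webserver,server,medium,2007-06-15,2007-06-21
VendorB,libc,os,high,2007-07-30,
"""

SEVERITY_ORDER = ("high", "medium", "low")


def parse_date(text):
    """ISO date string -> date, or None for an empty (still open) fix date."""
    return date.fromisoformat(text) if text else None


def load_records(text=SAMPLE_CSV):
    """Parse the CSV table into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["disclosed"] = parse_date(row["disclosed"])
        row["fixed"] = parse_date(row["fixed"])
        rows.append(row)
    return rows


def fixed_only_count(records, vendor, start, end):
    """What the article's charts show: fixes shipped inside the window,
    with no regard to how many issues were disclosed or remain open."""
    return sum(1 for r in records
               if r["vendor"] == vendor and r["fixed"] is not None
               and start <= r["fixed"] <= end)


def scorecard(records, vendor, start, end, as_of=None):
    """Per-vendor view of issues disclosed in [start, end]: counts by severity,
    how many are still open as of `as_of` (default: end of window), and
    days-to-fix statistics over the ones that were fixed."""
    as_of = as_of or end
    rows = [r for r in records
            if r["vendor"] == vendor and start <= r["disclosed"] <= end]
    fixed = [r for r in rows if r["fixed"] is not None and r["fixed"] <= as_of]
    open_ = [r for r in rows if r["fixed"] is None or r["fixed"] > as_of]
    days = [(r["fixed"] - r["disclosed"]).days for r in fixed]
    by_sev = {s: {"disclosed": 0, "open": 0} for s in SEVERITY_ORDER}
    for r in rows:
        by_sev[r["severity"]]["disclosed"] += 1
    for r in open_:
        by_sev[r["severity"]]["open"] += 1
    return {
        "disclosed": len(rows),
        "fixed": len(fixed),
        "open": len(open_),
        "fix_rate": round(len(fixed) / len(rows), 2) if rows else None,
        "median_days_to_fix": median(days) if days else None,
        "max_days_to_fix": max(days) if days else None,
        "by_severity": by_sev,
    }


def rank_both_ways(records, start, end):
    """Rank vendors by fixed-count (fewer looks 'better' on the article's
    charts) and by fix rate (higher is better). Returns a pair of winners."""
    vendors = sorted({r["vendor"] for r in records})
    by_count = min(vendors, key=lambda v: fixed_only_count(records, v, start, end))
    by_rate = max(vendors, key=lambda v: scorecard(records, v, start, end)["fix_rate"])
    return by_count, by_rate


if __name__ == "__main__":
    recs = load_records()
    ytd = (date(2007, 1, 1), date(2007, 8, 17))
    for v in ("VendorA", "VendorB"):
        print(v, "fixes shipped:", fixed_only_count(recs, v, *ytd))
        print(v, "scorecard:", scorecard(recs, v, *ytd))
    print("winner by fixed-count / by fix rate:", rank_both_ways(recs, *ytd))
```

On the constructed data, VendorA ships fewer fixes in the window and so "wins" the fixed-count chart, while VendorB has the higher fix rate, shorter days-to-fix and fewer open high-severity issues; the same table supports either headline, which is the objection #3, #8 and #19 raise. Note that `scorecard` filters by disclosure date while `fixed_only_count` filters by fix date, so an old issue fixed late (VendorA's 2006 office bug) inflates the fixed count without appearing in the window's disclosed set at all.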