LINUX as vulnerable as Windows?
Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: LINUX as vulnerable as Windows?

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    390

    LINUX as vulnerable as Windows?

    Got this in me mailbox this morning.
    I'd be interested in hearing what people have to say about this.
    I'm posting the whole article so you all dont have to log in, but the site is worth it.

    From TechRepublic
    Aberdeen Group says Linux/UNIX is as vulnerable as Windows
    Jan 6, 2003 | John McCormick

    Turning up the heat up another notch on a long-simmering debate, the Aberdeen Group has published a study comparing the security of Linux/UNIX systems with that of the Microsoft Windows family of products.

    "Contrary to popular misperception, Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, UNIX- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms,” Aberdeen's report states.


    Based on CERT advisories for 2001 and 2002, Aberdeen reached the following conclusions:

    * "Virus and Trojan horse advisories affecting Microsoft products peaked at six in 2001, which then bottomed out at zero for the first 10 months of 2002.
    * Virus and Trojan horse advisories affecting UNIX, Linux, and open source software products went from one in 2001 to two for the first 10 months of 2002.
    * Advisories affecting network equipment products jumped from two in 2001 to six for the first 10 months of 2002.
    * Firewalls and other security products were affected by just two advisories in 2001, but have been linked to seven advisories for the first 10 months of 2002.”


    The report also points out that Apple is becoming vulnerable, “now that it is fielding an operating system [OS X] with embedded Internet protocols and UNIX utilities.”

    Windows vs. Linux/UNIX vulnerabilities
    Aberdeen Group report, vol. 1, no. 35, is dated Nov. 12, 2002, and it’s a brief but interesting read. I can’t post a direct link since you have to subscribe to see the report. But it doesn’t cost anything, so I recommend that you go to the Aberdeen site, register, and then take a look at the entire report.

    Some people will dismiss the report as Microsoft-sponsored hot air, but the raw data is there for everyone to see in CERT's Advisories and Incident Notes, giving legitimacy to The Aberdeen Group’s conclusion that open source operating systems in general, the new Mac OS X, and critical security programs themselves, aren’t as safe as many proponents suggest.

    The underlying data is worth a close look. No new Windows platform virus or Trojan CERT advisories were issued in the period of January 2002 through October 2002. CERT’s confirmed vulnerabilities list shows that the threat level is growing faster for Linux/UNIX platforms than for Windows. This could be a statistical anomaly due to the much larger number of Linux/UNIX versions (although there are actually fewer versions available now, as there has been consolidation in both the Linux and UNIX markets in recent years). So the number of threats is growing while the number of Linux/UNIX versions is shrinking.

    Perhaps this is an indication that UNIX is becoming less genetically diverse and therefore is more vulnerable to attack because the market isn’t so fragmented. One Microsoft virus would attack a lot of systems, but it used to take a slightly different virus for every version of Linux/UNIX. That's not always the case anymore.

    Rating vulnerabilities
    The open source community sometimes claims that vulnerabilities are “more serious” in Windows, but I don’t know of an objective way to measure that. And lacking a generally accepted method, all we are left with are the raw numbers. Microsoft rates vulnerabilities when it publishes a patch, but we need a comparable way to rate Linux/UNIX bugs if we’re going to compare the seriousness of the patches released for these platforms.

    It’s useful to look at incidents as well as confirmed vulnerabilities (advisories). Although this isn’t exactly the same as measuring how serious a vulnerability is, it provides a good way for those in the security business to judge how many attacks are taking place, or at least how many are being reported.

    According to the Aberdeen report, “In 1995 the incidents reported by CERT numbered 2,412. However, incidents tracked by CERT skyrocketed from 21,756 in 2000 to 52,658 in 2001, and then to 73,359 for the first nine months of 2002. Clearly, the trend in incidents and advisories is going up, and at an alarming rate.”

    However, we should always take incident statistics with a grain of salt. After all, vulnerabilities are easy to count, but who knows how many attacks go unreported.

    Microsoft has recently announced a new policy for rating vulnerabilities. The company says this was due to customer complaints about far too many “critical” warnings, which compelled administrators to patch vulnerabilities even when the critical rating was not warranted by the actual risk.

    According to Microsoft’s director of security assistance, Steve Lipner, the new rating system will expand the old Critical-Moderate-Low reporting scale to include Important, which will fall between Critical and Moderate.

    Most of the old Critical vulnerabilities will now be labeled Important, including threats that could lead to system penetration and file compromise. The Critical rating will be reserved for Internet threats (e.g., major disasters of the Code Red variety).

    A new two-tier security bulletin system with a less technical bulletin service will also be hosted at http://www.microsoft.com/security/ to supplement the current one, which many users found simply too technical.

    A recent eWeek report brings yet another aspect of this subject to the forefront by pointing out that White House Cybersecurity Tsar, Richard Clark, has called for mandatory vulnerability reporting to a central federal government office. This would require any security firm discovering a new vulnerability to report it with the goal of forcing vendors to respond more quickly to new threats.

    Others feel this may lead to premature disclosure of vulnerabilities, which happened in the past when the FBI’s National Infrastructure Protection Center attempted to coordinate reports with various vendors.

    The newly organized (Sept. 26, 2002) Organization for Internet Safety is also developing a proposed set of guidelines for timely and safe reporting of vulnerabilities. OIS founders include Microsoft, @stake, Symantec, Caldera, Network Associates, BindView, and Oracle, so there may be some muscle behind these guidelines.

    Final word
    We will probably always be comparing apples and oranges when we try to see how the number and severity of vulnerabilities found in the major competing platforms match up. But this really doesn’t matter in the real world. The bottom line is that if a vulnerability leads to intrusions on your network, it’s a problem, and it doesn’t matter whether the vulnerability was a “high” risk or a “low” risk, only whether it cost you time and money to deal with it.

    Most of us are supporting legacy systems and always will be. Only new companies have the luxury of selecting a platform based only on security, performance, and initial cost. That’s further limited to only new companies that have an expert IT staff in place to advise the company founders before they buy a single computer. It’s far more likely that a platform decision will be based on the experience of the founders, the vendor who gets there first with the best proposal, or, most likely of all, which platform runs a line-of-business application that the company needs.

    The Aberdeen Report concludes that the reduction in Microsoft vulnerabilities is the result of the company’s much-touted new security initiative. It may be too early to determine that, but it is a relief to see that no major viruses have besieged Windows in 2002.

    As for Microsoft’s new security labeling system, I think it is useful. It makes sense to reserve the Critical rating for those dangerous global threats that can spread around the world quickly and temporarily threaten the integrity of corporate systems.
    just like water off a duck\'s back... I AM HERE.

    for CMOS help, check out my CMOS tut?

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    Linux security is as strong as ever, despite recent statistics that say otherwise.

    Perhaps in response to the excessive publicity given to the strong security associated with Linux and open source software, it's no surprise that a number of commentators are making a high-profile argument that Linux, just like every other platform, does indeed have security issues. Members of the open source community have always known that Linux is not immune from security threats, so there is no argument there. What is in question is the final conclusion that these commentators are drawing, which is that Linux is less secure than Microsoft Windows.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    uhmmm, i really dont know what to say..... I personally still think that if you set up a *nix system correctly that its security is still very much higher than any microsoft system. Im not saying that because i use linux and i hate microsoft, but its a fact. Ever since i switched to linux my system is safer than it ever was. Alone the fact that you can close all ports manually and still be able to work in a network without the use of a firewall proves this fact. Also i would not go for articles that compares a subject like that. There have been so much flaming and bad advertisement on these kind of subjects that i dont know what to believe anymore except what i see and my experience has shown me. For example.....

    A normal user under windows 2000 - XP (not administrator) can still gain admin access much easier than a normal user could gain root access on a nix system. So, if a virus infects a win system as a user, the virus could still compromise the admnistrator account, whereby a virus on a nix system cannot get root. The point is not if the virus is run as root or admnistrator, but if its run by a normal user, can the virus get root/admin.?

    The way they compare this in the article you have posted is based on the server field. They compare the win normal user computers to *nix server computers. Ofcourse apache, squid, dhcp, and alot of other services can be compromised on a *nix system, so compare that to IIS, warftp, windows dhcp, winproxy etc.... Not just by OS!
    Windows by default has to many ports in state "LISTEN" that cannot just be shut down (not talking about the possibility to close them via a firewall). That alone is a security "leak" in the microsoft OS.

    Always follow the golden rule, install minimum, and add what you really need. In windows the minimum is already way to much. Thats bad for security. Then comes the subject of open source. What are the pro's and contra's of open source. Which is more secure?

    My believe is that open source is more secure based on the fact that exploited material is much faster patched. Also the fact that "more" people can check the source for errors. Offcourse you would say, so can the attacker or hostile code, but if its not open source, the whole liability is limited to the programmer, and programmers do make mistakes. If the source is not open, then the whole security is based on the policy of only one programmer or company. Its also a subject of money. Open source is cheaper (in terms of training users and programmers) which means that more people can actually learn and understand.

    lol, i hope im making sense here

    Anyways....let the comparing be done on another level, not only OS. Servers, services, access, network options, encryption, stability and many other things. If i have missed out examples its cause im to lazy to go into more detail at this time....but reply to me for more detail on what i think about this subject.


    Also only based on this thread.....i will not listen to microsoft to tell me how safe they are compared to other products. All they want is to sell and make money. On the other side, look at it this way, open source (not being a company who makes money) with their high level of security compared to microsoft which is a very expensive product and not so safe after all. I do know only one person who actually has a very very tight microsoft network, but he is a genius, its not the OS that secures his system, but his knowledge.

    I would be very happy to hear more comments on this, cause this subject is indeed very interesting, and many facts and points can be cleared in this sort of discussion, based on the information the end users (US) can provide, and not the interests of companies or distributors.

    Cheers
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #4
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Yeah right. I wonder how much Microsoft paid them to put this report out.
    * Virus and Trojan horse advisories affecting UNIX, Linux, and open source software products went from one in 2001 to two for the first 10 months of 2002.
    That makes a sum total of 3. How many known viruses does Windows have again? According to Norton Antivirus after a Liveupdate dated 9th Jan 2003, 62724 known viruses and variants, in case you were curious. Now, don't get me wrong, I actually happen to like Windows for certain things (I'm posting this from a Windows machine), but when MS (or someone they paid off) tries to pass Windows off as more than it is, I get pissed off.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #5
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hi cgkanchi,

    very nicely said indeed.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'd like to remind people that a system -- regardless of whether it's windows, *nix, novell, mac, etc. -- is only as secure as the Admin wants it to be. The biggest problem with these stats is that they do not account for low to no knowledgeable admins. Red Hat has done an excellent job at marketing and pushing their linux out to people who have limited knowledge. This was Microsoft's problem with NT a while back. It *is* possible to have a secure Windows box just as it *is* possible to have an unsecure *nix box. It is entirely depedent not on the OS but on the person that sets it up.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    msmittens, i also fully agree about the admin part...but..

    windows needs more external software to secure it. When i mean secureing it, i mean more privacy for the user without having to delete or install alot of software. Alot of windows applications are spyware and/or rats (by default). Privacy is not given on a microsoft system in the same degree as *nix. That makes windows less secure. But indeed tha admin part is very important, and that applies to all systems. Hope i have made sense, if not please tell me.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Which windows are you referring to and what things need to be added externally from third party? Windows 2000, credit to MS for a change, has some pretty amazing security features including but not limited to security configuration editor and the fact that by default the network is using kerberos.

    And which windows software is spyware/"ratware"?

    I had some further thoughts to pass on as well.

    I suspect that perhaps why CERT isn't seeing as much Windows vulnerabilities versus *nix is because Win2K is still taking a hold on the market. Meanwhile, Linux and others have taken off. More people do want to know if they can use it at home. If the "kiddies" are getting more familiar with products like Linux and spending less time on Win2K/XP, then yes, more bugs will be found because "more grubby hands are on it". You ever wonder why Novell 5 and 6 had so few vulnerabilities?? Cuz hardly anyone plays with it these days.

    These are realistic views. Neither is more secure than the other out of the box, IMHO. It's how well the thing between the monitor and the chair uses it (and remember, that thing causes 95% of the errors).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    zip2dip
    Guest

    Post

    Systems of tux.Linux vers mac or windows.!
    As long there is an mind of makeing an software os an open software there will be an security flaw.I would take time back to the 80's when some apple minded people thought that they could accomplish something that we still are arguing about.If all RFC's should be flaw less like what.? where did we loose track of what.Beats the best of the greatest minds that i have ever crossed my paths with.How secure do you think an complex made program that is made out to conduct an surpressed mind of an unsecured world that so many of us think its secure inaf from anything.Are we only following an path if we benefit from it by as single human beeings or do we want to explore the possibilyts that enlights us to think beyond.
    I would like to think that for thats how that thread or post sounds like.Does one strong mind wants to feed others about what is.I would go insane by not exploring the other way.All programs follow an single path of given.Some minds that i know wants to explore and give us the other side then stay with an frame for so many is an threath.We know how to exploit do so many things in our ability to brake surtein rules that we didnt want to follow.Does that make us great .? If thats the case then we need to look beyond the matter.Atleast i wont steal or phreak stuid systems that has nothing so important it would change my world.I rahter take systems that gives me the hardest time to make them so so workable,securing in a way that i think some great minds wanted them to be.Technologial brake trues are only one artigulate way to sell and feed minds of great what ? hehe..
    Complexity of an system or network that is out there that leaves out others to exploits its given path is like consuming all www,thing an never understand what it was thought of to be in the first place.I am not saying that mind or script source that is not open is that hard to crack or to be understod*hacked*.We are not alone in anywhere we step our unknown minds.Our edu system is part of this great mind feeding purpouse of getting the mantel to be so great.So there fore i think that without pushing the limit ,the envelope,the anything what makes modern high-tech feel so great.Thus many new and old things are proven by so many great minds that is out there like in www.Antionline.com .What makes so many great software feel like an single treat for only few that understand complexity in easy feel so in the itchy finger tips...

    So there fore i say that its great to Understand something then be surpressd mind and never understand anything.....

    All systems are part of something,what is your part.?

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Unhappy

    Zip2Dip,


    Ummm.. What?!
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •