Posted on 03/22/2005 10:11:59 AM PST by ShadowAce
A report released today indicates Windows Server 2003 may actually be more secure than its most popular Linux competitor when it comes to vulnerabilities and the time it takes to patch them.
But well before the paper's official release, members of the IT security community have questioned the comparison, with some slamming the researchers' methodology and others the Microsoft connection -- the software giant funded the research behind the favorable findings.
"The fact that Security Innovations [which produced the paper] retained 'editorial control' doesn't help; if Microsoft is paying the bills, there can be all sorts of nonverbal pressure behind the scenes. It isn't like it was 'co-funded' by both Microsoft and Red Hat," said Michael D. "Mick" Bauer, senior editor of Linux Journal and director of value-subtracted services for Wiremonkeys.org.
He also questioned the narrow focus. "This study appears to be more concerned with vulnerability counts and patch-release cycles than in actual security or securability. Certainly, if Microsoft has reduced the amounts of bugs in [its] software and gotten faster at patching bugs, that's great. But the bug-patch rat race is only one part of a much more complicated security picture, and the way I see it, Linux still has compelling advantages from a security standpoint."
Such a reaction was anticipated by authors Richard Ford, Herbert H. Thompson and Fabien Casteran. They intentionally ignored threat profiles in favor of inherent vulnerabilities in Windows Server 2003 and two versions of Red Hat Enterprise Linux 3.0. The goal, they said, is to provide a security metric for IT professionals to apply to their own software shopping.
"I don't think people should make adoption decisions purely based on the results, but I think it does at the very least give decision makers and diehards on either side, or even the neutral people, a chance to look beyond hype and speculation and look at hard numbers," said Thompson, director of research at Melbourne, Fla.-based Security Innovation Inc., the application security provider that produced the report.
Thompson denies Microsoft's money influenced results but admits that's a source of contention for a lot of people. "We've gotten funding from Microsoft and as a result of that people have come back and said this automatically must not be relevant and fair and balanced. That's one reason our mission has been to be completely transparent in the methodology."
Microsoft has funded similar security studies, based on customer requests, including last year's Forrester Research study that concluded Windows had a lower average total days of risk than the four most popular Linux distributions. Another, also by Forrester, had shown Windows had a lower total cost of ownership. Both reports came under similar attack.
In the Security Innovation report, the trio took requirements for three typical enterprise Web server environments and scrutinized known vulnerabilities and subsequent patches. The Windows Server 2003 platform included ASP.NET for scripting, a SQL Server 2000 database server and Microsoft Internet Information Services 6.0 Web server. Every function was accepted by default during installation (assuming many admins just keep clicking the Next button during the process). On the Linux side, the team used two different configurations for Red Hat Enterprise Linux 3.0. Both ran PHP for scripting, a MySQL database server and an Apache Web server. But one version included high modularity, where essentially the researchers installed whatever Red Hat had available; the other was minimally configured to include only core components.
Among the findings: During calendar year 2004, the Windows platform recorded 52 vulnerabilities, while the default Linux installation included 174 vulnerabilities and the bare-bones version had 132 known flaws. Because of disparate severity ratings among vendors, the researchers used the more neutral ICAT system from the National Institute of Standards and Technology to rank a flaw's criticality. Using that government-funded system, the Windows configuration had 33 serious holes, compared to 48 for the minimally configured Linux machines and 77 on the loaded Linux box.
The other metric measured how much time elapsed between public disclosure, such as through announcements on Bugtraq, and a patch release. Researchers referred to the gap as "days of risk." In Windows, the average was 31.3 days; in Linux it was 69.6 days for minimally configured Red Hat and 71.4 for the default installation.
In addition, all three configurations contained holes left exposed for more than 90 days from disclosure to fix release. Seven were found in Windows Server 2003, with five designated as "highly severe" by ICAT. Four of those holes were in the Internet Explorer Web browser. In the minimally configured Red Hat, 31 holes were found, seven of them highly severe and five others not rated by ICAT at the time of the study. Eleven vulnerabilities were in the operating system kernel, followed by MySQL with five.
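As an added illustration (not code from the report or the article), this Python sketch computes the "days of risk" metric described above over a constructed, hypothetical set of vulnerability records: the average disclosure-to-patch gap per platform, and the count of holes left open longer than 90 days broken down by severity rating, including records the rating system has not yet scored.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from collections import Counter


@dataclass
class Vuln:
    platform: str
    disclosed: date   # public disclosure date (e.g. a Bugtraq post)
    patched: date     # vendor patch release date
    severity: str     # ICAT-style rating; "unrated" when none was assigned

    @property
    def days_of_risk(self) -> int:
        # Gap between public disclosure and the fix becoming available.
        return (self.patched - self.disclosed).days


# Constructed sample records (hypothetical; NOT the report's dataset).
SAMPLE = [
    Vuln("windows", date(2004, 1, 5), date(2004, 2, 10), "high"),     # 36 days
    Vuln("windows", date(2004, 3, 1), date(2004, 3, 15), "medium"),   # 14 days
    Vuln("windows", date(2004, 4, 1), date(2004, 7, 20), "high"),     # 110 days
    Vuln("rhel-min", date(2004, 1, 10), date(2004, 2, 1), "low"),     # 22 days
    Vuln("rhel-min", date(2004, 2, 1), date(2004, 6, 1), "high"),     # 121 days
    Vuln("rhel-min", date(2004, 5, 1), date(2004, 9, 1), "unrated"),  # 123 days
]


def days_of_risk_summary(vulns, platform, threshold=90):
    """Summarise days of risk for one platform.

    Returns count of flaws, the mean days of risk (None when no records),
    how many flaws stayed open longer than `threshold` days, and a
    severity breakdown of those long-exposure flaws.
    """
    rows = [v for v in vulns if v.platform == platform]
    long_exposure = [v for v in rows if v.days_of_risk > threshold]
    return {
        "count": len(rows),
        "avg_days": mean(v.days_of_risk for v in rows) if rows else None,
        "long_exposure": len(long_exposure),
        "long_by_severity": dict(Counter(v.severity for v in long_exposure)),
    }


if __name__ == "__main__":
    for plat in ("windows", "rhel-min"):
        print(plat, days_of_risk_summary(SAMPLE, plat))
```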
Thompson and Ford gave a preview of their report at February's RSA Conference, in which numerous audience members challenged their choices and conclusions. At the presentation, Ford defended their methodology. "We think it's thought through. We think it's pretty balanced," the Linux enthusiast had said.
On Monday, Thompson said suggestions and comments since RSA were incorporated into the final draft. The research, he stressed, is intended to aid IT managers weighing software purchases as well as shed light on what vendors and user communities are doing to reduce the number of security flaws in these products. "There's so much speculation out there," he said. "The Net is just rife with opinion on security of Windows and Linux but there's very little key decision data points out there, and that's one of the things we hope to provide."
But people like Bauer say the results remain unfair comparisons.
"Most of us in the Linux security community have been saying for years that the average Linux distribution -- Red Hat, SuSE, etc. -- isn't terribly secure 'by default.' Good security comes from careful configuration, not by running an installer," he said.
Jay Beale, lead developer of the Bastille Linux Project, questioned the choice of vulnerabilities. "They're focusing on high severity vulnerabilities. A local privilege escalation exploit is high severity, which is true. But they argue that high severity vulnerabilities should be fixed fast. Actually, while local priv escalation vulns are high severity, they're not high risk. And so neither vendor fixes them very quickly."
Bauer did give Microsoft a nod for recent improvements in its software security, including more timely patch releases. "But I still like Linux better from a security standpoint," he said. "Even though this is less true every year, I still find many of the choices that Microsoft makes for me to be maddening, such as the way Windows handles digital certificates. With Linux I simply have more choice in determining how my system behaves, and to be security-conscious is to be a control freak."
I use IIS 6, and it's a LOT better than IIS 5, not just in security. It's actually caught up to what other http servers have had for years, like independent application pools and web sites.
Not hard to upgrade anyway, there's a conversion tool that does most of the work for you.
Except you have to buy an entire OS upgrade license to upgrade, you can't just upgrade your web server. Depending on what's on the server, it could mean dealing with the migration of a lot more than just your web applications. BTW, we've used that migration tool, and it doesn't work very well. Depending on your application, there can still be a lot of headaches that need to be addressed manually.
You're right. I hadn't fully read it yet. I downloaded the survey and the methodology, but what I now find missing is the exact list of vulnerabilities.
I still wonder what the "window of vulnerability" would have been if they'd had access to when Microsoft bugs were actually found, vs. when they were reported. Microsoft is known for sitting on these for months.
I have a quite proficient hacker friend who has figured out a few local privilege elevation exploits and submitted them to Microsoft. It's been months but he hasn't heard anything. These exploits would have gone on the Windows side with a very long window of vulnerability had he just posted these to public boards.
That creates a whole other security problem for Windows. If he can figure these out then others can. Microsoft isn't admitting or fixing the problem, so there are currently millions of vulnerable machines.
Thanks. You're actually reasonable, sometimes. What most if not all of the Linux crowd refuses to admit is one of the two primary researchers is a Linux enthusiast.
I still wonder what the "window of vulnerability" would have been if they'd had access to when Microsoft bugs were actually found, vs. when they were reported. Microsoft is known for sitting on these for months.
Simply another case where obscurity provided a benefit. Keeping the vulnerabilities from the public prevented widescale exploit creation and release prior to a patch being available. You don't get that with open source, people like Linus Torvalds want the vulnerabilities known by everyone on the planet even if no patch is available, much less a fully tested one.
Recommendations by Torvalds and others have prompted self proclaimed "security researchers" to release open source exploit code prior to the vendors ever being notified of the vulnerability. We may start seeing an end to that, as some have apparently had enough:
It helps that I'm not so much of a Linux fan.
Simply another case where obscurity provided a benefit.
I can see a benefit gained by not disclosing an exploit for a very short time until that exploit can be fixed, but Microsoft sits on them for months, hoping that no bad guys also discover them. That is dangerous. It also invalidates the results of reports such as these.
Here's a novel suggestion: Try addressing the contents of the report rather than who delivers it.
Have you even bothered to read the report? WTF, Bobbie...
BWAAAA-HAAAA-HAAAA!!!!!
Coming from YOU of all people! The King of Personal Attacks.
What a dork.
I'll address the content below...
zzzzzzz
Face it. Microsoft products aren't currently the ones most eat up with security bugs. Look at yesterday's report from Homeland Security. There's more holes in PHP than all Microsoft products combined.
http://www.us-cert.gov/cas/bulletins/SB05-082.html
I don't know. Why don't you go off and find all that information and post it here. Remember to include links and references.
I suspect Nux is going to go through some growing pains as it expands in the market and becomes a more flexible platform.
Between XP and SuSE, I prefer XP's speed but SuSE's fire-and-forget stability.
You OSS bigots are all the same. You can't come up with any credible reasons to criticize this report -- so you just throw out FUD. And when people (like me) question your rationale, you can't produce. Which just goes to show you: You're not interested in reading the report and addressing the issues contained within. You just want to bash anyone who criticizes anything you support. Grow up.
The study itself mentioned that they didn't use CIAC/Cert alerts in the study because they felt that CIAC makes "value judgements" about the severity of the bugs. This "study" didn't even take into account the threat model that should be applied to the system. This makes it even less useless than the simple bug count they are trying to pass off as research.
I'm not here to do your research for you. We all know you are a msft kneepadder unwilling to recognise the fact that people spend so much time trying to work around defects in the products that it's not even funny. I can't tell you how many threads I've seen around here centered on people trying to deal with the huge threat that spyware/viruses/worms represent to windows users.
I think it's sad that so many people invest so much time in software that is demonstratively broken because they just don't know any better. I still get pinged on a regular basis by zombies owned by clueless people who don't know that they are part of the problem. It's folks like you though, who should know better yet still spew the same old fud because you have a vested interest in things not getting better.