Linked by Thom Holwerda on Fri 6th Jan 2006 22:56 UTC
Privacy, Security, Encryption

Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
RE[2]: this is ridiculous
by ivans on Sat 7th Jan 2006 01:41 UTC in reply to "RE: this is ridiculous"
In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies - I'm generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the Windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won't be running IIS 4 or 5 on win3k) - Apache -, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.

Okie, let's compare a typical scenario: LAMP vs Windows Server 2003 + IIS 6.0 + MS SQL Server 2000 + ASP.NET

Source: http://secunia.com

RHEL: 256
WS2K3: 76

Apache 2.0.x: 28
IIS 6.0: 2

MySQL 4.x: 13
MS SQL Server 2000: 6

Source: http://www.securityfocus.com/bid/

ASP.NET (1.0 & 2.0): 6
PHP: 62

We could also manually count Linux kernel-mode bugs vs. NT kernel-mode bugs, but I don't think you're gonna like the results either; you're just gonna fit them in your favorite conspiracy theory.

I'll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does, and how it could be used to exploit security vulnerabilities inside the drivers/kernel because of its undocumented nature, and several brilliant researchers (Barnaby Jack from eEye, valerino from rootkit.com, ey4s from xfocus.org) managed to get some lame PoC that only worked on specific SPs and builds.

I'll just quote the comment of the PaX team, who I don't think need to be particularly introduced (http://en.wikipedia.org/wiki/PaX), and you decide what you think for yourself:

http://lwn.net/Articles/118251/

Using 'advanced static analysis': "cd drivers; grep copy_from_user -r ./* |grep -v sizeof", I discovered 4 exploitable vulnerabilities in a matter of 15 minutes. More vulnerabilities were found in 2.6 than in 2.4. It's a pretty sad state of affairs for Linux security when someone can find 4 exploitable vulnerabilities in a matter of minutes. Since there was no point in sending more vulnerability reports when the first hadn't even been responded to, I'm including all four of them in this mail, as well as a POC for the poolsize bug. The other bugs can have POCs written for just as trivially. The poolsize bug requires uid 0, but not any root capabilities. The scsi and serial bugs depend on the permissions of their respective devices, and thus can possibly be exploited as non-root. The scsi bug in particular has a couple different attack vectors that I haven't even bothered to investigate. Some of these bugs have gone unfixed for several years.

So please explain to me how open source is not a bugs eldorado, when detecting similar flaws in the Windows kernel would require manual disassembling and understanding of asm code which is extremely complex and documented absolutely nowhere. On the open-source Linux kernel, all you need to do is "grep". Secure my arse.

Edited 2006-01-07 01:44

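The grep pipeline quoted from the lwn.net mail above is a code-review heuristic: a copy_from_user() call whose length argument is not a sizeof() or a constant deserves a look, because the length may be user-controlled and never compared against the destination buffer. The script below, added here as an example and not part of ivans' comment, the quoted mail or any kernel tool, mechanises that heuristic for driver maintainers and reviewers: it parses each copy_from_user(dst, src, len) call, and sorts it into "bounded" (sizeof or literal length), "checked" (a comparison or min() on the length identifier appears in the preceding lines) or "unchecked" (nothing found, so a reviewer should confirm the bound by hand). The C sample it scans is constructed for the example and is not taken from the Linux kernel; the function names foo_ioctl and foo_req are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the kernel helper name up to and including its opening parenthesis.
CALL = re.compile(r"\bcopy_from_user\s*\(")
# A length that is the size of a declared object or an integer literal is
# bounded by construction and does not need a separate check.
BOUNDED = re.compile(r"^\s*(sizeof\s*\(.*\)|\d+[uUlL]*)\s*$")


@dataclass
class Finding:
    line: int      # 1-based line of the copy_from_user() call
    length: str    # the length argument as written in the source
    verdict: str   # "bounded", "checked" or "unchecked"


def _split_args(source: str, open_pos: int) -> list[str]:
    """Split the argument list of the call whose '(' sits at open_pos,
    respecting nested parentheses such as sizeof(x) or min(a, b)."""
    depth, args, cur = 0, [], []
    for i in range(open_pos, len(source)):
        ch = source[i]
        if ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    raise ValueError("unbalanced parentheses in copy_from_user() call")


def _has_prior_check(lines: list[str], call_idx: int, length: str, window: int) -> bool:
    """True if one of the `window` lines before the call compares or clamps
    the length expression (e.g. `if (count > sizeof(buf))`, `min(count, ...)`).
    Only the lines before the call line are inspected; a check written on
    the same line as the call is deliberately not credited."""
    ident = re.escape(length)
    pat = re.compile(
        rf"\b{ident}\b\s*(?:<=|>=|<|>|==|!=)"       # count > sizeof(buf)
        rf"|(?<![-<>])(?:<=|>=|<|>)\s*{ident}\b"    # sizeof(buf) < count
        rf"|\bmin(?:_t)?\s*\([^;]*\b{ident}\b"      # min(count, sizeof(buf))
    )
    start = max(0, call_idx - window)
    return any(pat.search(line) for line in lines[start:call_idx])


def audit_copy_from_user(source: str, window: int = 8) -> list[Finding]:
    """Classify every three-argument copy_from_user() call in `source`."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for m in CALL.finditer(source):
        args = _split_args(source, m.end() - 1)
        if len(args) != 3:
            continue  # not the (dst, src, len) helper this audit targets
        length = args[2]
        line_no = source.count("\n", 0, m.start()) + 1
        if BOUNDED.match(length):
            verdict = "bounded"
        elif _has_prior_check(lines, line_no - 1, length, window):
            verdict = "checked"
        else:
            verdict = "unchecked"
        findings.append(Finding(line_no, length, verdict))
    return findings


def unchecked_lines(source: str) -> list[int]:
    """Line numbers a reviewer should inspect by hand."""
    return [f.line for f in audit_copy_from_user(source) if f.verdict == "unchecked"]


# Constructed driver-style sample (not Linux kernel code) covering each verdict.
SAMPLE_C = """\
static long foo_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    void __user *ubuf = (void __user *)arg;
    struct foo_req req;
    char buf[64];
    size_t count;

    /* bounded: the length is the size of the destination */
    if (copy_from_user(&req, ubuf, sizeof(req)))
        return -EFAULT;
    count = req.len;

    /* unchecked: count comes from user space and is never compared to sizeof(buf) */
    if (copy_from_user(buf, ubuf, count))
        return -EFAULT;

    /* checked: the same copy after an explicit clamp */
    if (count > sizeof(buf))
        return -EINVAL;
    if (copy_from_user(buf, ubuf, count))
        return -EFAULT;

    /* bounded: a constant literal length */
    if (copy_from_user(buf, ubuf, 16))
        return -EFAULT;
    return 0;
}
"""

if __name__ == "__main__":
    for f in audit_copy_from_user(SAMPLE_C):
        print(f"line {f.line:3d}  len={f.length:<12} {f.verdict}")
```

The heuristic errs on the side of flagging: a clamp further than `window` lines above the call, or one performed inside a helper the length passes through, is reported as "unchecked" and left to the reviewer, which is the right failure direction for an audit aid.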