Not completely. It shuts up the worst trolls. I think it's a good start and there are some things they can do to make it better. I actually liked it better before they got into the whole "only vote down for these reasons" thing. The trouble was they didn't put an accompanying "only vote up for these reasons".
And now you see that almost everyone has a positive vote average because there's so much unmatched up voting. You're thinking, I wanna vote him down cause I disagree; but it's also cause he's totally off base and some idiots voted him up to 5!
And you can see the problem with many of the older programs which keep their settings in non-user level places. Even IE kept them under program files in Win98SE IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.
I don't really care if Windows has a "smaller focus on user separation"; the original claim in the article was that it was something that "became relevant only recently". Privilege separation is something built into the OS from the very beginning, and every Windows Logo certified app works perfectly under LUA: it writes configuration to the CSIDL_COMMON_DOCUMENTS/CSIDL_PROFILE directories and HKCU etc. You can use the RunAs tool for launching processes under different credentials.
In a corporate environment EVERY app pretty much has to be LUA-friendly, else it won't work. So someone please tell me how privilege escalation bugs are "not relevant". Google on "shatter attacks", "windows kernel privilege escalation"..
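The post above contrasts LUA-friendly apps, which keep their settings under the user's profile and HKCU, with older programs that write into Program Files. The following script is an added example and is not code from the thread or from any product named in it: it takes a list of file and registry paths an application writes to and flags the machine-wide ones, which is the check an administrator would run before deciding whether a program can be deployed to limited users. The root directories, the profile path and the sample writes are all constructed assumptions (an English-locale install; real roots come from CSIDL/KNOWNFOLDERID lookups), and ntpath is used so the Windows path rules apply on any host.

```python
"""Classify where an application stores its settings (added example).

Flags writes a limited (LUA) user could not perform: anything under
Program Files or the Windows directory, or under HKLM. Per-user targets
(the profile, AppData, HKCU) pass. All paths here are constructed samples.
"""
import ntpath

# Machine-wide roots a limited user cannot write to. Assumed defaults for
# an English install; a real tool would resolve them via the shell API.
MACHINE_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
)
# ProgramData (CSIDL_COMMON_APPDATA) is deliberately left out: its
# writability depends on per-folder ACLs, so it is reported as "other".


def user_roots(profile):
    """Per-user roots: CSIDL_APPDATA, CSIDL_LOCAL_APPDATA, CSIDL_PROFILE."""
    return (
        ntpath.join(profile, "AppData", "Roaming"),
        ntpath.join(profile, "AppData", "Local"),
        profile,
    )


def _under(path, root):
    """True if `path` lies inside `root` (case-insensitive, Windows rules)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + ntpath.sep)


def classify_file_path(path, profile=r"C:\Users\alice"):
    """Return 'per-user', 'machine-wide' or 'other' for a file path."""
    if any(_under(path, r) for r in user_roots(profile)):
        return "per-user"
    if any(_under(path, r) for r in MACHINE_ROOTS):
        return "machine-wide"
    return "other"


def classify_registry_key(key):
    """Return 'per-user', 'machine-wide' or 'other' for a registry key."""
    hive = key.split("\\", 1)[0].upper()
    if hive in ("HKCU", "HKEY_CURRENT_USER"):
        return "per-user"
    if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return "machine-wide"
    return "other"


def audit(writes, profile=r"C:\Users\alice"):
    """Return the (kind, target) pairs a limited user could not write."""
    findings = []
    for kind, target in writes:
        if kind == "reg":
            cls = classify_registry_key(target)
        else:
            cls = classify_file_path(target, profile)
        if cls == "machine-wide":
            findings.append((kind, target))
    return findings


# Constructed sample: a legacy app that keeps one INI under Program Files
# and mirrors its options into HKLM, plus two per-user writes that are fine.
SAMPLE_WRITES = [
    ("file", r"C:\Users\alice\AppData\Roaming\Acme\settings.ini"),
    ("file", r"C:\Program Files\Acme\acme.ini"),
    ("reg", r"HKCU\Software\Acme\Options"),
    ("reg", r"HKLM\Software\Acme\Options"),
]

if __name__ == "__main__":
    for kind, target in audit(SAMPLE_WRITES):
        print(f"needs admin rights: {kind} {target}")
```

The write list would in practice come from a file-system and registry monitor run while exercising the application; the classifier is the part that turns that trace into a yes/no answer on LUA compatibility.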
I was going to agree, until you mentioned Posix. Let's look at some of these vulnerabilities...
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure
Yea, acrobat is so Posix. Fetchmail might be Posix in ESR's world, but it's not in this one.
But! Besides POSIX, I also mentioned "other open-source frameworks".
It really doesn't matter which one is used, be it Qt, GTK, wxWidgets, FLTK... you won't see many commercial Windows apps built on open-source frameworks or the POSIX subsystem for Windows (SFU), just as you won't see Linux apps built on closed-source frameworks.
It doesn't really matter if a particular FOSS app has a Windows port, where almost no one uses it in favour of proprietary apps, but it DOES matter if it's by default packaged with the most popular distros. And this is what matters - the common usage scenario. Almost no one uses, for example, fetchmail/mplayer on Windows, so it doesn't matter!
Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones.
The percentage deviation on criticality doesn't compensate for the 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself.
Also, RHEL supports a lot more software than Microsoft does (and more so than Microsoft Windows entails).
Who cares, we count the bugs in linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).
Firefox is not remotely exploitable. Seeing as how Firefox doesn't accept incoming connections, or even watch for them, I don't see how it can be remotely exploited.
Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php
"If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file."
Just like the WMF flaw. But it really depends on what you describe as "remotely exploitable". For me it means that bad guys can break into my computer remotely, without my interaction. In this context, both the FF and WMF flaw are NOT remotely exploitable.
But it could also mean that it could be exploited simply by visiting a malicious web site. In this sense the WMF flaw was designated as "remotely exploitable", and so is this FF flaw.
Edited 2006-01-07 00:58
Who cares, we count the bugs in linux kernel + packages bundled with RHEL vs. bugs in WS2K3 as a complete OS (NTOSKRNL + Win32 userland apps).
That's where you are wrong. A bug in ServU is a ServU bug, not a win3k bug, so it won't show up in win3k vulnerabilities, while every single bug found in all ftp servers, databases, languages (java, php, etc..) supported by RH will show up.
Regardless, I think these pictures sum it up rather well why win3k is less secure than RHEL:
Win3K: http://secunia.com/graph/?type=sol&period=all&prod=1173
RHEL: http://secunia.com/graph/?type=sol&period=all&prod=1044
So someone please tell me how privilege escalation bugs are "not relevant". Google on "shatter attacks", "windows kernel privilege escalation"..
Because there are few multi-user Windows machines. I already told you this. Microsoft does listen to its customers, and few of them have multi-user machines. They may have reduced privileges, but they're probably the only user on their computer. Their domain has thousands of users, and domain priv escalation would be a bad thing; but their computer has them.
It doesn't really matter if a particular FOSS app has a Windows port, where almost no one uses it in favour of proprietary apps, but it DOES matter if it's by default packaged with the most popular distros. And this is what matters - the common usage scenario. Almost no one uses, for example, fetchmail/mplayer on Windows, so it doesn't matter!
Fetchmail isn't available for Windows.
The percentage deviation on criticality doesn't compensate for the 4 times more bugs RHEL seems to have. 22% * 256 advisories on RHEL vs. 39% * 76 advisories on WS2K3. Do the math yourself.
Ah, but RHEL ships how much software, and Windows ships how much software? Where's that Windows PDF viewer again?
I know Secunia doesn't include acrobat holes as Windows holes.
Oh yes it is. Did you even read the vuln description?
http://www.frsirt.com/exploits/20050507.firefox0day.php
"If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file."
Remote exploits do not involve user interaction. As you said, and I said, but for some reason you're still arguing.
The nice thing about Javascript flaws is that you can shut Javascript off. I have it off, and turn it on for certain pages. Of course, you can shut off WMF; not that anyone knew what it was before last week.
FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it's cause Firefox went mainstream? We've lost our punk edge and sold out, I guess.
I think that is only partly true at most. It seems to me that there is an organized campaign of anti-FOSS posting and astroturfing by MS employees and MS partner employees that appeared to come into effect a few months ago. The other factor is, as GNU/Linux gets more widely used in the corporate area, people with only a Windows background in IT start to feel a little scared and let off steam against FOSS.
I noticed that on this site. There are a lot of anti-FOSS people around since August 2005.
They jump on Linux/BSD and FF at every opportunity; in fact, they have been saying things like:
"calm down eh, calm down, there is no danger. this exploit will only affect stupid people who click on porn sites.."
yeah right.
I have read the microsoft reports, and I have used Windows from version 3.0 up. I know wmf files are ubiquitous in ALL versions of Windows.
Microsoft should be forced by a court of law to fix ALL versions of Windows and btw, all versions of Office, Publisher, Works etc which have wmf support built in.
AND... Another thing.
When I am looking for new support staff, I do not even give interviews to MCSEs anymore. I took one on once, and he did not have a clue about any system other than Windows. I have no time or money to train that type up properly.
This is an interesting theory I've heard stated before. I've been writing it off as conspiracy conjecture.
But, I have noticed that the pro-Microsoft faction on this site has gotten about 5,000x more knowledgeable than they used to be!
Microsoft does let its people waste infinite amounts of time taking videos and blogging (scobleizer), so maybe they encourage some people to go argue in the larger internet forums.
But I'm just making a theory: I'm not subscribing to it!
Unix has focused on separate users since, well, probably day 1
...
So, that's 35 years now.
Well, this is both true and false and here's why:
What about GNU/Linux.. is it not Unix? Yes? No?
RH Linux was available 35 years ago?
The first desktop OS for Windows to include NT was in 2001.
So Windows NT Workstation was a server OS?
Besides, we're in 2006.. right?
This is utter crap, the NT kernel has had privilege separation mechanisms built in from day one. Google for the terms: "Security Reference Monitor", "Object Manager", "access token", "TCSEC C2 (aka Orange Book)". So "recently" means what, 15 years? LOL
Those don't make a lot of difference when you: 1.) Only have one user. Or 2.) Have everyone as an administrator. Or my favorite 3.) Everyone uses the same account.
Unix has focused on separate users since, well, probably day 1. I'm not too familiar with everything before System V, but I'm just guessing they did as they were competing, initially, with things like ITS and CTSS.
So, that's 35 years now. The first desktop OS for Windows to include NT was in 2001. A lot of business desktops, and the few servers, were NT for a long time before of course. But people weren't logging into the servers as users, they used server programs on them. VNC and remote terminals just aren't nearly as popular with Windows users as Unix users. And RDP is pretty recent as well.
And you can see the problem with many of the older programs which keep their settings in non-user level places. Even IE kept them under program files in Win98SE IIRC.
Microsoft Windows, and its users, clearly have a smaller focus on user separation than Unix users.
Want an example of people who care about local exploits? Web hosts. If they're nice and give you ssh access they worry about local user exploits. How many Windows webhosting companies give you RDP access? Seriously, how many do?
How can it be non-representative when the first figure represents Win32, .NET and other proprietary APIs/frameworks, and the other one represents POSIX, and open-source frameworks typically found on modern UNIXen?
I was going to agree, until you mentioned Posix. Let's look at some of these vulnerabilities...
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
CenterICQ Insecure Temporary File
CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure
Yea, acrobat is so Posix. Fetchmail might be Posix in ESR's world, but it's not in this one.
Acrobat is not included in many distributions of Linux, including the most prolific: RedHat.
CVS is rarely a default install item.
And fetchmail usually isn't either.
They're all common, but I know I don't have any of them installed 2-3 times; and that's how many times each was counted.
WS2K3: 76 advisories from 2003-2006
RHEL: 256 advisories from 2003-2006
Reading comprehension. They said critical. Were those all critical? Secunia tracks all flaws, not just critical ones. Also, RHEL supports a lot more software than Microsoft does (and more so than Microsoft Windows entails).
LOL, what is he talking about? Firefox 1.0.x took 2 MONTHS to patch critical bugs since it had NO PATCH MECHANISM INTEGRATED. And we all remember that leaked remotely exploitable Firefox vuln, when for almost a week any script-kiddie could download the 0day exploit from frsirt.com, don't we?
Firefox is not remotely exploitable. Seeing as how Firefox doesn't accept incoming connections, or even watch for them, I don't see how it can be remotely exploited.
Firefox has been slow, at times, to respond to security issues. And believe me, they've gotten flamed for it a lot too. You're not the first.
I'm not sure why people vote on this forum. They obviously don't think their votes through. The other day I got voted up to 5 for the dumbest comment, and anytime I post something relevant and factual (like this) I get voted down. This paragraph isn't directed at you Ivans, just at the 2 people who thought you were enlightened in your post.
FOSS bashing seems to be as in today as Microsoft bashing was 3 years ago. Maybe it's cause Firefox went mainstream? We've lost our punk edge and sold out, I guess.
Edited 2006-01-07 00:13