Linked by Thom Holwerda on Fri 6th Jan 2006 22:56 UTC
Privacy, Security, Encryption Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
Thread beginning with comment 82672
RE[2]: this is ridiculous
by ivans on Sat 7th Jan 2006 01:41 UTC in reply to "RE: this is ridiculous"
ivans
Member since:
2005-12-03

In other words, compare apples to apples. RHEL with the same core functionality that win3k provides out of the box: kernel + glibc + shell + dependencies. I'm generous, so you might count bugs found in ONE graphical UI RHEL supports, but it has to be stripped down (and most likely it is) to provide the SAME functionality as the Windows graphical shell. Then pick those servers/services that are equivalent to those that come with the win3k bundle. One webserver (and one version! you won't be running IIS 4 or 5 on win3k) - apache -, one database (PostgreSQL), one mail server (Postfix), SAMBA, etc.

Okie, let's compare a typical scenario: LAMP vs Windows Server 2003 + IIS 6.0 + MS SQL Server 2000 + ASP.NET


http://secunia.com
RHEL: 256
WS2K3: 76

Apache 2.0.x: 28
IIS 6.0: 2

MySQL 4.x: 13
MS SQL Server 2000: 6

http://www.securityfocus.com/bid/

ASP.NET (1.0 & 2.0): 6
PHP: 62

We could also manually count Linux kernel-mode bugs vs. NT kernel-mode bugs, but I don't think you're gonna like the results either, you're just gonna fit them in your favorite conspiracy theory.

I'll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does, and how it could be used to exploit security vulnerabilities inside the drivers/kernel because of its undocumented nature, and several brilliant researchers (Barnaby Jack from eEye, valerino from rootkit.com, ey4s from xfocus.org) managed to get some lame PoCs that only worked on specific SPs and builds.

I'll just quote the comment of the PaX team, who I don't think need to be particularly introduced (http://en.wikipedia.org/wiki/PaX), and you decide what you think for yourself:

http://lwn.net/Articles/118251/

Using 'advanced static analysis': "cd drivers; grep copy_from_user -r ./* |grep -v sizeof", I discovered 4 exploitable vulnerabilities in a matter of 15 minutes. More vulnerabilities were found in 2.6 than in 2.4. It's a pretty sad state of affairs for Linux security when someone can find 4 exploitable vulnerabilities in a matter of minutes. Since there was no point in sending more vulnerability reports when the first hadn't even been responded to, I'm including all four of them in this mail, as well as a POC for the poolsize bug. The other bugs can have POCs written just as trivially. The poolsize bug requires uid 0, but not any root capabilities. The scsi and serial bugs depend on the permissions of their respective devices, and thus can possibly be exploited as non-root. The scsi bug in particular has a couple different attack vectors that I haven't even bothered to investigate. Some of these bugs have gone unfixed for several years.

So please explain to me how open source is not a bug eldorado, when detecting similar flaws in the Windows kernel would require manual disassembling and understanding of asm code which is extremely complex and documented absolutely nowhere. On the open-source Linux kernel, all you need to do is "grep". Secure my arse.

Edited 2006-01-07 01:44

Reply Parent Score: 4
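Added example (not part of this comment, nor code from the PaX/grsecurity mail it quotes): the bug class that `grep copy_from_user | grep -v sizeof` is hunting for is a driver that takes a copy length from user-controlled input and passes it to copy_from_user() without comparing it to the destination buffer's size. The snippet below models that in plain user space. The request layout (`struct user_req`), the stack-frame model (`struct frame` with a guard region after the buffer) and the copy_from_user() stand-in are all assumptions made for the illustration; the vulnerable and fixed handlers show the shape of the bug and of the one-line check that closes it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for the kernel's copy_from_user(): it copies exactly the
 * number of bytes requested into whatever destination it is handed. The real
 * function also checks that the *source* range is in user space; nothing in it
 * protects the destination. noinline stops the compiler from folding the
 * length constants from the callers into this memcpy. */
__attribute__((noinline))
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;                        /* 0 = everything copied, as in the kernel */
}

/* Assumed request format: a length header followed by the payload it describes. */
struct user_req {
    uint32_t len;
    char data[64];
};

/* Model of the driver's stack frame: the fixed destination buffer and, right
 * behind it, bytes standing in for whatever a real frame keeps there
 * (saved registers, return address, neighbouring locals). */
struct frame {
    char buf[16];
    unsigned char guard[48];
};

#define GUARD_BYTE 0x5a

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    memset(f->guard, GUARD_BYTE, sizeof f->guard);
}

/* Vulnerable pattern: the copy length comes straight from the user-controlled
 * header and is never compared with sizeof(f->buf). This is the shape the
 * "grep copy_from_user ... | grep -v sizeof" heuristic flags. */
static int handler_vulnerable(struct frame *f, const struct user_req *ureq)
{
    uint32_t len;
    if (copy_from_user(&len, &ureq->len, sizeof len))
        return -EFAULT;
    if (copy_from_user(f->buf, ureq->data, len))   /* len unchecked */
        return -EFAULT;
    return 0;
}

/* Hardened pattern: reject before the copy, using the destination's real size. */
static int handler_fixed(struct frame *f, const struct user_req *ureq)
{
    uint32_t len;
    if (copy_from_user(&len, &ureq->len, sizeof len))
        return -EFAULT;
    if (len > sizeof f->buf)
        return -EINVAL;
    if (copy_from_user(f->buf, ureq->data, len))
        return -EFAULT;
    return 0;
}

/* Number of guard bytes overwritten, i.e. how far the copy escaped buf. */
static int guard_damage(const struct frame *f)
{
    int n = 0;
    for (size_t i = 0; i < sizeof f->guard; i++)
        if (f->guard[i] != GUARD_BYTE)
            n++;
    return n;
}

/* Feeds one handler a constructed request whose header claims `claimed_len`
 * bytes of 'A'. Returns guard bytes clobbered, -1 if the handler rejected the
 * request, -2 if claimed_len exceeds what this model can hold (64 bytes, so the
 * write stays inside `struct frame` and the demo itself stays well-defined). */
static int run_request(int (*handler)(struct frame *, const struct user_req *),
                       uint32_t claimed_len)
{
    struct user_req req;             /* constructed "user" input */
    struct frame f;

    if (claimed_len > sizeof req.data)
        return -2;
    memset(&req, 0, sizeof req);
    req.len = claimed_len;           /* the attacker chooses this value */
    memset(req.data, 'A', sizeof req.data);

    frame_init(&f);
    if (handler(&f, &req) != 0)
        return -1;
    return guard_damage(&f);
}

int main(void)
{
    printf("vulnerable, len=40: %d guard bytes clobbered\n",
           run_request(handler_vulnerable, 40));
    printf("fixed,      len=40: %d (-1 = rejected with -EINVAL)\n",
           run_request(handler_fixed, 40));
    printf("fixed,      len=16: %d guard bytes clobbered\n",
           run_request(handler_fixed, 16));
    return 0;
}
```

With a claimed length of 40 the vulnerable handler writes 24 bytes past the 16-byte buffer into the guard region; the fixed handler refuses the same request and accepts a length of 16 without touching anything outside the buffer. The grep heuristic is noisy in practice (a length checked against a constant, a macro, or a min() a few lines earlier all pass `grep -v sizeof`), so each hit still needs a human to trace where the length came from and whether it was bounded before the copy.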

RE[3]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 02:06 in reply to "RE[2]: this is ridiculous"
molnarcs Member since:
2005-09-10

Hmmm... I'm not into conspiracy theories ;)

You forgot the timeframes - this time. Regardless, which php version did you have in mind? In the past two years I've been running php5 - and seen very few security advisories. How many of these advisories were platform specific btw? Oh, and about php5: http://secunia.com/product/3919/

You say: "Okie, let's compare a typical scenario" and you do the comparison the same way that I was complaining about.

Where do you get your numbers from btw? I'm referring to "MS SQL Server 2000: 6". Because http://secunia.com/product/7/

But we can engage in a war of numbers - it still remains pointless, as long as we don't specify all the details and do a fair comparison.

I won't say anything about the second part of your comment, because it is irrelevant to this discussion, and although I heard about it, it was one of those longish discussions where I could not decide by a quick glance who is "right"

Reply Parent Score: 2

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:06 in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

I'll explain with your own words:

"I'll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does"

Class dismissed.

Reply Parent Score: 1

RE[4]: this is ridiculous
by ivans on Sat 7th Jan 2006 02:24 in reply to "RE[3]: this is ridiculous"
ivans Member since:
2005-12-03

I'll explain with your own words:

"I'll just say to you that there were no Windows kernel-mode (ring0) shellcodes up until 8 months ago, and those for Linux were written 7 years ago. And wanna know why? Because no one understood properly what the Windows kernel does"

Class dismissed.


And how is it that this invalidates my claim that open-source software is more prone to finding security flaws?

Reply Parent Score: 1

RE[4]: this is ridiculous
by gonzo on Sat 7th Jan 2006 02:40 in reply to "RE[3]: this is ridiculous"
gonzo Member since:
2005-11-10

"And wanna know why? Because no one understood properly what the Windows kernel does

Class dismissed."

Well, you didn't quote the part where he said "...because of its undocumented nature". Makes a difference, doesn't it?

Or could it be that you're trying to say that Dave Cutler doesn't understand the NT kernel?

You DO know who Dave Cutler is, don't you?

INFO: http://en.wikipedia.org/wiki/Dave_Cutler

David Neil Cutler, Sr. (born March 13, 1942) is a noted software engineer, designer and developer of several operating systems including the RSX-11, VMS and VAXELN systems of Digital Equipment Corporation and Windows NT from Microsoft.

Reply Parent Score: 1

RE[3]: this is ridiculous
by ma_d on Sat 7th Jan 2006 02:17 in reply to "RE[2]: this is ridiculous"
ma_d Member since:
2005-06-29

I believe he already touched on why Apache != IIS. From the little I know of Apache, it supports a lot of modules which aren't all recommended for common use (some of them are just swiss cheese). But they document these things (I assume, I've never had trouble finding Apache related docs on their site).
IIS is a big commercial product from a "respected" vendor. They've got complete idiots clicking their way through setups. They're not gonna put in random swiss cheese plugins for people to screw themselves with.

FOSS is definitely a different bear than closed software.

You seem to be very clear that you loathe FOSS. Is there a reason for this?

Reply Parent Score: 2

RE[4]: this is ridiculous
by molnarcs on Sat 7th Jan 2006 02:57 in reply to "RE[3]: this is ridiculous"
molnarcs Member since:
2005-09-10

FOSS is definitely a different bear than closed software.

Exactly, and I'm beginning to regret that I have involved myself in this debate. It's pointless, because we can throw numbers all around, and still be very very far from a relevant comparison of the security of the two platforms.

URL_REWRITE is a good example. While I have it enabled for my own site in apache, it's not in IIS. In fact: http://www.google.com/search?hs=nbi&hl=en&lr=&client=opera&rls=en&q...
So a fair comparison would be my apache 2 install + IIS 6 + 3rd party modules (which are trusted how much?). The same goes for PHP. The list of available modules is too long to include here, but just a quick search in my ports dir yields these results: ftp://hatvani.unideb.hu/pub/personal/vegyes/php4.txt Now a flaw in mysql_connect() will be counted by secunia, even though I might have postgresql as a database backend. So you can't compare asp.net vulnerabilities with php vulnerabilities in such a generic way like ivoras does.

Indeed floss is a very different beast, and one would need a very rigid comparison that matches every single function present on a setup in a specific role on both platforms. What server X does exactly running on the Windows platform, what server Y does exactly running on RHEL (or FreeBSD for instance), and what software is needed exactly to provide those services on each platform. For instance, with Linux you have the ability to compile your own kernel. When Pat Volkerding was asked how he achieved a ridiculously high uptime on slackware.org while there were known vulnerabilities in the Linux kernel, he just said that he ripped out everything from the kernel that was not needed... and those remote vulns. were found in modules that were not included in his setup. That's what (good) admins do - configure the system to be secure (that's what win3k admins do as well). It is just that you can do a lot more with free software than with win3k.

As I said, I almost regret engaging in this debate - my first response was not very well thought out anyway, but a well thought out reply would be as long as a book, because you have to begin to explain how floss works (and why it is or can be more secure than win3k) from the ground up. But seeing how ivans likes meaningless numbers, I doubt he would be convinced anyhow ;)

Reply Parent Score: 5