A second remote hole for OpenBSD
Posted Mar 14, 2007 18:53 UTC (Wed) by drag
In reply to: A second remote hole for OpenBSD
Parent article: A second remote hole for OpenBSD
It's usefull in some cases. For instance with OpenBSD. 2 remote holes in 10 years is pretty damn impressive. There is no if, ands, or butts about it.
If Linux had that same sort of track record most of us would of considured the whole security thing a solved problem. As it stands right now the only reason Linux looks good sometimes is because Windows looks so bad. When compared to other contemporary OSes Linux security is pretty sad sometimes.
But ya it leads to games. For instance take Microsoft's IIS6.
One of the primary reasons why IIS6 is very secure and IIS5 isn't is because Windows 2000 server shipped with all sorts of scripts enabled and pretty much all features were running and active. While with Windows 2003 it was shipped in a fairly locked-down configuration.
When you get a Windows 2003 server all it can do, pretty much, is show static html.
So that is the configuration were Microsoft reports vunerabilities on. So they have very small amount of vunerabilities aviable.
However if you look at what sort of things need to be enabled and what people actually use when they use IIS6 you realise that when Microsoft reports vunerabilities it has divided up all these things into different catagories.
So if you have a vunerabilities with ASP/ASP.net server stuff it won't show up as a IIS6 vunerability. When you go to Secunia and compare Apache vs IIS6 all sorts of Apache mod's and especially OpenSSL support shows up on those lists were the comparable features for Windows do not.
Also with vunerability numbers it can be deceiving because the criteria for declaring something a vunerability is much different. With Microsoft unless something is realy shown to be exploitable it's not a vunerability and won't show up in advisories. With Open Source developers any programming bug, if it has a _chance_ to be a problem it's reported. Also information disclosure is taken more seriously in advisories by OSS developers, generally.
So with comnparing Windows 2003 vs Redhat 4, Redhat has many many more vunerabilities reported. Problems with OO.org, problems with desktop applications, majhonng games, potential problems, predictable tmp files, etc etc.
Were with Windows 2003 you won't even see any IE vunerabilities show up.. Microsoft considures that a seperate product, I guess, when it comes to classifications and that's how it appears with Secunia.com's statistics.
And in addition to that Microsoft has admited on one or more occasion that they still do not practice full disclosure. If they feel that it's not important to tell people about a problem, they won't.
HOWEVER even when you take all of that into considuration and match functionality for functionality between a Windows 2003 server and a Linux server it's obvious that Linux is starting to fall behind in the whole security stuff with web services and such. Generally speaking, with administrators of equal skill level and websites with similar functionality, if you setup a Windows 2003-based web server vs a Linux-based web server the Windows server is going to be more secure.
But it's not nearly as lopsided as it would appear by comparing vunerabilities by numbers.
to post comments)