Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)Posted Apr 10, 2008 17:51 UTC (Thu) by rmunn (guest, #40618)Parent article: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
"Every time Windows gets a vulnerability, someone immediately writes a rootkit or a worm," said Ford. Perhaps, but that's just a consequence of popularity. Were the popularity numbers reversed, with Linux at 90% of the market and Windows at 10% (making up numbers out of thin air, of course, for simplicity's sake), then the black hats would immediately jump on Linux vulnerabilities, while Windows holes would remain unexploited for longer. It's possible that Ford was being badly quoted here, and that the "ease of exploitation" he was talking about was how easy it is to turn a remote hole into a full-fledged takeover of the administrator account. There, Windows (pre-Vista) suffers from the "run as a privileged user all the time" problem -- sure, you can create limited-access accounts in XP, but it's not the default. Whereas in Linux, it is the default. I've heard that Vista attempts to fix this, so that you have to type in your password to gain admin privileges even temporarily, but I have no personal experience with Vista so I don't know how and/or whether this can be subverted by a clever exploit writer. At any rate, the number of exploits written is purely tied to popularity. While that number can be used to judge which systems are more urgent to patch RIGHT NOW, it would be a mistake to use that number to judge which systems are inherently more vulnerable.
(Log in to post comments)
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 18:20 UTC (Thu) by danielpf (subscriber, #4723) [Link] "Perhaps, but that's just a consequence of popularity." This is the traditional easy excuse, but given without justification. Surely the quality of the code *must* play a role, as well as the literacy of the users. So closer to reality, a combination of factors determines the overall vulnerability of a system.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 18:23 UTC (Thu) by tzafrir (subscriber, #11501) [Link] The whole article is made of presenting the Linux argument first and then the Windows argument to counter that later. The number of exploits is also closely tied to the efficiency of patching the issues. Many copies of Windows are unpatched due to them being illegal. They also typically have much more third-party software that does not get updated through the standard system update mechanism.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 11, 2008 2:00 UTC (Fri) by midg3t (subscriber, #30998) [Link] This is an often overlooked part of Linux security - having a central repository from which to automatically get security updates for all applications. There's no technical reason why third-party apps can't be made available through the repository system, too.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 11, 2008 3:17 UTC (Fri) by nevyn (subscriber, #33129) [Link] There aren't any other reasons either, an obvious example would be adobe's yum repo. for flash/acroread. Well unless you count that people are used to terrible quality in the entire experience, from their non-free software.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 18:38 UTC (Thu) by Requiem (guest, #51519) [Link] Always look at methodology, in this case Linux vulns and Windows vulns are counted differently. Vulnerabilities are typically found in Linux through code audit, so whether or not the vulnerability allows for an actual exploit is theoretical. A higher percentage of all the vulnerabilities are found as well. Windows has less in the way of theoretical exploits, since the typical way to find one is to implement it, and more unknown active exploits, because there are always more bad guys looking for vulnerabilities than good. Also keep in mind that windows being popular gets the security researchers more interested in keeping it locked down as well. If Linux becomes dominant, it gets hold of more of the good guys too.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 22:49 UTC (Thu) by drag (subscriber, #31333) [Link] Also Microsoft will silently fix potential exploits without disclosing it. A few times they disavowed it, then later on they would admit to it. More then one. The theory is that the first thing that happens when Microsoft publishes a patch or information people take that and write a exploit to attack unpatched systems. So by being secretive about fixes they are actually doing people a favor. Also open source projects will often release patches for problems that are not exploitable, but they _could_ be exploitable if a bunch of other bad things happen. That is most problems that open source projects release as problems are not exploitable. Microsoft will not admit to those or fixing those. And people have proof of this sort of behavior. People have examined patches to Microsoft OSes and have reverse engineered them to find out what exactly they are doing and what systems they are patching. One black hat found at least 7 different fixes in a patch that only had one publicly announced fix. Also not all of Microsoft's software gets the same amount of treatment. There are many bug fixes in Windows XP and such that don't make their way into Windows XP POS (point of sale). AND on top of this Distributions ship with much much much more software then what is provided by Microsoft. If you want to have a vulnerability vs vulnerability comparison you will have to sit down and go through them one by one and examine things carefully.
Granularity of popularity Posted Apr 10, 2008 20:24 UTC (Thu) by dmarti (subscriber, #11625) [Link] There's also the problem of popularity at the individual package level. If all the Linux admins were diligent about removing unused software, you reduce the effective exposure of real-world Linux systems below the vendor vulnerability counts, because only vulnerabilities in the base OS load affect all users, and vulnerabilities in stuff that's not installed affect only those users who really needed that software enough to install it or leave it installed. (How many production servers have you seen running X and portmap?) Of course, not all Linux admins are willing to click "uninstall" all over the place, and the modern IT media doesn't advocate strongly enough for a culture of aggressive software removal.
Granularity of popularity Posted Apr 12, 2008 16:07 UTC (Sat) by Richard_J_Neill (subscriber, #23093) [Link] I'm not convinced by this. Of course you shouldn't leave services running if you don't need them, but you don't have to uninstall the binary. (And yes, our production server does run portmap - it tends to be rather useful when the fileserver is NFS!)
Granularity of popularity Posted Apr 14, 2008 22:44 UTC (Mon) by phiggins (subscriber, #5605) [Link] If one of those binaries is setuid root, then you'll surely wish you had uninstalled it after someone exploits it. There are other reasons to not have unnecessary programs installed, such as a compiler.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 21:59 UTC (Thu) by sbergman27 (subscriber, #10767) [Link] """ Were the popularity numbers reversed, with Linux at 90% of the market and Windows at 10% (making up numbers out of thin air, of course, for simplicity's sake), then the black hats would immediately jump on Linux vulnerabilities """ This often voiced view is supremely irrelevant, since the level of dominance which MS holds on the desktop is clearly a pathological condition. If Microsoft turned into a pumpkin at midnight tonight, there is not a chance that *any* one OS would obtain such a level of dominance and generate another such monoculture. Not Linux. Not Apple. Not anyone. "If the situation were reversed" is a fairy tale, and has no bearing on reality. Microsoft's monoculture is both their goose that lays the golden eggs... and their albatross. But if their freakishly large bean stalk were chopped down tomorrow, or died more slowly of root rot, no other would spring up in its place. That particular bean stalk was nurtured in a different time, before the internet, when such things were still possible. And in the absence of the gargantuan vine, and its associated monoculture, no crackers would then see Linux, or *BSD, or Mac OS, or Solaris, or anything else as the obvious platform to target. And, at least in a relative sense, we could all live happily ever after.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 13, 2008 3:08 UTC (Sun) by rmunn (guest, #40618) [Link] If Microsoft turned into a pumpkin at midnight tonight, there is not a chance that *any* one OS would obtain such a level of dominance and generate another such monoculture. Not Linux. Not Apple. Not anyone. I think I disagree mildly with you here. Commercial software developers love the current monoculture, because it means they can focus most of their effort on a single OS instead of going the more difficult route of writing cross-platform software. So even if MS went belly-up tonight, there'd still be pressure on the OS market to gravitate towards a small set of OS'es, or maybe even just one OS, as dominant players in the market. The other OS'es would suffer the fate of the Amiga, BeOS, etc. and slowly die for lack of software. That's assuming, of course, that commercial software continues to play a big role in people's decisions about what OS to use. But much as I love the open-source world, I don't see commercial software going away anytime soon. Still, you may well be right that no new monoculture would develop -- but I don't think that invalidates the point I was trying to make, which is that the raw numbers of "vulnerabilities being exploited" are skewed by the current monoculture. (Or rather, near-monoculture). Consider: if you were a black hat and discovered, at the same time, a remote root-access exploit for Windows and one for the Linux kernel (so that it would work on just about any distribution), but it would take you about a day's work to write each exploit, which would you write first? I was not trying to say "Oh, the only reason Windows exploits are so prevalent is because Windows is popular, and the weakness of Windows security has nothing to do with it." I think some people who responded to my comment thought that's what I was saying. No -- the weakness of the Windows security model does have a great deal to do with how many exploits target Windows. What I was trying to get across was that the current popularity numbers also play a role in how many exploits get written targeting one OS over another; and therefore with the current near-monoculture, raw exploit counts are not very useful as a gauge of security. Re-reading Ford's comment, I think his "ease of exploitation" line was indeed talking more about how easy it is to break into Administrator level once an entry point has been found -- so my "that's just based on popularity" line may have been wrong. But he did say that "raw vulnerability counts really don't give you a good picture," so I think I've just repeated what Ford was saying, only I said quite a bit less with a lot more words.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 10, 2008 22:48 UTC (Thu) by man_ls (subscriber, #15091) [Link] Perhaps, but that's just a consequence of popularity.Another counterpoint to this sentence: in the spaces where Windows is not dominant we don't see such an abundance of non-Windows exploits. OK, Apache is the exception maybe, but even when websites get defaced there is little else harm done. Just compare Windows malware with the number of worms and trojans attacking Linux servers. Or the number of symbian exploits in the wild. Or even Solaris attacks in its days of glory. There is just no contest with the the malware-of-the-month pest and the resulting Windows botnets.
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) Posted Apr 11, 2008 6:55 UTC (Fri) by Requiem (guest, #51519) [Link] Most smart phone malware targets Symbian actually. At least it did a year ago.
|
|||||||||||