Windows Security and Full Disclosure

A sys admin friend referred me to an article about whether Windows is more secure than Linux.

Thanks to David Byrne for this tip: For at least the first 8 months
of 2001, open-source poster child Linux was far less secure than
Windows, according to the reputable NTBugTraq, which is hosted by
SecurityFocus, the leading provider of security information about the
Internet. (The company’s 2001 statistics are available only through
August 2001 for the time being.) According to NTBugTraq, Windows 2000
Server had less than half as many security vulnerabilities as Linux
during the reported period. When you break the numbers down by Linux
distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or
MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun
Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years–for
which the data is more complete–also shows that each year, Win2K and
Windows NT had far fewer security vulnerabilities than Linux, despite
the fact that Windows is deployed on a far wider basis than any version
of Linux. So once again, folks, you have to ask yourselves: Is Windows
really less secure than Linux? Or is this one of those incredible
perception issues? For more information and the complete stats, visit
the SecurityFocus Web site. I’ll check back on this story to see how
all of 2001 shapes up.

Here is my response:

I am neither a sys admin nor a security expert. But I have to say I find the conclusion drawn from that webpage and quote to be highly questionable. Here are some responses on slashdot to this alleged claim. Slashdot also had a good list of security problems Microsoft needs to solve during this month of “Fix all security bugs.”

Let me concede something. Because Windows is the predominant OS, it naturally will attract more script kiddies and crackers than other OSes. That is only natural. As Linux gains mindshare (which is happening more slowly than anticipated, admittedly), it too will see its fair share of worms, DoS attacks and zombies. But the charts on the web page are meaningless to me. They just list numbers without giving any insight into what types of vulnerabilities are being counted or the relative severity of each one. Linux and Windows are susceptible to different kinds of vulnerabilities. Also, it’s easy to disagree about the counting system. What constitutes a single vulnerability, and what constitutes two?

  1. The Gartner Group (one of the most respected IT consulting firms) made a recommendation a few months ago that businesses consider changing from Microsoft’s IIS Server to the Apache Server (which is available on Windows, but most widely used on Linux) simply for security reasons. The number of security breaches for Apache is trivial; for IIS Server, considerable.
  2. Email servers. The most popular vehicle for transmitting viruses these days is email, and Outlook/Exchange viruses have been hitting companies every two or three months. How much sys admin time is spent installing patches and virus definition updates? It is true that sendmail (the UNIX/Linux mail server) had a lot of security breaches a few years ago, but very few recently.
  3. Windows has shown a dangerous tendency to respond slowly to security problems and to delay publicizing them. This happened most recently when a major security breach was found in Microsoft’s Passport system. Breaches in that application are ordinary occurrences. What was unusual is that Microsoft preferred not to announce it until a solution had been found (a period lasting, I think, two or three weeks), letting the supposed vulnerability exist without sys admins knowing about it. I’ve seen reports that Microsoft responds to security bugs more slowly than many open source projects.
  4. Microsoft has not been good over time about default settings. What about the remote plug and play fiasco on Windows XP that happened recently? What about Windows 9x security? What about file and print sharing? What about HTML mail for Outlook users? What about Word macros? What ports are open on a freshly installed Windows machine?
  5. I think the question basically boils down to whether you think open source is good for security or bad (see a good article about “security through obscurity”). There are good arguments for either position. I tend to think that bugs in open source products are found more quickly and patched more quickly (at least in high-visibility applications). Microsoft’s monopolizing power offers little incentive for them to provide responses as quickly as needed. If a Linux vulnerability on the order of magnitude of Code Red or Passport were posted publicly, some Linux dude working on a kernel or application would have responded very quickly. With Microsoft, you are on the corporation’s timetable and priority list. A company like Microsoft has great programmers and network security people, but only a finite set of eyeballs to look over the code before it is closed to the public.

    On the other hand, in Microsoft’s defense, they provide a unified infrastructure for updating the OS and installing service packs, something that Linux distributions are not famous for. Also, Microsoft has to stand behind its code or fear losing market share or being susceptible to lawsuits (although its EULA agreements offer some degree of immunity). For that reason, Microsoft has a financial stake in producing good, safe code. Open source projects, on the other hand, can’t really be held accountable in court.
