Report: Linux Vulnerabilities More Numerous And Severe Than Windows
The report was Microsoft-funded, but researchers are providing the full methodology and challenging Linux advocates to prove them wrong.
By Michael Cohn Security Pipeline
Red Hat Enterprise Linux ES 3 has more high-severity risks than Windows Server 2003, and users are exposed to them for a longer period, according to a report released Tuesday.
A draft of the report was released last month and quickly attracted controversy for its methodology as well as allegations of ties between Microsoft and its researchers.
The full report confirms that Microsoft funded the study, and is sure to prompt further accusations of bias. But the researchers are providing the full methodology and challenging other security experts to test the legitimacy of their results.
Richard Ford, a research professor in the computer sciences department at the Florida Institute of Technology's College of Engineering, and Herbert Thompson, director of research and training at Security Innovation, a security technology provider, conducted the study. They used the ICAT Metabase, a database of vulnerabilities from the National Institute of Standards and Technology to measure the severity of the various vulnerabilities identified over the course of 2004. The report also tabulated the "days of risk" from the time vulnerabilities were publicly identified to the time they were fixed.
The report drew criticism from Red Hat. The head of the company's Security Response Team, Mark Cox, said on his blog, "Red Hat was not given an opportunity to examine the 'Role Comparison Report' or its data in advance of publication and we believe there to be inaccuracies in the published 'days of risk' metrics. These metrics are significantly different from our own findings based on data sets made publicly available by our Security Response Team."
Researchers analyzed the two systems configured as Web servers with add-on software.
- Researchers found that the Red Hat Linux had 3,893 total days of risk for all the risks classified as high severity, compared to 1,145 for Windows Server 2003.
- The average days of risk per vulnerability were 71.4 for Red Hat Enterprise Linux, compared with 31.3 for Windows Server.
- The team also looked at the vulnerability of the two systems to a port scan. They found that Red Hat Enterprise Linux had 77 high-severity vulnerabilities in its default configuration compared to 33 for Windows Server 2003, out of a total vulnerability count of 174 for Red Hat vs. 52 for Windows.
However, Thompson admitted that the relative severity of a vulnerability doesn't necessarily correlate with how much damage an attack can cause. "I have seen multiple instances where 15 low severity vulnerabilities have been combined into an attack that would have done damage as bad as a high severity attack," he said. He also cautioned that the "attack surface" of both systems could be mitigated simply by turning on the firewalls that come with both Windows Server and Enterprise Linux.
In addition, Thompson admitted that the vulnerability counts lumped together the vulnerabilities found in Linux, as well as add-on open source software for the Apache web server, PHP scripting platform, and MySQL database. The report mentioned, though, that MySQL had five vulnerabilities that took more than 90 days to fix.
One critic of the report said it's difficult to measure the relative severity of vulnerabilities.
"There are so many ways to rate vulnerabilities and severities," said Johannes Ullrich, chief technology officer of the SANS Internet Storm Center, a service that reports on security vulnerabilities. "It's hard to come up with an objective measure."
He also noted that a complete Linux distribution comes with a greater variety of software than Windows, making it larger, more complex, and more prone to vulnerabilities.
And the skills of the person running the system are extremely important to measuring how secure that system is, Ullrich added. "No operating system is secure unless you know how to apply the patches, configure the passwords, and disable services you don't need. You can't rely on a single security measure. You have to use firewalls and such to build up layered defenses. If you don't do that right, any operating system is vulnerable," he said.
Thompson expects he and his co-researcher will face charges of bias on behalf of Microsoft due to the company's funding of the study. "One of the big issues was to get the methodology out there. We knew people would question the results because of Microsoft's involvement in funding," he said.
He and Ford submitted their research proposal to Microsoft, Microsoft evaluated the proposal, and decided to fund it. Thompson said the researchers also sent the methodology to various analysts, including Charles Kolodgy of IDC, and had it vetted by various academics as well as people at the RSA Conference.
Asked if the study would have been published if the results had come out in favor of Linux, Thompson responded, "They certainly gave us input but I'm sure the results would ultimately have been published no matter what the outcome was."
In the report, the researchers cited an earlier study by Forrester Research that also attracted a fair amount of criticism from Linux proponents. Thompson expects to hear reaction from them again. "I'm sure we'll get a fair amount of creative input based on who funded this study," he said. He pointed out, however, that Security Innovation has a wide range of clients, including Hewlett-Packard, Cisco, and IBM, and his aim was to encourage feedback from the technology community about how the methodology can be optimized for future studies. "Certainly I hope that when the criticism comes, it comes on the methodology and our acts instead of loud commentary on who funded this particular study," he said.
While the current study examines Windows Server and Red Hat Enterprise Linux in Web server configurations, Thompson and Ford plan to conduct future comparisons of database server and workstation roles.
Hah... Microsoft funded. In spite of all their assurances of neutrality I remain cynical.
Who knows? It hasn't happened yet significantly, but perhaps MS will get serious about security. I don't know whether this will be a good or bad thing. If all we want is fair competition, then I guess it's good. The problem is, I don't think MS will get too serious about security. :(
The data at the address below will refute microsoft's ridiculous propaganda:
Just proves that M$ is spewing its usual brand of FUD
I have a dual-boot XP/Mandrake 10.1 (Official Free) system....
Running firewall on both systems.
Running IE6 - fully updated from MS Website, XP Pro - fully updated, McAfee virus checker - continuously updates itself.
Yesterday - ran Lavasoft's most excellent Ad-Aware on the full system:
134 Critical files, registry entries and general mal/adware!
I get popups, redirects, etc etc continuously on IE6 (luckily I also have Firefox 1.0.2 on my XP side...)
I have NEVER had a single intrusion, virus or any Mal/Adware or browser redirects on my Mandrake system (or my previous FC3 system) in a year.
I last ran Adaware 2 weeks previously.
You do the maths.
Also interesting to note that they included PHP, Apache and MySQL vulnerabilities in the linux list. I wonder if they did the same for ASP, IIS and MSSQL? I doubt it.
Yeah, all this is true. But, as the devil's advocate, one also should compare the relative merits of the 2 OSes at the business/office scale, where you have to evaluate using more criteria & parameters than that for home desktops. Microsoft says that windoze wins over Linux in that area with security & user-friendliness, but they're lying there too.
The last time I ran a spyware buster on XP at home, it found lots of stuff. The funny thing is that I hardly use XP at all.... Go figure.
So, I guess if I apply this "methodology" to buying a used car, and I was considering a car that had only one problem that had existed for 10 days along with another car that had three problems that had existed for 30 days, then the first car would be "better" considering that it had a total of 10 days of exposure vs. 90 days of exposure. Hmm, I guess this sounds OK, except that if the first car had a blown head gasket, and the second car only needed a new headlight and a new set of windshield wipers.
Maybe the academics should do a study on the following topic: Why can't Microsoft get its act together so that articles like this aren't necessary? -- J.W.
Microsoft funded, and what exactly do they consider a "server vulnerability"? A better comparison would be how often that vulnerability was exploited. Windows Server 2003 would be in the millions and linux might be 5 or 10
I seriously doubt Microsoft would have funded it if it had been in Linux's favour.
Yet another _REPORT_ of that sort?
Man M$ has much money to fund such "researches"...
I think that this is one of those things people will never agree about. No matter how secure Microsoft ever gets, or not gets, people will always refute that it is a bad OS and is insecure. In reality any system can be insecure if the administrator of that system doesn't know what they are doing. To bring this up in a mostly linux user forum I think is pretty biased as well. I am not denying that Windows has flaws, but if linux users think they are invincible then they better get ready for a rude awakening. The one thing that makes Linux so good is also why linux will never have as wide spread use as windows. The problem is that there are no standards for linux, which has protected an exploit in one version from being able to be wide spread, but has also made it difficult for people to support in the business environment. There are some basic commands that are universal, but there are many files, and ways to configure systems that are so different that experience only matters on that system. With windows though if you know how to configure an XP machine or see a similar problem 99 percent of the time you can use that way for every XP machine you will ever run into.
I honestly think that until people stop bashing each other's OSes and are capable of seeing the positive and negative sides of these OSes it will not be easy for IT personnel. I work for a company that uses both linux and windows. Most of the people on sales use windows, while most of our server and helpdesk machines use linux. I use both almost all the time. I like both and have been able to see the strengths and weaknesses of both OSs. Also I want to point out that a lot of IT professionals do not have an option of using Linux only machines and I truly believe that any IT professional that is so closed minded is not going to be in the industry much longer.
If you want to claim that I am a windows sympathizer then so be it, I just want to use the best thing for the job at hand.
set FlameRetardantSuit = TRUE
Huh??!??! What do you mean by "standards"? That it is not endorsed by a particular company with no business ethics? Linux applications are compliant with every major standard set by neutral organisations. The only 'standards' they don't follow are the pseudo-"standards" set by M$, such as ActiveX, and non-W3C markups. If anything, windoze has violated every major standard out there.
You can do that in Linux too, by using something called a shell.
We did, and concluded that Linux is better for most purposes.
That is normal, anybody who uses windoze for networked servers has wound up in a world of pain. Bear in mind that you can also use FreeBSD & other flavors of Unix also. Like hotmail.com, a microsoft enterprise, which runs on FreeBSD with Apache. Surprise, surprise! What happened to their "all-powerful" IIS?
Because microsoft's secret agents in ray-ban goggles and Armani suits will kidnap him and bury him under a sea of BSODS in Alaska :).
Windows vs. Linux security: No unbiased reports
Forrester Research published a report last March that came to the unlikely conclusion that Linux is no more secure than Windows. Last month, Danish security firm Secunia compared security across operating systems and concluded that Windows was more secure than many people think. Both studies are easy to counter with a little research and common sense, but that still leaves us without any meaningful third-party operating system security assessment.
Forrester measured the time between the discovery of a flaw and the release of a fix for the flaw -- a worthwhile metric, but one that's almost meaningless by itself. If there's any professional analysis and comparison of the severity of the flaws in Windows versus Linux, it never made it to press coverage about the report, and my editors haven't authorized my spending the $900 Forrester charges for the details.
A rash of articles recently claimed Linux was less secure than Windows because the total number of security alerts for Linux outnumbered those for Windows. Once again, the articles failed to address any meaningful data, such as the severity of the flaws reported, whether the flaws counted against Linux were actually flaws in applications or programming environments that run on both Linux and Windows (such as the Apache Web server or PHP programming language), and so on.
The latest round of stories based on misleading data was prompted by data furnished by the Danish security firm Secunia. While the headlines focused primarily on Mac OS X and didn't have "Linux" or "Windows" in the titles, Secunia reportedly exposed the myth of both Mac OS X and Linux as being more secure than Windows.
There is a fatal flaw in the Secunia data, at least as it is presented for public consumption, that we can expose by looking at the Secunia data comparing Red Hat Enterprise AS3 with Windows 2003 Enterprise Edition.
Secunia publishes graphs on the security advisories for Red Hat Enterprise AS3. According to the graphs, 66% of the vulnerabilities can be exploited remotely, meaning they are exposed to a known or anonymous user on the Internet if you have your system connected to the Internet. Another graph shows that 17% of the vulnerabilities can allow a cracker to escalate his privileges on the vulnerable system, which means the cracker may be able to get administrator privileges and do unlimited serious damage.
Now look at a comparable Secunia page that includes similar graphs for Windows 2003 Enterprise Edition. According to these graphs, only 48% of the Windows 2003 vulnerabilities can be exploited by a remote user, compared to 66% with the above Linux distribution. The number of vulnerabilities that allow a cracker to escalate privileges is only 13%, compared to 17% for Red Hat.
At first glance, Red Hat Enterprise Server AS3 seems to carry far greater security risks than Windows 2003 Enterprise Edition, doesn't it? After all, 66% of the alerts for Red Hat's product deal with remote users vs. 48% of the alerts for Windows. And while 17% of the alerts deal with crackers gaining elevated privileges with Red Hat, it comprises only 13% of the alerts for Windows.
The problem is that while Secunia tells you the percentage of vulnerabilities can be exploited by remote users, and the percentage of vulnerabilities which allow the cracker to escalate privileges possibly to administrator level, the graphs do not tell you where the data for these figures intersect.
It should be self-evident that the most serious type of vulnerability is one that makes it possible for an anonymous user to gain administrator privileges and seize control of your system via the Internet. After all, which is more dangerous to your organization, a flaw that can only be exploited by someone with a valid user account and physical access to your machine, or a flaw that is exposed to every hotshot cracker in cyberspace?
This is precisely the story that is missing from the Secunia graphs. Secunia fails to address the crucial question: Of all the vulnerabilities which allow crackers to gain administrator control over a system, how many can be exploited over the Internet by an unprivileged user?
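Both articles above argue over how vulnerability data is tallied: the Ford/Thompson report sums "days of risk" from public disclosure to fix and averages it per vulnerability (with a 90-day cut for slow fixes), while Petreley's point is that separate "remotely exploitable" and "privilege escalation" percentages hide how many flaws are both. The calculator below is an added example, not code from either article or from Secunia or the report's authors; the advisory identifiers, dates and flags are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    ident: str        # constructed placeholder id, not a real advisory number
    severity: str     # "high", "medium" or "low"
    disclosed: date   # date the flaw became public
    fixed: date       # date the vendor shipped a fix
    remote: bool      # exploitable by a remote user
    escalates: bool   # lets the attacker gain administrator privileges


# Constructed sample advisories; every date and flag here is made up.
SAMPLE = [
    Advisory("ADV-1", "high",   date(2004, 1, 5),  date(2004, 1, 15), True,  True),
    Advisory("ADV-2", "high",   date(2004, 2, 1),  date(2004, 5, 3),  True,  False),
    Advisory("ADV-3", "medium", date(2004, 3, 10), date(2004, 3, 12), False, True),
    Advisory("ADV-4", "low",    date(2004, 4, 1),  date(2004, 4, 1),  True,  False),
]


def days_of_risk(advs):
    """Total and mean exposure window (disclosure to fix) per severity class."""
    totals, counts = defaultdict(int), defaultdict(int)
    for a in advs:
        if a.fixed < a.disclosed:
            raise ValueError(f"{a.ident}: fix date precedes disclosure date")
        totals[a.severity] += (a.fixed - a.disclosed).days
        counts[a.severity] += 1
    return {sev: (totals[sev], totals[sev] / counts[sev]) for sev in totals}


def slow_fixes(advs, threshold_days=90):
    """Advisories whose fix took longer than the threshold (the report's 90-day cut)."""
    return [a.ident for a in advs if (a.fixed - a.disclosed).days > threshold_days]


def exposure_profile(advs):
    """Secunia-style percentages plus the intersection those percentages hide:
    how many flaws are both remotely exploitable and give administrator control."""
    n = len(advs)
    remote = sum(a.remote for a in advs)
    escalates = sum(a.escalates for a in advs)
    both = sum(a.remote and a.escalates for a in advs)
    return {"remote_pct": 100 * remote / n,
            "escalate_pct": 100 * escalates / n,
            "remote_and_admin": both}


if __name__ == "__main__":
    print(days_of_risk(SAMPLE))
    print(slow_fixes(SAMPLE))
    print(exposure_profile(SAMPLE))
```

On the sample set the two "high" advisories give 102 total days of risk, yet only one of the four flaws is both remote and privilege-escalating, which is the number neither headline metric reports.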
While I cannot give you a fully authoritative analysis for these two sample products, I can tell you what I gleaned from a reasonable examination of the security alerts listed by Secunia as the alerts they used to construct the graphs.
Red Hat: After spending considerable time studying many of the alerts listed for Red Hat Enterprise AS3, I only found one vulnerability that, with any certainty, could allow an unprivileged remote user to seize control of a system with administrator privileges.
Windows: In sharp contrast, it was obvious that several of the security alerts for Windows 2003 Enterprise Edition showed unprivileged remote users can seize complete control of the Windows server with full administrator privileges. I quote from just three of the Microsoft alerts themselves as examples (emphasis mine):
1. A vulnerability for anyone viewing images over the Internet: "This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges."
2. All programs that use SSL (Web servers, etc.): "A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
3. A vulnerability in NetMeeting and other programs using H.323 protocol: "A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
Granted, it usually takes a great deal of time, effort, and expertise to analyze each of the published alerts in order to determine the full potential risk of any given vulnerability. But isn't this exactly what a security firm or research group should be doing? Of course, these organizations generally do not do such research for free, so I do not expect to see meaningful objective results unless someone sponsors responsible research in this area, and until the press regains enough integrity to refuse to massage or reprint every press release that promises an eye-catching headline.
Nicholas Petreley is an author and consultant in Kansas City, Mo.