FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Windows / *nix security Myths ?





mOrpheuS
Just came across the US government's year-end Cyber Security Bulletin.

http://www.us-cert.gov/cas/bulletins/SB2005.html

The part that I found the most interesting :
Quote:
There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities.


It's not that all vulnerabilities listed under MS are windows'/MS' fault or that all reported under *nix are *nix's fault. However, *nix core/kernel related vulnerabilities still outnumber those related to MS windows.

Despite having a surprisingly better security track record than *nix systems, why is it that Windows is dubbed insecure by almost every user who claims to be tech-savvy ?

If one were to believe anything other than internet gossip, they might just realize that Windows being anymore unsecure than Linux, could just be a (rather popular) myth.

p.s. - As a side note, Mozilla FireFox has about as many, if not more, security holes than Internet Explorer. Wink
Nyizsa
I think I know the reason of that many vulnerabilities of Linux. It's distros!
For example, if there is a vulnerability in a module, it will be reported as one in Debian, one in Red Hat, one in SuSe, and so on. How many distros are out there? Let's say 20. Let's divide your number by 20... We will get 116. It sounds more reasonable, doesn't it?
mOrpheuS
Nyizsa wrote:
I think I know the reason of that many vulnerabilities of Linux. It's distros!
For example, if there is a vulnerability in a module, it will be reported as one in Debian, one in Red Hat, one in SuSe, and so on. How many distros are out there? Let's say 20.

Such vulnerabilities are listed as "Multiple Vendor Linux Kernel xxxxx vulnerability" ... and are counted only once.

Similarly a vulnerability in a Linux package/module common across multiple distros (eg., CUPS, zlib etc) is also counted only once.


Nyizsa wrote:
Let's divide your number by 20... We will get 116. It sounds more reasonable, doesn't it?

Laughing And here I was, trying to find out why people presume certain things to be more reasonable ...
manumiglani
Well, Windows is considered insecure because its vulnerabilities are targeted by hackers more often because it is used by most no. of people. HAckers can get a hell lot of money and fame if they attack windows system because of the large no. of users it has. While Linux and Mac has a very small no. of users as compared to windows, so hackers mostly avoid to target their vulnerabilities. Same is the case with IE. It is being targeted because of larger share of market.
djclue917
mOrpheuS wrote:
If one were to believe anything other than internet gossip, they might just realize that Windows being anymore unsecure than Linux, could just be a (rather popular) myth.

p.s. - As a side note, Mozilla FireFox has about as many, if not more, security holes than Internet Explorer. Wink


I think this is because bugs in *nixes and other open source projects/software can be easily detected and "seen" because the source codes are open unlike MS Windows and other closed source software. Bug detection is easier when the code is open. You cannot conclude that closed source software has fewer bugs than open source software since the basis is only the number of bug reports. Incedentally, since the code in open source software is freely available, it is more likely that bugs will be easier to find than in a closed source software.

Also, the development of open source software is different from proprietary softwares. In most cases, a FOSS user would more likely send a bug report upon discovering a certain bug. While proprietary software users generally doesn't care about the quality (code-wise) of the software they are using.

P.S. - If that were the case, then Internet Explorer users shouldn't have been having problems with getting infected with all sorts of "hazardous" code.

http://www.mozillazine.org/talkback.html?article=7059

The number of bugs doesn't really show how secure a piece of software is. On the other hand, the severity of these bugs do.
Animal
I think one of the main issues is the fundamental way each system works. now I may be wrong on this, so don't shout or throw things at me...

By default, all Windows ports are open and "listen" for relevant incoming connections. As a result, a firewall is necessary to hide the ports that aren't being used. If there isn't a firewall to do this, or at least control what can and can't enter the machine, it's "open to attack" - being a default, this is a bit of a problem.

Linux, on the other hand, doesn't "Listen" for incoming traffic on a certain port unless you tell it to. For example, if you run a website on Linux, port 80 or 8080 is opened (the http port) while the others remain closed.

As far as I'm concerned, this is the reason Microsoft Windows is more of a security vulnerability that any Linux system. Ok, Linux . Unix may have had more reported vulnerabilities, but these are not going to be easily exploited unless a hacker has an intimate knowledge of your system / network etc. Windows hacking is easier and therefore more widespread, so this is why Windows is fundamentally more vulnerable.

And I'm not knocking Windows - it's the OS I use 90% of the time (I dual boot with Linux). As with everything, if you use it correctly, it works as you want it to - and yes, using it correctly means using a firewall!
Donutey
the other thing is that severe linux vulnerabilities are fixed a lot quicker than windows ones...
{name here}
It's funny how one of the most secure OSes is Unix based...
djclue917
{name here} wrote:
It's funny how one of the most secure OSes is Unix based...


What do you mean?
Scorpio
Forgive me for asking, but why is there a * instead of u in UNIX?
Animal
Donutey wrote:
the other thing is that severe linux vulnerabilities are fixed a lot quicker than windows ones...


True, but I'd imagine the microsoft fixes undergo more quality assurance testing.


scorpio wrote:
Forgive me for asking, but why is there a * instead of u in UNIX?


*nix usually refers to systems based on Unix and Linux. MacOS is also Unix based.
filterchild
As djclue917 said earlier in the post, the main reason why all of these security vulnerabilities were found in open-source software and not in closed-sourceware is because, if you have the source there in front of you, searching for problems is going to be a lot easier.
Also, in distributed development environments (most open-source software is developed by multiple people) large bugs are caught and patched quicker. Smaller, less severe bugs have an easier time slipping through the cracks.

Additionally, Linus himself has commented that it might be a good time to concentrate on fixing bugs in the Linux kernel rather than adding new features. In my opinion, a good source code audit could really help Linux out.

Also, anyone here heard of and/or use OpenBSD? Absolutely awesome OS, just about the most secure one on the planet from what I can gather.
{name here}
OpenBSD is one of the most secure OSes out there(the one I was talking about). It is used by several governments around the world.

If you notice many exploits are repeated
filterchild
Aha, I see what you're saying now.
What do you mean by most of the exploits are repeated?
{name here}
filterchild wrote:
Aha, I see what you're saying now.
What do you mean by most of the exploits are repeated?

Many of the exploits are listed twice or more on both the *nix and Windows sides.

Really the question they should be posing is who actually gets infected more in a controlled test with an equal amount of windows and linux PCs browsing the same pages.
filterchild
Ah, I see what you're saying. You're right, it seems that most of those exploits are duplicates of others. It doesn't make any sense why they need to be duplicates of each other, clicking on them doesn't provide much additional insight. Also, just from looking through a few of these (in particular, the Cheetah vulnerabilities) these are pretty simple little things, and very easily caught.

Additionally, most of the vulnerabilities listed here do not necessarily relate to Linux itself but more to open-source libraries and programs which are cross-platform some of the time.
n0obie4life
mOrpheuS wrote:
p.s. - As a side note, Mozilla FireFox has about as many, if not more, security holes than Internet Explorer. Wink


Just to point out, that is true. The only difference is that Internet Explorer's holes are more crititcal (as it's integrated into the Windows Environment).
Related topics
Reply to topic    Frihost Forum Index -> Computers -> Operating Systems

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.