I think this discussion shows the real people problem.

Obviously many Microsoft software products are less secure than comparable systems, any objective look at the figures and history shows this clearly.

People who count Bugtraq vulnerabilities and then shout "see Linux is worse" just missed the point entirely. The issues are severity, and diversity.

For example some of those vulnerabilities still concern sendmail, and no one with concerns about security uses sendmail.

Possibly some concern Postfix which does pretty much the same thing, but the vulnerabilities tend to be much more minor due to better engineering of the product. The actual number concerning widely used common components of any significance is small (OpenSSH being the latest).

As pointed out even if the vulnerabilities were as extensive and as easily exploitable, the diversity of 'Unix like' systems is much wider than many Microsoft administrators appreciate. It takes a lot of time and effort to craft an effective *nix worm due to this diversity.

The specific low quality of MS products is presumably the result of low quality control at Microsoft, which itself is probably a result of a monopoly position.

This was brought home most clearly to me was the OE4 bug, where I discovered all those nice security settings I'd chosen for HTML in my Email had no effect whatever other than to give me a false sense of security.

This version of OE had more features and options for controlling security than any Linux mail client I've ever used, but the quality of these extra features was so low as to make them worse than useless!

The story is repeated across a wide range of MS products, security is an after thought and retrofitted, and often poorly.

Ironically, the core features apparently offered for security are far better in Windows. The Unix permissions model is archaic, and the ACL replacement whilst widely available is rarely deployed in my experience (and problematic because it is "retrofitted" - hence it's lack of deployment - so a simplistic but well implemented security scheme is out performing a sophisticated and complex, but poorly implemented scheme).

To hear people say "just run an AV system", misses the point. First most other systems don't and have no virus problem. Second AV system suffer from an obvious race condition. Third viruses are only a small part of the real problem. Fourth they are a big performance hit.

A digital immune system sounds good till you realise the worm people are talking about worms that saturate within 15 seconds, like Norton AV is going to save anyone. The only acceptable solution is defence in depth, to avoid, mitigate and control problems.

I think the numbers clearly demonstrate that many Microsoft products are below par when it comes to security. And having secured both I can assure you Windows server products are bloody hard to properly secure compared to comparable *nix systems in part because they are richer in features (often that you just want to know how to switch off, uninstall , or patch). Anyone who wants to dispute this point to the documentation you use describing how to secure your Windows servers!

Having done a hatchet job on Micrsoft let's look at the other points.

Running as root.... yes if you hand out Linux systems to joe public some will run as root, although some distros will refuse to start X, or display hideous warning messages. So I don't think this is a big issue, except where vendors have failed to discourage.

With millions of Linux boxes out there, not all of them are being run by people as talented as Linus. Which is the picture the Microsoft apologists seem to want to paint, but a sensible choice of default services by most modern distro's has avoided anything like the XP DCOM farce.

I once plugged a newly installed Debian laptop into a University network without thinking , the subsequent port scan showed only two listening ports (both of which I'd added for the demo) - don't you love sensible defaults. I can guarantee had I a freshly installed W2K or XP the box it would have been infected in seconds, since all such boxes on that network were infected during that 1/2 day visit.

However I agree the monoculture is a big problem for everyone, I mean geez my disk space filled up on a Linux box due to mail from infected Windows PC, the monoculture hurts those of us who aren't even using it. My log files are just full of port 135 probes, getting in the way of seeing more significant activity.

However the idea that the software is magically better in the *nix world is false. Some of it is substantially better engineered, give me Solaris over W2K anytime, SUN really do do those things you read about in software engineering books, like code coverage measurement.

Indeed the Windows world has better tools for building secure applications in some areas (MS VC kicks arse over GCC for these kind of features), although often the programmers are unaware, and they are rarely enabled by default!

The free software world does have some edges, run any free software project long enough and someone will send you a security audit of the source code. But it is still down to the maintainers to accept and merge such enhancements. Many of these are based on automated code inspection (so now you know why there are so many Bugtraq posts for free software, any old comp sci student can audit it with their latest code auditing technique). Most people auditing code are doing it to ensure it is "safe to run", or at least not terribly unsafe.

So I'm persuaded the general case is made, that a Linux world, would have far fewer such problems than the current MS world. By the time DOS had achieved the same sort of usage as current Linux systems, viruses were epidemic, where as the existing *nix systems at that time were largely untroubled by malicious code, as they have remained so to this day.

However the general code quality in Linux distributions is not yet high enough that such a world would be anywhere near trouble free. Such a utopia is a pipe dream, although that won't stop me advocating techniques that will bring it closer.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/188/22964#22964