Sunday, January 14, 2007

Windows XP More Secure than Linux


Anyone who tracks security vulnerability reports knows that a ridiculous number of them reference holes in Linux. For whatever reason this is never talked about, and Linux gets a magic aura of invulnerability. Part of the confusion lies in the complexity of the open source Linux model, which separates Linux "Distribution" vulnerabilities from Linux "Kernel" vulnerabilities. If you start adding up Linux "Distribution" vulnerabilities, that can take you into the hundreds upon hundreds of security holes that are never talked about. To simplify things, I took the latest Linux Kernel v2.6.x and compared it to Windows XP. This is more than a fair comparison for the shocking results to follow.

As with Firefox, Linux vulnerabilities are frequently lumped together in single advisories, which obscures the true vulnerability count:



Windows XP - 170 Advisories = 213 Vulnerabilities.
Linux Kernel v2.6.x - 108 Advisories = 231 Vulnerabilities.

Even with open source advocates finally admitting that Linux is insecure, they still try to claim it is more secure than Windows. Too bad this is now proven to be another myth.


Windows XP is more secure than Linux and sexier ;)

37 comments:

paletteguy said...

And they also said it would be cheaper :) -> Yet another marketing play. Yes, you can download the OS and Software but the ones that you have to use professionally cost big time and let's centralize all at one place (It takes me back to the 70s, 80s).
UI is okay if all used it and not used console for all.

Unknown said...

Let's review. "Linux" is nothing more than a kernel. "Windows XP" is an operating system. "Red Hat", "Debian", "SuSE" are organizations/companies that have created their own operating system powered by the Linux kernel. So, "Red Hat AS4", or "SuSE Linux Enterprise Server" are "operating systems". Now, having cleared that up, you are making a comparison first, with a kernel, and then second, with a slew of operating systems. Your statement of "Windows XP" is more secure than Linux isn't a relevant comparison because first you would either be comparing it to a kernel, and then next a lot of operating systems. To be fair, the way you would calculate your exploits would be to first identify all the exploits of the kernel, then add any additional exploit that does not include the previously listed kernel exploits to "an" operating system. Note, that is one. If you want to compare them individually, that would be fine, but otherwise, it would be like comparing "Debian Hardened Operating System version Potato" to "Windows XP, Windows 2000, Windows NT, etc" and summing all of Windows known exploits at a time. So this comparison isn't really any better than the other previously listed comparisons, which is disappointing seeing as the author did attempt to discredit those additional mislabeled comparisons.
Finally, if you wanted to be truly fair about these comparisons, you have to weigh the severity of each noted type of exploit in some fashion and assign it a score based on severity, ease, maybe even risk, and then sum up the scores of these to make a serious risk. That would seem to be a bit more useful in determining how "insecure"/"secure" something is, but then again, there are those of us who realize "nothing truly is secure", all it really boils down to is minimizing risk.
Following up, noting the comment from paletteguy, Linux "can" be cheaper, but not if you are interested and set on paying one of the well known companies for support for one of the pricey versions of a Linux powered operating system. I don't exactly buy into this model of buying support, especially based on my experience with Novell for example, when the consultants were constantly badgering me for my documentation to prove my points against their suggestions, which in retrospect, are they not the ones who are supposed to be providing us with said information? So if I were managing a company, I would much rather hire people who know the OS really well and pay "them" to be my support. First of all, you would have a much better support team as they would really know the product, being the Linux powered operating system of choice, and secondly if you doled out the support costs of one of these enterprise class operating systems to your staff who are to support the OS, you would have much more longevity out of your employees, and there would be much less turnover.
I would also like to add that the ones you pay for do not add the "professional" into the mix, but it's the user...the admin. And you can certainly use GUIs (well defined ones I might add) for desktop or server use. I'm not sure what the comment about the 70's and 80's refers to, but it seems this person is confusing "mainframe" terminology with today's trends (oh but wait....what is all this virtualization bit all about...could that not be consolidation? amazing how tech trends go back and forth ;), and moreover when dealing with "high availability", clustering proved to be an effective approach at this. So I'm not sure if this person is thinking that this is an attempt at centralization or not, but each (centralization/distributed) models have benefits and risks. One might want to read up on both to realize this.

Haz
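
The counting method this comment describes (kernel vulnerabilities first, then only the distribution vulnerabilities not already counted, broken down by severity), as an added example that is not part of the original thread. All advisory and vulnerability ids are constructed placeholders, and the `Advisory` fields are assumptions modelled on the advisory, vulnerability, criticality and remote terms used on this page.

```python
from collections import Counter
from dataclasses import dataclass

# Criticality labels as quoted in the thread, lowest to highest.
LEVELS = ["not", "less", "moderately", "highly", "extremely"]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real advisory number
    criticality: str   # advisory-level rating = its most severe vulnerability
    remote: bool       # advisory-level "where from" flag
    vuln_ids: tuple    # vulnerabilities grouped into this one advisory


def unique_vulnerabilities(advisories):
    """Map each vulnerability id to (criticality upper bound, may_be_remote).

    An advisory is rated by its worst vulnerability, so every vulnerability
    in it is rated at most that high. A vulnerability listed in several
    advisories is bounded by the lowest of those ratings, and it can only be
    remote if every advisory that lists it is flagged remote.
    """
    bounds = {}
    for adv in advisories:
        level = LEVELS.index(adv.criticality)
        for vid in adv.vuln_ids:
            prev_level, prev_remote = bounds.get(vid, (len(LEVELS) - 1, True))
            bounds[vid] = (min(prev_level, level), prev_remote and adv.remote)
    return bounds


def summarize(advisories):
    """Advisory count, naive listed count, de-duplicated count and breakdown."""
    bounds = unique_vulnerabilities(advisories)
    return {
        "advisories": len(advisories),
        # Summing per-advisory counts double-counts repeated vulnerabilities.
        "listed": sum(len(a.vuln_ids) for a in advisories),
        "unique": len(bounds),
        "by_max_criticality": dict(
            Counter(LEVELS[lvl] for lvl, _ in bounds.values())
        ),
        "may_be_remote": sum(1 for _, remote in bounds.values() if remote),
    }


# Constructed sample data: three kernel advisories, two distribution advisories.
KERNEL = [
    Advisory("ADV-K1", "less", False, ("VULN-001", "VULN-002", "VULN-003")),
    Advisory("ADV-K2", "moderately", True, ("VULN-003", "VULN-004")),
    Advisory("ADV-K3", "not", False, ("VULN-005",)),
]
DISTRO = [
    # Repeats one kernel vulnerability and adds one of its own.
    Advisory("ADV-D1", "moderately", True, ("VULN-004", "VULN-006")),
    Advisory("ADV-D2", "highly", True, ("VULN-007",)),
]

if __name__ == "__main__":
    print("kernel only      :", summarize(KERNEL))
    # Kernel plus one distribution: shared vulnerabilities are counted once.
    print("kernel + distro  :", summarize(KERNEL + DISTRO))
```
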

Anonymous said...

Let's get some things straight. First I'm going to say that I sit on the fence between open source & : software is software and I don't mix politics and software for that matter. However there is noticeable bias in the writing of many articles on this site. Second I have no credentials in security so this is coming from a security novice.

According to Secunia, Linux Kernel 2.6.X has 18 unpatched advisories, Windows XP Professional has 32, Home edition has 29. Granted that I have not taken the time to count individual vulnerabilities so all these numbers should be taken with a grain of salt. Your view of which OS/Kernel is most secure is coming from historical advisory numbers and isn't taking account of the time it takes to develop, test and publish a patch.

Some Windows XP vulnerabilities are also grouped such as advisories SA21417 and SA22341.

Finally take a look at the most severe unpatched Secunia advisory rating. It's currently higher for XP. Security isn't a matter of what did affect us in the past, it's what is affecting us now.

Andrew said...

Actually no I am comparing the Linux Kernel to Windows XP. Since the technicalities of what Linux stands for can be manipulated at will by the open source zealots to try and confuse the average person. When arguments were made involving what you call Linux "Operating Systems" and Windows XP, the zealots cried that you should only compare the Kernel. Either way it is irrelevant since all of those Linux "Operating Systems" include these vulnerabilities. Thus including the distribution vulnerabilities would be much worse for Linux.

These are NOT exploits but vulnerabilities. What is listed is the total amount of vulnerabilities, which is a very simple comparison.

The time to develop, test and publish a patch is irrelevant since this data can easily be manipulated and the testing of a Linux Patch does not affect anywhere near the amount or scope of Windows users and software.

Funny you should bring up the Windows "grouping" which were counted, and you show 2-3 vulnerabilities. Unlike the Linux one that lists 18, or the Firefox one which lists 27! This is common with Open Source software and is very misleading.

The Secunia total Advisory rating is useless since the grouping makes any analysis from the advisories irrelevant.

Unknown said...

As was said already, you should see the severity of these vulnerabilities.

since we are playing with numbers published by Secunia,

compare Windows XP
http://secunia.com/product/22/?task=statistics_2006

with Linux kernel 2.6.x
http://secunia.com/product/2719/?task=statistics_2006

for 2006

-criticality
Linux kernel 2.6.x: extremely=0%, highly=0%
WinXP: extremely=7%, highly=27%

-where from
Linux kernel 2.6.x: remote=27%
WinXP: remote=53%

-impact:
Linux kernel 2.6.x: system access=0%
WinXP: system access=54%!

in other words they are fewer (18 as opposed to 32) and less critical for linux

as for the rest of a GNU-Linux OS, apart from some parts of Xorg, as far as I know everything else runs in userspace, thus can't do any significant damage.

Also remember when we are talking about the Linux kernel, this includes any drivers (open-source that is) the system uses. In my opinion, the insecurity found in windows is partly the driver vendors' fault (and of course some design philosophies)

Anonymous said...

Well in reading the comments posted, there are people here that are much more qualified than I. However, the article, while pointing out the security issues with an OS versus just the Kernel is not accurate.

Here are the problems with this article, coming from me, and what I have observed on both operating systems.

First, for a simple home computer, Windows cost an arm, but now will cost an arm and a leg, whereas Linux, can be downloaded for free, or a much smaller fee (compared to windows) can be paid.

Secondly, you get what you pay for typically in other products (with exceptions) and well for the price we pay for Windows, it should be much better, work smoothly, however, it often has more errors than one knows what to do with, and we can not forget those times that files are randomly changed to read only, or moved even by Windows.

Thirdly, Windows allows any program really to change the registry and has no security features to prevent that like Linux does. In Linux the root password (on setting it that way) has to be provided, preventing random programs to generate things.

Looking at that, really puts it in perspective. And to throw out another twist, any Linux user can recompile their own Kernel, therefore we could have thousands of different versions out there.

I am just impressed that Linux has withstood all these attacks. And while I would love to see the day when more people buy Linux on a PC than Windows, it does not seem doable as the games and everything are not written for Linux, Windows and Mac... Until then, I will be using both, using Windows for complete compatibility, while Linux will be my play system.

Andrew said...

STOP listing the secunia "advisory" totals which is not an accurate listing of the vulnerabilities.

This is NOT comparing 2006 but ALL TIME! What is stated is very clear.

How much something costs is irrelevant to how secure it is.

On a limited user account Windows XP does NOT let "anything" change the registry. This is identical to Linux. Have Linux users even used Windows before?

I have never seen more excuses in my life. Linux is a convoluted mess that all starts with the Linux Kernel yet people try to make some illogical argument that the comparison is not accurate? Please all the popular distributions include the latest kernel (v2.6.x) thus include these vulnerabilities.

This ONE version of the Linux Kernel (v2.6.x) has more vulnerabilities than Windows XP which has been out for 5 years. That is very telling of the insecure state of Linux which is overly hyped as "secure".

Nathaniel said...

"This ONE version of the Linux Kernel (v2.6.x) has more vulnerabilities than Windows XP which has been out for 5 years. That is very telling of the insecure state of Linux which is overly hyped as "secure"."

And that, of course, has NOTHING to do with the fact that XP hasn't been developed any further in 5 years, while the Linux kernel has been in constant development (and still is!) during that entire time.

Give it up, this is nonsense. WinXP is an OS, and Linux is a kernel. WinXP is "finished" and Linux is always under development. WinXP has to be restarted when you install the teeniest-tiniest piece of software, while Linux can run for years and still have up-to-date software.

So yeah, focus your beady little eyes on secunia-statistics. That won't change the fact that Linux and all the GNU/Linux distributions are miles ahead of Windows XP. I mean, you even said it yourself... Windows XP is frikkin' 5 years old!!!

Unknown said...

to Andrew:

the article makes use of these statistics to make its claim, but does a bad job.

the statistics given for 2006 are not ALL TIME! There is a separate section for ALL TIME (which covers 2003-2006) and separate sections for each year. Just click the 2006 one. There are 45 Secunia advisories released for WinXP for 2006 and there are 44 for Linux 2.6.x for the same year.

if you don't trust these values then don't use them at all. But if you do, at least use them right!

and once again, yes Linux is just the kernel (PLUS DRIVERS! remember that), but the rest of the GNU-Linux OS (no matter what distro you use), has little to offer in terms of serious vulnerabilities, since most things run in user-space.


Unless if you are working for Microsoft, I can't see a reason for you to make this claim.

Andrew said...

"And that, of course, has NOTHING to do with the fact that XP hasn't been developed any further in 5 years, while the Linux kernel has been in constant development (and still is!) during that entire time."

Um did you miss Service Pack 2 for XP in 2004? Maybe you have missed all the updates to Internet Explorer (IE7), Windows Media Player and all the other components that are included with XP? Nice EXCUSES! It doesn't make Linux any more secure.

"Give it up, this is nonsense. WinXP is an OS, and Linux is a kernel. WinXP is "finished" and Linux is always under development. WinXP has to be restarted when you install the teeniest-tiniest piece of software, while Linux can run for years and still have up-to-date software."

I am not giving up anything. This is about security not the fact of the insane amount of games I can run on Windows XP or the pathetic 0.37% market share Linux has.

Looks like the Linux fanboys have arrived! Too bad the facts are against them.

Andrew said...

"the article makes use of these statistics to make its claim, but does a bad job."

No the article only makes use of the ALL TIME VULNERABILITIES! No one is talking about 2006 vulnerabilities you have the wrong discussion.

"There are 45 Secunia advisories released for WinXP for 2006 and there are 44 for Linux 2.6.x for the same year."

Are you retarded? This article talks about ALL TIME vulnerabilities! NOT advisories or advisories from 2006. Now try doing the math.

2006 Windows XP - 44 Advisories = 62 Vulnerabilities.
2006 Linux Kernel v2.6.x - 45 Advisories = 80 Vulnerabilities.

Wow looks like you should check your facts before you embarrass yourself further!

"if you don't trust these values then don't use them at all. But if you do, at least use them right!"

What are you talking about? This article only talks about all time vulnerabilities for Windows XP vs Linux Kernel v2.6.x! You are confused.

"but the rest of the GNU-Linux OS (no matter what distro you use), has little to offer in terms of serious vulnerabilities, since most things run in user-space."

EXCUSES! Windows XP can run in limited user accounts just as easily. Your point is irrelevant.

Only a fanboy could not understand why it is important to show how insecure Linux really is!

Unknown said...

Andrew, I love your definition of "secure". Please, remind me never to employ you.

Sure - you point out that Linux kernel 2.6.x has more vulnerabilities than WinXP. But you either refuse to accept or don't want to accept that the WinXP vulnerabilities are both more serious and remotely accessible. Quoting from the same source as your figures:

Criticality:
for Win XP
Extremely: 4%
Highly: 30%
Moderately: 31%
Less: 27%
Not: 8%

for Linux 2.6.x
Extremely: 0%
Highly: 0%
Moderately: 15%
Less: 55%
Not: 31%

And don't look at the location of exploit figures, or you'll never ever trust a Windows machine on a network ever again. A small detail of 57% of all vulnerabilities for Windows XP being remotely accessible (the figure for Linux 2.6.x is 19%, which isn't good but still better).

Of course (as Secunia say), these figures are not a valid basis for comparing OSs. I prefer a simple practical test: Which OS works better for me? In my case, I changed to Linux (from Windows) many years ago, because Linux (and its associated applications software) was far more stable and reliable. I use WinXP at work, and I can tell you that I have not seen anything to convince me that situation has changed at all.

Facts, you say? I can give you facts, but you won't like them so there is no point. You'll just distort them or someone else's figures to try and reinforce your (lost) point.
Get over your insecurities and move on with your life.

Andrew said...

I am already employed in IT and deal with security daily, I do not irrationally take online gossip as a decision to use certain software but I evaluate the FACTS!

First of all your percentages are the ADVISORIES! Those are not taking into account the vulnerabilities. Something that has one severe advisory that includes one vulnerability is much more secure than one advisory that includes 18 vulnerabilities!

Anyone who claims XP is unstable has no business using computers ever again.

Unknown said...

Hmmm. Seems you fail basic logic. 0% extreme or high criticality ADVISORIES means 0 extreme or high criticality VULNERABILITIES.
With, what was it, 140 WinXP advisories? - that means at least 5 extreme and 42 high criticality vulnerabilities (4% and 30% of 140 respectively).
And still 57% of the remotely accessible!

As I said, you aren't interested in any facts that upset your world view. That is obvious.

And for the record - I did not say XP was unstable - I said that Linux is more stable and reliable. XP is a vast improvement over previous Windows versions but it is still less stable and reliable than Linux.

And since I strongly suspect I started doing IT stuff before you were born (the age you exhibit in your post suggests early to mid teens), I suspect I know an awful lot more about what I'm talking about than you do.

Andrew said...

The facts are clearly stated. Linux is less secure than Windows XP. Security "ratings" are widely debatable on how insecure they make you. Something does not have to gain system access to severely affect your security.

I strongly suggest you get a clue, since I have been in IT for over 15 years. How much you do not know has been proven with your unintelligent comments.

Linux is not more stable and reliable than XP. That just shows even clearly how little you know. I do not have any stability or reliability problems with XP.

Steve And Chriss said...

@ Andrew

"Linux is not more stable and reliable than XP. That just shows even clearly how little you know. I do not have any stability or reliability problems with XP."

Until the next MS patch and reboot sequence.

Andrew said...

"Until the next MS patch and reboot sequence."

Rebooting is irrelevant. Linux clearly needs to be patched more than Windows.

"All I'm going to say Andrew is that you're failing to understand the meaning of analysis. You are supposed to weigh up the facts with evidence in a balanced manner and then form a conclusion based on your findings. What you're doing is presenting a one sided argument."

The evidence is balanced and the facts are weighed up. Linux has had more vulnerabilities than Windows XP.

"Is it really? I find it incredible to read that you're employed in IT and you find the patch turnaround time to be irrelevant. The longer vulnerabilities are out in the wild the more potential damage is being done. That is widely acknowledged and I'll refer you to incidents such as this."

Damage to what? Most of the unpatched vulnerabilities in Windows are blocked with DEP protection enabled anyway, the rest via a firewall and none do anything in a limited user environment which is what IT runs their user base in. What is widely acknowledged is there is a lot of online hype that does not relate to the actual security environment in the real world. Security companies make their money by selling these scary stories. IT environments in the real world do not have these problems regardless of patch time.

"The rating is based on the most severe vulnerability discovered. Even as they are grouped it doesn't make it useless."

Well useless from the perspective of actual damage to the user, since different breaches of security affect different people in different ways.

martin said...

"Damage to what? Most of the unpatched vulnerabilities in Windows are blocked with DEP protection enabled anyway, the rest via a firewall"

Why should need a new processor when PaX has offered equivalent protection for Linux without the need for NX support since 2000?

And why should anyone trust that woeful excuse for a firewall that comes with Windows?

I find it hilarious you mention both the "insane amount of games" and limited user accounts on the same page. How is that arrangement working out for you?

Andrew said...

I find it hilarious how uninformed Linux users are.

"Why should need a new processor when PaX has offered equivalent protection for Linux without the need for NX support since 2000?"

You don't. DEP is provided through software in Windows too. Though NX support makes it even more secure. I think Linux users need to use Windows once in a while.

"And why should anyone trust that woeful excuse for a firewall that comes with Windows?"

Why is it "woeful"? Because you heard some ignorant unknowledgeable moron say so? Why not back up this misinformed accusation with some facts?

"I find it hilarious you mention both the "insane amount of games" and limited user accounts on the same page. How is that arrangement working out for you?"

Have you ever heard of the "Designed for Windows XP" logo? Which guarantees it will run as a limited user. None of which changes the fact of the insane amount of games that run natively (not through emulation) in Windows XP nor all the Designed for Windows XP compatible games that run as a limited user. The more I talk to Linux users the more I realize they are simply fed propaganda and have no real world Windows experience.

martin said...

"You don't. DEP is provided through software in Windows too. Though NX support makes it even more secure. I think Linux users need to use Windows once in a while."

I said equivalent, not crippled.
Even Microsoft's web site states that in software mode, DEP only provides some protection from certain error handling conditions.

You also ignored the fact Linux had this protection before Windows XP even came out.

And by the way, I use Windows, Linux, Solaris, AIX, Mac OS X and others. I have a computer with XP x64 that I use regularly.

Maybe you should try Linux with a less spiteful view.

"Why is it "woeful"? Because you heard some ignorant unknowledgeable moron say so? Why not back up this misinformed accusation with some facts?"

I will reconsider my views when it can come near the depth of OpenBSD's pf or Linux's iptables.

"Have you ever heard of the "Designed for Windows XP" logo? Which guarantees it will run as a limited user. None of which changes the fact of the insane amount of games that run natively (not through emulation) in Windows XP nor all the Designed for Windows XP compatible games that run as a limited user. The more I talk to Linux users the more I realize they are simply fed propaganda and have no real world Windows experience."

Anyone can do a search to see the massive problems Windows users encounter trying to run games and other applications under a limited account. UNIX got this right from the beginning.

Andrew said...

"I said equivalent, not crippled. Even Microsoft's web site states that in software mode, DEP only provides some protection from certain error handling conditions."

It still provides protection. Without hardware backing you at best get emulation which is never a guarantee. Regardless software DEP is present on Windows XP SP2 and Vista adds ASLR.

"You also ignored the fact Linux had this protection before Windows XP even came out."

Where did I ignore this? No one cares. Maybe Linux should stop being the ultimate hack job and being so badly programmed that so many vulnerabilities exist.

"Maybe you should try Linux with a less spiteful view."

I have and it sucks. All the games I want to play are either overly complicated to set up or do not run. Linux on the desktop is still a convoluted joke. Which is why the market share remains at a pathetic 0.37% even with it being "free".

"I will reconsider my views when it can come near the depth of OpenBSD's pf or Linux's iptables."

Sorry you are not going to get away with it that easily. Show me documented reproducible proof that proves the Windows XP SP2 firewall does not provide adequate security. Stop regurgitating nonsense you read on open source sites.

"Anyone can do a search to see the massive problems Windows users encounter trying to run games and other applications under a limited account. UNIX got this right from the beginning."

Yeah they got it right, don't have any games for anyone to run. Microsoft since Windows XP was released provided documentation for game developers to program their games correctly. Not all followed and some users were still running legacy games. But that is the power of Windows and the great depth of software that is available for the Windows platform.

martin said...

"It still provides protection. Without hardware backing you at best get emulation which is never a guarantee. Regardless software DEP is present on Windows XP SP2 and Vista adds ASLR."

Actually, PaX includes ASLR as well. SSP, and other source fortification are the new techniques Windows will never benefit from as long as the majority of software made for the platform comes from outside Microsoft.

If you had memory protection testing suites you would know that the protection offered by PaX NX emulation (PAGEEXEC) is the same as hardware NX under Windows.

And since when is "It still provides protection" a good answer?

"Where did I ignore this? No one cares. Maybe Linux should stop being the ultimate hack job and being so badly programmed that so many vulnerabilities exist."

What evidence do you have for this accusation?

If you consult Secunia on a product like OS/2 you will see that not a single vulnerability is noted. I could sit a child down and they would probably be able to bypass the weak architecture.

Security depends on the user, not some number.


"I have and it sucks. All the games I want to play are either overly complicated to set up or do not run. Linux on the desktop is still a convoluted joke. Which is why the market share remains at a pathetic 0.37% even with it being "free"."


If games are that important to you then I would not recommend Linux. I don't care if people choose Windows. What I dislike is someone acting in a deceptive manner.

Most of the UNIX installations I administer have no requirement for gaming.

These UNIX installations mostly exist in the background, so your statistics are not valid.

"Sorry you are not going to get away with it that easily. Show me documented reproducible proof that proves the Windows XP SP2 firewall does not provide adequate security. Stop regurgitating nonsense you read on open source sites."

A good commercial firewall would most likely fill in the gaps left by the Windows firewall. I am sure a network administrator would be more than happy to tell you about the wide difference in intended usage and sad functionality even for end users. Microsoft's ISA would probably come closest.

"Yeah they got it right, don't have any games for anyone to run. Microsoft since Windows XP was released provided documentation for game developers to program their games correctly. Not all followed and some users were still running legacy games. But that is the power of Windows and the great depth of software that is available for the Windows platform."

The resources for game developers are there. SDL and OpenGL are wonderful replacements for DirectX. Nvidia even provides its cg toolkit.

Andrew said...

"Actually, PaX includes ASLR as well. SSP, and other source fortification are the new techniques Windows will never benefit from as long as the majority of software made for the platform comes from outside Microsoft."

Yes I am well aware of that but it is not relevant to this discussion. Windows consistently benefits from new techniques, SP2 is an example as is the new security in Vista.

"If you had memory protection testing suites you would know that the protection offered by PaX NX emulation (PAGEEXEC) is the same as hardware NX under Windows."

No it is not, it is emulated, which means it can never be guaranteed. Just because some software "suite" is fooled does not make it a replacement for real NX through hardware.

"And since when is "It still provides protection" a good answer?"

Do I speak Greek? Software DEP provides more protection than no Software DEP.

"What evidence do you have for this accusation?"

The constant distro mess and lack of game and driver support.

"Security depends on the user, not some number."

The number of vulnerabilities directly relates to the security of the software out of the users control.

"If games are that important to you then I would not recommend Linux. I don't care if people choose Windows. What I dislike is someone acting in a deceptive manner."

So you dislike yourself? What kind of idiotic comment is this?

This is about Linux not Unix.

"A good commercial firewall would most likely fill in the gaps left by the Windows firewall. I am sure a network administrator would be more than happy to tell you about the wide difference in intended usage and sad functionality even for end users. Microsoft's ISA would probably come closest."

Most likely? You don't even know yet make bullshit claims? Yet you can't provide any documentation showing your bullshit claims? Please.

"The resources for game developers are there. SDL and OpenGL are wonderful replacements for DirectX. Nvidia even provides its cg toolkit."

Must be the 0.37% marketshare or the lack of platform API standardization? Is SDL the DirectX of Linux? Who knows the Distros are a huge confusing mess.

martin said...

"Yes I am well aware of that but it is not relevant to this discussion. Windows consistently benefits from new techniques, SP2 is an example as is the new security in Vista."

You are still failing to grasp the point aren't you?

"No it is not, it is emulated, which means it can never be guaranteed. Just because some software "suite" is fooled does not make it a replacement for real NX through hardware."

What you are saying makes no sense. There is nothing to fool. The fact remains that when testing real world applications there is no distinguishable difference between the protection offered by PaX without NX, and DEP with NX.

And DEP's protection with NX is still questionable.

Not including ASLR from the beginning was a mistake. Without it DEP is vulnerable to an exploit technique known as return-to-libc.

I suppose your solution is to buy a new computer and Vista when a Pentium III with Linux or OpenBSD could have the same level of protection?

And SSP and technology that works through the compiler cannot be enforced with the majority of the software for Vista that comes in binary only.

And the technology uses an underutilized component of the processor, the supervisor bit. Not emulation as you claim.

"The constant distro mess and lack of game and driver support."

Obviously there is a trend here!

"The number of vulnerabilities directly relates to the security of the software out of the users control."

No. Mac OS 9 and OS/2 are great examples of operating systems that have close to no vulnerabilities yet provide pathetic security.

If you are serious about security then you understand the nature of the advisories and work around them. A user's security is NEVER out of their control.

So you dislike yourself? What kind of idiotic comment is this?

This is about Linux not Unix.


I found your statement "Windows XP More Secure than Linux" to be deceptive. You took some time to look at statistics and then in some omniscient attitude, you make a blanket statement.

The great thing about Linux is that it can complement or replace your existing UNIX installations without the upheaval that switching to Windows would entail. UNIX and Linux are not far apart, so it is easier to refer to them as one entity.

Most likely? You don't even know yet make bullshit claims? Yet you can't provide any documentation showing your bullshit claims? Please.

For example the complete lack of outbound filtering? See http://www.grc.com/lt/leaktest.htm for an example of an application that can completely bypass the Windows firewall.

Must be the 0.37% marketshare or the lack of platform API standardization? Is SDL the DirectX of Linux? Who knows the Distros are a huge confusing mess.

Where did you get that number? You are ignoring the true impact of Linux. Servers, workstations and embedded applications are the leading adopters of Linux.

In none of these areas is gaming even a concern.

You seem obsessed with being able to play games. If Linux "sucks" because you can not play your favorite games, you should change the article title.

Something like "Linux doesn't let me play my games and I will therefore find other evidence that it is bad" would have been more fitting.

If you have a genuine problem with Linux (or its security) other than that it cannot play *Windows* games, then tell everyone.

Maybe some Linux zealot told you how Linux is the best operating system out there for anyone. I really don't know what happened, but you clearly wasted your time if using Windows games was your primary concern.

And I really have a hard time understanding why you cannot just pick a distribution and stick with it. People that embrace a distro of the week attitude are just as confusing to me.

My point is that Microsoft tends to deliver suboptimal solutions later than competitors, despite their financial advantages.

Andrew said...

I fully grasp that Windows is more secure than Linux.

Emulation means it is running in software and thus pretending to be something AKA "fooling". Only true hardware NX can guarantee DEP or PaX. PaX is just as questionable but it is better than no PaX just like DEP is better than no DEP and DEP with NX is better than regular DEP.

Yes ASLR is better which is why Vista comes with it. That doesn't excuse the vulnerabilities in Linux.

Since a PIII is unable to play the latest games let alone the fact that Linux and OpenBSD have next to no game support, then yes. But I manage Windows workstations and do not have any security problems.

Man what is with you guys and non compiled software? No one who wants to get work done wants to compile something, they simply want to use it.

No PaX without hardware NX is emulated NX and you incur some performance hit. Using the supervisor bit is just a trick and not a substitute for real NX hardware support.

Mac OS9 and OS/2 have no user base anymore. Linux is still currently used even with only 0.37% market share, it is actively developed. But I can't imagine how many vulnerabilities would exist in Linux if it had Windows' market share.

Working around something is standard practice but the vulnerabilities are definitely out of the users control in terms of them appearing.

I made a very logical analysis based on the data provided. Nothing is deceptive. The data is all there and linked.

What the hell does Unix have to do with anything? Windows 2000 is similar to XP but I am not talking about it.

"For example the complete lack of outbound filtering? See http://www.grc.com/lt/leaktest.htm for an example of an application that can completely bypass the Windows firewall."

Anything can bypass ANY firewall once it has compromised your system logged in as an administrator! Outbound filtering does not guarantee anything unless you are running Vista.

http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx

"Where did you get that number? You are ignoring the true impact of Linux. Servers, workstations and embedded applications are the leading adopters of Linux."

It is linked above. Web Servers mainly but the Desktop share is pathetic and since Windows XP is a desktop OS that is where the comparison is.

Actually my concern is security, which Linux has proven to be no better than its misleading claims.

Linux advocates still do not get why people do not use it or why Windows which costs far more is so widely used. I just proved security is not an argument anymore.

martin said...

Emulation means it is running in software and thus pretending to be something AKA "fooling". Only true hardware NX can guarantee DEP or PaX. PaX is just as questionable but it is better than no PaX just like DEP is better than no DEP and DEP with NX is better than regular DEP.

It is emulation in the sense that no NX bit is present. It isn't software though. I still credit the PaX authors for their deep understanding of the features of a multitude of different processors: alpha, i386, ia64, mips, mips64, parisc, ppc, ppc64, sparc, sparc64 and x86_64.

Yes ASLR is better which is why Vista comes with it. That doesn't excuse the vulnerabilities in Linux.

No, it doesn't excuse the vulnerabilities of Linux. I do think Microsoft owes its customers using XP the ability to fix some of the problems with hardware DEP. The lack of ASLR put the whole scheme at risk.

Since a PIII is unable to play the latest games let alone the fact that Linux and OpenBSD have next to no game support, then yes. But I manage Windows workstations and do not have any security problems.

DEP (or PaX) only shine when you are running a server or a multiuser machine.

I don't think that Windows is inherently insecure.

For a small scale SMTP or DNS server it's nice to know that if djbdns or qmail get out of control technology like PaX, ExecShield, or AppArmor will give you an additional layer of protection.

Man what is with you guys and non compiled software? No one who wants to get work done wants to compile something, they simply want to use it.

I don't compile my own software, unless there is a special situation that truly requires it. If you pick a good distribution like RHEL, or its free relative Fedora Core, the software is compiled with these protections built in.

Imagine Apache releases a new version. Red Hat will compile it for their customers with this technology already implemented. Very few Linux users actually get their software directly from the site of origin.

They wait for it to be "digested" by their distribution of choice.

See http://fedoraproject.org/wiki/Security/Features for a full list of what they do by default.

Mac OS9 and OS/2 have no user base anymore. Linux is still currently used even with only 0.37% market share, it is actively developed. But I can't imagine how many vulnerabilities would exist in Linux if it had Windows' market share.

OS/2 does seem dead. I had a passport advantage account with IBM and even they wanted to get rid of it. I still run into OS 9 users quite frequently. As far as Linux, I think there is an equal amount of scrutiny.

See scan.coverity.com to see an open source code audit sponsored by the department of homeland security in progress.

Also note that Novell SuSE and Microsoft Windows meet EAL4.

Working around something is standard practice but the vulnerabilities are definitely out of the users control in terms of them appearing.

They are out of control in terms of appearing. All I was claiming was that even an unpatched Windows 95 user or RHL 1.1 user still can have a "secure" computing experience.

I made a very logical analysis based on the data provided. Nothing is deceptive. The data is all there and linked.

I am not challenging the methodology, only the conclusions.

What the hell does Unix have to do with anything? Windows 2000 is similar to XP but I am not talking about it.

Alright, I won't mention UNIX anymore.

Anything can bypass ANY firewall once it has compromised your system logged in as an administrator! Outbound filtering does not guarantee anything unless you are running Vista.

I am quite certain that leaktest could run under a limited user account. Outbound filtering would be useful if you had a NAT configuration, and wanted to block certain activities from egressing.

It is linked above. Web Servers mainly but the Desktop share is pathetic and since Windows XP is a desktop OS that is where the comparison is.

Actually my concern is security, which Linux has proven to be no better than its misleading claims.

Linux advocates still do not get why people do not use it or why Windows which costs far more is so widely used. I just proved security is not an argument anymore.


I don't care for zealous OS advocates of any kind, they seem to ignore the fact people can judge for themselves. If you only want to consider Linux on the desktop, you are right, Mac OS X and Windows both eclipse it. I have seen statistics anywhere from your .37% to 2.5%. When your router, cell phone, web site, Tivo, and GPS handheld run Linux without blatantly advertising it, it is hard to marginalize it within the framework of a desktop perspective.

I understand your frustration with bad claims like Linux is more secure than Windows, but why return the same nonsense in a different form?

Andrew said...

"It is a widely accepted fact that the Windows Firewall offers no protection against outbound connections which offers no protection against phone-home attacks which means personal data could wind up in the hands of those who would like to exploit it."

You are a clueless, clueless man. It is IMPOSSIBLE to prevent outbound access in Windows XP. It is more of a widely misinformed inaccurate Myth. Read this AGAIN!

Windows Firewall: the best new security feature in Vista?


"The reason for the Windows firewall is clear : use it to get on the internet, get your updates and security software then get rid of it."

Nope you keep using it since its security is excellent. There is nothing wrong with the XP firewall.

"I'm sure you remember the Blaster worm fiasco? It wouldn't have had anywhere near as the same effect if Windows firewall was on by default which is why Microsoft introduced a basic firewall. They kept it basic because doing otherwise would be considered monopolistic."

Windows XP came with a firewall from day 1. In 2001 when it was released attacks like Blaster were a non issue, which is why they updated and enabled the XP Firewall in SP2 by default. They kept it basic because outbound protection is useless running as an admin! It is of no surprise that Linux users are CLUELESS about Windows security and spread lies and misinformation about the Windows XP Firewall. Again read this until you understand.

Windows Firewall: the best new security feature in Vista?

Andrew said...

The previous reply was to another moderated post from Joseph.

"It is emulation in the sense that no NX bit is present. It isn't software though."

Partially and it is not full NX. Regardless there is a performance hit as opposed to true NX.

"I do think Microsoft owes its customers using XP the ability to fix some of the problems with hardware DEP. The lack of ASLR put the whole scheme at risk."

I don't see any problems with it and it works fine. How much the lack of ASLR puts you at risk is debatable. Regardless it is in Vista.

"DEP (or PaX) only shine when you are running a server or a multiuser machine."

Not at all, stopping buffer overflow attacks prevents many exploits that malware uses to install. This is why a system running DEP is much less vulnerable to any exploit that uses an unknown unpatched vulnerability like this.

"They are out of control in terms of appearing. All I was claiming was that even an unpatched Windows 95 user or RHL 1.1 user still can have a "secure" computing experience."

I disagree. Windows 95 has not received security patches since 2001. Once patches stop you cannot guarantee security.

"I am quite certain that leaktest could run under a limited user account. Outbound filtering would be useful if you had a NAT configuration, and wanted to block certain activities from egressing."

While it can run, this is irrelevant since the average user runs Windows as full admin. Managed systems use limited accounts and set up outbound filtering on hardware firewalls or servers.

"When your router, cell phone, web site, Tivo, and GPS handheld run Linux without blatantly advertising it, it is hard to marginalize it within the framework of a desktop perspective."

This can be said of any OS that is run in these devices including Windows CE.

"I understand your frustration with bad claims like Linux is more secure than Windows, but why return the same nonsense in a different form?"

I don't consider it nonsense and am merely addressing a little known fact of the number of vulnerabilities present in Linux. I don't consider Linux to be insecure but I consider it no more secure than Windows and this is just another reason why.

Andrew said...

"Your definition of a firewall is quite different than mine. A firewall should be able to manipulate any activity that pertains to the TCP/IP stack. The Windows firewall might be good enough for you, but it certainly lacks the functionality most would expect."

That is not defining it but giving an opinion on the feature set. A firewall's main purpose is to provide security from attacks and the Windows XP SP2 firewall is an excellent solution that does just that. It is designed for home desktop users, which is an area Linux still does not understand. It provides security easily and unobtrusively.

"The other excuse, that a process could masquerade as another has been thoroughly dealt with by the likes of executable hashing that even rudimentary free firewalls like ZoneAlarm offer."

Once something has system access as admin it is impossible to guarantee this. Without complex hijacking of a process in memory malware can simply try to connect as IE.exe. Most users would just let it through. There are many ways to defeat outbound filtering and with full system access it is impossible to stop on XP. Vista has put in system safeguards that make this extremely difficult to do even with full system access. Which is why outbound filtering is irrelevant on XP.

I already stated ASLR is in Vista and maybe they stole it from OpenBSD? I simply don't care.

martin said...

That is not defining it but giving an opinion on the feature set. A firewall's main purpose is to provide security from attacks and the Windows XP SP2 firewall is an excellent solution that does just that. It is designed for home desktop users, which is an area Linux still does not understand. It provides security easily and unobtrusively.

I realize that, when I use XP x64 I don't get much of a choice. Third party vendors still have to catch up and make compatible products.

I stand by my original opinion that home users could benefit from outbound filtering.

Even ignoring the malicious, a user might want some notification that an application is calling home.

Once something has system access as admin it is impossible to guarantee this. Without complex hijacking of a process in memory malware can simply try to connect as IE.exe. Most users would just let it through. There are many ways to defeat outbound filtering and with full system access it is impossible to stop on XP. Vista has put in system safeguards that make this extremely difficult to do even with full system access. Which is why outbound filtering is irrelevant on XP.

I already stated ASLR is in Vista and maybe they stole it from OpenBSD? I simply don't care.


At least it would raise the bar significantly. Malware authors would have to corrupt the running firewall (ZoneAlarm, for instance) to get it to apply the same rules as it would for IE. I have had it set off alarms due to small updates to IE that change its executable hash somewhat.

Another use would be simple port blocking (or something more sophisticated) if you didn't want people behind a gateway engaging in some activity. Like wasting time at work on IM or online games.

Skype had proven to be a notoriously hard thing to block. With sophisticated stateful firewalls like iptables or pf, you can analyze relationships that normally would be ignored due to its usage of inconspicuous ports and other obfuscation techniques.

IPSec sounds good at first, but in reality is too static for typical usage for anything other than a server.

ASLR was invented by PaX. I just found it ironic that Microsoft accuses Linux of violating its IP, makes no concrete claims, yet gives no credit to ASLR's original author.

In addition, the ASLR implementation in Vista has some weaknesses.

It still doesn't randomize the stack or heap.

And for legacy support, exes distributed without flags set for protection won't benefit from ASLR by default.

I don't consider it nonsense and am merely addressing a little known fact of the number of vulnerabilities present in Linux. I don't consider Linux to be insecure but I consider it no more secure than Windows and this is just another reason why.

I agree with your point. I wouldn't tell someone that Windows is more secure, or that Linux is. That has been my entire point.

This can be said of any OS that is run in these devices including Windows CE.

How many routers have you seen with CE? There is a set engineering cost for a vendor to adopt either Linux or CE to their devices. Beyond that, the cost per device is what matters. Even with a cost of 5 dollars per device, the ultimate amount adds up.

I disagree. Windows 95 has not received security patches since 2001. Once patches stop you cannot guarantee security.

If I were to put this Windows 95 user behind a hardware firewall, gave them a modern web browser, and educated them on secure practices I can see no security issues.
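martin's remark above that executables distributed without the protection flags set do not get ASLR by default can be checked per binary, because the opt-in is recorded in the `DllCharacteristics` field of the PE optional header. The Python below is an added example, not part of the thread: the function names are hypothetical and the sample headers are constructed in the code rather than taken from real Windows binaries.

```python
import struct

# Flag values from the PE/COFF format.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics
DYNAMIC_BASE = 0x0040                 # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100                    # DllCharacteristics: image opts in to DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70                   # same offset in PE32 and PE32+ optional headers


class NotPE(ValueError):
    """Raised when the bytes do not contain a usable PE header."""


def mitigation_flags(image: bytes) -> dict:
    """Report the DEP/ASLR opt-in flags recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < DLLCHAR_OFFSET + 2 or opt + opt_size > len(image):
        raise NotPE("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise NotPE("unknown optional header magic 0x%04x" % magic)
    (dll_char,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)

    dynamic_base = bool(dll_char & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32" if magic == PE32_MAGIC else "PE32+",
        "nx_compat": bool(dll_char & NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # An image that opts in but has no relocation data gives the loader
        # nothing to rebase it with, so the opt-in alone is not enough.
        "aslr_usable": dynamic_base and not relocs_stripped,
    }


def not_opted_in(named_images: dict) -> list:
    """Names of images that would not be randomized under an opt-in policy."""
    return sorted(name for name, data in named_images.items()
                  if not mitigation_flags(data)["aslr_usable"])


def build_sample(dll_characteristics, characteristics=0x0102, magic=PE32_MAGIC):
    """Constructed, header-only PE image for the demonstration (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    opt_size = 224 if magic == PE32_MAGIC else 240
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


# Constructed samples: a legacy build with no flags, a build with both opt-ins,
# and one that opts in but was linked with relocations stripped.
SAMPLES = {
    "legacy.exe": build_sample(0x0000),
    "hardened.exe": build_sample(DYNAMIC_BASE | NX_COMPAT),
    "stripped.exe": build_sample(DYNAMIC_BASE | NX_COMPAT, characteristics=0x0103),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, mitigation_flags(data))
    print("not randomized:", not_opted_in(SAMPLES))
```

To audit real files, pass `open(path, "rb").read()` to `mitigation_flags`; only the headers are read.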

Haliaetus said...

I am not qualified to comment on this quarrel about the security of Windows versus Linux, but this market share discussion is puzzling.

I did a simple web-search for "Linux" and "Windows XP". The Windows search returned 103 million hits, the Linux search returned 201 million hits.

No it is not scientific, but at least acknowledge that Linux is BIG, and here to stay.

It is impossible to know how many Linux desktop users there are, but it has been estimated that the number is around 29 million and growing fast.

I am typing this on my laptop happily running Ubuntu Linux, and how much time do I use searching for Viruses and removing adware, updating my virus program and so on?
No time at all!

Almost no one drives around in a Rolls Royce, but it is certainly not because it is a bad car!

Andrew said...

"I stand by my original opinion that home users could benefit from outbound filtering."

Outbound filtering causes some of the most problems for home users. Talk to anyone who works at a Microsoft helpdesk and they will tell you one of their #1 problems with people losing internet access is the third party firewall blocking it. From a security standpoint it does nothing to prevent you from getting infected since you already have to be infected for it to try and connect out. The article I linked to proves conclusively why it is impossible to guarantee outbound filtering with someone running as an administrator in Windows XP. The problem is so called Windows "experts" irresponsibly recommend third party firewalls to people who do not need it. Instead of giving them accurate security advice. They scare them with ridiculous FUD.

"Even ignoring the malicious, a user might want some notification that an application is calling home."

The average user does not care. I work with end users daily and they simply say yes and let everything connect. They do whatever is easier. I found massively infected machines with third party firewalls and all the malicious ports and applications were allowed access. These are the applications not designed to circumvent a third party firewall. As for regular applications? They still don't care. Those that do already use a third party firewall. But telling the average user they need one is irresponsible.

"At least it would raise the bar significantly. Malware authors would have to corrupt the running firewall (ZoneAlarm, for instance) to get it to apply the same rules as it would for IE. I have had it set off alarms due to small updates to IE that change its executable hash somewhat."

No it wouldn't if it connected as IE.exe! Most people wouldn't check and when you look in the program control section you would find two separate programs, one would be the real internet explorer the other would be IE.exe using the same exact icon but be a malicious program! Once you have system access there are many ways to bypass a third party firewall and with the freely available rootkits, it can easily go undetected. Do you realize what you are trying to do? You are attempting to stop something from connecting to the Internet AFTER it has already infected your machine! That is idiotic and impossible on Windows XP running as an admin.

"Another use would be simple port blocking (or something more sophisticated) if you didn't want people behind a gateway engaging in some activity. Like wasting time at work on IM or online games."

Port blocking is irrelevant if you are trying to block outbound activity on a Windows XP machine running as an admin with a software firewall. Anything can be blocked if you are running the firewall on separate secure server or from a good hardware firewall.

The only people that would want to block Skype are businesses or educational institutions. That would be done from a central location and has nothing to do with the XP firewall!

Home users don't use IPSec, it is mainly used with VPNs and SSL communications.

Honestly I really don't care about who, what and where about ASLR. I am just happy it is in Vista. The rest doesn't address security.

You can get enhanced ASLR for free:

WehnTrust

ASLR is the least of my concerns however.

I haven't seen much of anything with a Linux OS in it. I have heard tons of hype about it in tech news though.

I wouldn't use or put anyone on Windows 95 ever. Absolutely no security is just one of many problems with 95. I actually don't use or recommend anything but Windows 2000 or XP for many reasons.

Andrew said...

"I did a simple web-search for "Linux" and "Windows XP". The Windows search returned 103 million hits, the Linux search returned 201 million hits."

Is that a joke? Try "Windows" which returns 665 million hits. But how many websites have a word in it, hardly represents the usage. Just because Linux is talked about to death does not mean it is widely used! End users don't all have websites and the majority probably have myspace or blog pages where they talk about ANYTHING but computers or Windows or Linux. I am surprised no one knows the true abysmal market share Linux has!

"It is impossible to know how many Linux desktop users there are, but it has been estimated that the number is around 29 million and growing fast."

Estimated by whom? "Growing fast"? Is that another joke? 0.37% market share is growing fast? Are you delusional? How many years has Linux been out? The fact remains it is the ultimate desktop failure ever! Nothing has gotten more press to fail so badly. Even giving something away for free doesn't help.

I spend no time searching for or updating anything. It is all automatic and I don't get infected with anything.

Andrew said...

Talk about propaganda. Only Linux could get away with fabricating some imaginary number like 29 Million users based on estimating a 118k Registered users!

martin said...

Outbound filtering causes some of the most problems for home users. Talk to anyone who works at a Microsoft helpdesk and they will tell you one of their #1 problems with people losing internet access is the third party firewall blocking it. From a security standpoint it does nothing to prevent you from getting infected since you already have to be infected for it to try and connect out. The article I linked to proves conclusively why it is impossible to guarantee outbound filtering with someone running as an administrator in Windows XP. The problem is so called Windows "experts" irresponsibly recommend third party firewalls to people who do not need it. Instead of giving them accurate security advice. They scare them with ridiculous FUD.

Yes, if a user is running as an administrator, anything they run could theoretically disable the firewall, antivirus or other software.

I too have seen users get nervous when popups regarding system processes that look foreign are asking permission to act as servers or clients to alien IP addresses. Blocking the wrong service can lead to the internet appearing as if it's unreachable.

Working in the role of an administrator tends to taint my view of what a firewall should do.

I will admit, the Windows firewall does a good job of stealthing inbound ports. I am glad Microsoft pushed it more heavily to customers in SP2.

The average user does not care. I work with end users daily and they simply say yes and let everything connect. They do whatever is easier. I found massively infected machines with third party firewalls and all the malicious ports and applications were allowed access. These are the applications not designed to circumvent a third party firewall. As for regular applications? They still don't care. Those that do already use a third party firewall. But telling the average user they need one is irresponsible.

When you take the average user's computer skills into question, the argument for third party firewalls does need a fair amount of skepticism.

No it wouldn't if it connected as IE.exe! Most people wouldn't check and when you look in the program control section you would find two separate programs, one would be the real internet explorer the other would be IE.exe using the same exact icon but be a malicious program! Once you have system access there are many ways to bypass a third party firewall and with the freely available rootkits, it can easily go undetected. Do you realize what you are trying to do? You are attempting to stop something from connecting to the Internet AFTER it has already infected your machine! That is idiotic and impossible on Windows XP running as an admin.

You are completely right!

Anything can be blocked if you are running the firewall on separate secure server or from a good hardware firewall. The only people that would want to block Skype are businesses or educational institutions. That would be done from a central location and has nothing to do with the XP firewall!

That was the role I had in mind. If someone doesn't want to cough up the cash for ISA/Commercial Firewall/Hardware Firewall, pf or iptables does become useful.

I haven't seen much of anything with a Linux OS in it. I have heard tons of hype about it in tech news though.

Motorola's successor to the razr is supposed to use Linux. The TomTom gps device uses it. The Tivo uses it. A lot of routers, and cable/dsl modems have it. The OLPC has it (I think it is a joke, though.) Nokia has a new internet tablet.

The main competition seems to come from VxWorks on networking devices and Symbian/Windows Mobile on smart phones/pdas. I used to have a handheld laptop like device from LG that ran CE, but I have not seen it since.

I wouldn't use or put anyone on Windows 95 ever. Absolutely no security is just one of many problems with 95. I actually don't use or recommend anything but Windows 2000 or XP for many reasons.

As far as stability or support for modern software, Windows 2000 or XP are definitely better choices. NT is way beyond DOS in terms of sound architecture.

My question still stands, if you knew that someone needed Windows 95, and only accessed the outside world through a web browser, what security issues would be presented by loading a recent copy of Opera or Firefox and putting them behind a decent firewall?

I know that a billion vulnerabilities are probably waiting to be exploited, but if the user was knowledgeable, and had no one malicious on the local network or using the machine locally what security issues are there?

Windows and Linux have many vulnerabilities to be discovered, and there is a good possibility at least one hasn't been publicly disclosed. Even beyond that, the many that haven't been addressed at all will pose an issue to your system's security.

Once patches stop you cannot guarantee security.

Security is never a guarantee. All that someone can promise is to issue patches to known vulnerabilities within a reasonable period.

Andrew said...

"Yes, if a user is running as an administrator, anything they run could theoretically disable the firewall, antivirus or other software."

The difference with AntiVirus is it is designed to catch the infection BEFORE it can do anything. If it catches it then there is nothing to do. Outbound filtering on a firewall is trying to stop something that has already infected you.

"That was the role I had in mind. If someone doesn't want to cough up the cash for ISA/Commercial Firewall/Hardware Firewall, pf or iptables does become useful."

I understand and see how it can be useful in a server environment but I was never discussing that. The Windows XP Firewall is strictly an end user based firewall since XP is an end user OS.

"My question still stands, if you knew that someone needed Windows 95, and only accessed the outside world through a web browser, what security issues would be presented by loading a recent copy of Opera or Firefox and putting them behind a decent firewall?"

I wouldn't run it and wouldn't put my reputation behind it. Can you even find a firewall that still supports 95? Like I said you will not find me using anything but Windows 2000 or XP.

"Security is never a guarantee. All that someone can promise is to issue patches to known vulnerabilities within a reasonable period."

It is definitely NOT guaranteed when you know known vulnerabilities will NEVER be patched.

Andrew said...

"Out of those Linux security holes, how many are on the OS and not on other programs installed on the base system? If we say install a few IM clients, Office, Photoshop, Adobe Reader, Flash, Winamp, RealPlayer, and many other programs you need to actually use XP, you'll find out that Windows has a huge amount of TOTAL vulnerabilities. You should break out the numbers before quoting them."

Did you not read the page? They are Linux Kernel Vulnerabilities.


You mean Platform Vulnerabilities? Linux still loses:

Cyber Security Bulletin 2005 Summary

"Between January 2005 and December 2005 there were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities"