Is Windows Vista Really More Secure Than Linux or OS X?
Published: June 27, 2007
by Alex Woodie
In the first six months of availability, Windows Vista has proved itself to be more secure than either Linux or Mac OS/X, as well as its predecessor, Windows XP, according to a report published by a Microsoft security researcher this month. However, while one might be led to believe that Microsoft is making real progress by looking at its public security patch track record, what Microsoft doesn't say about its patches may cast a different light on what's actually going on.
Jeff Jones, a strategy director in Microsoft's Security Technology Unit (STU), analyzed the frequency of patched and unpatched security vulnerabilities during the first six months various vendors' operating systems became available, and published them in a report titled "Windows Vista 6-Month Vulnerability Report."
During the first six months of availability, Jones found that Microsoft issued four patches fixing a total of 12 security flaws in Windows Vista, five of which the software giant considered critical. However, according to Jones, there are still 15 unpatched security vulnerabilities currently affecting Vista, although he says only one of them is considered a serious problem, with four of them garnering "medium" severity ratings. Adding these up brings a total of 27 known security problems in Windows Vista during the first six months of availability.
By contrast, Windows XP experienced a total of 39 security flaws, including 36 that were patched during that time frame and three that were not, according to Jones' research. Twenty-three of these flaws were considered serious problems, Jones says.
Next, Jones analyzed the security flaw rate during the first six months of availability for Linux distributions from Red Hat and Novell.
When Red Hat Enterprise Linux 4 Workstation shipped in February 2005, there were already 129 publicly disclosed vulnerabilities in all components shipped with the software, 40 of which were given the "high severity" label. However, to provide a better comparison, Jones looked at a "stripped down" version of the operating system that included just the bare components. With this package, Jones found a total of 214 fixes from Red Hat over the first six months, including 62 high severity fixes. At the end of six months, 59 publicly disclosed vulnerabilities had yet to be patched, including 12 that were critical.
Jones also looked at Novell's SuSE Linux Enterprise Desktop 10, which shipped in July 2006. When this operating system shipped, there were already 23 security vulnerabilities spanning all components of the package, including five of which were considered highly severe. Just like Jones did with Red Hat, he only examined the reduced set of components in SuSE Linux Enterprise Desktop 10 and found that, over the first six months of availability, the company patched 123 vulnerabilities in the operating system, 44 of which had the high severity label. At the end of six months, 20 publicly disclosed vulnerabilities were still unpatched, and six of them had the high severity label.
Apple didn't fare much better in Jones' analysis of Mac OS X 10.4. When this operating system shipped in April 2005, there were already 10 publicly disclosed vulnerabilities in it, three of which were high severity flaws. Over the first six months, Apple fixed 60 vulnerabilities in the operating system, including 18 with the high severity label. There were still 16 unpatched flaws in OS X 10.4 after the first six months, including three that were very dangerous flaws, according to Jones.
So what do all these numbers mean? According to Jones, they show that Vista should be considered a more secure operating system than the latest Linux and OS X products, and that Microsoft has made real progress in securing Windows.
"In all four cases studied for the six-month period after ship, Windows Vista appears to have a lower vulnerability fix and disclosure rate than the other products analyzed, including the reduced Linux installations," Jones concludes. "The results of the analysis show that, as it did at the 90-day mark, Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile relative to comparable modern competitive operating systems."
While one can't argue with Jones' numbers or his analysis, which look (mostly) solid, one can question what the results mean. From an aggregate point of view, Windows is unquestionably responsible for a much larger number of security holes, malware infections, and hacker intrusions than Linux and OS X combined. This is due, of course, to the fact that the Windows installed base is an order of magnitude larger than the Linux/OS X installed base. So in terms of actual damage done due to security vulnerabilities, Windows (primarily Windows XP, since that is what is out there) is the conduit for a far greater amount of hacker escapades and malware infections than Linux and OS X.
There's also the matter of how Microsoft counts security exposures. Earlier this month, the software giant issued Microsoft Security Bulletin MS07-032, which fixed what it considered a moderate "information disclosure" flaw in Windows Vista that could allow a hacker to sign onto a system using an administrator's user name and password (which were mistakenly left in plain text in the registry).
While MS07-032 didn't qualify as a "critical" remote code execution vulnerability by itself, it could easily lead to one if a hacker signed onto the system using the administrator's user name and password, and that is what led Eric Schultze, chief security architect for security software researcher and developer Shavlik Technologies, to declare that Microsoft was being less than truthful about the nature of the problem. Despite its apparent risks, MS07-032 was not included in Jones' analysis of Vista vulnerabilities, even though it was issued before the published date on Jones' report.
Microsoft has also been known to sneak fixes into patches without telling anybody about them. Two eEye Digital Security researchers, Steve Manzuik and Andre Protas, discovered secret patches for Windows 2000 in an update rollup. "They feel that by talking about every little problem in the patch, it increases the end user risk," Manzuik said in a March 2006 IT Jungle exclusive. "[But] not talking about it doesn't mean it doesn't exist. It just means the bad guys will be finding them."
Other security experts have suggested that more Windows Vista flaws will be discovered in the near future as more people begin to use the new operating system and malware writers delve into the code. Re-use of old, Windows XP-era code is a big concern in this regard, according to Amol Sarwate, manager of vulnerability research at Qualys. Sarwate says the discovery of the .ANI vulnerability in April suggests that "this is the beginning of the weaknesses that we will see this year with Vista and that Microsoft's reuse of code from previous versions of Windows can weaken Microsoft's new Security Development Lifecycle."
Jones, for his part, says the SDL is working. In his paper, Jones says the "SDL process and heightened focus on security is having a positive impact on Microsoft Windows in terms of fewer vulnerabilities."
You can download a copy of Jones' report at www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf.
RELATED STORIES
Vista's Security Honeymoon Is Over
Symantec Gives Vista Security a So-So Grade
Windows Vista: It's All About the Security
Symantec Critical of Windows Vista Security
Yankee Group Gives Mixed Review of Vista Security Features
Microsoft Security Patches Include Hidden Surprises