[ISN] Microsoft calls 'foul' on OS vulnerability data

From: InfoSec News (isnat_private)
Date: Fri Nov 08 2002 - 01:03:18 PST

  • Next message: InfoSec News: "[ISN] NPA reports hackers attacking its computers"

    By Paul Roberts, IDG News Service
    NOVEMBER 07, 2002
    Microsoft Corp. is responding to a report published last week by
    London-based security intelligence firm Mi2g Ltd. that claimed that
    the Apple Macintosh operating system and certain varieties of Unix are
    less vulnerable to attack than the popular Windows and Linux operating
    The report, a summary of which was released to the public by Mi2g,
    attributed 44% of the software vulnerabilities announced in the first
    10 months of 2002 to Microsoft's Windows operating system and 19% to
    the open-source Linux operating system. By comparison, the company
    attributed only 1.9% to Apple Computer Inc.'s Mac OS.
    In an interview, Mike Nash, vice president of the security business
    unit at Microsoft, said he feels those numbers are misleading.
    "Essentially what [Mi2g] has done is look at a combination of
    vulnerabilities announced by vendors and new vulnerabilities reported
    by users," Nash said. "There's no way to determine if the same issue
    is counted multiple times, or if erroneous vulnerabilities are being
    Products with more customers, like Microsoft Windows, are bound to
    have more vulnerabilities reported under such a system regardless of
    whether those products are less or more secure than the competition,
    according to Nash.
    Jan Anderson, a member of Mi2g's Intelligence Unit, says that the
    small size of the Mac OS user base -- what Mi2g refers to as "security
    through obscurity" -- doesn't entirely account for Mi2g's results,
    "Our main point here is that although only about 3% of systems are
    running Mac OS, the proportion of attacks suffered by these systems is
    60 times less than this, i.e., 0.05 percent. There are also relatively
    few known vulnerabilities of Mac OS as stated in the news release,"  
    Anderson wrote in an e-mail response to questions.
    The issue may come down to which vulnerabilities get counted and which
    In a statement, Mi2g said that the company is in touch with Microsoft
    at a senior level and that the two companies are working together to
    deal with the issue of vulnerability counting.
    "Our methodology relies on collecting vulnerabilities and slotting
    them into two categories: confirmed vulnerabilities and candidate
    vulnerabilities. We collect our vulnerabilities from recognized,
    credible and reliable sources including CERT, eliminating all
    duplicates and discounting for multiple references. We do look at
    vulnerabilities which affect a particular operating system as a whole
    even though they may originate at a server or application level," Mi2g
    D.K. Matai, CEO of Mi2g, said removing unconfirmed reports from Mi2g's
    numbers doesn't improve the picture for Microsoft.
    "Even there, we note that Microsoft doesn't account for 44% of
    vulnerabilities; it accounts for 54%," Matai said.
    According to Matai, Mi2g compares its data against that maintained by
    independent software vulnerability tracking organizations such as the
    CERT Coordination Center at Carnegie Mellon University in Pittsburgh,
    and the company's numbers are consistent with those maintained by
    CERT declined to comment on the vulnerability data it maintains.
    Regardless, software industry analysts and security experts agree that
    looking at the number of reported vulnerabilities is a poor measure of
    an operating system's security.
    "Comparing the number of vulnerabilities to shipments of the software
    is interesting, but not very useful," said Dan Kusnetzky, vice
    president of systems software research at IDC in Framingham, Mass.
    "All software is written by people, and people are fallible. The thing
    to look at that's more important is, when problems show up, of any
    kind, what is the response from the software vendor? How quick is the
    response? If the response comes six months after a problem was
    reported, that's not good."
    Marc Maffre, chief hacking officer at Aliso Viejo, Calif.-based eEye
    Digital Security Inc., agreed.
    "All operating systems have vulnerabilities," Maffre said. "The
    question is, How fast were they fixed? and, Is there a way to secure
    the vulnerability in advance of a fix -- a guideline document that
    would have helped?"
    While Apple's operating system may have fewer reported software
    vulnerabilities, Maffre and Kusnetzky both said, there are also few
    incentives driving hackers or companies like eEye to scour that
    "Breaking into Mac isn't something that gets a hacker kudos in his or
    her community. Breaking Microsoft gives that person the ego dollars
    that they depend upon," Kusnetzky said.
    Asked what businesses and individuals should do to assess the relative
    security of the various operating systems, Maffre and Kusnetzky both
    suggested that customers focus on securing their systems and assessing
    the ability of the software vendor to respond to problems as they
    arise, as opposed to worrying about the number of vulnerabilities.
    But both Maffre and Kusnetzky declined to give Microsoft a pass on the
    question of security.
    "Microsoft does need to do a better job at being secure," Maffre said.  
    "There are too many trivial mistakes that you'd think a billion-dollar
    company wouldn't make."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 04:06:53 PST