[ISN] MS: Vista More Secure than Linux, Mac OS X

From: InfoSec News (alerts@private)
Date: Fri Jun 22 2007 - 00:02:37 PDT


http://www.eweek.com/article2/0,1895,2149391,00.asp

By Lisa Vaas
June 21, 2007

News Analysis: Windows Vista only had 12 vulnerabilities in its first 
six months, making Linux distros look buggy by comparison, but analysts 
aren't convinced.

In its first six months, Windows Vista has proven to have far fewer 
serious security vulnerabilities than enterprise Linux distributions and 
Mac OS X, claims a chief security strategist at the software company.

Jeff Jones, security strategy director in Microsoft's Trustworthy 
Computing Group, will tout Vista's track record in a report on June 21 
covering the six months since the operating system's November 2006 
release to business customers.

In the report, which will be released on Jones' blog, Jones compares the 
number of vulnerabilities of critical, medium and low severity that have 
been discovered in Vista with those found in Windows XP, Red Hat 
Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTS Reduced 
Component Set, Novell SUSE Linux Enterprise Desktop 10, Novell SLED 10 
Reduced Component Set and Apple Mac OS X v10.4.

The score, according to Jones: In the first six months of the Vista life 
cycle, Microsoft has released four major security bulletins that address 
12 total vulnerabilities affecting Windows Vista.

In comparison, the most popular Linux distribution, Red Hat Enterprise 
Linux 4 Workstation, was swamped with 129 publicly disclosed bugs in 
shipping components, 40 of them "High Severity." During the first six 
months, Red Hat fixed a total of 281 vulnerabilities in RHEL4 
Workstation. Eighty-six of those fixed were rated "High Severity" by the 
NIST (National Institute of Standards and Technology) in the NVD 
(National Vulnerability Database).

By Jones' count, Vista seems to be a nigh-impregnable fortress. But 
counting vulnerabilities is not the best metric, say analysts and 
Microsoft observers.

"I get nervous about counts," said Michael Cherry, an analyst with 
Directions on Microsoft. "If we get obsessed about vulnerability counts 
we almost put pressure on them to manipulate the count. To not report 
things. I wish we had a better metric than counting."

In addition, vulnerability counts are only somewhat objective, Cherry 
pointed out. "Let's say you're working on a module of code. You go in to 
fix problem A and while you're fixing problem A you find problem B. Do 
you count those as two problems or one? I can make a case for it being 
counted either way," he said.

Besides, it's hard to base a trend on a six-month security assessment, 
Cherry said. Most operating systems have a 10-year life cycle, and so 
far Vista has had a very limited deployment.

It could also be that there are more operating system guardians for 
Linux distros and Mac OS X, argued Joe Wilcox, editor of Microsoft 
Watch. More cops on the beat means that more criminals get caught.

When presented with this scenario, Austin Wilson, director of Windows 
Client Security Product Management for Microsoft, based in Redmond, 
Wash., disagreed. "I can't speak for Linux distributions; it's a good 
question to ask them," he said. "I'm certainly happy to talk about 
Vista."

Microsoft's Jones admitted that many think it's unfair to count the 
vulnerabilities for all of the components for the product that Red Hat 
ships and supports as Red Hat Enterprise Linux 4 WS. But Jones said he's 
prepared with a counterargument. "To accommodate that idea, I will 
additionally analyze a reduced set of RHEL4WS components that deliver 
functionality comparable to Windows XP and exclude other optional 
components," he said.

"Linux distribution vendors add value to their workstation distributions 
by including and supporting many applications that don't have a 
comparable component on a Microsoft Windows operating system," he 
continued. "It is a common objection to any Windows and Linux comparison 
that counting the 'optional' applications against the Linux distribution 
is unfair, so I've completed an extra level of analysis to exclude 
component vulnerabilities that do not have comparable functionality 
shipping with a Windows OS.

"You may read 'Red Hat and Windows: Defining an Apples-to-Apples 
Workstation Build' for more details, but basically I install an RHEL4WS 
computer and I exclude any component that is not installed by default, 
which includes all optional 'server' components that ship with RHEL4WS. 
I additionally exclude text-Internet, graphics (the Gimp stuff) and 
office (OpenOffice) and Development Tools (gcc, etc.) installation 
groups. I use the rpm command to list out all packages that get 
installed and use that package list to filter vulnerabilities."

Jones described the result as a Gnome-Windows workstation that includes 
standard system management tools and Firefox for browsing, sound and 
video support, but excludes all server packages, as well as OpenOffice 
and other optional components that a Windows system wouldn't have by 
default.
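The filtering Jones describes can be reproduced in a short script. The following is an added example, not code from the article or from Jones' report: it takes the package names that `rpm -qa --qf '%{NAME}\n'` would print, keeps only vulnerability records whose fixed package is in that list, and applies the report's three counts (fixed inside the window, high severity among those, still unpatched at the end of the window) to both a full and a reduced install. The package names, dates, six-month window and CVE-0000-* placeholders are all constructed for illustration and are not real advisories. Buckets are keyed by CVE id, which is one concrete answer to the one-problem-or-two question Cherry raises.

```python
"""Six-month vulnerability counts filtered to an installed package set.

Added example, not code from the article or from Jones' report. It follows
the method the quote describes: take the package list from rpm, then count,
within a six-month window, only vulnerabilities whose fixed package is in
that list. All package names, dates and CVE ids below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    cve: str                # identifier used for de-duplication
    package: str            # distro package the fix shipped in
    severity: str           # NVD bucket: HIGH / MEDIUM / LOW
    disclosed: date         # public disclosure date
    fixed: Optional[date]   # vendor fix date, None if still unpatched


def parse_rpm_names(rpm_output):
    """Package names from `rpm -qa --qf '%{NAME}\\n'` output, one per line."""
    return {line.strip() for line in rpm_output.splitlines() if line.strip()}


def count_window(vulns, installed, start, end):
    """Apply the report's counts to one component set.

    fixed:     fix shipped inside [start, end] for an installed package
    unpatched: public by `end`, installed, and no fix available by `end`
    pre_ship:  already public before `start` (i.e. on release day)
    Each bucket is a set of CVE ids, so one CVE fixed in two packages
    counts once rather than twice.
    """
    scope = [v for v in vulns if v.package in installed]
    in_window = [v for v in scope if v.fixed and start <= v.fixed <= end]
    open_at_end = [v for v in scope
                   if v.disclosed <= end and (v.fixed is None or v.fixed > end)]
    return {
        "fixed": len({v.cve for v in in_window}),
        "fixed_high": len({v.cve for v in in_window if v.severity == "HIGH"}),
        "unpatched": len({v.cve for v in open_at_end}),
        "unpatched_high": len({v.cve for v in open_at_end if v.severity == "HIGH"}),
        "pre_ship": len({v.cve for v in scope if v.disclosed < start}),
    }


# Constructed `rpm -qa --qf '%{NAME}\n'` output for a default GNOME
# workstation (hypothetical), and the same box with server/optional groups.
REDUCED_RPM = "kernel\nglibc\nopenssl\nfirefox\ngnome-session\ncups\n"
FULL_RPM = REDUCED_RPM + "httpd\nopenoffice.org\ngcc\n"

# Constructed records; the CVE ids are placeholders, not real NVD entries.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", "kernel",         "HIGH",   date(2006, 12, 5),  date(2006, 12, 20)),
    Vuln("CVE-0000-0002", "firefox",        "HIGH",   date(2007, 1, 10),  date(2007, 1, 12)),
    Vuln("CVE-0000-0003", "openssl",        "MEDIUM", date(2006, 11, 1),  date(2006, 12, 1)),
    Vuln("CVE-0000-0004", "httpd",          "HIGH",   date(2007, 2, 3),   date(2007, 2, 15)),
    Vuln("CVE-0000-0005", "openoffice.org", "MEDIUM", date(2007, 3, 3),   None),
    Vuln("CVE-0000-0006", "cups",           "LOW",    date(2007, 4, 1),   None),
    Vuln("CVE-0000-0007", "glibc",          "HIGH",   date(2007, 5, 25),  None),
    Vuln("CVE-0000-0008", "kernel",         "HIGH",   date(2006, 10, 15), date(2006, 12, 20)),
    Vuln("CVE-0000-0009", "firefox",        "MEDIUM", date(2007, 6, 10),  date(2007, 6, 12)),
]

# Illustrative six-month window (chosen for the example, not taken from the report).
WINDOW_START, WINDOW_END = date(2006, 11, 30), date(2007, 5, 30)


def report(vulns=SAMPLE_VULNS, start=WINDOW_START, end=WINDOW_END):
    """Full product vs. reduced component set, side by side."""
    return {
        "full": count_window(vulns, parse_rpm_names(FULL_RPM), start, end),
        "reduced": count_window(vulns, parse_rpm_names(REDUCED_RPM), start, end),
    }


if __name__ == "__main__":
    for name, counts in report().items():
        print(f"{name:8s}", counts)
```

Run as-is it prints both rows; the reduced set loses the httpd fix and the open OpenOffice bug, which is exactly the effect the quote is after. Feeding it real data means mapping each CVE to the distro package that shipped its fix, and that mapping is where such counts become arguable.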

He compared the security performance of this reduced RHEL4WS build to 
Vista's. During the first six months, Red Hat fixed 214 vulnerabilities 
affecting the reduced RHEL4WS set of components. Sixty-two of those 
addressed were of high severity. At the end of the six-month period, a 
total of 59 publicly disclosed vulnerabilities in the reduced set of 
components did not yet have a patch from Red Hat, 12 of them rated high 
severity.

"So, though the reduced component set of RHEL4WS did have a better 
six-month period than the full product, Red Hat customers did face a 
reasonably large number of vulnerabilities in the first six months," 
Jones wrote.

As far as Ubuntu 6.06 LTS (Long-Term Support) goes, Jones said it had 29 
vulnerabilities already publicly disclosed prior to the June 1, 2006 
availability date. Seven of the nine high-severity issues were fixed one 
week later on June 8. Furthermore, during the first six months, Ubuntu 
fixed 145 vulnerabilities affecting Ubuntu 6.06 LTS, 47 of which were 
rated high severity in the NVD. At the end of the six-month period, 
there were at least 20 publicly disclosed vulnerabilities in Ubuntu 6.06 
LTS that did not yet have a patch available from Ubuntu.

A reduced-component build of Ubuntu 6.06 LTS had 74 vulnerabilities in 
its first six months, Jones said, 28 of which were deemed high severity. 
At the end of the six-month period, a total of 11 publicly disclosed 
vulnerabilities in the reduced set of components did not yet have a 
patch from Ubuntu, two of which were rated high severity, he said.

Novell's SLED 10 (SUSE Linux Enterprise Desktop 10), released on July 
17, 2006, had "at least 23 vulnerabilities" already publicly disclosed 
prior to the ship date, and Novell provided fixes for 20 of these in the 
first six months, Jones said. Of those, five flaws were high severity.

During the first six months, Novell fixed a total of 159 vulnerabilities 
affecting SLED 10, of which 50 were rated high severity in the NVD. At 
the end of the six-month period, there were at least 27 publicly 
disclosed vulnerabilities in SLED 10 that did not yet have a patch from 
Novell, six of them high severity.

For the reduced component build of SLED 10, in its first six months, 
according to Jones' count, Novell fixed 123 vulnerabilities affecting 
the reduced SLED10 desktop set of components. Forty-four of those 
addressed were of high severity. At the end of the six-month period, a 
total of 20 publicly disclosed vulnerabilities in the reduced set of 
components did not yet have a patch from Novell, six of them rated high 
severity.

As for Mac OS X, Mac OS X v10.4 had 10 vulnerabilities already publicly 
disclosed prior to the April 29, 2005 ship date and Apple provided fixes 
for nine of these during the first six months after shipment. Three of 
the vulnerabilities were high severity. During the first six months, 
Apple fixed a total of 60 vulnerabilities affecting Mac OS X v10.4, of 
which 18 were rated high severity in the NVD. At the end of the 
six-month period, Mac OS X v10.4 still had 16 publicly disclosed 
vulnerabilities that did not yet have a patch available from Apple, 
three of them rated high severity.

Jones also compared Vista's performance with the number of 
embarrassments Windows XP suffered in its first six months. According to 
Jones, when Windows XP shipped, there were already three vulnerabilities 
in Internet Explorer that had been disclosed and fixed three weeks 
previously. Consequently, new users needed to apply an IE patch 
immediately to address those.

Microsoft fixed a total of 36 vulnerabilities (including the three 
mentioned above) during the first six months the product was available. 
Twenty-three of the vulnerabilities were rated high severity in the NVD. 
At the end of the six-month period, three publicly disclosed 
vulnerabilities did not yet have a patch available from Microsoft, two 
of which (CVE-2002-0189 and CVE-2002-0694) were rated high severity by 
NIST. The other was rated low severity.

"So, with respect to its predecessor product, Windows Vista seems to 
have a better initial 90 days, with one-third as many vulnerabilities 
fixed and with both Windows Vista and Windows XP having only two 
high-severity issues outstanding at the end of the six-month period," 
Jones wrote in the report.

The most serious of Vista's unfixed vulnerabilities is that the 
operating system configures a Teredo address automatically, without user 
action, as soon as it connects to the Internet. Symantec raised this in 
March over Microsoft's use of Teredo, an IPv6-over-UDP tunneling 
protocol designed at Microsoft and published as RFC 4380, which lets 
hosts behind IPv4 NATs reach IPv6 during the transition from IPv4.

The issue with Teredo, according to Symantec's Oliver Friedrichs, 
director of emerging technologies for Symantec, based in Cupertino, 
Calif., is that many firewalls and intrusion detection systems are not 
Teredo-aware. "They're not familiar with the protocol or how to 
decapsulate the protocol. That means, for one, when we're talking about 
a firewall, Teredo may allow attacks to circumvent or bypass the 
firewall," Friedrichs said at the time.
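What a Teredo-unaware firewall misses, as an added example that is not part of the article or of Symantec's analysis: the script below decodes the endpoint information a Teredo address carries (RFC 4380 layout: the 2001::/32 prefix, the Teredo server's IPv4, a flags word, and the client's NAT-mapped port and IPv4 stored bit-inverted) and strips the Teredo UDP encapsulation to expose the inner IPv6 packet. The sample is a constructed UDP/3544 payload carrying a TCP SYN to port 445; the addresses, ports and the 198.51.100.7 origin are made up for illustration, and the Teredo address itself is the well-known RFC-style example (server 65.54.227.120, client 192.0.2.45 behind port 40000).

```python
"""Look inside Teredo (RFC 4380) traffic the way a Teredo-aware firewall would.

Added example; not code from the eWeek article, Microsoft or Symantec.
Shows (1) decoding the endpoint a Teredo IPv6 address encodes and
(2) stripping the Teredo UDP encapsulation to reveal the inner IPv6 packet,
here a TCP SYN to port 445, that a filter matching only "UDP/3544" never
inspects. All packet bytes are constructed inline.
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380 Teredo prefix
TEREDO_PORT = 3544                                    # Teredo UDP service port


def decode_teredo(addr):
    """Endpoint info encoded in a Teredo address, or None if not Teredo.

    Layout (RFC 4380 sec. 4): 32-bit prefix, 32-bit server IPv4, 16-bit flags,
    16-bit obfuscated client port, 32-bit obfuscated client IPv4. Obfuscation
    is a bitwise NOT (XOR with all ones).
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed
    flags, obf_port, obf_ip = struct.unpack("!HHI", raw[8:16])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "client_ip": str(ipaddress.IPv4Address(obf_ip ^ 0xFFFFFFFF)),
        "client_port": obf_port ^ 0xFFFF,
    }


def strip_teredo_headers(payload):
    """Skip optional Teredo authentication (0x0001) and origin (0x0000) headers."""
    off = 0
    while off + 2 <= len(payload):
        tag = payload[off:off + 2]
        if tag == b"\x00\x01" and off + 4 <= len(payload):   # authentication
            id_len, au_len = payload[off + 2], payload[off + 3]
            off += 4 + id_len + au_len + 8 + 1               # + nonce(8) + confirm(1)
        elif tag == b"\x00\x00":                             # origin indication
            off += 8                                         # fixed 8 bytes
        else:
            break
    return payload[off:]


def inspect_teredo_payload(payload):
    """Parse the IPv6 packet inside a Teredo UDP payload; None if not IPv6."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", inner[4:7])
    dst = ipaddress.IPv6Address(inner[24:40])
    info = {
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(dst),
        "payload_len": payload_len,
        "next_header": next_hdr,
        "dst_teredo": decode_teredo(dst),
    }
    if next_hdr in (6, 17) and len(inner) >= 44:   # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", inner[40:44])
    return info


# --- constructed sample traffic (not a capture) -----------------------------

def build_ipv6_tcp_syn(src, dst, sport, dport):
    """Minimal IPv6 header + TCP SYN; checksums deliberately left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)   # ver 6, next=TCP, hop 64
    return (ip6 + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + tcp)


def build_teredo_udp_payload(inner, origin_ip, origin_port):
    """Prepend an origin indication the way a Teredo server/relay would."""
    origin = b"\x00\x00" + struct.pack(
        "!HI", origin_port ^ 0xFFFF,
        int(ipaddress.IPv4Address(origin_ip)) ^ 0xFFFFFFFF)
    return origin + inner


# RFC-style example address: server 65.54.227.120, cone NAT, client 192.0.2.45:40000
SAMPLE_TEREDO_ADDR = "2001:0:4136:e378:8000:63bf:3fff:fdd2"

# Constructed UDP/3544 payload: origin header + IPv6/TCP SYN to port 445.
SAMPLE_PAYLOAD = build_teredo_udp_payload(
    build_ipv6_tcp_syn("2001:db8::10", SAMPLE_TEREDO_ADDR, 51234, 445),
    "198.51.100.7", TEREDO_PORT)

if __name__ == "__main__":
    print(decode_teredo(SAMPLE_TEREDO_ADDR))
    print(inspect_teredo_payload(SAMPLE_PAYLOAD))
```

A filter that only sees "UDP to port 3544" passes this packet; the same bytes, decapsulated, are an inbound SYN to TCP/445 on the Teredo client, and the destination address alone tells you the client's public IPv4 and NAT port. That is the inspection gap Friedrichs describes.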

Microsoft is pointing proudly to Vista's security performance, 
particularly since Vista is the first Windows client release developed 
end to end under the company's Security Development Lifecycle (SDL). 
That process requires a threat model for each new feature, along with 
vetting by outside security researchers.

"From the start, with Windows Vista, we said for any new feature in the 
product we're going to first of all start with a threat model," Wilson 
said. "Every feature had to have a threat model. When developing you 
have to say, What are the things you have to do if a bad guy was going 
to exploit [a feature]? Evaluating threat models, that's brand-new in 
Vista."

Microsoft also hired a "significant number" of third-party security 
researchers to come onto campus in 2006, Wilson pointed out. They were 
given access to source code and told to hammer away at vulnerabilities. 
Many of those researchers went on to present findings at the Black Hat 
security conference. Also at Black Hat in July 2006, Microsoft gave a 
copy of the Vista beta to participants, inviting them to find 
vulnerabilities.

"We think the big difference was a hard-core focus on doing the right 
thing from an engineering standpoint end-to-end on the product, and 
using third-party researchers to look at it," Wilson said.

UAC (User Account Control) is one example of a feature changed in 
response to its threat model. In Microsoft's scenario, a user running as 
a standard user who attempts an administrative action is prompted for 
administrator credentials before proceeding. Early threat models asked 
what would happen if an attacker spoofed that prompt, so that the user 
believed he or she was typing a password into the system but was in fact 
handing the login and password to a third party.

"We determined that the prompt needed to happen on a secure desktop, 
where the code can't run where the user interface is spoofed," Wilson 
said. "That's one example of [Microsoft creating] a threat model, 
saying, Hey, could somebody spoof that dialogue? The answer was we saw 
the potential, so we did a change to the code to make sure that threat 
couldn't happen."

In related news, security blogger Ryan Naraine blogged on June 20 about 
Microsoft having silently fixed vulnerabilities in its bulletins, what he 
called "a controversial practice that effectively reduces the number of 
publicly documented bug fixes (for those keeping count) and affects 
patch management/deployment decisions."

However, Cherry of Directions on Microsoft couldn't get excited about 
the issue.

"I don't understand what the surprise is about. Microsoft is continually 
finding things in the code, and they fix them. And so, if nobody's 
reported it yet, I don't see the harm in why they have to tell somebody 
they're there. And when they get to a service pack, they always have 
told us what's in it. [They have] a large list of what fixes are there. 
There will always be some that you've never heard a whisper about."





This archive was generated by hypermail 2.1.3 : Fri Jun 22 2007 - 00:15:01 PDT