http://www.eweek.com/article2/0,1895,2149391,00.asp

By Lisa Vaas
June 21, 2007

News Analysis: Windows Vista only had 12 vulnerabilities in its first six months, making Linux distros look buggy by comparison, but analysts aren't convinced.

In its first six months, Windows Vista has proven to have far fewer serious security vulnerabilities than enterprise Linux distributions and Mac OS X, claims a chief security strategist at the software company.

Jeff Jones, security strategy director in Microsoft's Trustworthy Computing Group, will tout Vista's track record in a report on June 21, the six-month anniversary of the operating system's November release.

In the report, which will be released on Jones' blog, Jones compares the number of vulnerabilities of critical, medium and low severity that have been discovered in Vista with those found in Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTS Reduced Component Set, Novell SUSE Linux Enterprise Desktop 10.8, Novell SLED 10 Reduced Component Set and Apple Mac OS X v10.4.

The score, according to Jones: In the first six months of the Vista life cycle, Microsoft has released four major security bulletins that address 12 total vulnerabilities affecting Windows Vista.

In comparison, the most popular Linux distribution, Red Hat Enterprise Linux 4 Workstation, was swamped with 129 publicly disclosed bugs in shipping components, 40 of them "High Severity." During the first six months, Red Hat fixed a total of 281 vulnerabilities in RHEL4 Workstation. Eighty-six of those fixed were rated "High Severity" by the NIST (National Institute of Standards and Technology) in the NVD (National Vulnerability Database).

By Jones' count, Vista seems to be a nigh-impregnable fortress. But counting vulnerabilities is not the best metric, say analysts and Microsoft observers.

"I get nervous about counts," said Michael Cherry, an analyst with Directions on Microsoft.
"If we get obsessed about vulnerability counts we almost put pressure on them to manipulate the count. To not report things. I wish we had a better metric than counting."

In addition, vulnerability counts are only somewhat objective, Cherry pointed out. "Let's say you're working on a module of code. You go in to fix problem A and while you're fixing problem A you find problem B. Do you count those as two problems or one? I can make a case for it being counted either way," he said.

Besides, it's hard to base a trend on a six-month security assessment, Cherry said. Most operating systems have a 10-year life cycle, and so far Vista has had a very limited deployment.

It could also be that there are more operating system guardians for Linux distros and Mac OS X, argued Joe Wilcox, editor of Microsoft Watch. More cops on the beat means that more criminals get caught.

When presented with this scenario, Austin Wilson, director of Windows Client Security Product Management for Microsoft, based in Redmond, Wash., disagreed. "I can't speak for Linux distributions; it's a good question to ask them," he said. "I'm certainly happy to talk about Vista."

Microsoft's Jones admitted that many think it's unfair to count the vulnerabilities for all of the components for the product that Red Hat ships and supports as Red Hat Enterprise Linux 4 WS. But Jones said he's prepared with a counterargument.

"To accommodate that idea, I will additionally analyze a reduced set of RHEL4WS components that deliver functionality comparable to Windows XP and exclude other optional components," he said.

"Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don't have a comparable component on a Microsoft Windows operating system," he continued.
"It is a common objection to any Windows and Linux comparison that counting the 'optional' applications against the Linux distribution is unfair, so I've completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS.

"You may read 'Red Hat and Windows: Defining an Apples-to-Apples Workstation Build' for more details, but basically I install an RHEL4WS computer and I exclude any component that is not installed by default, which includes all optional 'server' components that ship with RHEL4WS. I additionally exclude text-Internet, graphics (the Gimp stuff) and office (OpenOffice) and Development Tools (gcc, etc.) installation groups. I use the rpm command to list out all packages that get installed and use that package list to filter vulnerabilities."

Jones described the result as a Gnome-Windows workstation that includes standard system management tools and Firefox for browsing, sound and video support, but excludes all server packages, as well as OpenOffice and other optional components that a Windows system wouldn't have by default. He compared the security performance of this reduced RHEL4WS build to Vista's.

During the first six months, Red Hat fixed 214 vulnerabilities affecting the reduced RHEL4WS set of components. Sixty-two of those addressed were of high severity. At the end of the six-month period, a total of 59 publicly disclosed vulnerabilities in the reduced set of components did not yet have a patch from Red Hat, 12 of them rated high severity.

"So, though the reduced component set of RHEL4WS did have a better six-month period than the full product, Red Hat customers did face a reasonably large number of vulnerabilities in the first six months," Jones wrote.

As far as Ubuntu 6.06 LTS (Long-Term Support) goes, Jones said it had 29 vulnerabilities already publicly disclosed prior to the June 1, 2006 availability date.
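The package-list filter Jones describes, in runnable form as an added example (this is not Jones' script or Microsoft's tooling; the package names, installation-group names, placeholder CVE ids, dates and the six-month window are all constructed sample data): take the package set of a default install, drop the excluded installation groups, keep only the vulnerability records whose affected package is in that set, and tally fixed versus still-unpatched by NVD severity. The result is the same four numbers each of the per-distribution rows in the report gives: fixed in the period, fixed and high severity, unpatched at period end, unpatched and high severity.

```python
"""Added example: a runnable version of the package-list filter described above.
Not Jones' tooling; packages, groups, CVE ids, dates and the window are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set

# Installation groups excluded from the reduced workstation build (named in the text).
EXCLUDED_GROUPS = {"text-internet", "graphics", "office", "development-tools"}


@dataclass(frozen=True)
class Package:
    name: str
    group: str       # installation group the package belongs to (constructed names)
    default: bool    # installed by a default workstation install?


@dataclass(frozen=True)
class Vuln:
    cve: str                 # constructed placeholder ids, not real CVEs
    package: str             # affected package
    high: bool               # rated "High Severity" in the NVD
    disclosed: date          # public disclosure date
    fixed: Optional[date]    # vendor patch date; None if still unpatched


def reduced_component_set(packages: Iterable[Package]) -> Set[str]:
    """Stand-in for `rpm -qa` on a default install with the optional groups removed."""
    return {p.name for p in packages if p.default and p.group not in EXCLUDED_GROUPS}


def count_window(vulns: Iterable[Vuln], package_set: Set[str],
                 ship: date, end: date) -> Dict[str, int]:
    """Tally vulnerabilities whose package is in `package_set` over [ship, end]:
    those the vendor fixed inside the window, and those publicly disclosed by
    `end` but still without a patch at `end`."""
    tally = {"fixed": 0, "fixed_high": 0, "unpatched": 0, "unpatched_high": 0}
    for v in vulns:
        if v.package not in package_set or v.disclosed > end:
            continue  # not in the build, or not yet public at period end
        if v.fixed is not None and ship <= v.fixed <= end:
            tally["fixed"] += 1
            tally["fixed_high"] += int(v.high)
        elif v.fixed is None or v.fixed > end:
            tally["unpatched"] += 1
            tally["unpatched_high"] += int(v.high)
        # fixed before `ship`: already patched when the product shipped, not counted
    return tally


# --- constructed sample data (not figures from the report) -------------------
PACKAGES = [
    Package("kernel", "base", True),
    Package("firefox", "graphical-internet", True),
    Package("gimp", "graphics", True),
    Package("openoffice.org", "office", True),
    Package("gcc", "development-tools", True),
    Package("httpd", "web-server", False),   # optional server component
]
SHIP, END = date(2006, 11, 30), date(2007, 5, 30)   # constructed six-month window
VULNS = [
    Vuln("CVE-0000-0001", "kernel", True, date(2006, 11, 1), date(2006, 12, 5)),
    Vuln("CVE-0000-0002", "firefox", True, date(2007, 1, 10), None),
    Vuln("CVE-0000-0003", "httpd", True, date(2007, 2, 1), date(2007, 2, 20)),
    Vuln("CVE-0000-0004", "openoffice.org", False, date(2007, 3, 1), date(2007, 3, 15)),
    Vuln("CVE-0000-0005", "kernel", False, date(2007, 4, 1), None),
    Vuln("CVE-0000-0006", "firefox", False, date(2006, 10, 1), date(2006, 10, 20)),
    Vuln("CVE-0000-0007", "gcc", True, date(2007, 5, 1), None),
]


def compare_builds() -> Dict[str, Dict[str, int]]:
    """Full product versus reduced component set, as in the report's two RHEL4WS rows."""
    full = {p.name for p in PACKAGES}
    return {"full": count_window(VULNS, full, SHIP, END),
            "reduced": count_window(VULNS, reduced_component_set(PACKAGES), SHIP, END)}


if __name__ == "__main__":
    for build, t in compare_builds().items():
        print(f"{build:8s} fixed={t['fixed']} (high {t['fixed_high']}) "
              f"unpatched={t['unpatched']} (high {t['unpatched_high']})")
```

Two of the analysts' objections show up directly in the code: the count depends entirely on what goes into EXCLUDED_GROUPS and on whether a vendor files one record or two for related bugs (Cherry's "problem A / problem B" point), so the same data can yield different totals depending on those choices.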
Seven of the nine high-severity issues were fixed one week later on June 8. Furthermore, during the first six months, Ubuntu fixed 145 vulnerabilities affecting Ubuntu 6.06 LTS, 47 of which were rated high severity in the NVD. At the end of the six-month period, there were at least 20 publicly disclosed vulnerabilities in Ubuntu 6.06 LTS that did not yet have a patch available from Ubuntu.

A reduced-component build of Ubuntu 6.06 LTS had 74 vulnerabilities in its first six months, Jones said, 28 of which were deemed high severity. At the end of the six-month period, a total of 11 publicly disclosed vulnerabilities in the reduced set of components did not yet have a patch from Ubuntu, two of which were rated high severity, he said.

Novell's SLED 10 (SUSE Linux Enterprise Desktop 10), released on July 17, 2006, had "at least 23 vulnerabilities" already publicly disclosed prior to the ship date, and Novell provided fixes for 20 of these in the first six months, Jones said. Of those, five flaws were high severity.

During the first six months, Novell fixed a total of 159 vulnerabilities affecting SLED 10, of which 50 were rated high severity in the NVD. At the end of the six-month period, there were at least 27 publicly disclosed vulnerabilities in SLED 10 that did not yet have a patch from Novell, six of them high severity.

For the reduced component build of SLED 10, in its first six months, according to Jones' count, Novell fixed 123 vulnerabilities affecting the reduced SLED10 desktop set of components. Forty-four of those addressed were of high severity. At the end of the six-month period, a total of 20 publicly disclosed vulnerabilities in the reduced set of components did not yet have a patch from Novell, six of them rated high severity.

As for Mac OS X, Mac OS X v10.4 had 10 vulnerabilities already publicly disclosed prior to the April 29, 2005 ship date and Apple provided fixes for nine of these during the first six months after shipment.
Three of the vulnerabilities were high severity. During the first six months, Apple fixed a total of 60 vulnerabilities affecting Mac OS X v10.4, of which 18 were rated high severity in the NVD. At the end of the six-month period, Mac OS X v10.4 still had 16 publicly disclosed vulnerabilities that did not yet have a patch available from Apple, three of them rated high severity.

Jones also compared Vista's performance with the number of embarrassments Windows XP suffered in its first six months. According to Jones, when Windows XP shipped, there were already three vulnerabilities in Internet Explorer that had been disclosed and fixed three weeks previously. Consequently, new users needed to apply an IE patch immediately to address those.

Microsoft fixed a total of 36 vulnerabilities (including the three mentioned above) during the first six months the product was available. Twenty-three of the vulnerabilities were rated high severity in the NVD. At the end of the six-month period, three publicly disclosed vulnerabilities did not yet have a patch available from Microsoft, two of which (CVE-2002-0189 and CVE-2002-0694) were rated high severity by NIST. The other was rated low severity.

"So, with respect to its predecessor product, Windows Vista seems to have a better initial 90 days, with one-third as many vulnerabilities fixed and with both Windows Vista and Windows XP having only two high-severity issues outstanding at the end of the six-month period," Jones wrote in the report.

The most serious of Vista's unfixed vulnerabilities is that the operating system implements a Teredo address without user action upon connection to the Internet. This is a problem Symantec raised in March about Microsoft's use of the proprietary IP tunneling protocol, used to transition to IPv6 from IPv4.
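What being "Teredo-aware" means in practice, as an added example (not code from the article, from Symantec or from Microsoft): a Teredo address is an ordinary-looking IPv6 address under the 2001::/32 prefix that encodes the Teredo server's IPv4 address, a flags field, and the client's NAT-mapped UDP port and public IPv4 address, the last two XORed with all-ones, as laid out in RFC 4380. A firewall or IDS that only sees the outer UDP packet, or only the inner IPv6 header, never sees the IPv4 endpoint its policy should really apply to; the parser below recovers it. The sample list is constructed, except its first address, which is the one worked through in RFC 4380's own examples.

```python
"""Added example: decode Teredo (RFC 4380) IPv6 addresses so a filter can see the
IPv4 endpoints behind the tunnel.  Not code from the article or from Microsoft."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # 2001:0000::/32, RFC 4380
TEREDO_UDP_PORT = 3544   # server-side UDP port (RFC 4380); what a UDP rule keys on


@dataclass(frozen=True)
class TeredoEndpoint:
    server: str        # Teredo server IPv4 address
    cone: bool         # "cone NAT" flag (bit 0x8000 of the flags field)
    client_port: int   # client's NAT-mapped UDP port
    client_ip: str     # client's public (NAT-mapped) IPv4 address


def parse_teredo(addr: str) -> Optional[TeredoEndpoint]:
    """Return the endpoints encoded in a Teredo address, or None if it is not one."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed                                    # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])           # bits 32-63: server IPv4
    flags = int.from_bytes(raw[8:10], "big")           # bits 64-79: flags
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF  # bits 80-95: obscured port
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # bits 96-127
    return TeredoEndpoint(str(server), bool(flags & 0x8000), port, str(client))


def tunnelled_sources(addrs: List[str]) -> List[str]:
    """Detection helper: for observed IPv6 source addresses, report the real IPv4
    client behind every Teredo address as 'ipv6 -> ipv4:port via server'.  Native
    IPv6 sources are left out, which is the point: a Teredo source deserves the
    firewall/IDS policy of its IPv4 endpoint, not that of a trusted IPv6 range."""
    out = []
    for a in addrs:
        t = parse_teredo(a)
        if t is not None:
            out.append(f"{a} -> {t.client_ip}:{t.client_port} via server {t.server}")
    return out


# Constructed sample: the first entry is the address worked through in RFC 4380
# (server 65.54.227.120, cone NAT, client 192.0.2.45 on UDP port 40000); the
# others are a documentation-prefix address and a link-local one, neither Teredo.
SAMPLE_SOURCES = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "2001:db8::1",
    "fe80::1",
]

if __name__ == "__main__":
    for line in tunnelled_sources(SAMPLE_SOURCES):
        print(line)
```

The decoding is the easy half; a Teredo-aware device also has to strip the UDP encapsulation and inspect the inner IPv6 packet, which is the "decapsulate" step Friedrichs refers to. Without both, the inner traffic is judged only by the outer UDP flow.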
The issue with Teredo, according to Symantec's Oliver Friedrichs, director of emerging technologies for Symantec, based in Cupertino, Calif., is that many firewalls and intrusion detection systems are not Teredo-aware. "They're not familiar with the protocol or how to decapsulate the protocol. That means, for one, when we're talking about a firewall, Teredo may allow attacks to circumvent or bypass the firewall," Friedrichs said at the time.

Microsoft is pointing proudly to Vista's security performance, particularly given that its client is the first to go through its secure development life-cycle process. That process involves the creation of a threat model for each new feature, along with vetting by outsider security researchers.

"From the start, with Windows Vista, we said for any new feature in the product we're going to first of all start with a threat model," Wilson said. "Every feature had to have a threat model. When developing you have to say, What are the things you have to do if a bad guy was going to exploit [a feature]? Evaluating threat models, that's brand-new in Vista."

Microsoft also hired a "significant number" of third-party security researchers to come onto campus in 2006, Wilson pointed out. They were given access to source code and told to hammer away at vulnerabilities. Many of those researchers went on to present findings at the Black Hat security conference. Also at Black Hat in July 2006, Microsoft gave a copy of the Vista beta to participants, inviting them to find vulnerabilities.

"We think the big difference was a hard-core focus on doing the right thing from an engineering standpoint end-to-end on the product, and using third-party researchers to look at it," Wilson said.

UAC (User Account Control) is one example of how a feature was changed in reaction to its threat model.
Microsoft painted a scenario where if the user is running as a standard user and wants to do an administrative action, he or she will get a prompt to proceed as an administrator. Early threat models posed the question, What would happen if somebody spoofed the user into thinking he or she was typing passwords into the system, but in fact the user was actually giving a third party the log-in and password?

"We determined that the prompt needed to happen on a secure desktop, where the code can't run where the user interface is spoofed," Wilson said. "That's one example of [Microsoft creating] a threat model, saying, Hey, could somebody spoof that dialogue? The answer was we saw the potential, so we did a change to the code to make sure that threat couldn't happen."

In related news, security blogger Ryan Naraine blogged on June 20 about Microsoft having silently fixed vulnerabilities in its bulletins, what he called "a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions."

However, Cherry of Directions on Microsoft couldn't get excited about the issue. "I don't understand what the surprise is about. Microsoft is continually finding things in the code, and they fix them. And so, if nobody's reported it yet, I don't see the harm in why they have to tell somebody they're there. And when they get to a service pack, they always have told us what's in it. [They have] a large list of what fixes are there. There will always be some that you've never heard a whisper about."