
Is MS security REALLY THAT bad Compared to Open S? 3


Spirit

Technical User
Jul 12, 2002
1,150
GB
Is MS security / coding really as bad as the media try to make out, and is Linux / Sun etc. really that secure, or is it a case of:

"I found this way to crash a server via a vulnerability in MS Exchange 2003" Answer "you da man / you go girl"
and
"I found this way to crash a server via a vulnerability in RedHat Linux" Answer "Redhat whatnow?"

Due to these "flaws" in MS I now have in place excellent patch management and firewalls with the server locked down, but should it be a case of opening it up rather than locking it down?

Just a nice one to debate in the run-up to Xmas......

Iain
 
Here's my two cents:

Microsoft, whether deserved or not, has created lots of enemies out there. Finding the security holes and "getting" Microsoft and Bill Gates seems to be a game a lot of people want to play. Microsoft's freezing out so many developers may be to blame for this.

Since about 1994, Microsoft seems to be driven totally by their marketing department, and the techies have no voice in when a product is ready for prime time. Marketing wants to churn out those new applications and new versions of Windows without adequate QA, and bugs and security be damned. They've got to get that new product out so the revenue starts rolling in. (Remember all the problems with Windows 95? Perhaps the fact that that new version was so late and still was buggy in the first editions elevated the influence of marketing.)

The administrators for Windows systems might not be as conscientious about keeping their systems patched as a Unix sys admin or AS400 sys admin or mainframe sys admin is. Even within the same company, you might see one branch whose systems never get hit by a worm or virus but another branch's systems have 80% of their systems infected. That's a result of poor sys admin and poor education of the users about keeping the virus protection up-to-date on their PCs.

 
The advantage of open source is that since you have more people, in general, looking at/inspecting/reviewing the code:
1) holes are found faster because a broader base is finding them.
2) holes are thus fixed faster.
3) interim fixes are published faster.

Microsoft is getting better and Microsoft Update is a good step. I know many companies don't use it because it increases the risk of critical systems not working on an S.O.E. because of a change. But then this means that those machines would probably be vulnerable if they were Linux/BSD etc. because if problems were found on those boxes they would be just as reluctant to change the configuration.

You'll probably find that open source programmers want their code to be cleaner because they know people will be looking at it. Microsoft programmers work in a box where they are told to do x in y amount of time using z resources. What happens in that box is not as reviewed as open source. This could mean it is "sloppier" and thus more prone to exploiting.



 
A star to bi!

And to add to that post....

Mi¢ro$oft has problems with the security of their software because of:

Popularity. Mi¢ro$oft's ubiquity makes it more available to be hacked on.

Cruft. Mi¢ro$oft is in the business of selling software, so they are constantly adding features, necessary or not, to their software.

Long-term lack of attention to securing software. The lack of sandboxing in Mi¢ro$oft's VBScript, ActiveX, and Java stacks is a prime example.


Want the best answers? Ask the best questions: TANSTAAFL!!
 
I don't know if MS "ubiquity" lends itself to being able to be hacked more. It is easier to find a box to hack, but then these script kiddies aren't finding new hacks, they are just being script kiddies.

Just because MS has more boxes out there for kiddies to hack doesn't mean their holes are bigger....in a way you might say it makes them smaller, because if a script kiddie is faced with a sea of MS boxes with a vulnerability they might be less likely to target your box compared to if they were targeting a Linux box and only had 100 targets.

Look at The Matrix Reloaded, where Trinity hacks into the power backup system in that building....that was a vulnerability in SSH. Linux, BSD, Unix, Solaris, Mac. They all have problems with buffer overflows etc. I'm not pro Microsoft, I'm just looking at this objectively. It's like saying C is better than VB. That is a broad statement and false in some cases.

Whether you like it or not, many open source projects are "in the business of selling software". Just because something is "Open Source" does not mean it is free, and I definitely wouldn't cite all "free" software as being better. Most major open source projects have a sales model. It isn't just a bunch of geeks giving up countless hours of design and development for bragging rights. Many of these people make very good money off their open source projects.
 
Just to add to perspective, since someone mentioned RedHat earlier: I was running the newest Redhat release on VMware, and since I actually signed up for their update service (they said I needed some insane number of updates - 45 or so) I now get about 1 email every ten days or less concerning a vulnerability that there is a new download for.
Looking at the list, I see Apache vulnerability fixes, iftp, kernel security, some DoS vulnerabilities, rsync remote vulnerability, OpenSSL, OpenSSH, Sendmail, etc.

I'm not trying to argue one side over the other, but I will say that they both have some pretty long lists of vulnerabilities. Considering how most of the really well known MS-targeted viruses are written after vulnerabilities are released to the general public, I think it's interesting to see that while the number of vulnerabilities is comparable, the number of viruses isn't. Kind of casts the old "there are less vulnerabilities" argument in a new light.

-T

[sub]01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111[/sub]
The never-completed website:
 
Tarwin, is it because fewer people have a chip on their shoulder about M$ so don't bother trying to attack, or is it that the integration (whether it's thrust upon us or not) between the apps isn't there with open source, so viruses don't work or are harder to write, so you don't get the script kiddies??
 
I still think it's a combination of market share and the fact that generally Linux users know what they're doing, whereas a great deal of Windows users are barely computer literate. That means that there is a much greater percentage of people using Windows systems that don't know about updating or why it might be a good idea.
-T

[sub]01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111[/sub]
The never-completed website:
 
I believe one world is as bad as another regarding vulnerabilities. Look at OpenBSD, supposedly one of the most secure platforms available. Even the people behind it don't claim high security if you install a bunch of applications on it. It just takes a long time to go through everything and plug all of the holes, then a new release comes out and you have more holes. That's the name of the game.

I blame most of this on the use of unsafe programming tools, in particular C. Unchecked pointers and array bounds seem to be the source of many of the problems. Some of this is alleviated on architectures with hardware-level protection, but you don't see much of this outside of the mainframe world. Improvements in processor sophistication will help here, but I suspect we'll see a long time pass before the newer 64-bit machines are widely deployed. And it still comes down to security faults in code.
 
I think Win32's vulnerabilities are caused by a combination of inappropriate use of code and lack of consideration for security.

Mi¢ro$oft developed its client-side scripting language, VBScript, but never got around to sufficiently sandboxing it. Then they reused the HTML rendering objects created for IE when displaying HTML email in Outlook. Unfortunately, those objects also invoke the scripting engines, allowing the creation of virii that could infect your machine by just previewing a hostile email. Something like this cannot be blamed on not using the C language correctly -- this is a basic software engineering flaw.

Where unix-like OSes excel is in their non-interdependence of code. You don't, for example, have to run a gargantuan API which includes GUI code in order to get a fully-functional network stack. You can have a GUI, but it's not necessary for the system to function completely.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Applications cause most of the security holes. But Windows is less secure as an OS than Unix, even without apps installed, because of things like Internet Explorer being integrated into Windows, which has more holes than Swiss cheese.

Windows is so bloated there is no way to audit each line of code compared to OpenBSD. Even if MS did audit every line of Windows code, I don't believe they could ever patch every hole because of the way Windows has been developed over the years.
 
Which reminds me: I just received two more security patch updates for RedHat.
But you're undoubtedly right, Windows is less secure because there are more integrated applications. Unless you're rather new to Linux, in which case you're going to end up with Apache (I've seen 4 or 5 updates for that recently), SSH (someone mentioned a buffer overrun error, wasn't that an issue about 2 years ago also?), etc. And then there is the fact that if they don't know what they're doing very well they could very easily leave ftp, telnet, etc. ports open...
But I digress, despite the fact that the number of patches and updates seems to be similar.

I still believe that anyone that can blame a company/group for having bugs in an application the size of BSD/Linux/Windows has never really programmed.

[sub]01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111[/sub]
The never-completed website:
 
Tarwin:

Is it less secure because of the integration, or is it less secure because it's easier to target a certainty? What I mean is, if you're running say Redhat, what are the chances of me guessing what Office platform you're running so I can write a code / script to exploit a vulnerability on it?

In contrast, if I try to hack a Windows PC / Server I can take a pretty good guess that they're running MS Office and not - say - StarOffice?

So just because statistically I could have a better hit rate for my malicious code attacking M$ due to there being fewer configurations out there?

Say I look at people speeding. 4 out of every 5 cars caught speeding are BMWs - sounds bad, except I am sat outside the BMW factory where 9 out of every 10 cars going by are BMWs. So it's just a case that because there are more BMWs it's easier to catch them?
 
There are certain applications that are the "default" when you're looking to do certain tasks (such as installing Apache when you need a Linux web server). I'm not saying everyone installs these, but I don't think anyone would want to argue that everyone who installs a web server on Windows will choose IIS either. It's just a look at what is commonly used from the perspective of the OS (ie, I have x OS and y is usually run on it, not application y is able to run on x, q, and z OS's).

The number of patches thing was a commentary and produced the expected reactions. I had not seen a similar argument brought up and wondered what effect it would have in the way of drawing reactions.

I'm not arguing for or against any of the OS's that have been mentioned. Needless to say I have seen these arguments drag out for ages time and again and I think pretty much everything has been covered that is going to be. I know I personally have seen enough of these to play the middle, the Open Source and the MS argument. The only interesting thing anymore is watching who will never play devil's advocate and who is fanatic about their defense of a certain system's integrity.

Anyways, that's it for me for this post. I'm tired of the topic being endlessly rehashed for no apparent reason.

I find Spirit's argument to be interesting.

[sub]01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111[/sub]
The never-completed website:
 
Ok, let's break this down.
We have 2 concerns here.
1st is an OS concern of what security problems are inherent with it.
2nd is an application concern and what security holes it creates.

The real issue is #2.

Saying *nix OS's are more secure because the users tend to be more computer literate doesn't mean anything when it comes to the security of the OS.

Saying Windows applications are less secure may be true, but you have to weigh this up with the fact that this is normally because of the larger amount of features included.

Saying Windows OS is less secure because it allows applications to be installed on it is not valid. It is not Microsoft's fault what extra systems you put on your box. If Apache is found to have a security problem that should not reflect on the OS, because if it was an OS problem it wouldn't be classed as an Apache problem, even though they might provide a fix/workaround.

Targeting applications with a virus may be easier with Microsoft, but that is a trade-off you get with the integration of applications. Office automation for one is a good example. You might not like it, it may expose holes, but I can tell you for certain that my current employer enjoys the fact that they save hundreds of thousands of dollars because of this capability, and it didn't cost them a bucket load to develop the application because the services were already there.

That said, it isn't hard for me to use a program like nmap (the program that was used in The Matrix by Trinity to identify the SSH vulnerability) to fingerprint a machine and find out what applications are running on it. (I'm shifting the focus to hacking into a box because if you can get a virus on a machine it doesn't matter which OS you're using, the machine is exposed and vulnerable).

If you get a user that isn't computer literate, I would care to say that if they built 2 boxes, 1 XP and one a version of Linux/BSD/Unix, and told them they should patch the boxes, that at the end of the day the XP box would be more secure.

I use Smoothwall as my firewall. Great OS. Custom tailored to the function of a firewall. You would think that it being a Linux derivative that is tailored just for firewalling, it would be very secure. And it is for the most part. I've only had 1 incident in about a year and a half, with only one successful hack into that box that I know of. It had about 25-30 patches during that time too. What happened is I didn't look at the patch log for a few days until I had problems with my firewall. But by then someone had used the security hole that was found. I do have to credit SW with the easiest OS installation I've ever done, minus DOS.

In contrast, before that I used Windows as my gateway with various firewall software, including the inbuilt firewall in XP. The only time my box got hacked into during that time was when I stupidly created a network share on a folder that was available to both network cards. 10 minutes before I noticed a file pop up on the desktop then disappear, and that made my mind click and I realised MY mistake. I could have just as easily made this mistake on Linux....probably even more so because I'm not a *nix guru.

I'm not saying Windows is a better OS. I'm not saying free software is better applications. Both of those statements are pretty broad generalisations. I don't like generalisations most of the time because they can be too easily skewed. What I'm saying is that if you look at it objectively there are pluses and minuses on both parts, and *nix/open source is NOT really more secure if you have 2 people of equal competence setting them up. A good network engineer will have their network shut up pretty tight and probably have a mix of boxes on their network.

 
It's not that uninformed users can load desktop apps on Win32 servers that makes them less secure. It's the added code complexity and interdependent libraries to potentially support those desktop apps that makes Win32 less secure.

And Mi¢ro$oft's marketing to the contrary, more features is not necessarily better.

And the thing is, it's also not necessary for those holes to be there. The existence of a lot of those holes stems from the fact that the object sets weren't engineered. "Were grown" is probably a better verb phrase.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Sleipnir214 - "...It's the added code complexity and interdependent libraries to potentially support those desktop apps that makes Win32 less secure."

I agree, but as I put earlier, it's a trade-off. The fact is that that code is there and helps people and organisations to do things they probably couldn't automate with other products. So you have applications that don't provide that functionality on other operating systems. If they do, they are often prone to the same attacks. In many cases you can choose to install subcomponents or not when installing an application. Installing fewer subcomponents may make your system more secure but less functional....it's just a decision whether the functionality is needed or not.

Saying MS software has holes because it wasn't engineered isn't right. The software is highly engineered. It's some bad coding practices that in most cases cause the security holes. MS isn't the only organisation with coders that are not diligent. Motorola is an exception to the rule with their quality controls. Also I've worked on a few Open Source projects.....they start with a design and tend to "grow" more than MS software does, I care to say. Because Open Source updates with features more often. Whereas MS most of the time waits and produces a new version that has been designed.

Don't know why I try....nothing will stop MS bashing. I try to be more impartial about the whole thing. Nowhere did I say MS is better. I just think too many people look at Open Source and *nix through rose-coloured glasses.

I do concede that MS security holes generally cost more than security holes on other systems. But that does not mean that there are exponentially more security holes...it just means that there are more MS machines and more people targeting them.

Let's look at 2 competing products. MySQL and MSDE. Both targeted at similar markets. MySQL is open source. MSDE created by the big bad software giant MS. MySQL has had its fair share of patches, including those to prevent DoS attacks that can crash the machine. Let's look at MSDE/SQLServer. Biggest note on that would obviously be the "Slammer" virus. With 4 million MySQL installations, why do you think the MySQL vulnerabilities were not exploited but the MSDE ones were? It isn't that the MSDE/SQLServer ones were easier or worse. It's more the mentality of most attackers. This shouldn't be construed as MS software being worse programming-wise....it's more an indication that the people creating the attacks think it more "cool" to attack an MS box than the MySQL box. I can tell you that after the MySQL exploit was made public, hacking attempts on the MySQL boxes I was working with went up drastically, and it took 10 days for an official patch to get released. Whereas with the Slammer virus the effect was exponentially higher, but this doesn't mean the security hole was worse. It's just that the MySQL one wasn't targeted as much.
 
Honest criticism of Mi¢ro$oft's software engineering practices is not bashing. It is honest criticism. Calling all criticism bashing is nothing more than an out-of-hand dismissal of said criticism.

And I think I need to point out that coding practices are actually a part of software engineering. So is reusing objects in ways that don't open holes from the exposure of excessive functionality necessary for a situation.

Also, the fact that other companies may have execrable software engineering practices, too, is specious. You're not arguing that it's okay for Mi¢ro$oft to have bad software engineering practices simply because other companies do too, are you?

But open source projects put out releases more often because no one has to pay for the new versions of software. Mi¢ro$oft has to wait until a product has a number of additional features sufficient for their marketing department to think that people will pay for a new version.

The software from open source projects, depending on their exact licenses, can have no costs for software, just costs associated with the time to install and tweak the new installation. So instead of a patch, an open source project will put out a new version to implement bug fixes.



Want the best answers? Ask the best questions: TANSTAAFL!!
 
I hate to get back into this, but:
I have yet to see anything that backs up the argument that MS's engineering practices are faulty. How was this particular piece of information gained? It isn't enough to say "There are bugs, they must not have planned it". That's marketing hooha. Is there a magic percentage of bugs that defines a product as ill-defined?


Just a quick check, but:
MS holds off on patches/features until they can put out a version in order to make money
Open Source holds off on patches/features because they can have little to no costs

Unless I misunderstood. The point could have been that MS patches and patches and then puts out new versions with new features, while Open Source waits and puts out all the new features and bug fixes. I would think this actually argues that any holes in Open Source software would stay there longer.

Of course I don't actually agree with that take on the matter, considering I just got yet another Apache bugfix, which makes a handful without upgrading the Apache version.

[sub]01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111[/sub]
The never-completed website:
 