I expect that as soon as we get into any meaty and interesting discussions, my current place of employment (Microsoft) will come into play, combined with assertions that I must be biased. It is fairly predictable, so I thought it might be interesting to just pre-empt it and open the question myself.
I’ve been a Director at Microsoft for a little over four years now, in the security group that works to drive security improvement across the company. For that alone, some may condemn me, so let’s dig into it.
In the engineering program at Purdue University, we all used Unix accounts and to this day, my fingers remember the key “vi” editing commands. My workstation and development platform for my first four years of work was a Sun workstation. Working from home after that, I used Slackware Linux as my primary workstation for two years starting in 1994. When we turned the TIS Firewall Toolkit into the Gauntlet firewall, we did it on BSD/OS. (BTW, does anybody remember how “fun” it was to get two Ethernet cards working on BSD?) Basically, I’ve used and done security analysis on most common operating systems over the past 20 years – even some uncommon and interesting proprietary ones by Unisys, Tandem and HP. In fact, over 75% of my security career came before Microsoft.
How did I end up at Microsoft? Let’s go back in time five years. At that point, it was commonly accepted by most people that Microsoft had some security problems. In contrast, most folks thought the Unix and Linux community (and vendors) historically had a better approach to security and would build on that. Around that time, I got a call from a respected former colleague (Steve Lipner), who convinced me that Microsoft management was committed to improving security across the company and was taking real steps to do it. I was skeptical, but ultimately convinced enough to join – where better to have real impact in computer security?
Still, I like to be practical about security. Does your team have deep Unix skills and no experience on Windows? If so, your risk will be better managed on some sort of Unix system, regardless of whether Microsoft security is better, worse or indifferent.
So, I’ve been around security a while and in the past four years I’ve personally participated in steps at Microsoft that, in my mind, are resulting in improved security for customers. Is it perfect? No. Are the products much better than their predecessors? Certainly so. Is security improvement happening on Linux and Unix? Definitely. Who is doing better? Ah, that brings us back to the question, doesn’t it – by what metric?
Am I biased? I do not think so, but let’s just all keep assuming I am, because I don’t mind. If I make comparisons, I’ll lay out my metrics. I’ll lay out my assumptions. I’ll describe the methodology. Then, if you want to dispute the results, debate the assumptions, or critique the methodology, I’ll ask the same of you. Regardless of the outcome, all sides will get presented, progress is made and that’s a win for interested readers.
Best regards ~ Jeff

No, I think I know where you come from, but will look forward to seeing comparisons.
Thanks M8
http://www.osnews.com/story.php/18172/Vista-Vulnerability-Report-Debunked
Full Disclosure: 6 Month Vista Vuln Report, Debunked
From: Kristian Hermansen
Date: Tue, 26 Jun 2007 09:09:31 -0400
This report from Microsoft's Jeff R. Jones is ludicrous:
http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf
The Microsoft "researcher" claims that Windows Vista is exponentially less vulnerable than many Linux distributions and Mac OS X. It may be true that the default Vista installation has had fewer public vulnerability reports, and that Linux has had many more, but this is due to the nature of Open Source. Jeff does not include any "silently fixed" vulnerabilities that have been patched since Vista was released, and Microsoft has not disclosed such vulnerabilities publicly.
Here is a per-section debunking of his paper broken down by topic, because I feel Jeff really needs to perform another, less exaggerated analysis.
"Windows Vista - The First 6 Months"
Let's remember that Vista was released to business partners earlier than home users. He does not account for this gap, and thus, this could soften the exposure of the official Vista code to many researchers for analysis.
"Teredo"
Teredo is also a major hole, and they are leaving it wide open. The community feels this is a flaw, but Microsoft doesn't seem to care. Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the beta phases and revealed numerous issues.
"Windows XP"
Windows XP was touted as the most secure OS to date on release. It was also touted as secure in SP1, and again as most secure in SP2. We are now seeing it again with Vista. Are we really supposed to believe that somehow this mantra is going to change just because Microsoft tells us so? In defense of Microsoft, however, they have focused their efforts to really clean things up, and that is commendable.
"Red Hat Enterprise Linux 4 Workstation"
OK. The claims here are just plain insulting. The 100+ vulnerabilities include such software as PostgreSQL, MySQL, mailman, squid, and emacs. None of this software is installed in a default installation of RHEL4. I think the guy clicked on "Install Everything" and went to town with vulnerability reports :-)
"RHEL4 Reduced Component List"
This analysis more closely approximates Vista, but is still bloated in that many of the vulnerabilities he reports are very small bugs in Firefox, which don't result in a compromise of the host. Again, the nature of bug reporting in open versus closed source software.
"Ubuntu"
Again, the nature of open versus closed source bug reporting. However, even the kernel flaws reported are only relevant when such modules are loaded in the system and that surface is exposed. Again, the results are inflated, even in the "reduced" set.
"Novell"
More of the same. The vulnerabilities are shared between all the distros, of course!
"Mac OS X"
Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code. However, the paper claims that things like the vulnerability below are relevant...
A bug in AFP Server when using an ACL-enabled storage volume may in certain situations result in an ACL remaining attached when a file with POSIX-only permissions is copied.
"Putting It All Together"
* insert nice graphs here *
The conclusions that are drawn are built on a lack of understanding by the Microsoft researcher. I highly encourage him to go back and take another look, and pare down the results to essential information that is absolutely critical to the conclusions, rather than just "Other OS's have more bugs, see, look at my graphs"...