CERT has become a de facto authority for reporting computer application- or operating system-related security issues, and has a special category of reports (CERT Advisories) that reports only those issues that are deemed severe enough to lead to system compromise. In looking up information on an old bug today, I came across CERT’s page of 2002 advisories, and was surprised to see that out of the 37 reported, only 10 of them were related to Microsoft Windows; out of those 10, three were for third-party applications that run on Windows, and one was for a vulnerability shared by pretty much every major operating system out there. In contrast, 24 of the advisories were related to Unix or Linux systems (and two others were PHP-related, which I’m probably not out of line saying is run far more often on non-Windows machines than on Windows ones). To me, this is just another data point for the argument that a lot more is made of Microsoft’s security deficiencies than is actually there, at least when CERT’s perspective is taken into account.

Comments

This was much discussed recently. The 24 items were for >>>ALL

• Posted by: GoatBeard on Jan 12, 2003, 7:13 PM

CERT is pretty good for reporting vulnerabilities, but they are far from comprehensive. Even a quick look at the NT Bugtrak mailing list can reveal many more than six vulnerabilities in programs from Microsoft in 2002. When comparing system vulnerabilities, I prefer looking at the common vulnerabilities and exposures site at http://www.cve.mitre.org.

CVE shows that Microsoft accounts for 8-10% of all 1400-or-so vulnerabilities listed for 2002. Honestly, considering the range of products Microsoft ships and the number of products they sell, I do not consider this an outrageous number of vulnerabilities.

On the other hand, I think Microsoft has made a number of bad design decisions that have caused many problems to become much bigger than they should be. Some examples include the lack of a chroot system call, the repeated lack of security in macros, and the lack of effective software management (i.e., how do I know what I’m running right now?).

In addition, the number of buffer overflow problems reported by Microsoft is simply vexing. This is the lamest kind of programming error—many companies have made this kind of error, but it is still lame.

That being said, I do think CERT is geared a bit more towards looking at large-scale and server security issues rather than general security problems. This points them more towards looking at Unix systems rather than Microsoft systems. On the other hand, there are a lot of people who like to bash Microsoft, too. :-)

—Sam

• Posted by: Sam Greenfield on Jan 12, 2003, 7:32 PM

By focusing on the fact that a minority of the vulnerabilities were attributable to MS, you overlook the need to calculate the overall potential risk. A couple of factors to keep in mind are that MS is installed on over 90% of the desktops, many of which are owned by consumers who ignore these issues; another one is that systems such as Linux and Unix tend to be servers supported by admins who can implement the proposed fixes or work around them and are on top of these issues. I don’t think it’s unjust to shout out loud if there is a serious vulnerability in IE just because statistically MS has fewer security problems.

• Posted by: Miguel Marcos on Jan 13, 2003, 5:03 AM

Jason, shame on you — I’d have expected you to look around and see some of the community commentary on the CERT Advisories before you posted something like this.

The security of a system comes down to one thing: Who’s administering it.

Additionally, don’t forget that the vulns in that list aren’t all being run on every Linux system. Half of our systems don’t have Apache installed, which eliminates at least three of those vulnerabilities. We’re not running Solaris, which kills another six. We’re not running one of the database toolkits that’s mentioned, so that kills off another two. All of our Oracle systems are firewalled to a fare-thee-well, which eliminates another one… if someone’s inside our firewall, we’ve got bigger problems than Oracle. We’re not using Kerberos encryption… so on and so forth. The comparisons you made in this post are based on a limited dataset, and you did no research on or verification of that dataset.

To add fuel to the fire, with Windows, half of the vulnerabilities listed in the CDC article affect every Momma and Poppa that is running IE 6 or WinXP. So you’ve got a million vulnerable systems sitting out there on high-speed connections with at best poor firewalling and infrequent patching.

• Posted by: Karl on Jan 13, 2003, 4:02 PM

Karl, I don’t even know where to start. I guess I can kick off with the assumption that I am unaware of the “community commentary,” an incorrect assumption; so far as I’ve seen, the commentary has tended towards the same blatant one-sidedness that all MS vs. the world arguments do, each side twisting the data into whatever pretzel its viewpoint needs it to be. It’s also actually funny to me that you see all that other dialogue as the commentary of the community, and my post as somehow both removed from and unaware of it (rather than a contribution to it). (And yes, GoatBeard, that’s also a response to you — I’m glad that the community “decided” that the numbers are biased, but it’s hard to see how that’s so.)

Also, understand that your reasoning cuts both ways on the applicability of a vulnerability to a given system. You don’t run Solaris, and thus are safe from six? I don’t use MSN Active Chat, and thus despite the fact that I run Windows, I’m not vulnerable. One of my big points, in fact, is the corollary of what you’re trying to say: despite every single Microsoft flaw being publicized as making every single Windows user vulnerable, that’s not the case; it’s always a subset of users, the subset using the particular application that contains the vulnerability. (Hence me pointing out that out of the 10 “Windows” advisories, only six of them were even for Microsoft products, and not all of those were for MS products that run out-of-the-box on every Windows machine.) And thus, it’s not a matter of doing “research on or verifying a dataset,” it’s simply noting the systems that are listed by CERT as having vulnerabilities serious enough to lead to compromise.

(And, to pick a large nit that stands out: your Oracle servers are protected by firewalls, and thus can’t be touched despite being unpatched? Some of the Oracle vulnerabilities are in packages that tie Oracle servers to front-end HTML/HTTP engines, and these are the very services that have holes punched through firewalls to them. Four of them are buffer overflows in the very HTML/HTTP front-end engine, PL/SQL; another is a failure of the PL/SQL engine to validate before allowing remote command execution, and another is a failure to validate an HTTP Authorization header. Firewalls ain’t gonna help you there.)

And it’s not like I deny the fact that there are tons of potentially vulnerable Windows machines out there — of course there are, and that’s a bad thing. My post was just to note that MS is doing better with security, and giving the perspective of one set of data that seems to validate that fact. Saying that that fact makes the Unix/Linux vulnerabilities somehow less important, though, is just a diversion — they’re still important, and the fact that there were more of them than there were for Windows in 2002 is an interesting fact to me.

(And note that the same logic that produces the “there are more Windows machines, so that makes those vulnerabilities more important” argument can create the same manipulation for the other side; that’d be the “machines that store email, customer data, and route traffic are more likely to run a non-Windows operating system, and that makes those vulnerabilities more important” argument. Also note that I don’t buy either of them — all of the advisories are important, for different reasons and with different impacts — and I find it disingenuous when people resort to using one of them to refute the other.)

• Posted by: Jason on Jan 13, 2003, 6:59 PM