[LINK] Linux, Open Source have 'more security problems than Windows'

Glen Turner glen.turner@aarnet.edu.au
Mon Nov 18 04:33:16 EST 2002


> http://www.theregister.co.uk/content/55/28118.html
> 
> According to a report published November 12 by Aberdeen Group, "Security
> advisories for open source and Linux software accounted for 16 out of the
> 29 security advisories - about one of every two advisories - published for
> the first 10 months of 2002 by Cert (www.cert.org, Computer Emergency
> Response Team)."

Oh dear, another analyst firm crossed off the competent list.

CERT advisories aren't a good measure of the number of flaws in an
operating system (you'd find the MITRE system better for that).  They're
not a bad guide to the vulnerability of a particular operating system, as
there is an advisory for most major issues that are actively exploited.
But they can't count the level to which bugs are exploited -- we're still
seeing a lot of Sircam traffic.

All advisories do some double-counting. No-one runs CDE, KDE and GNOME as
their windowing system, so the existence of component choice for
non-Windows platforms increases the apparent number of vulnerabilities.

I think this needs to be treated like benchmarking.  Select competing
platforms, such as Red Hat Linux and Windows XP configured with client
software selections and Red Hat Linux and Windows 2000 Server configured
with server software selections.  Then track the number of exploitable
flaws which appear on BUGTRAQ.  Track the amount of time to a vendor fix.
Count the cost of applying that fix in an enterprise setup.

This methodology obviously takes some commitment, more than simply
counting a year's worth of CERT advisories.

The methodology also solves some labelling problems. For example, OpenSSL
is then part of the 'Linux server' configuration, even though it wasn't
written by Linus.

> "Contrary to popular misperception," the report says, "Microsoft does not
> have the worst track record when it comes to security vulnerabilities.

Agreed, there's lots of gear out there that's massively more insecure.
Some stuff from PABX manufacturers springs to mind.

But that misses the point.  Microsoft have a huge installed base and
there's some responsibility that comes with that.

> .... Lastly, the incorporation of open source software in routers, Web
> server software, firewalls, databases, Internet chat software, and
> security software is turning most Internet-aware computing devices and
> applications into possible infectious carriers."

You'd be kicking yourself if you paid the analysts for this insight. After
all, there's a US Presidential Commission looking into exactly this issue.
The buffer overrun in the ASN.1 Basic Encoding Rules not only made every
SNMP-speaking device vulnerable but also the SS7-based telephone system as
well.

That's probably the most serious exploitable software flaw to date, and
the one that really scares most people with security responsibilities.
Yet you'd never guess that from the CERT advisory, or from the level of
exploit traffic on the net.

Similarly, DNS-based Denial of Service attacks are also a scary thing. You
can rate-limit most denial-of-service attacks, but in rate limiting DNS
the rate-limiting itself effectively denies DNS service to valid users.

> The report lauds Microsoft for having overhauled its development process in
> an attempt to fix security problems, and says, "Perhaps it is time for some
> of the suppliers of open source and Linux software to take similar
> measures."

Let me get this right.  In 2003 MS will cut loose the installed base of
some hundreds of millions of machines running the 95/98/ME series of
operating systems.  The users need to spend considerable money to upgrade
these OSs, so quite a few of them won't.

And we're meant to be glad that MS is fixing future OSs.

Maybe we could throw a party in about 6 years' time when the amount of
deployed software developed under the "overhauled development process"
might be greater than that from the old software development process.

I'm not saying that MS should continue to support 95/98/ME, but charging a
huge amount to upgrade isn't going to help the installed base problem
either.  As one example of an alternative, Cisco don't charge for
security-driven IOS upgrades.

This is a fundamental difference between the Linux distros and Windows.
The Linux installed base can be running the current OS, if not choosing
the latest GUI.  My development machine is a 486, which runs RHL 8.0 fine
with a non-demanding window manager. Because it can run 8.0 rather than
being stuck on the 4.0 which was originally installed, that 486 doesn't
present anywhere near the same security threat as a 486 running Windows
95.

Glen
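The benchmarking methodology sketched in the post above (pick competing platform configurations, attribute each advisory to the configurations that actually ship the affected component, then track count, time to vendor fix and outstanding exposure) can be made concrete. The following is an added example, not part of Glen's message or of any analyst report. The advisory records and the component-to-configuration mapping are constructed for illustration only; none of the advisory identifiers, dates or component assignments are real. It also shows the "double counting" effect the post describes: a naive count of everything labelled open source tallies KDE, GNOME and CDE bugs together, while a configuration-scoped count only charges a bug to a platform that actually runs that component.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Advisory:
    """One BUGTRAQ-style advisory as it would be logged for the benchmark."""
    ident: str
    component: str          # affected package/product
    disclosed: date         # public disclosure date
    fixed: Optional[date]   # vendor fix date, or None if still unfixed


# Hypothetical benchmark configurations (assumption, for illustration only):
# each platform is charged only with the components it actually runs.
# OpenSSL and BIND belong to the Linux server configuration even though they
# are not written by Linus; KDE and CDE are absent because this client
# configuration chose GNOME.
CONFIGS: Dict[str, Set[str]] = {
    "linux-client": {"kernel", "glibc", "mozilla", "gnome"},
    "linux-server": {"kernel", "glibc", "openssl", "apache", "bind"},
    "windows-client": {"win-xp", "ie", "outlook-express"},
    "windows-server": {"win-2000", "iis", "ms-dns"},
}

# The bucket an "open source vs. Microsoft" headcount would use (assumption).
OPEN_SOURCE: Set[str] = {
    "kernel", "glibc", "mozilla", "gnome", "kde", "cde",
    "openssl", "apache", "bind",
}

# Constructed sample advisories; identifiers and dates are invented.
SAMPLE = [
    Advisory("A-1", "openssl", date(2002, 7, 30), date(2002, 7, 30)),
    Advisory("A-2", "kde", date(2002, 9, 4), date(2002, 9, 10)),
    Advisory("A-3", "gnome", date(2002, 6, 1), date(2002, 6, 20)),
    Advisory("A-4", "apache", date(2002, 6, 17), date(2002, 6, 18)),
    Advisory("A-5", "bind", date(2002, 11, 12), None),
    Advisory("A-6", "iis", date(2002, 4, 10), date(2002, 4, 10)),
    Advisory("A-7", "ie", date(2002, 8, 22), None),
    Advisory("A-8", "win-2000", date(2002, 5, 1), date(2002, 5, 31)),
    Advisory("A-9", "cde", date(2002, 1, 14), date(2002, 3, 1)),
]


def naive_count(advisories: Iterable[Advisory], bucket: Set[str]) -> int:
    """Headline-style count: every advisory whose component is in the bucket,
    regardless of whether any single deployed system runs all of them."""
    return sum(1 for a in advisories if a.component in bucket)


def score(advisories: Iterable[Advisory], components: Set[str], asof: date) -> dict:
    """Configuration-scoped metrics for one platform build.

    Returns the number of advisories that actually apply, how many are still
    unfixed, the median days from disclosure to vendor fix, and the longest
    window a still-unfixed flaw has been public as of `asof`.
    """
    hits = [a for a in advisories if a.component in components]
    fixed = [a for a in hits if a.fixed is not None]
    days_to_fix = [(a.fixed - a.disclosed).days for a in fixed]
    exposure = [(asof - a.disclosed).days for a in hits if a.fixed is None]
    return {
        "advisories": len(hits),
        "unfixed": len(hits) - len(fixed),
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "max_unfixed_exposure_days": max(exposure, default=0),
    }


def benchmark(advisories: Iterable[Advisory],
              configs: Dict[str, Set[str]], asof: date) -> Dict[str, dict]:
    """Score every configuration against the same advisory log."""
    advisories = list(advisories)
    return {name: score(advisories, comps, asof) for name, comps in configs.items()}


if __name__ == "__main__":
    asof = date(2002, 11, 18)
    print("naive open-source tally:", naive_count(SAMPLE, OPEN_SOURCE))
    for name, result in benchmark(SAMPLE, CONFIGS, asof).items():
        print(f"{name:15s} {result}")
```

With the constructed data the naive tally charges six advisories to "open source", but the GNOME-based Linux client is actually exposed to one and the Linux server to three, which is the double-counting point; the per-configuration median time-to-fix and the age of the oldest unfixed flaw are the numbers that say something about how exposed a real deployment is.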



