[Fsf-friends] security- a discussion

Manjush G. Menon <manjush@lycos.co.uk>
Mon, 13 Jan 2003 11:48:40 +0530


hi guys,

Check out the forwarded message,
which originated from the following groups.

------------------------------------------------------------------------
To: linux-middleeast@yahoogroups.com, arab-linux@yahoogroups.com
From: Peters A P <peters1968@yahoo.com>
Date: Wed, 8 Jan 2003 03:38:36 -0800 (PST)
Subject: [arab-linux] I found this and thought this might be of interest

Aberdeen Group says Linux/UNIX is as vulnerable as Windows

Turning up the heat another notch on a
long-simmering debate, the Aberdeen Group has
published a study comparing the security of Linux/UNIX
systems with that of the Microsoft Windows family of
products.

"Contrary to popular misperception, Microsoft does not
have the worst track record when it comes to security
vulnerabilities. Also contrary to popular wisdom,
UNIX- and Linux-based systems are just as vulnerable
to viruses, Trojan horses, and worms," Aberdeen's
report states.

Based on CERT advisories for 2001 and 2002, Aberdeen
reached the following conclusions:

"Virus and Trojan horse advisories affecting Microsoft
products peaked at six in 2001, which then bottomed
out at zero for the first 10 months of 2002.
Virus and Trojan horse advisories affecting UNIX,
Linux, and open source software products went from one
in 2001 to two for the first 10 months of 2002.
Advisories affecting network equipment products jumped
from two in 2001 to six for the first 10 months of
2002.
Firewalls and other security products were affected by
just two advisories in 2001, but have been linked to
seven advisories for the first 10 months of 2002."

The report also points out that Apple is becoming
vulnerable, "now that it is fielding an operating
system [OS X] with embedded Internet protocols and
UNIX utilities."

Windows vs. Linux/UNIX vulnerabilities
Aberdeen Group report, vol. 1, no. 35, is dated Nov
12, 2002, and it's a brief but interesting read. I
can't post a direct link since you have to subscribe
to see the report. But it doesn't cost anything, so I
recommend that you go to the Aberdeen site, register,
and then take a look at the entire report.

Some people will dismiss the report as
Microsoft-sponsored hot air, but the raw data is there
for everyone to see in CERT's Advisories and Incident
Notes, giving legitimacy to The Aberdeen Group's
conclusion that open source operating systems in
general, the new Mac OS X, and critical security
programs themselves, aren't as safe as many proponents
suggest.

The underlying data is worth a close look. No new
Windows platform virus or Trojan CERT advisories were
issued in the period of January 2002 through October
2002. CERT's confirmed vulnerabilities list shows that
the threat level is growing faster for Linux/UNIX
platforms than for Windows. This could be a
statistical anomaly due to the much larger number of
Linux/UNIX versions (although there are actually fewer
versions available now, as there has been
consolidation in both the Linux and UNIX markets in
recent years). So the number of threats is growing
while the number of Linux/UNIX versions is shrinking

Perhaps this is an indication that UNIX is becoming
less genetically diverse and therefore is more
vulnerable to attack because the market isn't so
fragmented. One Microsoft virus would attack a lot of
systems, but it used to take a slightly different
virus for every version of Linux/UNIX. That's not
always the case anymore.

Rating vulnerabilities
The open source community sometimes claims that
vulnerabilities are "more serious" in Windows, but I
don't know of an objective way to measure that. And
lacking a generally accepted method, all we are left
with are the raw numbers. Microsoft rates
vulnerabilities when it publishes a patch, but we need
a comparable way to rate Linux/UNIX bugs if we're
going to compare the seriousness of the patches
released for these platforms.

It's useful to look at incidents as well as confirmed
vulnerabilities (advisories). Although this isn't
exactly the same as measuring how serious a
vulnerability is, it provides a good way for those in
the security business to judge how many attacks are
taking place, or at least how many are being reported.

According to the Aberdeen report, "In 1995 the
incidents reported by CERT numbered 2,412. However,
incidents tracked by CERT skyrocketed from 21,756 in
2000 to 52,658 in 2001, and then to 73,359 for the
first nine months of 2002. Clearly, the trend in
incidents and advisories is going up, and at an
alarming rate."

However, we should always take incident statistics
with a grain of salt. After all, vulnerabilities are
easy to count, but who knows how many attacks go
unreported.

Microsoft has recently announced a new policy for
rating vulnerabilities. The company says this was due
to customer complaints about far too many "critical"
warnings, which compelled administrators to patch
vulnerabilities even when the critical rating was not
warranted by the actual risk.

According to Microsoft's director of security
assistance, Steve Lipner, the new rating system will
expand the old Critical-Moderate-Low reporting scale
to include Important, which will fall between Critical
and Moderate.

Most of the old Critical vulnerabilities will now be
labeled Important, including threats that could lead
to system penetration and file compromise. The
Critical rating will be reserved for Internet threats
(e.g., major disasters of the Code Red variety).

A new two-tier security bulletin system with a less
technical bulletin service will also be hosted at
http://www.microsoft.com/security/ to supplement the
current one, which many users found simply too
technical.

A recent eWeek report brings yet another aspect of
this subject to the forefront by pointing out that
White House Cybersecurity Tsar, Richard Clarke, has
called for mandatory vulnerability reporting to a
central federal government office. This would require
any security firm discovering a new vulnerability to
report it with the goal of forcing vendors to respond
more quickly to new threats.

Others feel this may lead to premature disclosure of
vulnerabilities, which happened in the past when the
FBI's National Infrastructure Protection Center
attempted to coordinate reports with various vendors.

The newly organized (Sept. 26, 2002) Organization for
Internet Safety is also developing a proposed set of
guidelines for timely and safe reporting of
vulnerabilities. OIS founders include Microsoft,
@stake, Symantec, Caldera, Network Associates,
BindView, and Oracle, so there may be some muscle
behind these guidelines.

Final word
We will probably always be comparing apples and
oranges when we try to see how the number and severity
of vulnerabilities found in the major competing
platforms match up. But this really doesn't matter in
the real world. The bottom line is that if a
vulnerability leads to intrusions on your network,
it's a problem, and it doesn't matter whether the
vulnerability was a "high" risk or a "low" risk, only
whether it cost you time and money to deal with it.

Most of us are supporting legacy systems and always
will be. Only new companies have the luxury of
selecting a platform based only on security,
performance, and initial cost. That's further limited
to only new companies that have an expert IT staff in
place to advise the company founders before they buy a
single computer. It's far more likely that a platform
decision will be based on the experience of the
founders, the vendor who gets there first with the
best proposal, or, most likely of all, which platform
runs a line-of-business application that the company
needs.

The Aberdeen Report concludes that the reduction in
Microsoft vulnerabilities is the result of the
company's much-touted new security initiative. It may
be too early to determine that, but it is a relief to
see that no major viruses have besieged Windows in
2002.

As for Microsoft's new security labeling system, I
think it is useful. It makes sense to reserve the
Critical rating for those dangerous global threats
that can spread around the world quickly and
temporarily threaten the integrity of corporate
systems.
------------------------------------------------------------------------

Have a great day

~~Manjush