Windows Server 2003 spanks Red Hat's monkey?

Interesting information from RSA; it's nice to see someone other than me notice the pure creamy goodness of WS2003 for once (I've noticed it from the incident response side of things by noting a marked absence of WS2003 hacking cases over the last 2 years compared to Windows 2000).

https://www.linuxinsider.com/alert/40697.html

Why am I not surprised by their findings?
Simple: I've been slowly biding my time as the WS2003 OS matures, watching the bug counts in our OS and those of our competitors month by month on an independent site like Secunia. Anyone who has been doing the same already knows that dramatically more bugs are discovered and fixed in our open source competitor's products, which to my mind does not indicate any superior secure-coding kung-fu on their part (or that the 'many eyes' approach is contributing to provably more secure code).

Here are the stats from Secunia, an organization not affiliated with Microsoft, BTW. :)
Windows Server 2003 Enterprise Edition
https://secunia.com/product/1174/
44 advisories since June of 2003, 11% un-patched right now, 0% extremely critical, 45% highly critical, 59% exploitable 'from remote'.
Looking at the two un-patched ones: one is an HTML Help vuln from 2003, so I am betting that is a mistake, and the other is a minor information disclosure bug. Obviously we still have work to do, and we are doing it.

Red Hat Enterprise Linux ES 3.0
https://secunia.com/product/2535/
136 advisories since NOVEMBER of 2004, 0% un-patched right now (I wonder if that includes all the latest slew of Linux kernel vulnerabilities reported in the last day or so), 1% extremely critical, 24% highly critical, 66% exploitable 'from remote'.

We are by no means perfect, and we still have a loooooooong way to go, but the journey has at least started, and as the first batch of products to go through our secure development lifecycle start to withstand the test of time, it is really no surprise to me to see that our focus on building secure products first and foremost is starting to pay off in terms of better quality software with fewer and less damaging vulnerabilities.

Comments

  • Anonymous
    January 01, 2003
    Robert Hensing's Secure Windows Initiative Blog : Windows Server 2003 spanks Red Hat's monkey? Some interesting comment about the study comparing Redhat and Windows Server 2003 over at Robert Hensings blog. As people'll know if they've been following slashdot, it...

  • Anonymous
    February 17, 2005
    The comment has been removed

  • Anonymous
    February 17, 2005
    Great points and well written - here are some counter points.

    1. It's generally un-interesting comparing one vendor's OS CD to another (as you point out). What's interesting are comparisons of real world servers and roles, especially ones that are web-facing. To do that you need to add some things to the stack like IIS6, ASP.NET and SQL2000 (on WS2003) and Apache, MySQL and PHP on Linux. Then what you've got is what most people actually use these operating systems for on the Internet: a web application. But now you have to include all of THOSE application vulnerabilities as well. I assure you this only makes it worse for Linux, not better (for example, check out the IIS6 vs. Apache bug counts using the same Secunia web site). I leave this as an exercise to the reader. :)

    2. OpenBSD - that's an interesting distro; it certainly does have an impressive security record, but they slip in what anyone else would call 'security updates' all the time that they don't label as 'security updates'.
    They fix things that lead to DoS but call them 'reliability fixes' or something like that, whereas from Microsoft anything that can remotely DoS Windows is rated at Important at least and we release a security bulletin.

  • Anonymous
    February 17, 2005
    1. I would argue the numbers on the RHES3 page actually include PostgreSQL and Apache, as I see at least one vulnerability for each of those listed on that page. The default ES3 install includes both of those. I could be misreading the numbers...but there's a whole bunch of stuff included there that would never be running in the real world.

    This is partly because of RH's decision to turn on the kitchen sink in the default server install so their product can look extremely feature rich...it hurts them in situations like this.

    Agree w/respect to OpenBSD...plus, if nothing is really enabled in the default install, it's going to look a lot nicer in this kind of comparison.
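
The 'compare like with like' point made in this comment (and again further down the thread, where OpenOffice, squirrelmail, gaim and the rest are listed) can be checked with a few lines of code. The following is an added example, not part of the original post or any comment: it recomputes Secunia-style summary figures from a constructed advisory list, once for the whole product and once restricted to the packages a web-server role actually installs. The advisory records, the criticalities and the WEB_ROLE set are invented for illustration and are not real Secunia data.

```python
"""Added example (not from the original post or comments).

Recomputes the kind of summary Secunia shows (count, % unpatched, % by
criticality, % remote) from a list of advisories, then repeats it after
filtering to the packages a given server role actually runs. The SAMPLE
advisories below are constructed, not real Secunia records."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    criticality: str   # Secunia scale: extremely / highly / moderately / less / not
    remote: bool       # attack vector "from remote" vs local
    patched: bool


# Constructed sample; package names mirror the ones the commenters mention.
SAMPLE = [
    Advisory("kernel", "highly", True, True),
    Advisory("httpd", "moderately", True, True),
    Advisory("openssh", "highly", True, True),
    Advisory("openoffice", "highly", False, True),
    Advisory("squirrelmail", "moderately", True, True),
    Advisory("gaim", "highly", True, False),
    Advisory("ethereal", "extremely", True, True),
    Advisory("cvs", "highly", True, True),
    Advisory("postgresql", "moderately", True, True),
    Advisory("mysql", "less", False, True),
]

# What a web server in this role actually has installed (assumption).
WEB_ROLE = {"kernel", "httpd", "openssh", "mysql"}


def summarize(advisories):
    """Percentages are rounded to whole numbers, as on the Secunia pages."""
    n = len(advisories)
    if n == 0:
        return {"count": 0}
    crit = Counter(a.criticality for a in advisories)

    def pct(k):
        return round(100 * k / n)

    return {
        "count": n,
        "unpatched_pct": pct(sum(not a.patched for a in advisories)),
        "extremely_pct": pct(crit["extremely"]),
        "highly_pct": pct(crit["highly"]),
        "remote_pct": pct(sum(a.remote for a in advisories)),
    }


def summarize_role(advisories, installed):
    """Same summary, but only over advisories for packages the role installs."""
    return summarize([a for a in advisories if a.package in installed])


if __name__ == "__main__":
    print("whole product:", summarize(SAMPLE))
    print("web role only:", summarize_role(SAMPLE, WEB_ROLE))
```

Run it and the role-restricted figures differ sharply from the whole-product ones: the count drops, the single extremely critical entry (a network analyzer nobody runs on a production web server) disappears, and the unpatched share goes to zero. That is the effect the commenters attribute to a kitchen-sink default install, and it is why the raw product-page counts in the post are not the number a server owner should be looking at.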
  • Anonymous
    February 17, 2005
    The comment has been removed
  • Anonymous
    February 17, 2005
    The comment has been removed
  • Anonymous
    February 17, 2005
    Let me guess . . .

    You're worried about job security because you haven't seen many intrusions on Server 2003. And the best way to advertise that you're skilled and available for a new position is to try to write something that will get your blog on /. again.

    Am I close?
  • Anonymous
    February 17, 2005
    ROTFL!! Okay THAT was a great blog post man - I appreciate the laugh. :)

    I actually could care less about being /.'d, I'm definitely not in this for the fame - if I were I'd just write a book and try to get rich - I do this for fun and to help educate customers. :)

    Don't get me wrong - /. is a great community and all, and I frequent the site from time to time, but I was a little amused that they only managed to pick up my blog post on pass-phrases about 6 months after it went live (check the date on when I posted that thing). :)

    Perhaps that says something about the /. community?

    I say that only because my blog post was picked up by Win2k News AND PC Magazine (not to mention full-disclosure, bugtraq, etc.) loooooong before /. ran it. :) I had actually sort of assumed it may have already been submitted and somehow I missed it. :)
  • Anonymous
    February 17, 2005
    The comment has been removed
  • Anonymous
    February 17, 2005
    The comment has been removed
  • Anonymous
    February 18, 2005
    Just my two penneth, but at the end of the day these are just stats; we could play with them all day and not get any real answers. (I have! See below.)

    I think that it's great that MS is now taking security much more seriously and they are making some really good changes. But at the end of the day it's more about how you approach the whole of your security. If you are just going to place a default install on the web without any changes then quite frankly you deserve to get attacked! It would be splendid if you could, but just a little amount of planning would tell you that this is not currently the case. You don't keep your stock in an open barn, so why do it with your data?

    On the subject of chroot jails, the idea is that even if the intruder does manage to gain elevated privileges in some way then all they can see, even as the superuser, will be a small copy of the parts of the system that are required to run that one process. It goes one step further than just running a process as a special user. But even these are not perfect and have led to things like SELinux and RBAC on Solaris.


    Oh, and by the way, at least one of the advisories for RHEL is for OpenOffice. There are more for things like squirrelmail, gaim (IM client), cvs (version control), ethereal (network monitoring) and more than one database. You have to compare like with like. Just because Red Hat ships a full product does not mean that you have to install it. You don't put Exchange or MS Office on your web server. And if you want to look at bug counts then skip over to the Debian entry for some big numbers! But then again they are shipping about 8000 packages on 10 architectures, so 400 bugs is not that bad!
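
The chroot jail described a few paragraphs up is only as good as the order in which it is set up, and the commenter's "not perfect" is the classic caveat: a process that stays root inside a chroot can break back out of it, so the privilege drop is the part that gives the jail its meaning. The following is an added example, not code from the original thread, showing the sequence in Python: chdir into the jail, chroot, chdir to the new root, drop supplementary groups, then gid, then uid, and verify that root cannot be regained. The jail path and the 65534 uid/gid are assumptions; the `ops` parameter and the RecordingOps stand-in exist only so the ordering can be exercised without root.

```python
"""Added example (not from the original thread): entering a chroot jail and
dropping privileges in the order that makes the jail hold.

Why the order matters:
  - chdir(jail) before chroot, and chdir("/") after it, so the process's cwd
    is inside the new root (a cwd left outside is one of the known escapes);
  - setgroups before setgid before setuid, because once uid is unprivileged
    the earlier calls are no longer permitted;
  - a final setuid(0) that must FAIL, proving the drop is irreversible.
The `ops` parameter defaults to `os`; a stand-in is used for a dry run."""
import os
import sys


def enter_jail(jail, uid, gid, ops=os):
    """Enter `jail` and drop to uid/gid. Raises OSError on the first failing
    step. Returns the list of steps completed, in order."""
    done = []
    ops.chdir(jail)             # must precede chroot
    done.append("chdir")
    ops.chroot(jail)            # needs root / CAP_SYS_CHROOT
    done.append("chroot")
    ops.chdir("/")              # cwd is now inside the new root
    done.append("chdir /")
    ops.setgroups([])           # supplementary groups first
    done.append("setgroups")
    ops.setgid(gid)             # gid before uid
    done.append("setgid")
    ops.setuid(uid)
    done.append("setuid")
    if uid != 0:
        try:
            ops.setuid(0)       # must be refused; otherwise root was kept
        except PermissionError:
            done.append("verified")
        else:
            raise PermissionError("setuid(0) still succeeds; privileges were not dropped")
    return done


class RecordingOps:
    """Stand-in for `os` that records calls and models the kernel rule that
    an unprivileged process cannot setuid back to 0 (no real root needed)."""

    def __init__(self):
        self.calls = []
        self.uid = 0

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        if self.uid != 0 and uid == 0:
            raise PermissionError("EPERM")
        self.uid = uid
        self.calls.append(("setuid", uid))


def dry_run(jail="/var/empty", uid=65534, gid=65534):
    """Exercise the sequence against the recording stand-in; returns
    (steps completed, calls made). Path and ids are assumptions."""
    ops = RecordingOps()
    steps = enter_jail(jail, uid, gid, ops)
    return steps, ops.calls


if __name__ == "__main__":
    # Real use (as root): python3 jail.py /path/to/jail
    if len(sys.argv) > 1:
        print(enter_jail(sys.argv[1], 65534, 65534))
    else:
        print(dry_run())
```

What the jail still does not give you, and what pushed people toward SELinux and RBAC as the comment says: it does not confine a root process that never drops privileges, it does not mediate network or device access, and anything world-writable copied into the jail is still writable. The privilege drop plus a minimal jail tree is the baseline; a mandatory access control policy is what constrains the process beyond the filesystem view.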
  • Anonymous
    February 18, 2005
    Robert,

    "...if I were I'd just write a book and try to get rich..."

    Emphasis on "try", dude. It doesn't happen. Oh, wait...are you talking about writing romance novels with images of a shirtless Fabio on the cover? Now that kind of book you can get rich from...but writing in our field? No way!

    Regarding /....stuff only appears there when someone posts it. Someone wrote a review of my book and it didn't appear on the site for quite a while...evidently, it was written in such a way that the moderator didn't know whether to try and fix it, or just trash it.

    With regards to your post of 2/17, at 8:33pm...interesting what some people post, isn't it? Never let the facts get in the way of a good rant!

    Carry on, my friend!
  • Anonymous
    February 18, 2005
    The comment has been removed
  • Anonymous
    February 18, 2005
    The comment has been removed
  • Anonymous
    February 18, 2005
    Another metric to add to the comparison might be the number of patches cited that require a complete OS restart to be activated. My day job is as a Windows Server admin, but I'm a Linux hobbyist. Most of the patches I've ever installed on Linux required at most a restart of the affected service to be activated. Most of the critical patches released for Windows Server 2003 have required complete OS restarts. That might mean that while there are fewer vulnerabilities on WS2003, it requires more drastic measures and additional downtime to patch.
  • Anonymous
    February 18, 2005
    Another very good point. On WS2003 most patches should NOT require a restart; the ones that do usually affect the kernel, and I believe that patches on Linux that affect the kernel require you to recompile and restart, so that's pretty much the same.

    The problem with Windows is that most people don't understand WHY restarts are required or how to avoid them. Right now, if a file that needs updating is in use, the update installer may or may not try to stop the process hosting that file. If it doesn't or can't stop the process hosting the file, then it will copy the file anyway, putting it in the PendingFileRenameOperations registry queue, and ask you to restart. To avoid reboots for non-kernel security updates it's usually as simple as figuring out what files are being updated (using the file manifest in the bulletin) and then using something like Process Explorer to see what processes they are loaded in, and thus what services need to be stopped before the update is installed and restarted afterwards.

    That said, even doing all of this I think we might still be a bit behind Linux here, but we're working on that . . . WS2003 SP1 is going to allow us to do 'hotpatching' in some cases, eliminating the need for a reboot even if the DLL or driver is in use. :)
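
The PendingFileRenameOperations queue mentioned above is where an installer leaves the swap when it could not replace an in-use file, so reading it tells you exactly which files are waiting on the reboot and therefore which process should have been stopped first. The following is an added example, not from the original thread: it decodes that REG_MULTI_SZ value in the form MoveFileEx writes for MOVEFILE_DELAY_UNTIL_REBOOT (paths carry a \??\ prefix, an empty destination means delete, a leading '!' on the destination means replace-existing) and matches the queued files against a bulletin's file list. The sample queue and the bulletin file names are constructed; the live registry read is only attempted on Windows.

```python
"""Added example (not from the original thread): decode the
PendingFileRenameOperations queue and match it against a bulletin's file list.

Format (as written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT):
  REG_MULTI_SZ of alternating (source, destination) entries;
  paths are NT-style with a \\??\\ prefix;
  destination ""  -> source is deleted at boot;
  destination "!..." -> replace an existing file (MOVEFILE_REPLACE_EXISTING).
SAMPLE_QUEUE below is constructed for illustration."""
import sys
from dataclasses import dataclass
from typing import Optional

KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    source: str
    destination: Optional[str]   # None => delete at reboot
    replace_existing: bool


def _strip(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values):
    """Turn the raw multi-string into PendingOp records (an odd trailing
    entry without a partner is ignored)."""
    ops = []
    for i in range(0, len(values) - 1, 2):
        src, dst = values[i], values[i + 1]
        if dst == "":
            ops.append(PendingOp(_strip(src), None, False))
            continue
        replace = dst.startswith("!")
        ops.append(PendingOp(_strip(src), _strip(dst[1:] if replace else dst), replace))
    return ops


def files_waiting_on_reboot(values, bulletin_files):
    """Which of a bulletin's files (bare names, case-insensitive) are queued.
    These are exactly the files whose hosting process was still running when
    the installer ran, i.e. the services that should have been stopped."""
    wanted = {f.lower() for f in bulletin_files}
    queued = parse_pending_renames(values)
    names = set()
    for op in queued:
        if op.destination is None:
            continue                      # deletions of temp files, not swaps
        base = op.destination.split("\\")[-1]
        if base.lower() in wanted:
            names.add(base)
    return sorted(names)


def read_from_registry():
    """Live read; Windows only. Returns [] when the value is absent, which
    means no file swaps are pending and the restart prompt is not about them."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry read only works on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, VALUE)
        except FileNotFoundError:
            return []
    return list(data) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample: the installer staged two DLLs under temp names and queued
# the swap because the owning processes were running; a log file is queued for deletion.
SAMPLE_QUEUE = [
    r"\??\C:\WINDOWS\system32\SET3A.tmp", r"!\??\C:\WINDOWS\system32\mshtml.dll",
    r"\??\C:\WINDOWS\system32\SET3B.tmp", r"!\??\C:\WINDOWS\system32\shdocvw.dll",
    r"\??\C:\WINDOWS\Temp\update.log", "",
]

if __name__ == "__main__":
    queue = read_from_registry() if sys.platform.startswith("win") else SAMPLE_QUEUE
    for op in parse_pending_renames(queue):
        print(op)
    print(files_waiting_on_reboot(queue, ["mshtml.dll", "shdocvw.dll", "browseui.dll"]))
```

The useful reading of the output is the one the comment describes in reverse: every swap in the queue names a file that was locked at install time, so the next time that bulletin (or its successor) ships, those are the binaries to look up with Process Explorer and the services to stop beforehand. Kernel-mode drivers will still show up here and still need the reboot, which is the case the hotpatching work in SP1 is aimed at.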
  • Anonymous
    February 18, 2005
    Thanks for the response, Robert. My team at work administers hundreds of W2K and W2K3 servers and our current patching solution is SUS/AU, soon to be WUS when it comes out of beta. We defer to MS's recommended best practices when patching our fleet, so watching the usage of a particular DLL on a particular server to determine if/when we can restart a service to activate a particular patch vs. the default behavior of restarting the server when prompted would be very time consuming. Note also that the AU client stops requesting packages from SUS after it's installed hotfixes that indicated that a server restart was required.

    I'm currently beta-testing WUS (and, as a result, the new MSI3-powered AU clients), and I don't believe they have any of the functionality you're describing from a reboot-avoidance perspective. Perhaps later hotfix packages will check for dependencies and allow the admin to determine if they'd like to temporarily take a service down in lieu of a restart. I've seen a few IIS-related hotfixes do that. However, that certainly isn't the norm and I've seen nothing in my testing to indicate that that is going to change. Granted, I haven't pointed any WS2003 servers running SP1 RC2 at WUS, yet.

    Your point regarding recompiling the Linux kernel to address security vulnerabilities is contrary to what I'm used to seeing. Perhaps the reloading of a patched kernel module might be required in some cases, but I thought the commercial Linux distributions don't require their users to recompile the kernel. Most of my Linux experience is at home, behind a firewall, and I haven't ever been "forced" to patch for security reasons. So I don't really have much experience to draw on there. ;)
  • Anonymous
    February 18, 2005
    The comment has been removed
  • Anonymous
    February 18, 2005
    Great conversation. I'll concede the Linux points.

    Hopefully the product groups you mention are reading this and will choose to build the functionality you've described into future packages. Right now, for the majority of hotfix packages, they're not anywhere close.

    Thanks.
  • Anonymous
    February 18, 2005
    Thanks. Right now, most of the kernel updates we release unfortunately really do require reboots (even if the update is primarily to a device driver like mrxsmb.sys, which can't be unloaded / reloaded AFAIK). We'll eliminate hopefully upwards of 30% of these reboots using hotpatching on WS2003 SP1 (yet another reason to upgrade!).

    You should definitely be suspicious of any update to an application like Windows Messenger, MSN Messenger, Media Player, Office or any other app like that if it says it requires a restart. :) It most likely does NOT, and you can simply shut down the application, apply the update and then restart it. :)
  • Anonymous
    February 18, 2005
    As a Microsoft insider, can you confirm that the study by Dr. Ford and Dr. Thompson was not sponsored by Microsoft and was totally independent?

    The VNUNet article says that the article was by Linux enthusiasts thus implying that they are impartial and hate coming to this conclusion.

    But both these guys work for organizations that have either ongoing sponsorship from Microsoft or have large contracts to do research/testing for Microsoft. (Go to their web sites)

    This doesn't mean that the results are wrong. But we shouldn't think of them as Linux enthusiasts who have seen the light at last and had a Religious conversion.
  • Anonymous
    February 18, 2005
    I actually was just as surprised by this announcement as the rest of the world. I had no idea this was going down at RSA, and I don't think it was sponsored by anyone (I thought the articles called that out).

    I'm pretty sure all they did was look at public data and present it at a conference under the guise of a friendly 'bet' between the two parties. As such it should be pretty easy to verify; one great source of public data is Secunia, which I linked to in the blog post.
  • Anonymous
    February 19, 2005
    Trackback Ping
  • Anonymous
    February 20, 2005
    The comment has been removed
  • Anonymous
    February 25, 2005
    So, (1) would imply that with Linux you get nothing - as that's what you paid. This, of course is not true.

    And as for (2), honestly, how many sysadmins can or want to write code? And if they do, will they write it securely and be able to test it well? Not likely.

    And one for Robert. Your note about the "update product" is insightful. however, MS Mgmt should demand that product groups use other update effectively and to the customer's best interest.

    \Greg
    Windows & Slackware user
  • Anonymous
    February 27, 2005
    You can exec a kernel with kexec after an update, without a restart.
  • Anonymous
    February 27, 2005
    http://www-128.ibm.com/developerworks/linux/library/l-kexec.html
  • Anonymous
    March 03, 2005
    funny... microsoft has 11% un-patched

    redhat has 0% un-patched...

  • Anonymous
    March 13, 2005
    no, the funny thing was supposed to be the vast difference in the overall numbers, RH vs MSFT.

    It's easy to SAY 0% un-patched when you have a whole team of uhh...experts?...spread the world over releasing patches whenever they think they've fixed it.