Re: Vista first year Security Better than Linux Says Report.

On Jan 24, 2:53 pm, Moshe Goldfarb <brick.n.st...@xxxxxxxxx> wrote:

This is just the digg entry which refers to the link below.
> http://digg.com/security/Windows_Vista_s_one_year_security_report_wil...

Note that the report is in a PDF.  Was able to read it with Acrobat
for Linux.
Other PDF viewers didn't like it as well.
> http://blogs.technet.com/security/archive/2008/01/23/download-windows...

This is a good shortcut to the page.  Note that this is a personal
blog.
> http://tinyurl.com/ypj4p9

<quote>
| Jeff Jones is a Security Strategy Director in Microsoft's
Trustworthy Computing group.
</quote>

So we can count on an unbiased report.

<quote>
Is there anything in this analysis which will prove one piece of
software
is "more secure" than another? No, that is not my intention.
</quote>

So it's not REALLY a security report, it's just propaganda, and should
be read as such.

He then goes into the typical Microsoft tactics.

He compares the number of patches published by Microsoft for Vista to
the number of patches published by Microsoft for XP, and then tries to
compare this to the number of patches for Red Hat, Ubuntu, and Mac OS/X.

No indication of how many source code lines were changed.  No
indication of how many successful attacks triggered the release of
each patch.

Traditionally, Microsoft sits on patches and consolidates them into a
big master patch whenever a big virus whacks enough PCs to make
national news.  For Vista, this was 10 patches, probably because
virus attacks on Windows are so common that it's not even considered
news anymore.  These patches only cover patches for Windows and the
applications included with the most basic configurations, such as
Internet Explorer.  Each "patch" may be the functional equivalent of
20-30 Linux patches.  So the 10 patches for Vista might be 200-300
"patches" equivalent to Linux.  In addition, no mention is made of any
patches to any other Windows application, including any other
Microsoft applications.

Traditionally, Red Hat issues security patches even if all it is is a
bug fix for a theoretical vulnerability that might result in the crash
of any of the 2500 applications included with the distribution.  Many
of these patches are for only one line of code.  Linux distributors
consolidate all patches for all applications, and publish them as
soon as they are available via the online update services.  The
patches are also incorporated into the next official release for that
distribution.  Traditionally, Microsoft has reported the patch
response time from the time that the bug was first discovered, to the
time when the patches were incorporated into the new distribution.
Many of these patches fix theoretical problems that would require
specialized code, root access, and carefully crafted messages, which
would only affect one unpatched version of the kernel, libraries, and
the custom-crafted application which would have to be exposed
deliberately.  Such accesses of course would be logged with time
stamps, syslog entries, and acct entries.

Microsoft has been claiming "better security" for each release of
Windows since Windows 95, and to a certain extent has delivered
improvements.  At the same time, successful attacks against Windows
have become less and less newsworthy.  Fewer news events means
Microsoft has to publish fewer patches.

A "standard installation" of Windows XP without antivirus, firewall,
and anti-spyware will be infected in about 10 minutes of normal web
and e-mail use.

Of course, with the same PC with I-Zone firewall or external firewall such
as a Linksys Router, McAfee or Symantec Antivirus, and proper
security settings (disable ActiveX controls, signed Java applets, html
preview of e-mail...), the vulnerability extends to several weeks.
Mainly it becomes a race between the Virus hackers and the Antivirus
hackers; often the vulnerability period is less than a few days.

I haven't seen similar reports for Vista.  That would be more interesting.

As for Linux, I haven't seen many reports of successful attacks on
Linux, including servers, other than poorly written PHP or poorly
administered web sites.  For example letting unauthenticated users put
files into the CGI-BIN directory.

I don't dispute Microsoft's claim that Vista is more secure than
Windows XP as shipped by Microsoft.  I'm not so convinced that Vista
is more secure than Windows XP with 3rd party security software.  I'm
not sure that I would trust Jeff Jones to tell me either.

Rex Ballard
http://www.open4success.org