Thursday, December 20, 2007

Why Linux is More Secure Than Windows

In my last post, I showed how the vulnerability counts for Ubuntu Dapper LTS were lower than Windows Vista. However, I also mentioned that this should be used only to counter Microsoft FUD, and not as a measure of security. What, then, shows that Linux is actually more secure than Windows?

To answer this, we first have to look at what security actually is. Too many people make the mistake of calling a product secure, e.g. "Linux is more secure than Windows" or "Opera is more secure than IE". Security is not a product. It is a process with the user in a central role. Security is a state to be actively attained by proper interaction of the user and the software. Vulnerability patch management is just one important part of this process. Perhaps more important are proper tools for patch management, stronger defaults and a multilayered approach to security that keeps in mind the practical security scenario for that particular software, with the user forming both the first and last line of defence.

With this in mind, I turn to the reasons why an educated user is, in general, more secure using a Linux distro than using Windows:

  1. Much better patch management tools: In Windows, the automated update procedure updates only the components supplied by Microsoft. No third-party applications are patched. Yet third-party applications make up the bulk of the security vulnerabilities. Using Real player? You have to update separately. Using Flash? Update separately. So you have to check regularly for updates to each and every application yourself. This is extremely cumbersome (though, fortunately, the experience is made tolerable by use of the Secunia PSI), and most users just forget to do it. In Linux, you have an automated update system which will update all your software. In Ubuntu, any product you have downloaded, if present in the repository, will be updated at the single click of a mouse. In other distros, if the downloaded software is not present in the repository provided by the distro, adding the product repository is a one-time process. This greatly increases user compliance in staying fully updated.

  2. Much stronger default configuration: Linux was designed to be a multi-user system. Therefore, the underlying system files will remain protected even if the user is compromised. If, unfortunately, any remote code execution takes place, it will only take place locally. This is to be contrasted to Windows XP, where the user logs in as administrator by default, and any compromise takes on a system wide character. Windows Vista has also moved to a limited user account by default, and therefore is more secure than its predecessor.

  3. Modular Design: Linux is modular by design, that is, any system component may be removed if unnecessary. As a result, if the user feels that a part of the system is more insecure, he or she may remove that component. The same cannot be said of the Windows system. For example, if I feel that Firefox is the most vulnerable part of my Linux distro, I may remove it completely and replace it with another browser, say, Opera. In Windows, I cannot remove Internet Explorer.

  4. Better tools to protect against zero-day attacks: It is not always sufficient to keep oneself fully patched. Zero-day attacks (attacks where the exploit code is released before the vendor patches the vulnerability) are becoming increasingly common. One study has also shown that it takes only six days for crackers to release exploits, while it takes vendors much longer to release patches. Therefore, a sensible security policy will make provisions for zero-day attacks. Windows XP has no such provision. Protected mode in Vista, though useful, provides only limited protection against Internet Explorer attacks. Contrast this with the protection provided by AppArmor or SELinux, both of which provide finely granular protection against any type of remote code execution attack. It is becoming increasingly common for distros to ship with AppArmor (e.g. SuSE, Ubuntu Gutsy) or SELinux (Fedora, Debian Etch, Yellow Dog) by default. In others, they can be downloaded from the repositories (e.g. AppArmor in Mandriva 2008).

  5. Open Source Architecture: In Linux, it is mostly “What you see is what you get” as far as security is concerned. The open code means that vulnerabilities are seen by “many eyes” and fixed as fast as possible. More importantly, it also means that there is no scope to hide patched vulnerabilities; there are no hidden fixes. The user, if motivated, may find out the security issues known for his operating system and take precautionary measures against potential exploits, even if the vulnerabilities are not patched. In the Windows world, however, many security issues are hidden. Internally found flaws are not publicly released, and the vendor waits for a major update or service pack to patch silently. While this may lead to lower vulnerability counts, and better publicity using flawed statistics, it keeps the user in ignorance. As a result, a user may not patch a system if he finds that he is not vulnerable to the reported vulnerabilities, while he may, in reality, be affected by a flaw that is fixed only by a hidden patch.

  6. Diverse Environment: The Windows environment has been likened to a monoculture. There is great homogeneity which makes it easier for crackers to write exploit code, viruses and the like. Compare this to the Linux world. Here, a program can be a .deb, .rpm, or source code, to name a few. This heterogeneity makes it difficult for crackers to have the widespread impact that is possible on Windows.

Finally, however, the security of a system is in the hands of the user. A knowledgeable user can use Windows 98 safely, while an ignorant user may compromise even OpenBSD-based systems. Therefore, it is extremely important to know how one can be compromised, and how one can protect oneself against getting owned. Remember that!

Tuesday, December 18, 2007

Ubuntu vs Vista Vulnerability Counts in 2007 : Destroying the FUD

There has been a lot of FUD flying around stating that Microsoft Windows Vista is more secure compared to Linux. What has been actually compared are the number of vulnerabilities fixed, for a distribution of Linux and Windows Vista. Both 3 month and 6 month studies have been published, with the intention of showing Linux security in a poor light. Now, this is in no way an apples to apples comparison, because Linux contains plenty of applications. Furthermore, vulnerabilities for server applications had also been included. For an apples to apples comparison, just the OSes have to be compared. Now, I went to Secunia, and found out the vulnerabilities affecting Ubuntu 6.06 and Vista for the entire year 2007 till date. What I found was surprising, since in 2007, in the OS (which I took to be the Kernel + X windows + Desktop environment for Ubuntu with their libraries), Ubuntu had only three highly critical vulnerabilities. Windows Vista, in fact had 10. Check it out for yourself.

For this study, I checked only the highly and extremely critical vulnerabilities because these are the vulnerabilities which hackers actually use to get into the system. The moderately critical vulnerabilities give DoS attacks causing crashes, while the mildly critical vulnerabilities do not cause system compromise or require local access. However, the number of these mildly critical reported vulnerabilities is higher in the Linux distros.

All the other vulnerabilities in Linux were due to other applications like Firefox or Xine or Open Office. My earlier analysis has already shown that Firefox is more secure than Internet Explorer, even though Firefox had more vulnerabilities. If comparable applications in Windows Vista were installed, the vulnerability counts of Vista, in all probability would have exceeded Ubuntu. Especially if Quicktime or Real were installed along with an instant messenger service in Vista, the comparison would have been really interesting, but I am leaving that for my next post.

Note that this analysis is just for disproving the FUD. Actually, the reason why Linux is more secure is different. It has a more secure architecture, and has a wonderful tool (synaptic) which can update all the applications in a single click, an ease which is simply missing in Windows, as a result of which many people do not update their third-party software properly. But more of that later. Just remember, this graph above is an argument against FUD. The real reasons for security are different. Vulnerability counts are a horribly flawed metric to compare operating systems. Furthermore, even days-of-risk are not a good measure to compare security in Linux distributions relative to closed-source OSes.

N.B: For the record, the highly and extremely critical vulnerabilities are 10 for Vista, 13 for IE7 on Vista, 3 for Windows mail and 2 for Windows media player.
For Ubuntu, all three of the vulnerabilities listed above were in Open SSL (I disagree with the criticality, but that is another matter). There were other highly critical vulnerabilities in Firefox, Open Office, Poppler, imagemagick, Xine-lib, krb5, and w3m, for the default desktop installation. If possible, and my ISP permits (they are a stupid lot), I will give more information tomorrow. Since more patches may come in the rest of the year, I am not giving the exact numbers now.

This comparison is just from the information found in Secunia. Other security analysts may give different ratings.

Update: These packages showed highly critical vulnerabilities till 12/19/2007

Package        Advisory
OpenSSL        SA27363
Firefox        SA24205
Open Office    SA27077
Imagemagick    SA27048
Poppler        SA27632
Xine-UI        SA24462
w3m            SA23588
Koffice        SA27658
Thunderbird    SA27383
Krb5           SA26644
php            SA26102
tcpdump        SA26286

Of these, only OpenSSL can be considered a part of the OS. Kerberos is not enabled, php and tcpdump are server packages, and the others are application packages (of which Koffice and Thunderbird are not a part of the default installation in Ubuntu anyway). I will update the list again at the end of the year. Also note that these are advisories. An advisory may contain more than one vulnerability, e.g. OpenSSL has 2 advisories but 3 vulnerabilities. For this study, vulnerability checking of the applications has also been done upstream.

Monday, December 3, 2007

Internet Explorer Shows Amazing Security Gains in 2007

(..Ok, Opera finished as the safest browser, but that's nothing new)

I have finished calculating the total number of risk-days (for those who want to know what risk-days is, read my earlier research) for browsers for the period January 2006 till now. Whew! And the surprising result is that Internet Explorer has improved markedly on the security front in 2007. When compared for the entire period of the study, IE finished as the most vulnerable browser. However, when comparing the years 2006 and 2007 separately, a pleasant surprise awaited me!

Edit: I celebrated too soon. In December, one more zero-day vulnerability was announced in IE. There were also three more highly critical IE flaws and four more highly critical Opera flaws reported, but they were not associated with increased risk-days (updated on 01/22/2008).

In 2006, the security record of Internet Explorer was abysmal! It was nowhere near its competitors. 2007 also began inauspiciously, with a zero-day vulnerability in January. However, since then, there has been to date not a single highly or extremely critical risk-day (see graph)! Well, neither did Firefox (if you leave out the URI vulnerability, which was basically a Windows problem) or Opera have any, but for Internet Explorer, it is definitely a first.

Graph I: The high criticality risk days for the different browsers in 2006 and 2007 (up to 1st December). Note that Opera just does not appear, and none of the browsers appear in 2007. For an explanation of the two bars for Firefox, read the last paragraph of the article.

Graph II: The risk days for each browser for 2006 and 2007 (up to 1st December). Opera clearly has the best record. Firefox has a better record than Internet Explorer.

However, as is Microsoft's wont, the risk-days for low risk vulnerabilities have shot through the roof, and resulted in it having by far the highest number of risk-days among the major browsers. However, I suspect that there is improvement in that sphere also. Actually, the tables below flatter Microsoft's record in 2006 as they do not consider the number of unpatched vulnerabilities it carried into 2006. Now, low-risk weaknesses are also important since they can be a source of cross-site scripting or similar attacks, where important user information may be stolen from an unwary user. This is a problem area for Internet Explorer and, to a lesser extent, Firefox. Opera was also plagued by cross-site scripting vulnerabilities.

Tables I, II and III: Showing the different risk days for the different categories of vulnerabilities, for the different browsers.

The methodology of the study was the same as in the previous study. A search of Secunia was made for all the reported vulnerabilities, and the risk-days. Risk-days is the sum of the total number of days for which vulnerabilities in a particular application were publicly announced, but still unpatched.
There were plenty of problems faced while making the analysis. Secunia gives total advisories; however, all the vulnerabilities within an advisory are not of equal severity. Secunia usually gives the advisory the highest criticality rating. This results in not so severe vulnerabilities being classified as critical bugs if the Secunia advisory is followed. Usually, this causes no problems for a risk-days analysis because a multiple vulnerability advisory is mostly the vendor advisory, where the vulnerabilities disclosed have zero risk-days. In one case, however (Firefox, 2006), a moderate criticality bug was not properly patched, raising its risk-days to 45. Since this was part of an advisory reporting highly critical flaws, it got a 4x tag attached to it unfairly. However, to maintain uniformity in the analysis, this was still kept in the highly critical group. If a fair assessment is made, however, the number of risk-days for Firefox in the 4x group should be 7 and 3x should be 45. In 2007, Secunia showed a security flaw in Firefox for the infamous URI bug, but it was shown just as a Firefox bug. Since it was primarily a Windows bug, and depended upon IE (and is still classified as an IE bug in NVD), I have decided to remove it from the analysis. To safeguard against any faulty conclusion, I therefore compared all the high criticality flaws (4x and above) and confirmed them with the NVD database. There was the further question of how to measure the risk-days for zero-day vulnerabilities. However, on account of an accurate date for the emergence of the bug being elusive, I did not give any numbers for the zero-day bug in 2007 for IE but replaced it with a query mark. I suppose some mistakes may still be made, so I will try to upload the files where they can be downloaded from and scrutinized properly. These inaccuracies should necessitate looking at the big picture rather than just counts of the vulnerabilities.
Vendor supplied ratings, where applicable, are many times a better guide.
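
The risk-days tally described above, as an added Python example (not the author's own data or code). The advisories are constructed, with dates chosen so that one mixed-severity advisory yields the 7-day and 45-day exposures mentioned above; the 1-5 rating numbers, the `risk_days` function and the clipping of exposure to the study period are assumptions of this sketch.

```python
from datetime import date

# Constructed sample advisories (not Secunia data). "rating" is the advisory's
# rating on the 1-5 criticality scale (3 = moderately, 4 = highly critical).
# Each vulnerability is (own_rating, disclosed, patched); disclosed=None marks
# a zero-day with no reliable public date, patched=None means still unpatched.
ADVISORIES = [
    {"id": "EX-1", "rating": 4, "vulns": [              # mixed-severity advisory
        (4, date(2006, 3, 1), date(2006, 3, 8)),        # 7 days exposed
        (3, date(2006, 3, 1), date(2006, 4, 15)),       # incomplete fix: 45 days
    ]},
    {"id": "EX-2", "rating": 4, "vulns": [              # vendor advisory
        (4, date(2006, 6, 1), date(2006, 6, 1)),        # patched on disclosure: 0
    ]},
    {"id": "EX-3", "rating": 2, "vulns": [
        (2, date(2006, 11, 20), None),                  # still open at period end
        (2, date(2005, 12, 22), date(2006, 1, 11)),     # carried into the period
    ]},
    {"id": "EX-4", "rating": 5, "vulns": [
        (5, None, date(2006, 9, 26)),                   # zero-day, start unknown
    ]},
]


def risk_days(advisories, start, end, per_vulnerability=False):
    """Sum the days each vulnerability was public but unpatched in [start, end].

    Returns (totals_by_rating, ids_with_unknown_disclosure). By default every
    vulnerability inherits its advisory's rating; per_vulnerability=True uses
    the vulnerability's own rating instead.
    """
    totals, unknown = {}, []
    for adv in advisories:
        for own_rating, disclosed, patched in adv["vulns"]:
            if disclosed is None:
                unknown.append(adv["id"])   # report as "?" rather than guess
                continue
            # Assumption: exposure is clipped to the study period, so open
            # and carried-over issues count only for the days inside it.
            first = max(disclosed, start)
            last = min(patched or end, end)
            days = max((last - first).days, 0)
            rating = own_rating if per_vulnerability else adv["rating"]
            totals[rating] = totals.get(rating, 0) + days
    return totals, unknown


if __name__ == "__main__":
    period = (date(2006, 1, 1), date(2006, 12, 31))
    print("by advisory rating:", risk_days(ADVISORIES, *period))
    print("by own rating:     ", risk_days(ADVISORIES, *period, per_vulnerability=True))
```

Rating by advisory puts all 52 days of the mixed advisory in the highly critical bucket, while rating each vulnerability separately splits them into 7 and 45.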

Sunday, December 2, 2007

Former Microsoft Security Strategist Says Microsoft Does Not Report All Security Issues

Respected security strategist, Window Snyder, presently Head of Security Strategy at Microsoft and formerly senior security strategist at Microsoft and security lead and signoff on Microsoft Windows XP Service Pack 2 and Windows Server 2003, has mentioned that Microsoft does not publicly report security issues found internally. Rebutting the study comparing IE security to Firefox by one of the directors of security at Microsoft, she stated in her blog that:
"One of the goals of the bug counting report is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues...... He counts only the public issues, because that is all Microsoft will tell us about......... the set of issues that are available for public comparison is limited to the set of vulnerabilities that are reported externally AND fixed in security updates.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process ..... are fixed in service packs and major updates"

This, coming from a former Microsoft Security Strategist, is a big deal and confirmation that all the studies coming out from Microsoft comparing the security of their products with their competitors are just hogwash.
She also says that Microsoft is worried that if they publicly release X updates, the world will focus on those X updates, not that they are now fixed and no longer a risk.
This actually leads to some questions for our mainstream technology media. Why is actually counting bugs important? I am no supporter of Microsoft, but why are they vilified at every opportunity for fixing bugs? Fixing bugs is essential, and all vendors do it. Perhaps if our attitude to bug counts changes, Microsoft will become more open in this regard. OK, Microsoft are prats, but to some extent, the media, in search of a good story (and nothing sells like bashing a giant), are also to blame.