Tuesday, January 22, 2008

FUD from Techworld, and Secunia's numbers

I came across an article in Techworld which discussed a Secunia report. The story ran with the title "Red Hat and Firefox more buggy than Microsoft". On reading the Secunia report itself, it is amply clear that the window of exploitation is shorter for Firefox, and Secunia also makes it clear that on an OS-to-OS comparison Red Hat has far fewer bugs than Windows, with most of the security flaws residing in third-party software. Therefore, if a proper comparison were made on the basis of the Secunia report, it would show that Firefox was more secure because vulnerabilities were patched more quickly, and that the Red Hat operating system was less buggy. The Techworld article should therefore be read with more than a pinch of salt, even though it does clarify things later on. I also feel the definition of a "zero day bug" is wrong. A zero day is one which is exploited before the patch is out. The mere report of a vulnerability does not constitute a zero day exploit. By this definition, Internet Explorer should have 2 zero day exploits and Firefox none.
I also have an issue with the numbers quoted by Secunia in the report. Now, I have done quite a comprehensive analysis of the vulnerability counts between Windows and Linux, specifically Ubuntu. The number of vulnerabilities quoted for Windows seems very high, and I think they have added the numbers for Vista and XP together, with Server 2003 thrown in. The chart in the Secunia report is by itself misleading. For me, an OS should not include the browser or the mail client, and the numbers for separate operating systems like XP or Vista should be reported separately. The number of vulnerabilities for the Red Hat OS also seems skewed. Are they counting the Linux kernel as a third-party application? It certainly seems so, because there are a large number of kernel vulnerabilities (none of them highly or extremely critical, by the way). I myself had done a comparison of the highly and extremely critical vulnerabilities between Vista and Ubuntu Dapper, using Secunia's statistics. While Ubuntu certainly had fewer vulnerabilities, Vista certainly did not have 100 vulnerabilities, even with Internet Explorer and Mail included. I would certainly like an explanation from Secunia about their numbers.
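To make the scoping argument concrete, here is an added example (my own illustration, not Secunia's data or anything from the Techworld article) that takes one small list of advisories and computes the headline count four different ways: with and without third-party packages, filtered to the highest severities, as median days from disclosure to patch, and as a zero day count using the definition above (exploited before a patch exists). The advisory records, the products "OS-A" and "OS-B", and the component and severity names are all constructed for illustration and are not real Secunia entries; the same nine records rank the two products in opposite directions depending purely on which rows you include.

```python
"""Four ways to read one vulnerability list.

Added example for this post. All records below are constructed for
illustration (hypothetical products "OS-A" and "OS-B"); they are not
Secunia data and the numbers should not be read as real counts.
"""
from datetime import date
from statistics import median

# Secunia-style severity labels, ranked so we can filter "highly critical and up".
SEVERITY_RANK = {"less critical": 1, "moderate": 2, "highly critical": 3, "extremely critical": 4}

# Constructed advisories. "scope" says whether the component ships as part of
# the OS or as a third-party package; "exploited" is the first in-the-wild date.
ADVISORIES = [
    # OS-A: core OS plus a bundled browser and mail client, one third-party app
    {"product": "OS-A", "component": "kernel", "scope": "os", "severity": "moderate",
     "disclosed": date(2007, 3, 1), "patched": date(2007, 3, 15), "exploited": None},
    {"product": "OS-A", "component": "browser", "scope": "os", "severity": "highly critical",
     "disclosed": date(2007, 5, 10), "patched": date(2007, 6, 12), "exploited": date(2007, 5, 20)},
    {"product": "OS-A", "component": "mail", "scope": "os", "severity": "moderate",
     "disclosed": date(2007, 8, 2), "patched": date(2007, 8, 14), "exploited": None},
    {"product": "OS-A", "component": "media-player", "scope": "third_party", "severity": "highly critical",
     "disclosed": date(2007, 9, 1), "patched": None, "exploited": date(2007, 9, 30)},
    # OS-B: a distribution whose repository also carries third-party packages
    {"product": "OS-B", "component": "kernel", "scope": "os", "severity": "less critical",
     "disclosed": date(2007, 2, 5), "patched": date(2007, 2, 9), "exploited": None},
    {"product": "OS-B", "component": "kernel", "scope": "os", "severity": "less critical",
     "disclosed": date(2007, 6, 1), "patched": date(2007, 6, 4), "exploited": None},
    {"product": "OS-B", "component": "browser", "scope": "third_party", "severity": "highly critical",
     "disclosed": date(2007, 4, 3), "patched": date(2007, 4, 6), "exploited": None},
    {"product": "OS-B", "component": "pdf-viewer", "scope": "third_party", "severity": "moderate",
     "disclosed": date(2007, 7, 7), "patched": date(2007, 7, 10), "exploited": None},
    {"product": "OS-B", "component": "image-lib", "scope": "third_party", "severity": "moderate",
     "disclosed": date(2007, 10, 1), "patched": date(2007, 10, 3), "exploited": None},
]


def count_vulns(advisories, product, include_third_party=True, min_severity=None):
    """Raw count, optionally restricted to OS-scope rows and/or a minimum severity."""
    rows = [a for a in advisories if a["product"] == product]
    if not include_third_party:
        rows = [a for a in rows if a["scope"] == "os"]
    if min_severity is not None:
        rows = [a for a in rows if SEVERITY_RANK[a["severity"]] >= SEVERITY_RANK[min_severity]]
    return len(rows)


def median_days_to_patch(advisories, product):
    """Window of exploitation proxy: median days between disclosure and patch."""
    deltas = [(a["patched"] - a["disclosed"]).days
              for a in advisories if a["product"] == product and a["patched"] is not None]
    return median(deltas) if deltas else None


def is_zero_day(advisory):
    """Post's definition: exploited in the wild before any patch was available."""
    exploited, patched = advisory["exploited"], advisory["patched"]
    return exploited is not None and (patched is None or exploited < patched)


def count_zero_days(advisories, product):
    return sum(1 for a in advisories if a["product"] == product and is_zero_day(a))


def count_unpatched(advisories, product):
    return sum(1 for a in advisories if a["product"] == product and a["patched"] is None)


def summary(advisories, product):
    """All the metrics for one product, so the different scopes sit side by side."""
    return {
        "all": count_vulns(advisories, product),
        "os_only": count_vulns(advisories, product, include_third_party=False),
        "highly_critical_plus": count_vulns(advisories, product, min_severity="highly critical"),
        "median_days_to_patch": median_days_to_patch(advisories, product),
        "zero_days": count_zero_days(advisories, product),
        "unpatched": count_unpatched(advisories, product),
    }


if __name__ == "__main__":
    for product in ("OS-A", "OS-B"):
        print(product, summary(ADVISORIES, product))
```

On this constructed list, "OS-B" is the buggier product if you count everything in the repository (5 against 4) and the safer one on every other reading: fewer OS-scope bugs (2 against 3), fewer highly critical bugs, a median patch window of 3 days against 14, and no zero days against two. Which row filter a report applies is therefore the whole story, and a chart that does not state it cannot be compared across vendors.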
Other interesting topics in the Secunia report dealt with the number of zero day vulnerabilities. It would have been interesting if all the vulnerabilities had been detailed, since I had written an article about the zero day bugs of 2007 affecting desktops. The interesting point, however, is that the number of zero day attacks has gone down for Microsoft products, while attackers are targeting third-party apps more and more.
Furthermore, the Secunia report also points out that third-party apps were the ones most likely to remain unpatched, thus raising the risk level for the user. In this scenario it is essential to have a framework by which third-party apps can be easily patched. Linux users are lucky: they have apt-get, which is THE KILLER application as far as security is concerned, and this is one of the main reasons why Linux users are more secure than Windows users. Sadly, Windows lacks a proper tool to do that in a single click. Secunia Personal Software Inspector goes a long way towards actually finding the vulnerable software, though, and is a must-have for any security-conscious Windows user.
The final word about vulnerability count measurements should, however, go to Window Snyder, formerly of Microsoft, now of Mozilla: "Counting security vulnerabilities to compare the security of different software projects is flawed. It is only a useful metric if you are comparing a project to itself over time." And the classic: "Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues. That makes it a misleading metric."


