Why Vista is more secure than the rest

What facilities does the average Linux distro or OSX provide that Vista does not that would make it unfair to compare? What additional functions, features and programs are provided?

You need to compile some of them before they run of course :p

Seriously though, I don't really get what Moredhel means on that, I mean just because Linux is made from a large variety of sources, it's all put together in one package... if it has a security flaw, then well... it does...

(Not a slate at Linux BTW, I kinda like it).

As for Windows RAM, I have 4GB. I would rather Windows use as much as it wants while all I am doing is surfing the web. What's the point of having something to never really use it unless playing a game or when I use Photoshop?

Windows will free it up for it anyway :)
 
But even Linus Torvalds commented a few months ago saying that Vista's security appears to be holding up much much better than XP's did :)

IMO this isn't about propaganda. It is about facts. The Microsoft document clearly states all of its sources/references so that others can duplicate the research and, hopefully, come to the same conclusion. Obviously that doesn't automagically make the research correct though... and I dare say that the Linux distros could have been stripped down a bit more from all their default install bloat. He commented in the article that he only disabled packages which he "felt" users would disable... that is wide open to opinion. But TBH you could write a whole thesis on just how to go about comparing Windows and Linux in security terms... and IMO that's not really the primary concern of the research.

Little confused? You say it's all about facts but then say that the research may not be correct? That was the point I was trying to make. As for the rest, I totally agree. Good post.
 
That graph would suggest that Ubuntu is the most secure OS as it has the least unfixed vulnerabilities. The graph is of course completely pointless as it does not demonstrate how serious each individual vulnerability is. Not to mention that you didn't mention the source...

I'm not saying that Vista is more or less secure than any other OS, just that there isn't really any clear metric which allows you to measure security.

The source (and thank you for spelling that right BTW) is actually from random googling. I can't mention a specific site, because at least 10 different tech sites I went on had that graph, or portions from that graph (especially comparisons from XP and Vista).
 
What facilities does the average Linux distro or OSX provide that Vista does not that would make it unfair to compare? What additional functions, features and programs are provided?

Ubuntu includes a full office suite for a start! I bet if you included all of Office's vulnerabilities in the above charts they'd look a bit different. There's plenty of other stuff too, a complete development environment, numerous games, etc. You'd have to have a look at the website to get a full list but there is significantly more included with most Linux distributions than with Vista.
 
Little confused? You say it's all about facts but then say that the research may not be correct? That was the point I was trying to make. As for the rest, I totally agree. Good post.

Yes but let's not get carried away with the whole Linux vs Vista thing. The point is that Vista is a vast improvement over XP for security :)
 
I did a little random googling last night, and the amount of random blogs and tech sites which agree with MS is staggering.

Yes but that's not really surprising :) The research's overall conclusion is valid IMO. Yes it isn't absolutely perfect and I can imagine quite a few Linux advocates aren't terribly happy with the report. But they should easily understand the report's reasoning and they should definitely be able to agree with Vista being more secure than XP. But clearly a little fine tuning of Linux's installed packages isn't going to make a vast difference to the outcome. Even from my own memory Vista had very very very few major security flaws last year, and even the handful of "major" ones had quite good mitigating factors. Linux on the other hand... I can remember getting probably 5 to 10 CERT bulletins in 2007... and CERT generally doesn't get out of bed unless something is really serious. But as I said I don't think this report was meant to "show up" the third party OSes. It was primarily for showing that Vista isn't quite as bad as the mass technology media makes out...
 
Yes but let's not get carried away with the whole Linux vs Vista thing. The point is that Vista is a vast improvement over XP for security :)

I don't think anyone really disputes that fact. Vista finally implemented things like ASLR, stack canaries, DEP etc.. which have been in Linux for ages and UAC which is a usability nightmare compared to sudo/su sessions..
 
Loads of people dispute it... people on this very forum have slated Vista in the past as being "full of holes" or "swiss cheese"... and of course so has the technology media which is where those people got their misguided views from in the first place.

DEP and stack overflow protection were added yonks ago. XP SP2 for DEP and even further back for stack overflow protection. But that was a tweak to the VC++ compiler... not the OS. IIRC VC++ was the first compiler to add it - since we seem to be counting brownie points here :/
 
Loads of people dispute it... people on this very forum have slated Vista in the past as being "full of holes" or "swiss cheese"... and of course so has the technology media.

Well most of the tech media are clueless... Microsoft's propaganda does not help though...

DEP and stack overflow protection were added yonks ago. XP SP2 for DEP and even further back for stack overflow protection. But that was a tweak to the VC++ compiler... not the OS. IIRC VC++ was the first compiler to add it - since we seem to be counting brownie points here :/

Yes DEP was in SP2, however, in XP2 it was only enabled for Windows programs and services unless you specified to turn it on for all processes. Like, it wasn't even on for IE? Even on IE7 on Vista it's off by default... (IE8 corrects this though).

Haha, the VC++ (/GS) then was easily defeated (http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf). I don't know what it's like these days.. GCC 2.7 had Stackguard support since (1999/1998). /GS in VC++ was around 2003-ish I think..

If you take a look at how many programs on Vista are compiled with ASLR or using unsafe functions, Vista still has a way to go.

I like the way they don't put any BSDs on there. OpenBSD would seriously skew the statistics.

Then again, this is pointless.. this stuff will never be fixed until developers get a good security background.


No it shows DISCOVERED vulnerabilities. There is a huge difference. Not to mention most distros release patches in a few days (some are better than others though), they are usually fully disclosed in patch notes, I've seen a lot of large scale security fixes pushed under the carpet by MS, and some they refuse to even acknowledge till their Tuesday patch day.

As also mentioned the scale of the vulnerability isn't mentioned either so they could be anything, that graph is useless.

I would also consider that Ubuntu is a Linux distro, therefore Linux is the kernel and core utilities and Ubuntu adds on all the other packages, Vista is the kernel, the system utilities, the GUI and all the other crap. You can bet Ubuntu's figures include every package installed on it (but not written or maintained by the Ubuntu team..) whereas Vista just counts the base OS.

Exactly, MS are known for silently patching security vulnerabilities as Product Updates/Enhancements. You can't compare the hundreds of packages in the Linux distro repositories with Vista core OS code.. It's like including 3rd party programs like flash/firefox etc.. I don't really know a good metric to compare OS security realistically..
0-Day Patch - Exposing vendors (in)security performance (http://www.blackhat.com/presentations/bh-europe-08/Frei/Presentation/bh-eu-08-frei.pdf). Gives some nice realistic statistics from the major OS vendors on 0-days. Who knows how many unreported vulnerabilities are out there.. I wouldn't like to guess.
 
You've misenterpreted (sp?)

What the graph shows is how many vulnerabilities each OS had in the first place and how many of those have been fixed.

Vista had the least amount of all in the first place which is why it is the most secure OS.

Whereas Ubuntu had almost 4 times as many vulnerabilities which then had to be fixed.

I care waaaay more about the amount of vulnerabilities that were not fixed. Vista had about 40, whereas Ubuntu had about 15. Can you understand why, using that awfully flawed graph, I interpret that Vista was less secure in its first year?

Again, I don't really want to get into a dispute about which is the more secure OS, just thought I would comment on the silly statistics being thrown around as evidence :)
 
I care waaaay more about the amount of vulnerabilities that were not fixed. Vista had about 40, whereas Ubuntu had about 15. Can you understand why, using that awfully flawed graph, I interpret that Vista was less secure in its first year?

To be fair, you can't argue with that. Surely it's about the amount of threats open to your computer, not the amount there were to start with?

It all depends on how long it took between vulnerabilities being there and when they were patched of course, but at the time of making that graph, the only logical conclusion to draw is that Ubuntu has less unfixed problems, and thus, less ways in.

However, say that graph is the product of a year's analysis, and both were patched up to the level they are at now the day before the graph was made, for 364 days, Vista was the most secure OS.

It really is a flawed graph.
 
Haha, the VC++ (/GS) then was easily defeated (http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf). I don't know what it's like these days.. GCC 2.7 had Stackguard support since (1999/1998). /GS in VC++ was around 2003-ish I think..
*shrugs* Not quite sure why you've turned this into a ****ing contest? :confused: End of the day all these little ring3 protections are futile... they are just there to make it harder. Compiler stack overflow protections were really just a stop-gap until the No Execute bit came along in processors.

If you take a look at how many programs on Vista are compiled with ASLR or using unsafe functions, Vista still has a way to go.
Yup... however at least around 95% of the core OS has got both DEP and ASLR enabled.

IE7 has DEP and ASLR actually. Little known fact... As long as you have UAC enabled and hence Protected Mode then it has DEP & ASLR. Because IE7 on Vista runs each tab/instance in a separate "worker process" called ieuser.exe which has extremely low security privileges as well as having DEP & ASLR. The parent process "iexplore.exe" is nothing more than a GUI shell.

See this screenshot:


I like the way they don't put any BSDs on there. OpenBSD would seriously skew the statistics.
It will be interesting seeing Server 2008's report in a year's time.

Then again, this is pointless.. this stuff will never be fixed until developers get a good security background.
To be honest any developer worth their salt knows about security nowadays.

Exactly, MS are known for silently patching security vulnerabilities as Product Updates/Enhancements. You can't compare the hundreds of packages in the Linux distro repositories with Vista core OS code.. It's like including 3rd party programs like flash/firefox etc.. I don't really know a good metric to compare OS security realistically..
0-Day Patch - Exposing vendors (in)security performance (http://www.blackhat.com/presentations/bh-europe-08/Frei/Presentation/bh-eu-08-frei.pdf). Gives some nice realistic statistics from the major OS vendors on 0-days. Who knows how many unreported vulnerabilities are out there.. I wouldn't like to guess.
To be fair many of the patches to Vista in the last year weren't "core OS". Many of them were just peripheral programs like even Windows Defender! Hunk of junk that it is...

I find that PDF a little misleading. I mean just from observing their graphs on the 3rd page they seem to be discounting the significance of actually getting the patch onto customer servers. It doesn't matter if you release a patch within 5 hours. If it takes another month or even years for that patch to reach 95% of your customers then you have still failed. Why is it seemingly only Microsoft that takes patch delivery very very seriously?
 