Author Topic: Interesting...Windows security flaws < UNIX's? (Read 2859 times)

ReggieMicheals · « **on:** 9 May 2006, 00:36 »

http://www.us-cert.gov/cas/bulletins/SB2005.html

Quote

This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as a index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities.

A little old, but this just doesn't seem to add up...

WMD · « **Reply #1 on:** 9 May 2006, 02:06 »

It probably counts the same thing in each distribution as its own.

toadlife · « **Reply #2 on:** 9 May 2006, 02:15 »

Quote from: WMD

It probably counts the same thing in each distribution as its own.

No it doesn't but they do count vulnerabilities more than once. For example...

For linux/unix...

Quote

Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated) Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)

And in Windows too...

Quote

Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)

TB · « **Reply #3 on:** 9 May 2006, 05:14 »

Plus one must consider the whole closed/open source factor. Only Microsoft can truly know how many security holes Windows has.....assuming that they actually have people looking for them (a little voice inside me is saying they probably don't).

piratePenguin · « **Reply #4 on:** 9 May 2006, 11:04 »

"Winamp Arbitrary Code Execution" ???
Is winamp part of Windows or something?

Aloone_Jonez · « **Reply #5 on:** 9 May 2006, 11:33 »

It'd total bullshit, you can only count vunerabilities in core system componants like the network services and kernel and what's with counting the same ones more than once.

piratePenguin · « **Reply #6 on:** 9 May 2006, 19:30 »

Quote from: Aloone_Jonez

It'd total bullshit, you can only count vunerabilities in core system componants like the network services and kernel and what's with counting the same ones more than once.

Even then it's still numbers.

Something like "one year on default Ubuntu + updates and one year on default Windows XP + updates - who's been safer?" would be more useful. (I can't imagine Windows not having it's ass handed to it because, afterall, it ships with IE with ActiveX enabled.)

inane · « **Reply #7 on:** 10 May 2006, 02:48 »

These people are ran by the National Cyber Security Division and according to Wikipedia "An audit of the division, conducted by DHS's inspector general Clark Kent Ervin, cast a negative view on the division's first year. Although the report praised the formation of the US Computer Emergency Readiness Team (US-CERT) and its cyber alert system, the division received criticism for failures to set priorities, develop strategic plans and failing to provide effective leadership in cyber security issues."

Secondly keep in mind that they probably run on some POSIX variant...

Pathos · « **Reply #8 on:** 10 May 2006, 10:16 »

The numbers are not indicative of the true number of security flaws.

but I think we have to realize XP has had no real enhancements since it was released and has been getting security reports for years and has only been making changes as required.

Linux is always being extended and I don't think its had the same coverage that windows has had in the past.

H_TeXMeX_H · « **Reply #9 on:** 15 May 2006, 06:18 »

How about this ... get a 1337 haxxor and ask him which system is easier to hack Window$ or Linux (when both are "properly configured") ... I'm betting on Window$. Or put them to the test, see which one is compromised faster, easier.

toadlife · « **Reply #10 on:** 15 May 2006, 06:26 »

Quote from: H_TeXMeX_H

How about this ... get a 1337 haxxor and ask him which system is easier to hack Window$ or Linux (when both are "properly configured") ... I'm betting on Window$. Or put them to the test, see which one is compromised faster, easier.

Well I've read on more than one occassion from security professionals that in *nix OS's, it is generally easier to escalate priviledges than in Windows.

How would this "test" of yours work anyhow?

H_TeXMeX_H · « **Reply #11 on:** 15 May 2006, 06:34 »

I dunno, take two identical computers, on one install Window$ on the other Linux, then beef them both up security-wise (harden them), and then get a group of 1337 haxxors and have them hack in remotely. As proof of entry they leave a text document behind or alter some part of the system. Then see which one takes longer to hack.

toadlife · « **Reply #12 on:** 15 May 2006, 06:45 »

Quote from: H_TeXMeX_H

I dunno, take two identical computers, on one install Window$ on the other Linux, then beef them both up security-wise (harden them), and then get a group of 1337 haxxors and have them hack in remotely. As proof of entry they leave a text document behind or alter some part of the system. Then see which one takes longer to hack.

Ok. If "hardening" meant, both would have firewalls enabled then nobody would ever get into either system. If it meant not enabling a firewall, but disabling all services, then nobody would ever get into either system. In order for the systems to be hackable at all, they would have to be running some sort of daemon.

How about IIS6 vs Apache? If it were that, my money would be on Windows/IIS6.

H_TeXMeX_H · « **Reply #13 on:** 16 May 2006, 06:17 »

Come on ... I'm sure a real 1337 haxxor can hack anything

piratePenguin · « **Reply #14 on:** 16 May 2006, 07:07 »

Quote from: toadlife

Ok. If "hardening" meant, both would have firewalls enabled then nobody would ever get into either system. If it meant not enabling a firewall, but disabling all services, then nobody would ever get into either system. In order for the systems to be hackable at all, they would have to be running some sort of daemon.

How about IIS6 vs Apache? If it were that, my money would be on Windows/IIS6.

You mean "(Windows Server 2003 or Windows XP Professional x64 Edition) and IIS6", seeing as that's all II6 runs on.

Stop Microsoft

News:

Author Topic: Interesting...Windows security flaws < UNIX's? (Read 2859 times)

ReggieMicheals

Interesting...Windows security flaws < UNIX's?

WMD

Re: Interesting...Windows security flaws < UNIX's?

toadlife

Re: Interesting...Windows security flaws < UNIX's?

TB

Re: Interesting...Windows security flaws < UNIX's?

piratePenguin

Re: Interesting...Windows security flaws < UNIX's?

Aloone_Jonez

Re: Interesting...Windows security flaws < UNIX's?

piratePenguin

Re: Interesting...Windows security flaws < UNIX's?

inane

Re: Interesting...Windows security flaws < UNIX's?

Pathos

Re: Interesting...Windows security flaws < UNIX's?

H_TeXMeX_H

Re: Interesting...Windows security flaws < UNIX's?

toadlife

Re: Interesting...Windows security flaws < UNIX's?

H_TeXMeX_H

Re: Interesting...Windows security flaws < UNIX's?

toadlife

Re: Interesting...Windows security flaws < UNIX's?

H_TeXMeX_H

Re: Interesting...Windows security flaws < UNIX's?

piratePenguin

Re: Interesting...Windows security flaws < UNIX's?