Stop Microsoft

All Things Microsoft => Microsoft Software => Topic started by: ReggieMicheals on 9 May 2006, 00:36

Title: Interesting...Windows security flaws < UNIX's?
Post by: ReggieMicheals on 9 May 2006, 00:36
http://www.us-cert.gov/cas/bulletins/SB2005.html
Quote
This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 Multiple operating system vulnerabilities.

A little old, but this just doesn't seem to add up...
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: WMD on 9 May 2006, 02:06
It probably counts the same thing in each distribution as its own.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: toadlife on 9 May 2006, 02:15
Quote from: WMD
It probably counts the same thing in each distribution as its own.

No it doesn't, but they do count vulnerabilities more than once. For example...

For linux/unix...

Quote
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)


And in Windows too...

Quote
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
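The double counting toadlife points at can be measured rather than eyeballed. What follows is an added example, not code from the thread or from US-CERT: it parses a constructed, bulletin-style index (the bracketed section headers and the sample lines are assumptions modelled on the entries quoted above; the real SB2005 page is not fetched), strips the "(Updated)" re-listing marker, and reports raw versus unique counts per section, plus which titles were re-listed most often.

```python
"""Deduplicate US-CERT-style bulletin index entries.

Added example, not part of the original thread. The index format below is a
constructed approximation of the SB2005 year-end listing: a bracketed section
header followed by one title per line, where updated advisories are re-listed
with an "(Updated)" suffix.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample input, built only from titles that appear in the thread.
SAMPLE_INDEX = """\
[Unix/Linux]
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
[Windows]
Microsoft Windows ANI File Parsing Errors
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Microsoft Windows ANI File Parsing Errors (Updated)
Winamp Arbitrary Code Execution
"""

UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$", re.IGNORECASE)
SECTION_RE = re.compile(r"^\[(.+)\]$")


def normalize_title(title: str) -> str:
    """Drop the '(Updated)' re-listing marker and collapse stray whitespace."""
    return " ".join(UPDATED_RE.sub("", title).split())


def parse_index(text: str) -> dict[str, list[str]]:
    """Map each section header to its raw titles, in document order."""
    sections: dict[str, list[str]] = {}
    current: str | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:  # titles before any header are ignored
            sections[current].append(line)
    return sections


def count_entries(text: str) -> dict[str, tuple[int, int]]:
    """Return {section: (raw_entry_count, unique_vulnerability_count)}."""
    out: dict[str, tuple[int, int]] = {}
    for section, titles in parse_index(text).items():
        unique = {normalize_title(t) for t in titles}
        out[section] = (len(titles), len(unique))
    return out


def most_relisted(text: str, n: int = 3) -> list[tuple[str, int]]:
    """Normalised titles with the most index entries, across all sections."""
    hits = Counter(
        normalize_title(t)
        for titles in parse_index(text).values()
        for t in titles
    )
    return hits.most_common(n)


if __name__ == "__main__":
    for section, (raw, unique) in count_entries(SAMPLE_INDEX).items():
        print(f"{section}: {raw} entries, {unique} unique")
    for title, n in most_relisted(SAMPLE_INDEX):
        print(f"{n:3d}x {title}")
```

On the constructed input the Unix/Linux section collapses from 4 entries to 1 and the Windows section from 5 to 2, which is the gap between "reported vulnerabilities" and distinct vulnerabilities that the headline 812 / 2328 split does not account for. Run against the real index, the same normalisation is the first step before any per-platform comparison means anything.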
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: TB on 9 May 2006, 05:14
Plus one must consider the whole closed/open source factor. Only Microsoft can truly know how many security holes Windows has.....assuming that they actually have people looking for them (a little voice inside me is saying they probably don't).
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: piratePenguin on 9 May 2006, 11:04
"Winamp Arbitrary Code Execution" ???
Is winamp part of Windows or something?
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: Aloone_Jonez on 9 May 2006, 11:33
It's total bullshit; you can only count vulnerabilities in core system components like the network services and kernel, and what's with counting the same ones more than once?
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: piratePenguin on 9 May 2006, 19:30
Quote from: Aloone_Jonez
It's total bullshit; you can only count vulnerabilities in core system components like the network services and kernel, and what's with counting the same ones more than once?
Even then it's still numbers.

Something like "one year on default Ubuntu + updates and one year on default Windows XP + updates - who's been safer?" would be more useful. (I can't imagine Windows not having its ass handed to it because, after all, it ships with IE with ActiveX enabled.)
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: inane on 10 May 2006, 02:48
These people are run by the National Cyber Security Division and according to Wikipedia "An audit of the division, conducted by DHS's inspector general Clark Kent Ervin, cast a negative view on the division's first year. Although the report praised the formation of the US Computer Emergency Readiness Team (US-CERT (http://en.wikipedia.org/wiki/US-CERT)) and its cyber alert system, the division received criticism for failures to set priorities, develop strategic plans and failing to provide effective leadership in cyber security issues."

Secondly keep in mind that they probably run on some POSIX variant...
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: Pathos on 10 May 2006, 10:16
The numbers are not indicative of the true number of security flaws.

But I think we have to realize XP has had no real enhancements since it was released, has been getting security reports for years and has only been making changes as required.

Linux is always being extended and I don't think it's had the same coverage that Windows has had in the past.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: H_TeXMeX_H on 15 May 2006, 06:18
How about this ... get a 1337 haxxor and ask him which system is easier to hack Window$ or Linux (when both are "properly configured") ... I'm betting on Window$. Or put them to the test, see which one is compromised faster, easier.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: toadlife on 15 May 2006, 06:26
Quote from: H_TeXMeX_H
How about this ... get a 1337 haxxor and ask him which system is easier to hack Window$ or Linux (when both are "properly configured") ... I'm betting on Window$. Or put them to the test, see which one is compromised faster, easier.

Well I've read on more than one occasion from security professionals that in *nix OS's, it is generally easier to escalate privileges than in Windows.


How would this "test" of yours work anyhow?
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: H_TeXMeX_H on 15 May 2006, 06:34
I dunno, take two identical computers, on one install Window$ on the other Linux, then beef them both up security-wise (harden them), and then get a group of 1337 haxxors and have them hack in remotely. As proof of entry they leave a text document behind or alter some part of the system. Then see which one takes longer to hack.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: toadlife on 15 May 2006, 06:45
Quote from: H_TeXMeX_H
I dunno, take two identical computers, on one install Window$ on the other Linux, then beef them both up security-wise (harden them), and then get a group of 1337 haxxors and have them hack in remotely. As proof of entry they leave a text document behind or alter some part of the system. Then see which one takes longer to hack.

Ok. If "hardening" meant, both would have firewalls enabled then nobody would ever get into either system. If it meant not enabling a firewall, but disabling all services, then nobody would ever get into either system. In order for the systems to be hackable at all, they would have to be running some sort of daemon.

How about IIS6 vs Apache?  If it were that, my money would be on Windows/IIS6.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: H_TeXMeX_H on 16 May 2006, 06:17
Come on ... I'm sure a real 1337 haxxor can hack anything :D
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: piratePenguin on 16 May 2006, 07:07
Quote from: toadlife
Ok. If "hardening" meant, both would have firewalls enabled then nobody would ever get into either system. If it meant not enabling a firewall, but disabling all services, then nobody would ever get into either system. In order for the systems to be hackable at all, they would have to be running some sort of daemon.

How about IIS6 vs Apache?  If it were that, my money would be on Windows/IIS6.
You mean "(Windows Server 2003 or Windows XP Professional x64 Edition) and IIS6", seeing as that's all IIS6 runs on.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: toadlife on 16 May 2006, 09:22
Quote from: piratePenguin
You mean "(Windows Server 2003 or Windows XP Professional x64 Edition) and IIS6", seeing as that's all IIS6 runs on.

Either/or. WinXP x64 is actually just Win2k3 x64 with the Luna theme pasted onto it. Look up the vulnerability history of IIS6 and you'll find that in the three years since it has been released there have been all of two discovered, and both of them would not be exploitable in a default installation, much less a hardened installation. In that same time frame there have been somewhere along the lines of 25 vulnerabilities discovered for Apache 1.x and 2.x.

Now, if the daemons running were Windows File and Printer Sharing (SMB) vs NFS/CUPS, I might have to put my money on Linux.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: piratePenguin on 17 May 2006, 23:30
Quote from: toadlife
Either/or. WinXP x64 is actually just Win2k3 x64 with the Luna theme pasted onto it. Look up the vulnerability history of IIS6 and you'll find that in the three years since it has been released there have been all of two discovered, and both of them would not be exploitable in a default installation, much less a hardened installation. In that same time frame there have been somewhere along the lines of 25 vulnerabilities discovered for Apache 1.x and 2.x.

Now, if the daemons running were Windows File and Printer Sharing (SMB) vs NFS/CUPS, I might have to put my money on Linux.
Apache mightn't be perfectly safe over a long period of time if you're not allowed to update. But if you could install updates, I'm sure it'd be just fine.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: Calum on 21 May 2006, 18:02
all statistics are lies.

the people who make decisions based on statistics should realise that they *must* understand how the data was collected, how it is totalled and what has been left out before they can even begin to understand what's going on.

to the uninformed, statistics (including all those TCO ones) can be made to show anything, literally.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: piratePenguin on 21 May 2006, 18:09
Quote from: Calum
all statistics are lies.
Only 73% of them are.
Title: Re: Interesting...Windows security flaws < UNIX's?
Post by: Aloone_Jonez on 21 May 2006, 18:10
The thing that bothers me is UNIX is a whole family of operating systems and Windows is just one (sorry, 2 if you count the 9x shit). Of course if you add up the vulnerabilities for all varieties of Linux and BSD + Solaris + (all the other UNIX clones) you'll get more than Windows XP + 2k + 2003 + (even I dare say 9x), it's just fucking obvious, damn there're some idiots around. :rolleyes: