
5,198 Software Flaws Found in 2005

Zonk posted more than 8 years ago | from the better-to-find-them-than-not dept.

Security 257

An anonymous reader writes "Security researchers uncovered nearly 5,200 software vulnerabilities in 2005, almost 40 percent more than the number discovered in 2004, according to Washingtonpost.com. From the article: 'According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems.'"


Axe Grinding (5, Informative)

alanw (1822) | more than 8 years ago | (#14370036)

Brian Krebs is clearly either extremely stupid, or has an axe to grind. If you look at the Cert Cyber Security Bulletin 2005 Summary [us-cert.gov], you can see that many of the lines in it end in "(Updated)". A simple count of lines gives the results that Brian quotes; however, there are far more "(Updated)" entries in the Unix/Linux Operating Systems section. Removing these lines gives the following results:

                including      excluding
                "(Updated)"    "(Updated)"
    Windows      813            671
    U/L         2328            891
    Multiple    2057           1512

(sorry about the spacing - can't find any way of doing it)

greatly reducing the proportion of Unix/Linux vulnerabilities

Re:Axe Grinding (5, Insightful)

ginotech (816751) | more than 8 years ago | (#14370049)

That is messed up. You're right, simply updating a vulnerability doesn't make it a new one. You know why Linux and co. have more updated ones, though? Because people can actually see the bugs in the code!

Re:Axe Grinding (5, Interesting)

click2005 (921437) | more than 8 years ago | (#14370088)

Where is the mention of seriousness of the flaws? How many allow root access or something else serious/critical instead of "clicking this button makes the tool tab disappear" or something.

They also fail to mention that a lot of these flaws are not in the OS itself (or essential components) but in 3rd party software.

A lot of the software isn't even included in a standard installation.

Re:Axe Grinding (4, Interesting)

someone300 (891284) | more than 8 years ago | (#14370070)

Also, isn't this more of a survey of the security flaws of the software running on the operating systems, rather than the operating systems themselves anyway? The article linked from the summary seems to imply that it's an OS flaw.

7-Zip isn't an OS vulnerability, nor is 4d web star.

Couldn't this be tilted against linux/unix/whatever due to the larger amount of crappy server/networking software available for it?

how about a real count... (0)

Anonymous Coward | more than 8 years ago | (#14370211)

I have seen numbers like this running around for some time. What I would like to see is *someone* actually define a number of categories (like OS, UI, Apps, Drivers, etc.) and then place specific *named* apps in those categories and then give me the numbers. So, how many of those bugs are actually OS/driver specific or are vectored through the UI, Apps, etc?

Re:Axe Grinding (0, Troll)

TrappedByMyself (861094) | more than 8 years ago | (#14370079)

Please describe your emotions as
1) You saw the initial numbers
"It can't be true, it just can't be true"
2) You realized there were many redundancies on the *nix side
"YES YES, I knew it!"
3) You started filtering, and the *nix number was dropping a lot
"Ha Ha, Woooo!!!"
4) *nix, in the end, still had a higher number than Windows.
"NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!!!!! !!!!!

Re:Axe Grinding (4, Interesting)

twiddlingbits (707452) | more than 8 years ago | (#14370148)

As someone pointed out, some of these "flaws" are not OS flaws but issues with application software, and the severity levels are not indicated. So, until the list is sorted accurately it's hard to tell if Win or *NIX was better.

The way I read the results, the *NIX list covers the whole set of OSes of this type. There are at least three major versions of UNIX (Solaris, AIX, HP-UX) and multiple releases/versions of each in production. I know that Solaris 8, 9 and 10 are all still supported by Sun in 2005 and that is a very big base of installed servers. There are about a dozen LINUX distros, some with several releases/versions in production. The Windows numbers cover XP, Win2K, Win2K server, Win2003 server. If you count desktops, the Windows installed base is bigger, meaning a flaw may affect more users.

However, until someone publishes a more detailed study, with the methodology described, we are ALL just speculating.

Re:Other issues (2, Informative)

symbolic (11752) | more than 8 years ago | (#14370370)


I've noticed that on some of the 'nix-based alerts, the initial "discovery" was made in 2004, but not reported by various distros until after the beginning of 2005. I also noticed that with some of them, ALL of the distros listed reported the problem in 2004, but then, someone else chimes in right after the beginning of 2005 (Avaya Security Advisory), basically restating what has already been announced by several other parties prior to 2005.

Re:Axe Grinding (2, Informative)

camcorder (759720) | more than 8 years ago | (#14370086)

Also, from a security perspective, I would like to know the ratio of remote vulnerabilities on these platforms and how many of them are DoS vulnerabilities versus more critical compromise vulnerabilities.

It's correct that a DoS vulnerability might actually be more critical than it was thought (as in the recent IE bug). I think numbers like these are very deceptive. From a user perspective I can say this year brought me lots of stupid worm mails which mostly targeted Windows platforms.

Re:Axe Grinding (4, Informative)

jc42 (318812) | more than 8 years ago | (#14370168)

Hey, you missed the even bigger method of increasing the unix/linux score: counting each distro separately.

Thus, if you go to distrowatch.com, you find 100 distros for linux alone. So for most actual kernel bugs, you can count each one at least 100 times. And for apps that run on all unix releases, the multiplier can be a lot higher.

Of course, there are several distros of Windows, too. But not nearly as many, and the people adding up the bug counts somehow always seem to miss this trick with Windows.

Anyone else got a favorite way of producing misleading bug scores?

Re:Axe Grinding (2, Insightful)

pintomp3 (882811) | more than 8 years ago | (#14370263)

TFA keeps talking about vulnerabilities and flaws interchangeably. a flaw doesn't mean a vulnerability. although i believe updates should be included in the tally, the tally is trivial. few of the unix/linux flaws make your computer vulnerable compared to the windows ones. that is more a design issue though.

Re:Axe Grinding (-1, Troll)

cjjjer (530715) | more than 8 years ago | (#14370335)

You are saying because there are "updates" then the flaws don't count? The code in question obviously was vulnerable at one point in time and an update was created. Now who has an axe to grind or is stupid?

first post? (-1, Offtopic)

bladx (816461) | more than 8 years ago | (#14370040)

first post?

The state of security (4, Insightful)

Ckwop (707653) | more than 8 years ago | (#14370041)

There are two ways to look at this. I would say that it is quite unlikely that the quality of software with respect to security went down in 2005. Computer security now has such a high profile that software houses across the world are spending many dollars trying to provide better security.

If you accept that security quality has not gone down, then you must conclude our ability to detect vulnerabilities is getting better. This is universally a good thing. Every vulnerability the "good guys" find before the "bad guys" is one we can have a fix for before the bad guys take over our system.

Then there's the other side of these figures. That's a lot of vulnerabilities. Now, fair enough, not all vulnerabilities are created equally, but I'd bet at least 10% are serious enough to get your system taken over if you're not careful. That's a lot of ways to break in to my system and it's a lot of work to make sure you're not vulnerable.

We have such a long way to go. For example, in PHP if they'd just follow Microsoft's example and put a SQL injection and XSS attack filter on information passed to web-pages we could close a serious hole in many web-applications. I've not looked at Ruby on Rails but I bet it fails this test too.

For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C. Not now, not after 20 thousand hours of training, not ever. Sure, it's possible to write secure C in theory, but the difference between theory and practice is that in theory they're the same and in practice they are not. In practice, you have deadlines; in practice you have people on the team who have less security training than others; in practice you have developers who have just had children and don't get a lot of sleep. In practice, people make mistakes. Code reviews may help but they won't remove everything. If you write your software in C you're doomed to having silly security bugs. If you want to remove most of the worry about overflows, use a language that rules them out.

Another thing, why should code we execute on our computers run at the maximum privilege set of the user who is running it? Suppose my program checks a HTTP page against an MD5 hash periodically and sends an SMS through an internet based SMS gateway. Why should that program, if it wants to, be allowed to access the disk? I don't know about Java but C# has got a set of attributes that can control this type of behaviour. Really, we should be forcing declarations at the language level about what permissions each method of the program needs - the default being none of course.

Simon.

Re:The state of security (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14370100)

Whats the fucks wrong with you?

get up on the worng side of the bed?

Its perfictly possible to write secure c! There are many examples of this

its just that too many idiodt don't even think about security!

Re:The state of security (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14370105)

Whats the fucks wrong with you?

get up on the worng side of the bed?

Its perfictly possible to write secure c! There are many examples of this

its just that too many idiodt don't even think about security!


You can't even write secure English!

Re:The state of security (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14370140)

Sorry but I'm English Second Language...

My first language is C!

Re:The state of security (0)

Anonymous Coward | more than 8 years ago | (#14370121)

For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C. Not now, not after 20 thousand hours of training, not ever.
Save it for Dan Bernstein [cr.yp.to] because C and ASM are still the only choices for coding performance sensitive applications. Read my lips: YOU CAN WRITE INSECURE CODE IN ANY LANGUAGE.

Re:The state of security (2, Interesting)

Decaff (42676) | more than 8 years ago | (#14370146)

because C and ASM are still the only choices for coding performance sensitive applications

No. If you look at an area where performance and reliability are critical, you will find that Ada is the dominant language (with Java having increasing use)

Re:The state of security (0)

Anonymous Coward | more than 8 years ago | (#14370158)

I was right with you until you mentioned Java, thanks for the laugh.

Re:The state of security (1)

Decaff (42676) | more than 8 years ago | (#14370299)

I was right with you until you mentioned Java, thanks for the laugh.

Enjoy your laugh. Boeing is using Java for real-time aeronautics.

Re:The state of security (3, Interesting)

Decaff (42676) | more than 8 years ago | (#14370329)

I was right with you until you mentioned Java, thanks for the laugh.

http://mae.pennnet.com/Articles/Article_Display.cfm?Section=Articles&ARTICLE_ID=234337&VERSION_NUM=2&p=32 [pennnet.com]

"Aonix engineers have demonstrated hard-real-time Java that reaches the run-time efficiency of C, which makes it able to meet the needs of command-and-control applications such as network-centric warfare, Future Combat Systems, and low-level telecommunications control-plane software, Aonix officials say."

"The Navy Open Architecture guidelines also state that all new development will be done in Java and C++, he adds. "

Laughing now? Or perhaps feeling a little foolish?

Hard real-time != fast (1)

Anonymous Brave Guy (457657) | more than 8 years ago | (#14370399)

It's fascinating that there are two replies to the GPP post mentioning using Java in a real-time context, as if that somehow implies that its performance is equivalent to something like C or C++. "Hard real-time" and "fast" are completely different qualities, and having one does not imply the other either way around.

Re:The state of security (1)

Fordiman (689627) | more than 8 years ago | (#14370159)

Please take, for example, the well-tested sections of the Linux kernel.

If you have some issues with the performance, reliability or security of Linux, look sidelong to the Mach kernel.

Now, if you don't mind, please pull your head from your ass.

Re:The state of security (1)

Decaff (42676) | more than 8 years ago | (#14370313)

Please take, for example, the well-tested sections of the Linux kernel.

If you have some issues with the performance, reliability or security of Linux, look sidelong to the Mach kernel.


I have no issues with the performance or reliability of Linux or Mach. Did I say otherwise?

What I have issues with is someone saying that only C or assembler are suitable for critical high-performance work. Other languages have been used for this for decades. It is just that C has been the traditional language of Unix/Linux for a long time.

Now, if you don't mind, please pull your head from your ass.

Great way to debate. Perhaps you might want to actually educate yourself about such matters before posting?

Re:The state of security (1, Troll)

fimbulvetr (598306) | more than 8 years ago | (#14370196)

DJB writes his software exactly like he wants. No features, no options, etc. Qmail needs special patches that he hasn't blessed to read from ldap. Djbdns won't even listen on a different port unless you edit the code manually.

Calling his code secure is like buying a 1929 Model A and saying the wiring is reliable. There is nothing outside of the coil/spark plugs. The power windows/locks/brakes/steering/fuel pump never fail, because it's impossible for them to.

Plus it's always nice when you get to deny that flaws exist in your software and your rabid fan guild protect you to the death.

A better example of a secure code writer is W. Venema or even Torvalds.

Re:The state of security (5, Interesting)

canuck57 (662392) | more than 8 years ago | (#14370186)

For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C.

I beg to differ; C can be really secure if written that way. The problem comes in that most people do not know how C works inside, yet they code something. Then of course to your next point:

Code reviews may help but they won't remove everything.

This would solve a lot of issues. How many environments routinely run bounds checking and code reviews for functionality AND security? How many people who really understand C reviewed the code?

And security problems are not just C problems; any language like Java, .NET, PHP, C# can also have its issues. CERT and others concentraight on the operating systems that we all use but generally skirt application security, which can be very bad. Job schedulers written in Java that allow root access, data warehouses that give up encoded (but not encrypted) UIDs/passwords over the net, the list is long. And how many people use unencrypted telnet/ftp/imap/pop3 even though secure options exist? I know senior NT and UNIX admins that don't know what a key pair is, let alone what a certificate chain is. But they have a half dozen certifications.

But secure code begins with its priority in design, and takes more time to code no matter what language you use. Having knowledgeable coders helps a lot. But we are in a day and age where we only want cheap coders. And here is a hint: cheap coders are never good coders or they would not be cheap. Therein lies the issue: more time is something people do not want to spend, either in training, coding or review.

Re:The state of security (2, Funny)

dsanfte (443781) | more than 8 years ago | (#14370404)

I've never seen "concentrate" spelled quite like that. +2 points for originality.

Re:The state of security (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14370194)

The real problem is the religious fucken bullshit about languages.

When anyone says language x is secure because y, they are not on the lookout for issues in their code.

Anyone with this attitude will write insecure code!

Re:The state of security (0, Flamebait)

DrSkwid (118965) | more than 8 years ago | (#14370240)

secure C is perfectly possible

stop trolling f00l

Language choice? (2, Informative)

Anonymous Coward | more than 8 years ago | (#14370046)

I would like to see some data showing the correlation between applications written in unmanaged languages and those with buffer overflow and similar exploits.

Modern unmanaged C++ is fine (STL containers instead of arrays, RAII, etc.), but I often wonder why people still write in C at all, particularly when it comes to Open Source software. We are not the bearded heroes of the 70s - it's time to write in a modern language. If you don't want to sacrifice speed and system level programming for a managed environment, write in modern C++.

Re:Language choice? (3, Insightful)

penguin-collective (932038) | more than 8 years ago | (#14370164)

Modern unmanaged C++ is fine (STL containers instead of arrays, RAII, etc.),

Modern unmanaged C++ is NOT fine; STL permits many kinds of bugs that are analogous to buffer overflows. Furthermore, modern software systems are composed of many different modules, and just because you happen to be careful in your modules doesn't mean others are careful in theirs. Finally, without full garbage collection, you cannot have full runtime safety.

but I often wonder why people still write in C at all, particularly when it comes to Open Source software.

People prefer C to C++ because for the small increase in safety that C++ gives, it's far too complicated and complex a language. People don't use languages other than C/C++ because those languages interoperate poorly with existing C/C++-based libraries (this is C/C++'s fault), tend to have bloated runtimes, and have only a tiny user community. And, yes, many people don't even realize that there is a problem.

We are not the bearded heroes of the 70s - it's time to write in a modern language.

The bearded heroes of the 70s actually knew better. Back in the 1970's and 1980's, C was of no significance. When people were using HLLs back then, those languages were generally a lot safer than C. The rise of C was a historical accident, related to the rise of BSD UNIX and microcomputers.

But, yes, I share your sentiment: it would be good to see security bugs by language choice. And I'll give you this much: C++ is an improvement over C, but it's not a solution.

Re:Language choice? (1)

Fordiman (689627) | more than 8 years ago | (#14370165)

Really simple, actually: C requires less planning, is easier to learn, and is more likely to be guaranteed cross-platform. If you're writing a simple command-line utility for your own use, it's either C or shell scripting.

Re:Language choice? (1)

jacksonj04 (800021) | more than 8 years ago | (#14370368)

Perl, Python, Ruby...

Re:Language choice? (4, Insightful)

jc42 (318812) | more than 8 years ago | (#14370212)

I often wonder why people still write in C at all, ...

Well, my last big project was written almost entirely in C for the simple reason that that's what the client wanted. We did a lot of prototyping in perl and python, but that code wasn't acceptable for delivery; we had to rewrite all the production code in C. If not, it wouldn't be accepted.

Much of the explanation was that the client had accepted C++ and java in earlier projects, and they were disasters for all the familiar reasons. They were determined that this wouldn't happen again, so they went with a "proven" language with a track record of use in major successful systems.

Similarly, I have a couple of friends who recently did a project in Cobol. They hated it, but they wanted to get paid, and that's what the client would accept.

In the Real World[TM], the decision about which language to use is very often made by managers who aren't programmers and don't have a clue about the real issues. So they make decisions based on things that they can understand and measure.

Re:Language choice? (0)

Anonymous Coward | more than 8 years ago | (#14370214)

While using STL certainly makes the code cleaner than plain C, it does not significantly improve security.
There are still myriads of ways to overrun a buffer, use an uninitialized variable or iterator, etc.

For example:
        #include <vector>     // std::vector (vector below means std::vector<int>)
        #include <algorithm>  // std::copy

1) Uninitialized iterators pointing to random memory
        std::vector<int>::iterator it; // using *it or *(it+index) now may lead to system compromise

2) Iterators pointing to random memory due to violation of STL container semantics:
        std::vector<int> vec;
        vec.push_back(123);
        std::vector<int>::iterator it = vec.begin();
        vec.push_back(456); // may reallocate and invalidate it: using *it or *(it+index) now may lead to system compromise

3) Buffer overruns
STL copying/transformation algorithms do not provide any protection against buffer overruns.
        std::vector<int> vec1; // ... fill vec1 with data
        std::vector<int> vec2;
        vec2.resize(100);
        std::copy(vec1.begin(), vec1.end(), vec2.begin()); // if vec1 had more than 100 integers, we have a potential for system compromise

4) Using incompatible iterators (mostly due to typos) in algorithms
        std::vector<int> vec1; // fill vec1
        std::vector<int> vec2;
        vec2.resize(vec1.size());
        std::copy(vec1.begin(), vec2.begin(), vec2.end()); // attempt to copy vec1 elements to vec2 (typo: the range should be vec1.begin(), vec1.end(), destination vec2.begin())
Whoa - a typo!
We have copied all the elements in vec1, then a chunk of memory between the end of vec1 and the beginning of vec2, and all this data was copied *past* the end of vec2.
This is almost certainly exploitable.
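The four hazards in the post above, each rewritten so that the container's own size bounds every copy and read; this is an added example, not code from the original post, and the function names and sample values are constructed for the demonstration.

```cpp
// Added example (not from the original post): hardened forms of the four
// STL pitfalls listed above. Function names and sample data are constructed.
#include <algorithm>
#include <cstddef>
#include <iterator>
#include <stdexcept>
#include <vector>

// Pitfall 1 hardened: never hold an unbound iterator; read through at(),
// which throws std::out_of_range instead of reading random memory.
int element_checked(const std::vector<int>& v, std::size_t i) {
    return v.at(i);
}

// Helper for the demo: reports whether element_checked rejected the index.
bool rejects_index(const std::vector<int>& v, std::size_t i) {
    try {
        element_checked(v, i);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Pitfall 2 hardened: an iterator taken before push_back stays valid only if
// no reallocation happens, so reserve the final size first (or use an index
// instead of an iterator).
int first_after_push(std::vector<int> v, int extra) {
    v.reserve(v.size() + 1);                 // guarantees push_back will not reallocate
    std::vector<int>::iterator it = v.begin();
    v.push_back(extra);                      // capacity suffices: 'it' remains valid
    return *it;
}

// Pitfall 3 hardened (a): let the destination grow to fit instead of
// trusting that it was pre-sized; back_inserter calls push_back per element.
std::vector<int> copy_grow(const std::vector<int>& src) {
    std::vector<int> dst;
    dst.reserve(src.size());
    std::copy(src.begin(), src.end(), std::back_inserter(dst));
    return dst;
}

// Pitfall 3 hardened (b): copying into a fixed-size destination copies at
// most dst.size() elements and returns how many were copied; it never
// writes past the end of dst.
std::size_t copy_bounded(const std::vector<int>& src, std::vector<int>& dst) {
    const std::size_t n = std::min(src.size(), dst.size());
    std::copy_n(src.begin(), n, dst.begin());
    return n;
}

// Pitfall 4 hardened: both functions above take whole containers rather
// than iterator triples, so a begin/end pair from different containers
// (the typo in the post) cannot be expressed at the call site.

int main() {
    std::vector<int> big = {1, 2, 3, 4, 5};      // constructed sample input
    std::vector<int> small(3);                   // too small for all of big
    std::size_t copied = copy_bounded(big, small);  // 3 elements, no overrun
    std::vector<int> grown = copy_grow(big);     // 5 elements, dst grew to fit
    int first = first_after_push(std::vector<int>{123}, 456);  // 123, iterator still valid
    (void)copied; (void)grown; (void)first;
    return 0;
}
```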

Slashdot ate my angle brackets (0)

Anonymous Coward | more than 8 years ago | (#14370241)

vector was meant to be a vector<int>.

Re:Language choice? (1)

exa (27197) | more than 8 years ago | (#14370377)

Most programmers are too lazy/stupid to learn standard C++ or another better language.

Hooray \o/ (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14370047)

So Microsoft indeed is more secure than Unix/Linux.

Oh, off to switch back to windows ->

Re:Hooray \o/ (2, Insightful)

spike1 (675478) | more than 8 years ago | (#14370080)

So, where did you read that windows is more secure all of a sudden?

You didn't take those figures at face value did you?
Those figures said they were for linux AND other unix variants like OSX...

So, 2500 between OSX, openBSD, netBSD, freeBSD, Linux, Solaris, etc... (not to mention all the flaws listed for the different linux distributions probably got duplicated across several distros)

versus 900 for windows
(I'm rounding up)
Was this 900 split between 95/98/98SE/ME/2000/XP/Vista?
or just for XP?

There're lies, damned lies, and statistics

OSOS (3, Funny)

Konster (252488) | more than 8 years ago | (#14370053)

812 flaws in the Windows operating system? When did they start counting flaws? December 28th?

Re:OSOS (0)

Anonymous Coward | more than 8 years ago | (#14370162)

I expected to see 5197 of them in IE alone...

Re:OSOS (1)

TubeSteak (669689) | more than 8 years ago | (#14370311)

I think you're confusing the "Error Report" window with "flaws"

Error Reports are a feature, not a bug.

Explorer vs Firefox (5, Funny)

dynamo52 (890601) | more than 8 years ago | (#14370060)

Firefox: 1
Explorer: 45
Explorer wins!

Re:Explorer vs Firefox (0)

Anonymous Coward | more than 8 years ago | (#14370078)

You may want to revise that statement when you've actually had a look at the article.

Re:Explorer vs Firefox (1)

dynamo52 (890601) | more than 8 years ago | (#14370085)

It was a joke.
I was referring to the amount of vulnerabilities listed for each.

Re:Explorer vs Firefox (1)

Kawahee (901497) | more than 8 years ago | (#14370157)

That made me laugh. To the dumbass who didn't get the joke, register a /. account so we can mod down your karma.

This count must be wrong! (3, Funny)

corvair2k1 (658439) | more than 8 years ago | (#14370063)

I've released more than that by myself this year!

Re:This count must be wrong! (1)

rapidweather (567364) | more than 8 years ago | (#14370249)

Me too. Count all the bugs for apps that don't work right the first time around, also.
As far as all of the security bugs go, I suppose that includes us LiveCD people.
Probably doesn't matter how one gets the OS up and running, HD or CD, it will have bugs, etc.
I do write C++ apps similar to what is found in Knoppix, and use TCL/TK also.
Somehow, though, I feel better running my Knoppix remaster than using XP or (gasp) Windows 98 when going on the internet. I use both Dial Up and Cable Broadband, and sometimes turn the Broadband off if I do not have to connect to the internet at the time. Just to be safe.
I do that all the time when using XP. I did have that OS become unbootable once, and spent $240 on a new hard drive and security software to get it running again. Looking at the bright side of that, I do have 320 GB of space now, it's just that 120 GB of it is not bootable anymore. The only problems I have had with Knoppix machines are the power supply going out from adding too many cards, etc. That has nothing to do with the OS.
I am thinking about doing apt-get install firestarter on my Knoppix remaster, but I hesitate to put something in there that will keep the ordinary user as busy as the XP users updating their security software, spending time doing that rather than what they wanted to do in the first place. I have run Firestarter on Debian hard drive installs, and it does a nice job, so I am leaning toward putting it in.

Original Article from us-cert (0)

Anonymous Coward | more than 8 years ago | (#14370066)

http://www.us-cert.gov/cas/bulletins/SB2005.html [us-cert.gov]

Summary does not even bother to link the original article!

Excellent news! (0)

Anonymous Coward | more than 8 years ago | (#14370071)

"According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)."

Excellent news! I think it's clear now that Windows OS is about three (3) times more secure than Unix/Linux/Mac!

Oh, wait a minute... [slashdot.org]

Re:Excellent news! (1)

canuck57 (662392) | more than 8 years ago | (#14370236)

Excellent news! I think it's clear now that Windows OS is about three (3) times more secure than Unix/Linux/Mac!

One could also view this differently. MS is closed source, so if that many were found by people who don't have the source how bad would it be if they had the source?

The second issue is with Linux sources: the bugs are being vetted out of the code at a much faster pace, making it ultimately more secure.

Statistics lie when taken out of context. We could also look at the tally of "infections" as it may also be an indication of the ease and severity of vulnerabilities - and certainly the impact to society.

Re:Excellent news! (1)

TubeSteak (669689) | more than 8 years ago | (#14370353)

Are the Linux bugs that "are being vetted out of the code at a much faster pace..." new bugs or old ones?

Linux is constantly adding new code while Microsoft is pretty much patching their existing code base. SP2 added new features to WinXP, but it also borked a lot of installations at its launch.

I just wonder how many of the patches are for old code compared to relatively fresh stuff. EX. the wmf exploit is based on code that's been lying around since Win98

Microsoft... (1)

zsadiq (942364) | more than 8 years ago | (#14370075)

I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue.

I'd love to know just what percentage of those reported Windows flaws have been fixed. For that matter, it would be lovely to know that for all of the flaws reported last year.


Anyone?

And is this the first year that these statistics have been gathered on a scale like this?

Re: Microsoft... (1)

ncurtain (937487) | more than 8 years ago | (#14370124)

Which Windows Operating System are they talking about or should IRTFA?

Re: Microsoft... (1)

zsadiq (942364) | more than 8 years ago | (#14370152)

Mostly XP SP2 I believe.

Please don't hold my balls to it though.

519,8 pickup-tries (1)

maggern (597586) | more than 8 years ago | (#14370093)

5198 bugs is interestingly exactly 10% of the number of times I tried picking up girls at bars in 2005. ...they kept calling me a creep, not a bug, though. *cough* *cough*

Re:519,8 pickup-tries (0)

Anonymous Coward | more than 8 years ago | (#14370128)

Hell, man, with wit like that, the chicks ought to be throwing themselves at you. Really.

Re:519,8 pickup-tries (1)

Paradise Pete (33184) | more than 8 years ago | (#14370303)

Ya gotta admire his stamina, though. That's 142 attempts per day.

It's da new style (1)

Lime Green Bowler (937876) | more than 8 years ago | (#14370096)

Finding software flaws -ahem- 'exploits' ... is en vogue at the moment. Unfortunately this is also the catalyst for additional needless security, DRM, policies. Instead of putting resources towards development or improvement, the resources are wasted on finding minute problems. Sure this effort could make software better for the future (reliable, secure), but the bureaucracy is putting us farther behind, and is creating more work with less usable results.

shocking numbers (4, Interesting)

CDPatten (907182) | more than 8 years ago | (#14370099)

"researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes then IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.

"I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue. "

MS always has an attached KB article that details everything their patch does. I don't think that statement is denial.

I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.

Re:shocking numbers (2, Insightful)

penguin-collective (932038) | more than 8 years ago | (#14370149)

If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances?

No, it doesn't. First of all, there are a dozen different versions of UNIX and Linux, each with their own set of flaws. MacOS is an almost entirely different system except for a kernel compatibility module and a bunch of command line utilities. Second, the number of bugs discovered or number of bugs fixed tells you little about the security of an operating system. Individual bugs have very different consequences for system security.

I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.

If you are using numbers like these to make an argument that MS products are "more secure", the zealot is you. But, then, you already admitted as much.

a nugget of wisdom (0, Troll)

User 956 (568564) | more than 8 years ago | (#14370170)

If you are using numbers like these to make an argument that MS products are "more secure",

I've got a nugget of wisdom for you: Whichever OS is the most popular is going to end up being the least secure. It doesn't matter who makes it.

Re:a nugget of wisdom (0)

Anonymous Coward | more than 8 years ago | (#14370252)

The operating system running on the greatest amount of computers in the world at this time is TRON/iTRON. It's not the least secure, as it's very simple.

If security only had a direct correlation with how many were using a piece of software, there would be no need for good design practices at all.

Re:a nugget of wisdom (2, Insightful)

wnknisely (51017) | more than 8 years ago | (#14370274)

Counter nugget:

Count the number of IIS exploits vs Apache and correlate to the number of installations. If your logic held, there should be many many more exploits out there for Apache.

Re:a nugget of wisdom (1)

j.bellone (684938) | more than 8 years ago | (#14370307)

Yes, but we're talking about Desktop operating systems here. You can't buy Apache at Best Buy.

Re:a nugget of wisdom (1)

User 956 (568564) | more than 8 years ago | (#14370308)

Web server != entire operating system. thanks for playing.

Re:a nugget of wisdom (2, Insightful)

imroy (755) | more than 8 years ago | (#14370380)

So why don't web servers count when 'entire operating systems' do? Web servers are always connected to some sort of network, if not the Internet. They wouldn't be much use otherwise. They often have all sorts of modules/plugins loaded, some third-party. They often have to run all sorts of interpreted languages (Perl, Python, PHP, ASP, etc) with scripts written by all sorts of people. They can also run other executables on the host system. They often have to access a database, either on the same machine or over the network. They often send email and even receive it (e.g. confirmation emails).

Most importantly, they're often very public machines (not including intranets). And they can be holding (or have access to) very valuable data, e.g. banking details, email addresses, passwords. Web servers may be out-numbered by desktop machines, but they're still very attractive targets.

So, would you like to have another try at explaining why Apache HTTP server has been the most used web server [netcraft.com] for almost ten years now, but is not the most attacked?

Re:a nugget of wisdom (1)

jerw134 (409531) | more than 8 years ago | (#14370357)

IIS (2) [secunia.com] vs. Apache (29) [secunia.com]

Re:shocking numbers (1)

Fordiman (689627) | more than 8 years ago | (#14370178)

I'd like to see the numbers for basic core applications.

For example, on the windows side, problems with the OS and core packages. Things like notepad, control panel, wordpad, etc, and on the linux side, you'd have to do some averaging: Linux 2.4 v 2.6, KDE v. Gnome core apps. Meanwhile a comparison between Openoffice and Office would be in order. It's been a while since the last good study of how one works next to the other in their 'native' environments.

Re:shocking numbers (0)

Anonymous Coward | more than 8 years ago | (#14370226)

> I'd like to see the numbers for basic core applications.

I agree. Are we comparing apples with apples when looking at these numbers? Since a windows installation limits what you can avoid installing, while some linux installations install 5 different text editors, and multiple browsers, etc., and these all have some holes, what would just the core show?

Re:shocking numbers (1)

shaitand (626655) | more than 8 years ago | (#14370349)

I'd like to see OS versus OS. For linux you count kernel flaws (everything else is user space and can be swapped out with other apps). For windows you count flaws in the software that remains after you remove everything you can through proper channels (uninstall, not simply delete).

Not so shocking ... (4, Insightful)

lasindi (770329) | more than 8 years ago | (#14370221)

"researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes then IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.

If you look at the first post [slashdot.org] , you'll see that the real count of vulnerabilities isn't so shocking after all:

Windows 671
UNIX/Linux 891
Multiple 1512
Also, when you consider the fact that "UNIX/Linux" includes many different operating systems (e.g., GNU/Linux, *BSD, OS X, etc.), you can't give any one Unix operating system the blame. Remember that although some code is shared between projects, GNU/Linux and the *BSD are more or less completely different code bases. In any case, the simple counts of vulnerabilities don't take into account the severity of each, so the real winner is even more ambiguous.

I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.

While Brian Krebs might be tainted by his misrepresentation (see the post I got the numbers from), I can't imagine anyone here claiming that US-CERT is somehow a bunch of MS zealots. In fairness to Microsoft, they've definitely come a long way with SP2, and I don't feel nearly as vulnerable when using an SP2 machine as I did with previous Windows versions (though the recent WMF hole makes me a bit more worried). But they're still nowhere near the point where I would switch from Linux.

Your not a troll, just an idiot (1)

SmallFurryCreature (593017) | more than 8 years ago | (#14370344)

Windows is one OS with 800 bugs, unix/linux/os-x/bsd is a whole collection from a whole slew of different companies.

Only a MS-tool would not instantly spot this. Others have already pointed this out but of course they are just Unix and OS-X and BSD and Linux hippies. Oh and which OS makes it unsafe to simply browse the web right now? Thank you. Bill Gates called, he is about to take a dump and needs you to swallow it all.

All this article shows is how easily statistics can be used to tell a complete lie.

Does Redmond... (0)

Anonymous Coward | more than 8 years ago | (#14370102)

...report all the flaws to CERT that they find internally? Is CERT counting all open source project flaws then comparing that number to a limited number of windows-shipped products and ignoring most third party windows apps because they are closed source and those devs aren't in the habit of revealing vulnerabilities if they don't have to? I mean, there's a rather glaringly LARGE difference with what you get with a windows XP operating system direct from Redmond or any of the big box vendors compared to any of the major distros and what comes on their disks. What's a "system" then?

I looked at the CERT link from the blog link in this article, where are all the windows apps? That list is ALL the windows third party apps vulns? Why am I not believing this? Are all the third party windows apps devs actually reporting vulns, or just shipping new and improved and clamming up over anything they find?

Good thing CERT has a disclaimer at the top saying they have no idea if any of what they have there is complete or not, or even true. At best this CERT list is a really vague guess.

Well, it's how you look at it... (0)

Anonymous Coward | more than 8 years ago | (#14370109)

Let's compare entries in the vulnerability database.

Linux
Optimistic TCP acknowledgements can cause denial of service
Gaim vulnerable to HTML processing denial of service

Windows
Windows XP
Windows 2000

Yes, I can see where those numbers come from.

Sensational, and meaningless (0)

Anonymous Coward | more than 8 years ago | (#14370116)

I'm sure all of us on Slashdot can see that these numbers have little meaning, because:
  • You find where you look. If people started looking for security flaws in NetBSD and stopped looking everywhere, surprise, we would find thousands of flaws in NetBSD and none anywhere else, telling us... nothing
  • More people looking will (generally) mean more holes are found.
  • The definition of a security vulnerability changes over time, and depends on the vendor. One man's feature is another man's vulnerability.

One bad thing is that software is getting more complicated and secure design methodologies are lagging behind. We've had secure development environments like Java for a long time now, and we have known for the past decade that large pieces of software developed in unsafe languages (C) can never be safe, and yet... we continue to use these unsafe tools. Until tools and design methodology change, we're going to keep having more holes as software systems get bigger.

Someday that will change. People will (eventually) shift to "safe" languages, where "safe" means no unchecked memory access, bounds checking on arrays, type safety, etc. The more we get to that the fewer vulnerabilities we will be seeing.

---------------
Drag-and-drop file upload [chiralsoftware.net] in your browser

Mod parent idiot. (0)

Anonymous Coward | more than 8 years ago | (#14370229)

I should like to note that I would be very impressed with any language which does not allow direct memory access and which doesn't need one that does in order to function.

Also, using Java as an example of a secure development environment is like using OS/2 as an example of a secure OS: Nobody uses it, so you can't prove it's secure.

Do the math... (0, Offtopic)

Ancient_Hacker (751168) | more than 8 years ago | (#14370119)

800-some isn't so bad. Do you remember when part of the Windows source code got out, and a little GREPping showed about 48,000 uses of untamed strcpy, strcat and sprintf?

If you assume only 5% of those calls could overflow a buffer, Windows is doing 4x better than expected!

UnixWindows (1)

harris s newman (714436) | more than 8 years ago | (#14370123)

Well, which were more serious?

These numbers are meaningless. (4, Informative)

master_p (608214) | more than 8 years ago | (#14370141)

Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?

Seriously now, these numbers are useless without mentioning lines of code and programming languages. Suse Linux 9.3, for example, has over 7,000 RPMs, which is an enormous amount of software.

Absolute bug numbers are meaningless.

Re:These numbers are meaningless. (0)

Anonymous Coward | more than 8 years ago | (#14370207)

----Pick your comment------

1. A feature is a bug with seniority
2. My software never has bugs. It just develops random features.
3. Bugs come in through open Windows

I choose 3.

Re:These numbers are meaningless. (1)

TubeSteak (669689) | more than 8 years ago | (#14370216)

There are lies, damn lies and statistics.

This is why absolute numbers are meaningful.

This isn't necessarily directed at your statement (because you're asking for more hard numbers in the form of programming languages and lines of code) but it's worth saying.

Yes, we can weight the various bugs to make the comparison more 'accurate', but the second we begin doing that, we've injected someone's opinion of what is and isn't important.

Admittedly, you could extend the superficial analysis the author did without having to start making assumptions, but then we'll criticize that analysis too.

To illustrate my point: Would it be fair to say that (as far as the entire world is concerned) a bug in Mac OSX isn't nearly as important as a bug in Windows, no matter how serious the flaw is?

Don't forget, when /.'ers say "you usually end up with x number of bugs per million lines of code," that's just an avg/best guess

Re:These numbers are meaningless. (1)

fimbulvetr (598306) | more than 8 years ago | (#14370225)

It's also meaningless because it unfairly groups Apple in with Linux/Unix. Solaris might have its share of bugs, and linux surely has exploits more often than we'd like, but if you browse through the Apple vulnerabilities, you'd see that most of them are blatant, stupid oversights that people should be fired for. I wouldn't be surprised if Apple has the majority in the unix/linux group - commonalities aside.

Apple needs to get someone who knows a thing about security, because the false belief "it's unix, it's secure" is about to crumble.

Re:These numbers are meaningless. (1)

Paradise Pete (33184) | more than 8 years ago | (#14370276)

Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?

Maybe. Go ahead and post it so the judges can see for themselves.

Re:These numbers are meaningless. (1)

FromWithin (627720) | more than 8 years ago | (#14370305)

Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?

Well that all rather depends on your compiler, doesn't it?

Re:These numbers are meaningless. (0)

Anonymous Coward | more than 8 years ago | (#14370321)

Perhaps. But considering that the typical "C Hello World" has two bugs, you might want to re-examine your code, just in case.

For the curious, the two bugs are:

* no return value -- so your program will return whatever junk is on the stack at the time to your OS. Any shell script using this value to determine the success of hello world would be in for random behaviour

* no check to see if anything is actually written out. It's possible to pipe hello world to a full disk. At the very least, you should check to see if the expected number of characters are printed out, and if not, return an error code from main().
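The two checks described in the post above, written out as an added example (this is not code from the post or from any project it mentions): the exit status is explicit, and the write is verified both by count and by a flush, since stdio buffers the text and a full disk is typically only reported when the buffer is flushed. The helper `greeting_result` is a hypothetical convenience for trying the function against a device path such as `/dev/null` or `/dev/full`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: write the greeting to `out` and report failure instead
 * of assuming it worked. Returns 0 on success, -1 if fewer bytes were
 * accepted than expected or if the flush fails (e.g. ENOSPC on a full
 * disk, which stdio only sees when the buffered data is pushed out). */
int write_greeting(FILE *out)
{
    static const char msg[] = "hello, world\n";
    size_t want = strlen(msg);
    size_t got = fwrite(msg, 1, want, out);

    if (got != want)
        return -1;                 /* short write */
    if (fflush(out) != 0)
        return -1;                 /* buffered data could not be written */
    return 0;
}

/* Hypothetical helper: open `path` for writing, run write_greeting on it,
 * and hand back its result. Returns -2 if the path cannot be opened, so a
 * missing device (e.g. no /dev/full on this system) is distinguishable
 * from a failed write. */
int greeting_result(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -2;
    int rc = write_greeting(f);
    fclose(f);                     /* return value ignored: rc already set */
    return rc;
}

int main(void)
{
    if (write_greeting(stdout) != 0) {
        fprintf(stderr, "hello: write failed: %s\n", strerror(errno));
        return EXIT_FAILURE;       /* shell scripts see a non-zero status */
    }
    return EXIT_SUCCESS;           /* explicit, not whatever was on the stack */
}
```

Run it as `./hello > /dev/full; echo $?` on a Linux box to see the failure path: the greeting is buffered, the flush gets ENOSPC, and the process exits non-zero.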

Software Bugs (1, Insightful)

Ice Wewe (936718) | more than 8 years ago | (#14370143)

If I were you, I'd keep my eyes out for a Windows logo on that web site. *cough*kickbacks*cough* From my experience, if Microsoft doesn't have more bugs, then their software sure is shitty. I mean, FireFox is open source, IE is not. Who is more secure, doesn't crash as much, and has nifty plug-ins? If you said IE, you're living in the past. Sure, Open Source is going to have more bugs, it's hundreds of thousands, if not millions of people contributing code. Of course not all of them are going to get everything perfect. Now compare how many people Microsoft has working on bugs. A few thousand at best. Now you see the reality of this. Linux is going to have more bugs simply because it has more software. Microsoft is going to take longer to patch their bugs because they only have a fraction of the people working on it.

Well... (1)

The Ilia (933432) | more than 8 years ago | (#14370155)

What I want to know is how many they didn't find.

Umm am I stupid or something? (4, Insightful)

bogie (31020) | more than 8 years ago | (#14370156)

Because I know I just woke up but that CERT page is listing APPLICATIONS FLAWS and NOT OS flaws.

Is a flaw in "Gold FTP explorer" or Photoshop a Windows OS flaw?

Am I the only one seeing this?

Re:Umm am I stupid or something? (1)

jc42 (318812) | more than 8 years ago | (#14370237)

Shh! Most of the people here don't understand the difference between an OS and an "app". Many of them will even tell you with a straight face that a runtime library is part of the OS. (Really; look through the /. archive. ;-)

So let's keep quiet on the sidelines, and let them all make fools of themselves in public.

Re:Umm am I stupid or something? (1)

shaitand (626655) | more than 8 years ago | (#14370372)

*sighs* I know. It frustrates me to no end that Operating System is being redefined.
It has been changed from the layer of software that operates the hardware and provides the lowest level api for accessing it (kernel, and kernel api); to the layer of software that interacts with the user.

Re:Umm am I stupid or something? (1)

TubeSteak (669689) | more than 8 years ago | (#14370297)

Someone on blogs.washingtonpost.com has a lazy mind.
I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue.
...
...so attackers are looking at developing more exploits for applications that run on top of Windows and interact directly with the user (and are freely allowed in and out of software firewall applications).
He's even getting flamed in his comments section.

I want to say that he just squeezed out a quickie article before going on holiday and didn't bother engaging in much thought... but I read his last few posts and they don't have much substance to them.

Does anyone else see the humor of a blog (slashdot) linking to another blog which links to the original source?

Uhma ... (0)

Anonymous Coward | more than 8 years ago | (#14370160)

Actually, it seems that in the linux/unix section it is possible that some bugs have been reported twice or more.

It could be that one bug that affects the linux kernel could be reported both as a bug in red hat, Fedora and under the line of multiple vendors.

I would like them to separate windows (version number), linux kernel and then for apps.

Lies, damned lies... (1)

Gallech (804178) | more than 8 years ago | (#14370199)

and Statistics.

I wouldn't say that the guys compiling the stats had an agenda or something- but how do you count bugs/flaws? If you said Linux was one "thing" and didn't account for the various distros, is that realistic? And if you account for the various distros, you will undoubtedly end up with duplicates. It's very much like the problem faced when trying to figure out popularity of a website- do you count hits, page impressions, stickiness...and if you count things differently than I do, which of us is right?

One thing I can say with certainty: Linux does not have fewer flaws than Windows. I have as many (or more) patches to apply to my Linux servers at work each month as I do to my Windows servers. I think it's reasonable, however, to say that the flaws that show up in Linux are more transparent. Knowledgeable people can look at the code for certain coding practices and find flaws *before* they are reported in the wild- the availability of source code definitely gives Linux an edge in that regard.

Re:Lies, damned lies... (1)

ninja_assault_kitten (883141) | more than 8 years ago | (#14370314)

Why would you end up with duplicates? If someone finds a vulnerability in the Linux kernel, that's a single vul across anyone who uses the affected Linux kernel. If someone finds a vulnerability in sudo, you don't count it once for each operating system that uses the affected sudo. Also, why wouldn't you expect this? There are 293847239827 UNIX/Linux-based applications written by clueless newbie programmers and published to Freshmeat. Why wouldn't you expect more vulnerabilities on the OSS side of the house? There are far more OSS software developers who dev for UNIX/Linux than there are for Windows. If "Jeffs Super File Manager for Linux" is discovered to have a format string vulnerability, would it surprise you? Probably not, but it would certainly count as a vulnerability in Linux software. Don't get your panties in a bunch. The results are as expected.

Scope (1)

vorok (718954) | more than 8 years ago | (#14370206)

A quick browse over some of the vulnerabilities listed... I think that the issue of scope is not covered at all in the number-quoting.

Windows: XP, NT, Me, 98, 95
note that these are all x86...

Unix/Linux (Oh yeah, and Mac too) : All variants of Linux, with all moderately current kernels, running on all architectures. All variants of Unix. Mac OS X.

On the other hand, there are a few positive sides: it included non-OS programs (web servers and user programs and such), which many studies often overlook, or selectively overlook and count Apache vulnerabilities for Linux and not Windows. It didn't try to pump the numbers TOO much. It was not actually a comparison between the merits of any one operating system over another (unlike most studies talked about, which are almost always funded by MS), but in fact was a compilation of the various vulnerabilities out there for each OS, including things like MusicMatch Jukebox, which very few people would claim is an integral part of the OS and can't be lived without, and thus completely eliminating that vulnerability from the numbers.

In regards to numberpumping, it is generally a lot easier to find a vulnerability in a Linux/Unix/OSX program than a Windows program, for the simple reason that a greater proportion of L/U/O programs are open source. You have two angles to attack from, and if you find some problem in the code, you can most likely find other instances in the code where the exact same mistake is made. Whereas the only way to find a vulnerability in a closed source program (most Windows programs, including the OS itself) is to observe and interact with it from the outside. Even if you do find a buffer overflow in some area, it counts as one vulnerability. You can't go look through the source for the rest of the OS and/or related programs, because you don't have it. Assuming a fairly large code base, any vulnerability (that is, a flaw in the underlying structure of the program, not a mistake) would probably be repeated at least 5 times.

If we use that estimate, and assume that only one such flaw was found in a Windows program and all 5 in a Linux/Unix/OSX program, that brings the numbers to this:
Windows 4060
LUO 2328
(ignore the multi-OS ones)

Now, assuming that Linux, Unix, and OSX collectively run on 5 architectures (QUITE modest), that is 5 times the code for any architecture and hardware related problems to arise in, although I would be willing to bet that it doesn't actually increase numbers that much.

However, all of my rampant assumptions aside, the numbers mean absolutely NOTHING, for ANYONE. This is not a study. It is a summary of the vulnerabilities found in 2005. In order for "vulnerability numbers" to mean ANYTHING, they have to be discovered and explored in an impartial study which clearly defines various levels of "vulnerability" beforehand and equally explores all test OS's/programs, which would most likely require source code for all OS's/programs in question, which essentially rules out including any Microsoft products in any such study.

Re:Scope (1)

vorok (718954) | more than 8 years ago | (#14370218)

Oh yeah... one more interesting gem. This item popped out at me:
IBM AIX 'RC.BOOT' Insecure Temporary File Creation

A vulnerability has been reported in the '/SBIN/RC.BOOT' script due to the insecure creation of temporary files, which could let a malicious user corrupt arbitrary files with superuser privileges.
It's just one more reason why the numbers are meaningless: creating temporary files in IBM's boot process is absolutely unrelated and has absolutely no impact whatsoever on OSX, or Linux, or BSD.
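The advisory quoted above concerns the general class of insecure temporary file creation: a predictable name in a shared directory, opened by a privileged process without exclusivity, can be pre-placed by a less privileged user. The following is an added example, not code from the AIX script or from the advisory, showing the hardened pattern in C (the language a practitioner would typically use for the same check) together with a post-creation verification. The template name `rcboot-example.XXXXXX` and the helpers `open_private_tempfile`, `tempfile_is_private` and `demo_private_tempfile` are hypothetical names chosen for this example.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, fstat, geteuid on POSIX systems */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form, shown only as a comment (do not use):
 *     fd = open("/tmp/rc.boot.tmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
 * The name is fixed and O_EXCL is absent, so whatever already sits at that
 * path (including a link placed there by another local user) is opened
 * and truncated with the caller's privileges. */

/* Hardened form: mkstemp picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, so an existing file or link at the path fails instead of
 * being followed. The umask guard covers old C libraries whose mkstemp did
 * not default to mode 0600. On success `path` holds the created name and
 * the open descriptor is returned; on failure -1 is returned. */
int open_private_tempfile(char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    int n = snprintf(path, pathlen, "%s/rcboot-example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;                      /* name would not fit */

    mode_t old = umask(077);
    int fd = mkstemp(path);
    umask(old);
    return fd;                          /* -1 with errno set on failure */
}

/* Verify the descriptor refers to what we expect: a regular file, a single
 * hard link, owner-only permissions, owned by the effective user. Checking
 * the open descriptor (fstat) rather than the path avoids a re-lookup. */
int tempfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_nlink != 1)
        return 0;
    if ((st.st_mode & 077) != 0)
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    return 1;
}

/* One-shot demonstration: create, verify, clean up. Returns 1 when the
 * created file passes every check above, 0 otherwise. */
int demo_private_tempfile(void)
{
    char path[4096];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = tempfile_is_private(fd);
    close(fd);
    unlink(path);                       /* never leave the scratch file behind */
    return ok;
}

int main(void)
{
    char path[4096];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return EXIT_FAILURE;
    }
    printf("created %s (private: %s)\n", path,
           tempfile_is_private(fd) ? "yes" : "no");
    close(fd);
    unlink(path);
    return EXIT_SUCCESS;
}
```

The same discipline in a boot script is `mktemp` (which calls into the same mechanism) rather than a hand-built `/tmp/name.$$`; the point of the C version is to show the exclusivity flag and the descriptor-based verification that a shell one-liner hides.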

Ha (1)

ninja_assault_kitten (883141) | more than 8 years ago | (#14370293)

Look how defensive the Slashdot community gets... So freaking funny.

Another Way Of Looking at This (0)

Anonymous Coward | more than 8 years ago | (#14370382)

Evil doers devised 812 ways of raping women named Jane, and 2328 ways of raping women named Mary or the pets they own.

What we really want to know is who got fucked.