
Top 12 Operating Systems Vulnerability Survey

Zonk posted more than 7 years ago | from the just-in-case-you-were-feeling-secure dept.

Security 206

markmcb writes "Have you ever wondered how vulnerable your computer is from the first bit you write to the hard drive all the way until you have a fully patched system? If so, Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007. In his summary, Matt tests each OS with widely available tools like nmap and Nessus, and notes responses at install, pre-patch, and post-patch times for each system. After the tedious job is done, he produces results that will make both the Apple and Windows communities cringe with regards to security. From the article: 'As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks.'"


SAY IT AINT SO JOE (1, Troll)

stratjakt (596332) | more than 7 years ago | (#18531457)

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.

Also, Macs are Jimmy Fallon-esque metrosexuals.

Re:SAY IT AINT SO JOE (4, Funny)

iangoldby (552781) | more than 7 years ago | (#18531637)

The difference is, the exploits for the mac just work, but you have to trick a stupid windows user into running them to hack XP.
That's not remotely funny -- even with the firewall disabled.

Re:SAY IT AINT SO JOE (2, Funny)

Jaqenn (996058) | more than 7 years ago | (#18532343)

I thought it was funny, but maybe because I had a co-worker who always went on about how everything on the mac 'just works'.

huh? (0)

stim (732091) | more than 7 years ago | (#18531487)

where is the 'duh' tag on this one?

Open port | service != vulnerability (2, Informative)

Anonymous Coward | more than 7 years ago | (#18533405)

The "tests" run are plain silly. Open ports do not mean vulnerabilities. Open services do not mean vulnerabilities as long as the authorization functions of the services work. In other words: Using completely patched systems all of the systems had 0 vulnerabilities.

This was the most stupid and moot article in ages on /.

No OpenBSD? (1, Interesting)

sunwukong (412560) | more than 7 years ago | (#18531529)

Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

Re:No OpenBSD? (4, Informative)

soloport (312487) | more than 7 years ago | (#18531871)

Considering that server OSs were examined, why no OpenBSD? Too "obvious"?

Title says, "Top 12"? (Am guessing.)

Re:No OpenBSD? (0, Flamebait)

Seumas (6865) | more than 7 years ago | (#18532001)

This whole article is under an idiotic premise.

Installing systems with no patches or older patches and putting them online will open them up to a lot of vulnerabilities. No kidding, Einstein?! Maybe that's why patches were released for them later, huh?

Calm yourself... (4, Insightful)

CasperIV (1013029) | more than 7 years ago | (#18532989)

Just because the study says something you don't want to hear is no reason to bash the study. There was a very legitimate goal in testing the systems right out of the box; many users do not immediately download updates. I worked in tech support for a little while and still keep in contact with people in the field. The average Windows user is 6 months or more out of date, based on the calls received by tech support at an ISP I worked for. What's worse is that many users buy a machine, then order an internet connection, but never get updates. There are several reasons why they don't, but the three most common I hear are:
1) Ignorance (They don't know they need them)
2) Slow Connections (They don't want to wait 3 days for updates to download)
3) Incompatibility (They are afraid that if they download a patch from MS it will break something)

With 90% of the market being controlled by windows users and the majority of those users being nontechnical home users, you can see the problem. It is the exact reason the US tops the list for infected systems for viruses and spyware.

Re:No OpenBSD? (1)

IMightB (533307) | more than 7 years ago | (#18532825)

Dude don't you know? BSD is dying... Netcraft confirmed it.

come on... (4, Insightful)

cosmocain (1060326) | more than 7 years ago | (#18531575)

... i'm no M$-fanboy at all, but testing a 2001-XP against an end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers. i'm quite sure that there are no breaches as severe as the lsass or rpc/dcom stuff, but this comparison just doesn't make any sense...

Re:come on... (4, Insightful)

drinkypoo (153816) | more than 7 years ago | (#18531943)

... i'm no M$-fanboy at all, but testing a 2001-XP against an end-2006 fedora is not actually making any sense. install a 2001-red hat to compare and then tell me the numbers.

My only complaint is that Windows XP should be tested as installed from SP2, since any XP CD distributed through authorized channels today has SP2 built in.

But you have to realize that Windows XP is the most common version of Windows in use today, and so it is reasonable to test it today...

Re:come on... (2, Informative)

cosmocain (1060326) | more than 7 years ago | (#18532123)

for sure it should be tested. and as you said: at least as shipped by now with SP2 pre-installed. that's what comparisons are for: take the available product and compare it to another available product. XP really HAS a bad security record, there's no point in arguing that, but this is no news, it's widely known.

Re:come on... (1)

thanksforthecrabs (1037698) | more than 7 years ago | (#18532927)

Actually, new CDs come with SP 2a

(as if it makes THAT big of a difference...)

(and why did my confirmation post word come up as "incest"? Isn't that a little too rough of a word to use?)

Re:come on... (1)

DanCo (576091) | more than 7 years ago | (#18533681)

It does seem a bit strong, doesn't it?

precisely (1)

Walter Carver (973233) | more than 7 years ago | (#18533491)

winXP is inside the support cycle. He could even test Win2000 since it is still supported. A big number of corporations run Win2000 today ("if it ain't broke...") not to mention the ones still running Win98.

Re:come on... (1)

dpilot (134227) | more than 7 years ago | (#18532089)

Maybe, maybe not. What do you get today when you buy a Retail copy of XP? Is SP2 slipstreamed, at the very least?

I recently reinstalled an XP machine for my sister-in-law, and when I was done with the recovery CD, I'm not sure if the system was at base, or at SP1. I had to install a pile of updates with numerous reboots, and THEN I was able to install SP2, plus then I went on to install yet more updates. Maybe I did it the hard way, maybe I'm a noob with Microsoft products, maybe it has something to do with the fact that the screen was VGA resolution, starting at 256 color and changing to 16 color partway through, and I couldn't fully grok the MS Updates website with so little real estate. I finally got the right drivers loaded some time after SP2.

Of course now you can't buy XP preloads any more, but the relevant data point would have been a freshly-preloaded XP system from late last year.

It's a box-to-box comparison.

Re:come on... (1)

cosmocain (1060326) | more than 7 years ago | (#18532249)

all versions you buy right now have SP2 integrated. you possibly can't get any LEGAL box consisting of XP "pre-alpha", as it was shipped in 2001. so it's no box-to-box, as you won't be able to buy a 2006-XP without SP2 integrated. as i said: if you wanted to make a comparison like that, take a 2001-red hat, compare those two and then: update all the patches of every year, check again and so on. i'm quite sure XP would not in any way actually WIN this comparison, but this is the only way to go to have any sense in this comparison: either take an XP SP2 as shipped or take a redhat as shipped in 2001.

Re:come on... (1)

pembo13 (770295) | more than 7 years ago | (#18532207)

It's not the tester's fault that there's no Windows 2006.

Re:come on... (1)

cosmocain (1060326) | more than 7 years ago | (#18532495)

but there is an XP SP2 integrated...

oh my, there are enough flaws in M$-soft, you don't have to fake statistics. that's all i'm nagging about: it's statistical nonsense to compare two products that were released more than a half decade apart and test them in their original shipped condition. that's kind of "fuddish", even though normally this is M$' domain. compare them in their shipped-by-now condition and all is fine...

Re:come on... (1)

melonman (608440) | more than 7 years ago | (#18533595)

Also,

The UNIX and Linux variants present a much more robust exterior to the outside

might be true until you install most PHP apps in non-CGI mode, whereupon in most cases you've set up a race condition as to who runs admin.php first, and that's if your end user remembers to turn off execution permissions after running the script, and, if (s)he doesn't, your entire machine is compromised because every single PHP app is running under the same users...

Where's BeOS? (0)

Anonymous Coward | more than 7 years ago | (#18531589)

Yes, I still use BeOS more than OS X. BeOS has never had a remote hole and it is much better than *nix & Windows for graphic applications. I also maintain my own patches since it is no longer updated.

C'mon /., I thought this was a 'News for Nerds' site...

Re:Where's BeOS? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18533459)

I'm probably going to be modded offtopic or troll, but what the heck is BeOS?

What? (-1, Troll)

Orion_II (1073458) | more than 7 years ago | (#18531623)

You mean Macs have security issues and could even get viruses?

How could those little Apple ADs on TV be wrong?

Re:What? (-1, Troll)

EraserMouseMan (847479) | more than 7 years ago | (#18531809)

Are you crazy? This researcher obviously "doesn't get it." Every Mac is inherently a flawless piece of art.

It's like talking about how the paint used on the Mona Lisa degrades in UV rays. People! It's The Mona Lisa! And all you can think about is how durable it is? Look, just go back to your cube you unsophisticated PC scum! You'll never understand . . .

Are you anti-mac people just trolling? (0)

Anonymous Coward | more than 7 years ago | (#18532065)

It's hard to tell - maybe I'm pro-mac because I never had to clean my family's mac from malware and virus infestation, unlike the previous Windows computer, but what is always with the anti-mac posts when it comes to viruses and crap?

Yeah, duh -- in theory and limited circumstance they can get viruses and malware like any other computer - but in practice this happens far less than Windows. I don't get the feeling of superiority here from the Windows community - their computers get pwned daily and they feel smug over a theoretical situation on the other side.

BTW: I personally don't have a mac (but thank Steve that I don't have to maintain a computer for the family anymore and they like the Mac > Linux, otherwise I would be in Windows hell) but run Ubuntu - I wasn't happy to see that it is vulnerable too - and am working to close those ports. But my computer holds little that is of interest - otherwise I would be running something like SELinux or whatever.

Re:Are you anti-mac people just trolling? (1)

The Great Pretender (975978) | more than 7 years ago | (#18533333)

"but what is always with the anti-mac posts when it comes to viruses and crap?"

Probably it's something to do with Mac's ad campaign pointing out all the flaws in Windows, while implying that Macs have no flaws. People love to pick holes in pompous statements. It's sort of like the US pointing their finger at China's human rights abuses all the time and then the US wondering why people get excited when others show the US is also abusing human rights. (Disclaimer: I don't believe that operating system flaws are on par with human rights abuse, it was just an analogy)

Re:What? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18532095)

This article *CLEARLY* points out that neither OSX client or server is vulnerable to ANY attack in its default state. The summary at the end is bogus because it clearly contradicts his own findings.

Once you turn on every bell and whistle you *might* disclose usernames on the system or be able to crash daemons, but none appear to allow a virus to propagate.

Missing option..... (0)

Anonymous Coward | more than 7 years ago | (#18531713)

I'm always astonished that these OS security articles pretty much always leave out the Unix-type OS most focused on security (i.e. OpenBSD). This always leaves me wondering about the credibility of the review in general. It's like he's looking for a champion of fuel-efficiency, but only testing sports cars and SUVs.

Re:Missing option..... (0)

Anonymous Coward | more than 7 years ago | (#18532031)

No, it'd be like looking at fuel efficiency of the most popular cars on the road. And since he covered XP and Mac OS Classic it wouldn't even have to be a comparison of latest models. OpenBSD is left out of this comparison because it should be left out.

I would question their 2003 results (0)

Anonymous Coward | more than 7 years ago | (#18531733)

First they stumble through the server role wizard enabling default options that no respectable admin would do.

Also, it appears they roll over the SP1 and SP2 upgrades, which does apply to many updaters, but for a long time, native SP1 and SP2 installs block the inbound network until the first iteration of windows updates completes.

2003 is not perfect, but you really have to work to fuck it up, unlike XP.

Concise? (3, Insightful)

jonknee (522188) | more than 7 years ago | (#18531743)

Matthew Vea has posted a concise summary of security strengths and shortcomings for twelve of the major operating systems of 2006/2007.


Concise? Forgive me, but I was expecting a table or something that makes it easy to see the results. Instead it's 20 printed pages. I'd hate to see the expanded version!

Re:Concise? (3, Insightful)

solevita (967690) | more than 7 years ago | (#18531957)

Who reads printed pages anyway? Just scroll down and read the relevant test results for every OS. No need to read all the blurb about when XP was first released or in what university BSD first came about; just scroll down and read every bit that starts "Nmap". You'll get through it very quickly.

It was much nicer than most stories that make it to the front page; I didn't have to keep clicking the next page button every 50 words. It was good stuff, there were no ads (although I do run adblock) and a great deal of easy to read information.

Let's just hope that /. provides us with more of these.

Stupid Comparison (1)

Archangel Michael (180766) | more than 7 years ago | (#18531749)

Okay, We all know that 2001 version of XP, totally unpatched is vulnerable. Duh

I update all my WinXP installs OFFLINE, making sure that they are FULLY patched and running the latest AV before putting them on the wire. The issue is that Microsoft doesn't make it easy to do this, and I have to use third party products to properly secure their systems before they go online. (90+ Patches from SP2?????)

To me, that is the greatest of all faults.

Not A Stupid Comparison (1)

drinkypoo (153816) | more than 7 years ago | (#18531791)

The reason it is not a stupid comparison is that Microsoft doesn't make it easy to do, so most people do it online. Granted, most of us do it from behind a firewall, but a compromised machine on your network listening to DHCP requests and responses might very well hack your ass in moments.

MS makes installing SPs offline easy (1)

davidwr (791652) | more than 7 years ago | (#18531999)

First off, they roll them out to the channel.

That means if I bought XP at a store 3 months ago, it would come with SP2 already in it.

Second off you can download the SP and burn your own CD fairly easily. Well, you do have to have a computer and maybe IE handy but that's not a handicap if you already have a Windows machine around.

Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.

Re:MS makes installing SPs offline easy (2, Insightful)

drinkypoo (153816) | more than 7 years ago | (#18532149)

Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.

That's what I'm talking about. I comment in another location that they should be testing against the SP2 version because if you get XP today, that's what you're installing.

But the period between SP2 and the patches, that's a time when the machine is typically on the 'net and potentially vulnerable.

Re:MS makes installing SPs offline easy (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18533145)

Now the individual post-last-SP patches, those are a pain to do offline mainly because there are so many of them.

This can be minimized by using a combination of nLite [nliteos.com] and RyanVM's update pack [ryanvm.net] to build your install ISO. Again, these are both third party, non M$ approved apps.

Re:Not A Stupid Comparison (2, Insightful)

InsertCleverUsername (950130) | more than 7 years ago | (#18533129)

Parent makes an important point. I think the MS automatic updates are a great help to Joe Average User, but if they wanted to do things right, MS would lock down almost all networking other than HTTP connections to update.microsoft.com until the fresh install was fully patched.

This is a survey of security? (5, Interesting)

MonGuSE (798397) | more than 7 years ago | (#18531755)

Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?

Re:This is a survey of security? (1)

Chacham (981) | more than 7 years ago | (#18532255)

Since when does throwing up 12 boxes and running a quick nessus scan over them count as a security survey?

...since everybody else became too lazy to do it themselves.

Re:This is a survey of security? (0)

Anonymous Coward | more than 7 years ago | (#18533755)

It's an omninerd article. What did you expect?

Re:This is a survey of security? (1)

SatanicPuppy (611928) | more than 7 years ago | (#18532375)

THAT is what I was thinking.

"I ran Nessus and then nmap, and this is what it said." Ooo, let me bow to your geekdom. And then he picks a raw version of XP...that's so unfair there aren't even words...Seriously, most of those flaws were fixed years ago, and you can't even buy XP like that anymore.

It would have been totally appropriate (1)

sheldon (2322) | more than 7 years ago | (#18533051)

If Windows had come out as the worst.

Since it did not, we here at /. must do our best to totally discredit the survey.

Macs Still Safe in Default State (5, Insightful)

adavies42 (746183) | more than 7 years ago | (#18531757)

The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default. Yes, it's annoying that Apple isn't faster at patching them (and other known local holes), but it still beats the hell out of XP's default state on first boot.

Re:Macs Still Safe in Default State (1)

EraserMouseMan (847479) | more than 7 years ago | (#18531877)

Yea, but what's the very first thing you do after the first boot? Right, get latest updates. So 1hr after first boot Mac is not beating the hell out of XP.

Re:Macs Still Safe in Default State (2, Insightful)

dpilot (134227) | more than 7 years ago | (#18531923)

But unless you're already behind a firewall of some sort, 1 hour is more than long enough to be compromised, BEFORE the updates are done.

Re:Macs Still Safe in Default State (1)

Slightly Askew (638918) | more than 7 years ago | (#18532041)

unless you're already behind a firewall of some sort

Exactly, and how are you going to get that firewall installed on XP SP2 before you are able...to...uh, never mind.

Re:Macs Still Safe in Default State (2, Funny)

crayiii (679161) | more than 7 years ago | (#18532815)

come on, you're saying that in 1 friggen hour, while I'm downloading SP2 on a new XP box that I'm going to be "infected?" Sounds a little far fetched to me...

Re:Macs Still Safe in Default State (3, Informative)

Anonymous Coward | more than 7 years ago | (#18533241)

Um...Yes. That's exactly what is being said. RTFA! or RRTFA. Machines have been infected in as little as 20 SECONDS!

Re:Macs Still Safe in Default State-What about XP? (0)

Anonymous Coward | more than 7 years ago | (#18533375)

come on, you're saying that in 1 friggen hour, while I'm downloading SP2 on a new XP box that I'm going to be "infected?" Sounds a little far fetched to me...

Next time you think that you're going to be overlooked for a one hour period and your as-yet unpatched box is safe because of that, try logging all the traffic knocking at your door for a one hour period- after you've patched, of course.

Just an hour's worth of the httpd logs on a machine stuck out into the net can net a hefty amount of logfile when it gets busy, making it seem that every script kiddy in the world is checking to see if your door is locked (almost exclusively poking around for Windows exploits).

An hour? I'd say you have closer to five minutes before the horde descends to see if you forgot to lock the door- if you're lucky.

Re:Macs Still Safe in Default State (2, Informative)

Mister Whirly (964219) | more than 7 years ago | (#18533279)

XP SP2 comes with built-in firewall turned on by default, the XP CDs out now are slipstreamed XP2 version. So, to answer your (albeit facetious) question, the firewall is already enabled before you go online to get the rest of the patches. Not bulletproof but better than nothing.

Re:Macs Still Safe in Default State (4, Insightful)

Cheefachi (970662) | more than 7 years ago | (#18532603)

I think what the parent poster was saying was that by default OS X has many services that can be compromised turned off and they remain turned off no matter how many times you perform an update or reboot. The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

Re:Macs Still Safe in Default State (4, Insightful)

vux984 (928602) | more than 7 years ago | (#18532755)

The article mentioned that all these services were manually turned on to perform the test so out of the box OS X is so secure they didn't even bother to test it out of the box.

But then they conclude OSX is rife with vulnerability during the patching process, which is pretty misleading if you ask me.

Re:Macs Still Safe in Default State (1, Informative)

Anonymous Coward | more than 7 years ago | (#18532785)

The guaranteed-to-be-overlooked key point: all the Mac vulnerabilities exist in services that are off by default.

On the other hand, so is the firewall. Thus if any of those services do get turned on (e.g. CUPS because you installed a printer which requires it -- and note that Apple patched a CUPS remote DoS vulnerability this very month), then you may have a problem. Although I agree that this particular overview was unfair, I also think that in a more "real world" scenario people will end up opening ports (tcp 3689 anyone?) to the world, so OS X isn't completely off the hook either.

Nessus and Nmap (5, Informative)

demonbug (309515) | more than 7 years ago | (#18531775)

It seems that this "analysis" is rather over-dependent on Nessus. The article even points out that the tools used couldn't actually see any vulnerabilities (at least for the most up to date versions of the OSes), rather those listed were based on the "database" of vulnerabilities from Nessus. Seems like it would have been equally useful just to look in the Nessus database in the first place.

Re:Nessus and Nmap (1)

jimicus (737525) | more than 7 years ago | (#18532327)

The only realistic alternative (if you want to do such a scan without spending thousands on commercial software) is to start testing for vulnerabilities by hand.

Granted, this can, in the right hands, be a means of finding new vulnerabilities. But it's a hell of a lot more work and if you're only interested in known problems - why bother when someone else has already scripted the lot?

IMO, a well-maintained server's weakest link these days is stuff like weak passwords (for anything which requires user authentication, eg. ftp, POP3, IMAP) or something like poor code in a web application.

Obligatory missing option post. (2, Insightful)

Dusty (10872) | more than 7 years ago | (#18531811)

What no OpenVMS [hp.com] analysis?

Re:Obligatory missing option post. (3, Funny)

$RANDOMLUSER (804576) | more than 7 years ago | (#18531869)

Ha ha. My favorite oxymoron: "Open VMS". The question isn't really "Can you break in?" but "Why would you want to?".

MacOS X vs. UNIX? (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#18531817)

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

Hmm... MacOS X bad... UNIX good.

Presumably this contradiction is resolved by noting that on MacOS X, the vulnerable services are off by default, so MacOS X is in fact ripe with vulnerabilities out of the box, yet still presenting a robust exterior?

Nice Cherrypicking (5, Insightful)

AKAImBatman (238306) | more than 7 years ago | (#18531831)

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside.

The article also says:

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, [available services] were all enabled through the Preferences tool. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.

Out of the box, OS X is highly secure. You make the active decision to risk remote exploits when you enable these services.

For OS X Server, they had this to say for it, "Out of the box":

During installation, Nmap fingerprinted the setup TCP/IP stack as OS X 10.3 or 10.4 and identified an open SSH port. Nessus did not identify any external vulnerabilities.

The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.

Re:Nice Cherrypicking (5, Insightful)

SCHecklerX (229973) | more than 7 years ago | (#18532055)

The lesson to be learned here is that an open connection is a potentially exploitable one. So don't open connections unless you're sure you want to do so. The second part of that lesson is if you're going to enable a remote port, make sure your security patches are up to date. "Out of the box" software is only secure for a short period of time.


Which is one reason it's so hard to secure a windows system. Who knows what half of those listening services actually do and what depends on them.

Also, you missed the third part, which is to configure the services you do need conservatively (i.e., configure apache to not allow methods you do not use for your site, disable anonymous FTP, or if needed lock its permissions and probably chroot it, etc).

Security isn't *too* hard if you have admins that actually listen to their lead security guy:

  1. Run only the services that you need
  2. Configure those services securely
  3. Keep those services patched


Yes, there is a lot more to security, and how services are used factors into your response in how to mitigate any known problems, but the sysadmin security stuff boils down to the above list.
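An added example, not part of the comment above: one way to check item 1 of that list (and the bind-address part of item 2) is to compare a host's listening sockets against a written allowlist. The `ss -tlnp` output below is a constructed sample, and the `ALLOWED` policy and function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ss -tlnp` output (not taken from any system in the thread).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     *:80                *:*                users:(("apache2",pid=1001,fd=4))
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=955,fd=3))
LISTEN  0       64      0.0.0.0:2049        0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*          users:(("python3",pid=4242,fd=5))
"""

# Hypothetical site policy: port -> process expected to own it.
ALLOWED = {22: "sshd", 80: "apache2", 443: "apache2"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return (address, port, process) for every LISTEN row."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        address, _, port = fields[3].rpartition(":")
        match = PROCESS_RE.search(line)
        # No process column: a kernel service, or ss was run without privileges.
        process = match.group(1) if match else "unknown"
        listeners.append((address, int(port), process))
    return listeners


def is_loopback(address):
    """True when the socket is bound to a loopback address only."""
    host = address.strip("[]").split("%", 1)[0]  # drop brackets and %interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or anything unparseable is treated as exposed


def audit(listeners, allowed):
    """Flag remotely reachable listeners that the policy does not account for."""
    findings = set()
    for address, port, process in listeners:
        if is_loopback(address):
            continue  # not reachable from the network
        if port not in allowed:
            findings.add((port, process, "port not in allowlist"))
        elif allowed[port] != process:
            findings.add((port, process, "expected " + allowed[port]))
    return sorted(findings)


if __name__ == "__main__":
    for port, process, reason in audit(parse_listeners(SS_OUTPUT), ALLOWED):
        print(f"{port}/tcp ({process}): {reason}")
```

A listener that passes this check is only accounted for; whether it is configured conservatively and patched still has to be verified separately.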

Re:Nice Cherrypicking (2, Insightful)

stratjakt (596332) | more than 7 years ago | (#18532085)

Who knows what half of those listening services actually do and what depends on them.

I do, lots of people do.

Which one do you have a question about?

It's not that hard to learn Windows.

Re:Nice Cherrypicking (2, Insightful)

Mister Whirly (964219) | more than 7 years ago | (#18533417)

"Who knows what half of those listening services actually do and what depends on them."

People that are serious about security and don't want their boxes compromised.... For instance, me.
An OS service is an OS service - figuring out *nix services is no easier or harder than figuring out Windows services.

Re:Nice Cherrypicking (1)

jeffasselin (566598) | more than 7 years ago | (#18532163)

Reading this strange blurb, I couldn't figure out how they'd arrive at the conclusion that OS X had more remotely exploitable vulnerabilities active before patching than say Linux or other UNIX variants, since it doesn't even expose any services to the outside by default!

Reading this, though, where they say they just "enabled all the services" shows that the methodology in this analysis is pretty bad. Did they also enable SMB and AFP file sharing services on the other systems? Enable Apache/IIS?

Re:Nice Cherrypicking (2, Insightful)

fazookus (770354) | more than 7 years ago | (#18533093)

"Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled."

So they take a secure machine and start services to make it less secure, but they can't be bothered to turn on the firewall?

Odd...

Re:Nice Cherrypicking (1)

PygmySurfer (442860) | more than 7 years ago | (#18533711)

If they'd installed Solaris correctly, they'd have had the same out-of-box results - The Solaris 10 installer asks if you want to enable all of the services that were enabled by default on previous Solaris versions, or if you'd like to lock the box down and only have SSH enabled.

Relying on Nessus alone isn't much use anyway - basically all it does is compare banner output to what's in its database. If you apply a patch that doesn't update the banner (say a patch backported to a previous version), Nessus will still flag it as a vulnerability. Nessus is great for identifying potential vulnerabilities, but you've got to go the extra mile and verify that you are indeed vulnerable.
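An added example, not part of the comment above and not any scanner's actual code: it contrasts the banner-to-database comparison the comment describes with a follow-up check of the installed package's changelog for backported fixes. The product name `exampled`, the advisory IDs, the versions and the changelog are all constructed placeholders.

```python
import re

# Constructed advisory data: product, IDs and versions are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2006-0001", "product": "exampled", "fixed_in": (2, 0, 55)},
    {"id": "EXAMPLE-2006-0002", "product": "exampled", "fixed_in": (2, 0, 59)},
]

# Constructed changelog in the style of `rpm -q --changelog`: the distribution
# keeps upstream version 2.0.52 in the banner and backports individual fixes.
CHANGELOG = """\
* Tue Mar 06 2007 Packager <packager@example.org> - 2.0.52-28
- backport upstream fix for EXAMPLE-2006-0001
* Mon Nov 13 2006 Packager <packager@example.org> - 2.0.52-27
- rebuild
"""

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d+(?:\.\d+)*))?")


def parse_banner(banner):
    """Split 'product/1.2.3 (extra)' into ('product', (1, 2, 3)); version may be None."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None, None
    version = match.group("version")
    parsed = tuple(int(part) for part in version.split(".")) if version else None
    return match.group("product").lower(), parsed


def banner_flags(banner, advisories=ADVISORIES):
    """Banner-only matching: flag every advisory whose fixed version is newer."""
    product, version = parse_banner(banner)
    if version is None:
        return []  # nothing to compare, so a banner-only check reports nothing
    return [a["id"] for a in advisories
            if a["product"] == product and version < a["fixed_in"]]


def triage(banner, changelog, advisories=ADVISORIES):
    """Classify each advisory using the banner plus the package changelog."""
    product, version = parse_banner(banner)
    result = {}
    for adv in advisories:
        if adv["product"] != product:
            continue
        if version is None:
            result[adv["id"]] = "unknown: banner hides version"
        elif version >= adv["fixed_in"]:
            result[adv["id"]] = "not affected"
        elif adv["id"] in changelog:
            result[adv["id"]] = "false positive: fix backported"
        else:
            result[adv["id"]] = "verify: no backport recorded"
    return result


if __name__ == "__main__":
    banner = "exampled/2.0.52 (Distro)"
    print("banner-only flags:", banner_flags(banner))
    for adv_id, status in triage(banner, CHANGELOG).items():
        print(adv_id, "->", status)
```

The banner-only check flags both advisories for the 2.0.52 banner; the changelog shows one is already fixed, and a banner with no version produces no flags at all even though the host's status is unknown.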

big deal... (1)

MrJerryNormandinSir (197432) | more than 7 years ago | (#18531841)

I can run Nessus too!

Read carefully what was done on MacOS X (5, Insightful)

david.emery (127135) | more than 7 years ago | (#18531861)

Note that on both MacOS X and MacOS X Server, there was a clean installation, followed by specific USER ACTIONS to ENABLE services. Thus it should not be a surprise if you turn on the Web service, for example, you now respond on port 80.

Now once you enable a service, it's legitimate to then analyze the exposed service for vulnerabilities, and I found that information interesting.

But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

          dave

Re:Read carefully what was done on MacOS X (1)

drinkypoo (153816) | more than 7 years ago | (#18532735)

But it should have been clearly established that the vulnerabilities noted in Mac OS X are for services that the user specifically enabled. The general description does not call this out, and I think that the conclusions are flawed because of this.

The FA is quite explicit in telling you that they enabled various services.

Are you complaining about the summary?

Re:Read carefully what was done on MacOS X (3, Insightful)

samkass (174571) | more than 7 years ago | (#18532779)

I think their analysis is fundamentally flawed once they put MacOS X and UNIX into separate buckets. Almost everything they tested on MacOS X is based on the UNIX underpinnings of MacOS X, and at that level MacOS X *is* UNIX (with 10.5, they even went through the trouble of getting it certified as such). It's not like they were testing Cocoa or the GUI.

Any remote network vulnerability that treats MacOS X as anything other than another UNIX distro has built-in bias.

Be careful jumping to conclusions on prepatched OS (2, Insightful)

davidwr (791652) | more than 7 years ago | (#18531875)

When it comes to prepatched or out-of-the-box configurations, be very careful jumping to conclusions.

An OS that was shipped in 2006 SHOULD have far fewer out-of-the-box holes than one that was shipped 6 years ago *coughXPcough*.

The "interesting" releases are the releases most likely to be installed by someone doing a fresh install today.

This usually means what he buys at the store, downloads as an ISO, or installs from the network plus any patches he can easily download, put on a CD or USB stick, and install prior to connecting the machine to a network. For example, for most Windows products this means the latest service pack or hotfix roll-up.

Also:

After testing Service Pack 2, one more round of patches were applied using Windows Update
In general this is not the best methodology. Frequently one patch prerequisites another patch.
A better methodology would be to install a round, test for remote exploits, then continue with additional rounds of patching until there were no more patches available. Report the results at each stage.

In this particular case, it's okay because

Upon rebooting, the patched Windows XP system did not exhibit any remotely accessible vulnerabilities (even with the firewall disabled).

Confusing conclusion (0)

Anonymous Coward | more than 7 years ago | (#18531895)

The conclusion mentions that linux and unix are more secure but have a higher learning curve for desktop users. Is that why he enabled daemons that no desktop user would ever run? On public facing servers I (and many other admins) manually compile/patch software, outside of the OS package manager.

What was he setting out to prove?

Article contradicts itself (1)

hvrbyte (537069) | more than 7 years ago | (#18531911)

In the section about OSX Tiger, the author states this:

Only after booting the system for the configuration phase was Nessus able to identify security issues. Although the issues were not remotely accessible, Nessus was able to determine the version of OS X and therefore enumerate the problems based on its internal database
And then:

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool
And then at the end (and in the summary above):

As far as "straight-out-of-box" conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities.
So let me get this straight. In the summary he says that out of the box OS X is ripe with remote accessible vulnerabilities, but just a little higher up, he explicitly states that nothing was switched on and that they had to go switch on all the services to get anything.

If nothing is switched on by default, it hardly means that the "straight-out-of-box" conditions are ripe.

Something's a little rotten here. If the author can't even stick to his own facts, how are we to take him seriously?

Um, OpenBSD? (0)

Anonymous Coward | more than 7 years ago | (#18531927)

Well FFS if you're testing out-of-the-box security, OpenBSD wins it all. I mean say what you will about this metric, 10 years with only two holes in the default install, it still shames the others.

Vista was not visible... (2, Insightful)

jernejk (984031) | more than 7 years ago | (#18531955)

From TFA:

In order to identify any Vista services present, it was necessary to disable the default firewall after booting into the system for the first time. After disabling Vista's firewall, Nmap was able to identify three open ports for Windows networking and correctly fingerprinted the system Windows Vista.
Sorry, but what's the point in doing this? Out of the box, vista comes with no open ports. Deal!

It's just like saying "your-favorite-distro was not detected until telnetd was installed and root password was set to 'password'". Stupid.

And yes, I am a Vista user.

Above Vitsa user's post requests modding. (0)

Anonymous Coward | more than 7 years ago | (#18532331)

Please mod: Deny.

Re:Above Vitsa user's post requests modding. (1)

Mister Whirly (964219) | more than 7 years ago | (#18533513)

Please mod:Flogging Dead Horse

Completely inconsistent (4, Insightful)

evought (709897) | more than 7 years ago | (#18532519)

Agreed. The premise of the article all around was rather foolish. They deliberately and rather randomly made adjustments to lower security but none to raise them, including turning on some legacy services on some platforms that have not been used since people threw sharpened sticks at each other and their only test was the vulnerability database of one product. Obviously Vista wouldn't show up because it is rather new and no exploits have had time to develop, and obviously the UNIX variants would come up with mostly the same results because they share source code.

Disabling the firewall on Vista was rather foolish and not enabling it on OS X, while making other changes equally so. That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).

Re:Completely inconsistent (1)

toadlife (301863) | more than 7 years ago | (#18533435)

That being said, Apple is still nuts for not enabling the firewall by default (technically it is enabled and running, but its configuration is empty).
It is my understanding that OSX comes with no daemons listening by default. If this is the case, the firewall being enabled by default only adds to the attackable surface area of the OS.

Also, (I'm just being curious here) can you define "empty configuration"? Is ipfw in OSX set up to "default to allow" by default?

Re:Completely inconsistent- but friendly! (0)

Anonymous Coward | more than 7 years ago | (#18533949)

Also, (I'm just being curious here) can you define "empty configuration"? Is ipfw in OSX set up to "default to allow" by default?

"Empty" as in, "Nothing to see here. Move along. Shoo! Go away! I can't hear you!" i.e.- The default for undefined ports or those associated with services that aren't running is Deny. You can change that behavior of the firewall and add allowed ports through the Sharing system preference (which drove me nuts the first time I played with OS X, 'cause I was looking for configuration files and missed the bright, shiny 'Just Works!' button).

Re:Completely inconsistent (1)

evought (709897) | more than 7 years ago | (#18534067)

Also, (I'm just being curious here) can you define "empty configuration"? Is ipfw in OSX set up to "default to allow" by default?

Yep. This is what 10.4.x has it set to when the firewall is 'off':

00010 divert 8668 ip from any to any via en0
65535 allow ip from any to any

Wait, why am I cringing? (3, Interesting)

Onan (25162) | more than 7 years ago | (#18532023)

I'll admit that I've only looked through the macosx vulnerability section in any detail, but I'm certainly not experiencing anything like the cringing promised by the writeup.

The upshot seemed to be that even when the examiner intentionally turned on every service and did not enable the firewall, the only vulnerabilities found were two timing-based user-enumeration attacks.

That's... that's the big shocking secret? That if I go out of my way to ask my system to be considerably less secure than its default configuration, Mallory out there can find out the names of accounts on my system? Quick, somebody get me some smelling salts!

Linux Most Secure OS (0, Flamebait)

sakusha (441986) | more than 7 years ago | (#18532063)

Linux is the most secure OS if you're a linux security geek. The preceding message was brought to you by a linux security geek.

This article was amateurish at best.

Re:Linux Most Secure OS (1)

fahrbot-bot (874524) | more than 7 years ago | (#18533899)

Linux is the most secure OS if you're a linux security geek.

For all other geeks, there's OpenBSD :-)

[Sorry, couldn't resist!]

Cringe? (4, Insightful)

CODiNE (27417) | more than 7 years ago | (#18532079)

Hardly.

By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.


Then somehow this :

As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities

The immediately following sentence :

Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services.


So how does "straight-out-of-box vulnerable" and "after enabling built-in services" make any sense?
Sure there's pre-patch vulnerabilities for all 2 year old OS' out there... hardly makes me cringe however.

Re:Cringe? (1)

_Sharp'r_ (649297) | more than 7 years ago | (#18532847)

One thing to note is that they followed this same install-then-turn-on-common-services approach with all the OSes.

For example, the result after they did that on FreeBSD 6.2 was "None of the service binaries exhibited any vulnerabilities to remote exploits."

So while it's not a valid part of a "default-install-only" test, it is an interesting benchmark of what if you then run some common services.

In general, however, you're right, there are methodology changes they could have made to make the testing much more useful to a real person considering an OS.

Pretty superficial test (1)

extern_void (1041264) | more than 7 years ago | (#18532097)

Matthew should launch "Nmap & Nessus: How they work together" test instead of presented one. Those tests just told me tips about what information, Nessus specially, has in its database, nothing beyond that.

Many vulnerable services are disabled by default, for example that telnetd on Slackware 11.0 and many others.
Nice try says me nothing.

Linux Lovers a dying breed (-1, Troll)

pembo13 (770295) | more than 7 years ago | (#18532315)

The threads on this article are proof that fewer and fewer geeks use Linux. Interesting.

Re:Linux Lovers a dying breed (1)

MMInterface (1039102) | more than 7 years ago | (#18533089)

Please elaborate on this. I'm not a Linux lover and I have noticed quite the opposite.

Hardware firewall is your friend (2, Insightful)

davidwr (791652) | more than 7 years ago | (#18532425)

The reality today is most home and small business non-dialup users have a NAT firewall. Most larger businesses have a regular firewall.

Either way, if you configure it to block incoming connections to the new machine and the rest of your network is uninfected and well-protected, you can almost always download patches safely.

Some OSes even come with inbound ports turned off by default using the built-in firewall.

If this is you, then "remotely exploitable vulnerability on an unpatched system" is pretty meaningless.

Pathetic article (0)

Anonymous Coward | more than 7 years ago | (#18532479)

I read the article and I'm sorry I did. What a waste of time. There are a couple of good ideas, probably the best of which is testing the security of systems as you're installing the OS, because if the installation procedure isn't secure, you're screwed. But beyond that, the article fails to make a distinction between using a machine as a server versus usage as personal desktop machine.

If you're testing servers, then by all means turn on httpd, pop3d, smtpd, etc. But there is a good reason why these services aren't turned on by default, and that's because the vast majority of computer users don't run their own servers. Furthermore, what percentage of people using plain Windows XP or Mac OS X are going to be running servers versus someone running FreeBSD or Linux? And then in the article they make the effort to turn on these servers, but they won't bother to turn on the built-in firewall. Oh well, like I said the article is a waste of time.

It seems that in order to make the article more sensational, or to satisfy their agenda, they decided to cherry-pick the configuration to facilitate getting the results they want. It's pathetic.

What about 10.4.9? (1)

Drizzt Do'Urden (226671) | more than 7 years ago | (#18532655)

I would have liked to see the results of MacOS X after the 10.4.9 update, since it resolved a lot of security vulnerabilities.

Re:What about 10.4.9? (3, Informative)

drinkypoo (153816) | more than 7 years ago | (#18532855)

I ran nessus 2.2.8 (on Ubuntu Feisty) with all included plugins active, against an up-to-date MacOSX 10.4.9 system which is sitting just to my right. The system has Windows Sharing, Remote Login, and FTP Access turned on. The closest it came to a vulnerability was with netbios-ns (137/udp) and it said "If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port." Hope this is something like what you wanted to know.

Attention Windows Clickarounds (0)

Anonymous Coward | more than 7 years ago | (#18532659)

Yeah I'm talking to you. The wannabe computer programmer who thinks they are good at computers because they can click around the computer enough times and find the reboot button and 'fix' an inherently flawed windows system. You think you're cool because you can pirate photoshop but not know anything about it, get Microsoft Office for free but have the literacy of a 1st grader when writing a paper, and get a copy of Norton Anti-virus because your inherently flawed system is useless without Administrative privileges. Get a clue, you are not smart, you are just a corporate sheep for a company that will bury you if you ever tried to write any software that did anything remotely useful. You are a clickaround and all you know is your ugly gray existence that is Windows.

Want the sourcecode to windows vista?

head -n 1000000 /dev/random > Windows.com

We need a comparison of pro-active security (2, Interesting)

twistah (194990) | more than 7 years ago | (#18532843)

I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what OS do to prevent or reduce the impact of exploitation.

For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grsec and Bastille allow Linux to be hardened in a way which prevents race conditions, buffer overflows and more. This is a very much simplified list -- but that's exactly why I'd like to see a better breakdown.

Re:We need a comparison of pro-active security (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18533623)

If you can help me become unhomeless I'll be more than happy to work on whatever security comparison you would like to see.

Dangerous "Out of the Box" (1)

Cytlid (95255) | more than 7 years ago | (#18532845)

I love how people tend to think Computers are simple machines, like a potato peeler or something. They're complex machines, and there's people who do not take that into account. The minute you do anything with a computer (even after it's "secured") you run the risk of lowering your security.

I bet if I went and bought a nice new shiny sports car, and drove 200 mph into a brick wall, I would die. Geez! How insecure is that? I mean after all I have to engage the seatbelt? It wasn't engaged when I bought the car!

I guess my point is ... plenty of security is your behavior. And many people don't even realize things they do have any kind of adverse impact.

This article should have been called "A list of default services running on different OSs that sometimes you have to enable manually".

I mean, we're talking security ... why didn't they take into account any other factors? Say vulnerabilities in the different implementations of the TCP stacks.

More Nerd, less "news" please.

Give me a break (0)

Anonymous Coward | more than 7 years ago | (#18533063)

This article was authored by a troll. It compares OSes of varying and inconsistent ages in the most vulnerable configurations possible, and calls that "out of the box".

Long Time Linux (0)

Anonymous Coward | more than 7 years ago | (#18533239)

I've been sitting here as root for 12 years now. Nothing. My son has while installing W2K been attacked to the point I ended up downloading all the packs and updates so he could even install the puppy.

  No contest.