
6 Months On, Vista Security Still Besting Linux

kdawson posted more than 7 years ago | from the maybe-because-nobody's-using-it dept.

Security

Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"


478 comments


Fine... (5, Interesting)

Progman3K (515744) | more than 7 years ago | (#19661319)

Point me at the problems in Linux and I'll fix them.

What? Can't do that with Vista?

I'll take Linux, thank you.

Re:Fine... (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#19661367)

uh, yeah. bet you will. if this is so true and the linux community is just thriving with talent like yours then why are there still problems at all? you linux guys are always good for a laugh.

Re:Fine... (0)

Anonymous Coward | more than 7 years ago | (#19661661)

Well at least those Linux folks don't have to jump through hoops to get patches. I have a problem right now that there is a patch for, but I'm way too lazy to call MS to get it. Why not just let me download it? Include a big fat red "this code might blow up your system" to scare off the morons.

Re:Fine... (5, Insightful)

gravos (912628) | more than 7 years ago | (#19661379)

So what are you waiting for exactly? You could fix them today and then prove the author wrong. Oh wait, maybe you couldn't...

Re:Fine... (4, Informative)

toleraen (831634) | more than 7 years ago | (#19661429)

Here ya go! [linuxsecurity.com] Let me know when you're finished, thanks!

Re:Fine... (2, Insightful)

Effugas (2378) | more than 7 years ago | (#19661435)

Really? I can file bugs against you?

I suspect you've fallen into the fallacy that just because people can look at the source, people actually do. If you really want some stuff to fix, believe me, there's no end of stuff to throw your way.

Re:Fine... (4, Interesting)

stevey (64018) | more than 7 years ago | (#19661671)

People do though, that's the thing.

I've spotted many security issues, and the fact that we see more reported every week is proof enough that people do look at the source. If nobody looked we'd have no new reports, right?

Re:Fine... (5, Interesting)

Ravnen (823845) | more than 7 years ago | (#19661727)

A good argument against this myth is made in a Guardian article [guardian.co.uk] from a couple of years ago about OpenOffice, which includes the following comment about external contributions, i.e. those not made by the 100 or so full-time developers paid by Sun to develop it:

But what about the innumerable volunteers who can download the code and fix what they like? They take one look at the effort involved and run. OpenOffice is an extremely complex mountain of source code. As far as I know, in the five years it has been available as open source, not one contribution to the program has come from amateurs. The outsiders who have provided input have been full-time professionals employed by Linux companies to help make the software credible.

Re:Fine... (-1, Troll)

wwmedia (950346) | more than 7 years ago | (#19661487)

ok make me please a universal SINGLE way of installing apps,

i want to be able to install programs easily across ALL distros EASILY (like people do on windows now)

none of that ./configure && make && make install nonsense or a myriad of package managers (yast, smart, yum etc etc)

you see on windows ur guaranteed your app will work across all versions on linux forget about it

Re:Fine... (0)

Anonymous Coward | more than 7 years ago | (#19661571)

Bullshit! You have apt-get install, that's easier to use than any windows installation software EVER!

The thing is different if you don't have all the mirrors and you try to install stuff like you would do with Windows. Good Linux programs are commonly one-package-for-every-platform-and-architecture, distributed as source code. This means you need to do the ./configure and make to first compile, then make install.

It's not that hard unless the thing won't install for some reason.

Re:Fine... (1, Informative)

Anonymous Coward | more than 7 years ago | (#19661575)

>none of that ./configure && make && make install nonsense or a miriad of package managers (yast, smart, yum etc etc)
>
>you see on windows ur guaranteed your app will work across all versions on linux forget about it

No, you're not guaranteed that your app will work on all versions at all. And, to boot, you have to F around with all the other problems that every single Windows user out there is well familiar with - you included.

Do you want an OS where none of that exists? An OS where there is a single, universal way of both containing and "installing" apps? Go try Mac OS X.

Re:Fine... (5, Funny)

Evanisincontrol (830057) | more than 7 years ago | (#19661587)

you see on windows ur guaranteed your app will work across all versions


Ha..hahaha...HAHAHAHAHAHAHAHA!

Re:Fine... (2, Informative)

simm1701 (835424) | more than 7 years ago | (#19661619)

A self extracting tar file with installer?

It's a very old trick that's been on unix for years. You make an install shell script, you put a tag that signifies the end of it, then you append the tgz of the package you want to install.

Set this installer to executable and voila, you have a self-extracting installer - feel free to add GUIs etc.

You might be familiar with the concept - pretty much every installer you use on Windows employs this kind of system - it's not exactly difficult to create or use.

Personally though I much prefer apt-get and .debs
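The self-extracting installer described in the comment above, as an added worked example (not code from the original post or from any project). It builds a constructed payload, writes an installer whose shell header ends at a marker line followed by `exit 0`, appends the raw gzipped tarball after the marker, and then runs the result. The marker name, the temp-directory layout and the sample program are assumptions made for the demo. Note the security caveat a practitioner should keep in mind: such an installer runs whatever is in the appended archive with the invoking user's privileges, so verify a signature or checksum of the file before executing it, exactly as you would for a Windows setup.exe.

```shell
#!/bin/sh
# Added example: build and run a self-extracting tar installer.
# Layout of the generated install.sh:
#   1. shell header (extracts and exits)
#   2. marker line  __ARCHIVE_BELOW__   (name is an assumption for the demo)
#   3. raw bytes of payload.tgz appended verbatim
set -eu

# Build a payload tarball from a constructed sample program.
build_payload() {           # $1 = work dir; writes $1/payload.tgz
    mkdir -p "$1/src/bin"
    printf '#!/bin/sh\necho hello from the installed app\n' > "$1/src/bin/hello"
    chmod 0755 "$1/src/bin/hello"
    tar -C "$1/src" -czf "$1/payload.tgz" bin
}

# Write the installer: header script, marker, then the archive bytes.
build_installer() {         # $1 = work dir; writes $1/install.sh
    cat > "$1/install.sh" <<'EOF'
#!/bin/sh
# Self-extracting installer. Usage: ./install.sh <prefix>
set -eu
PREFIX="${1:-$HOME/app}"
# awk stops at the marker, so it never parses the binary tail of this file.
# The archive begins on the line after the marker.
SKIP=$(awk '/^__ARCHIVE_BELOW__$/ { print NR + 1; exit }' "$0")
mkdir -p "$PREFIX"
tail -n +"$SKIP" "$0" | tar -xzf - -C "$PREFIX"
echo "installed into $PREFIX"
# exit BEFORE the shell reaches the archive bytes, or it will try to run them.
exit 0
__ARCHIVE_BELOW__
EOF
    cat "$1/payload.tgz" >> "$1/install.sh"
    chmod 0755 "$1/install.sh"
}

# End-to-end: create payload + installer in a temp dir, install into a prefix,
# and print the path of the installed program so callers can check it.
run_demo() {
    work=$(mktemp -d)
    build_payload "$work"
    build_installer "$work"
    "$work/install.sh" "$work/prefix" >/dev/null
    echo "$work/prefix/bin/hello"
}
```

Running `run_demo` yields the path of an executable `hello` under the chosen prefix; the installer is a single file you can ship, and nothing in the header depends on the size of the archive because the marker line is located at run time.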

Re:Fine... (0)

Anonymous Coward | more than 7 years ago | (#19661659)

you see on windows ur guaranteed your app will work across all versions on linux forget about it
Applications are usually much more likely to work across multiple major versions of Linux like 2.2.x, 2.4.x, and 2.6.x than across major versions of Windows (Windows98, Windows 2000, Windows XP, Windows Vista). The Linux kernel interface hasn't really changed much since the switch from a.out to ELF binaries. Your problem is that you're confusing different distributions of GNU/Linux with the Linux kernel itself. Ubuntu GNU/Linux is equivalent to Windows XP for instance. An app written that will work for Ubuntu GNU/Linux 7.04 will work on all Ubuntu GNU/Linux 7.04 installs. You're trying to say you should be able to take an Ubuntu GNU/Linux 7.04 app and run it on Fedora Core 6 and it should run fine right? That's like trying to run a FreeBSD app in OS/2. It's unlikely as hell to work.

Re:Fine... (2, Insightful)

SQLGuru (980662) | more than 7 years ago | (#19661837)

I think your version comparison is flawed. Windows XP has had service packs, that is more equivalent to your point releases of Linux than the jump from Win95 to WinXP. Can you take Linux 1.x.x apps and run them on Linux 2.x.x? Likely, but just as likely to work for Windows apps, too.....I do believe that many older Windows apps run in Windows XP in compatibility mode.

Now, go the other way (XP -> 95 or 2.x.x -> 1.x.x). Neither will work very well. Something required will very likely be missing.

Layne

Re:Fine... (4, Insightful)

kjart (941720) | more than 7 years ago | (#19661523)

Wait, assuming both assumptions here are true (i.e. Windows has fewer vulnerabilities and you would fix all security problems brought to you in Linux), you would still rather _personally_ fix a lot of bugs over having a more secure platform (again, big assumption there)?

Re:Fine... (0)

Anonymous Coward | more than 7 years ago | (#19661561)

Could you provide examples of problems you've fixed please?

Re:Fine... (1)

Goaway (82658) | more than 7 years ago | (#19661573)

+5, Rationalizing Away Problems

Re:Fine... (5, Insightful)

b1ufox (987621) | more than 7 years ago | (#19661667)

Looks like Mr Jeff Jones works at Redmond.

https://209.34.241.68/user/Profile.aspx?UserID=7803 [209.34.241.68]

No wonder Windows Vista is best in his review.

I am not convinced, next please Mr Jones.

Re:Fine... (3, Funny)

Skapare (16644) | more than 7 years ago | (#19661723)

What? Can't do that with Vista?

"No user serviceable parts inside"

Sorry, I have to laugh. (2, Interesting)

Shivetya (243324) | more than 7 years ago | (#19661735)

Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.

It's human nature. It's far easier to take an easy shot at someone else than to act. Oh sure I can say I will fix it, but the fact is it's easier to say so on some message board than to take the action.

Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome I can only hope someone else sees it as important enough to warrant a fix. That's the crux of it. Sure I could do it, if I had time, if I had the knowledge, if I had the resources. Saying "with Linux you can just change it" is akin to handing someone a bunch of parts and telling them if they don't like the car they can fix it. Being able to use something, having a generalized knowledge of how it works, is all a far cry from being able to actually change it.

So while cheap shots at MS are the forte of many, we can't forget that just because it's open source, it's Linux, that we have the power. The opening is there, just don't expect someone to walk through it.

easier to use as well (cue the fanboys) (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19661325)

Linux needs to get its act together

Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".

Linux zealots are far too forgiving when judging the difficulty of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:

User: "How do I get Quake 3 to run in Linux?"
Zealot: "Oh that's easy! If you have Redhat, you have to download quake_3_rh_8_i686_010203_glibc.bin, then do chmod +x on the file. Then you have to su to root, make sure you type export LD_ASSUME_KERNEL=2.2.5 but ONLY if you have that latest libc6 installed. If you don't, don't set that environment variable or the installer will dump core. Before you run the installer, make sure you have the GL drivers for X installed. Get them at [some obscure web address], chmod +x the binary, then run it, but make sure you have at least 10MB free in /tmp or the installer will dump core. After the installer is done, edit /etc/X11/XF86Config and add a section called "GL" and put "driver nv" in it. Make sure you have the latest version of X and Linux kernel 2.6 or else X will segfault when you start. OK, run the Quake 3 installer and make sure you set the proper group and setuid permissions on quake3.bin. If you want sound, look here [link to another obscure web site], which is a short HOWTO on how to get sound in Quake 3. That's all there is to it!"

User: "How do I get Quake 3 to run in Windows?"
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"

So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.

Re:easier to use as well (cue the fanboys) (3, Interesting)

Aladrin (926209) | more than 7 years ago | (#19661425)

I guess you know you're trolling, and that's why you posted AC. I'm going to bite anyhow, even though I know better.

Yes, Linux is not entirely user friendly yet. No denying that. But maybe you mean 1%, as you said... It's not really a good troll your way.

And yes, apt-get is a -lot- easier. Why? Because you left the steps out on the Windows side where you search for some utility on the web and have to wade through search results that mean nothing and attempt to find what you want, or you could just apt-get install it. 1 step, not several.

As for your game installation example, maybe you should pick something actually made FOR Linux, instead of hacked onto it later. Darwinia, for example: http://www.darwinia.co.uk/downloads/demo_linux.html [darwinia.co.uk]

Check out those complicated instr... err, no. You just download and run the file. Okay, you have to make it executable first. Just a bit of security there. At least it didn't ask you 'cancel or allow?' about 5 times.

Including the steps to set up video properly is a bit disingenuous unless you include the steps for Windows as well. Including finding and downloading the proper drivers for sound, video, motherboard chipset, etc. Is it easier on Windows? A bit, yes. But the steps still exist.

Re:easier to use as well (cue the fanboys) (1)

caluml (551744) | more than 7 years ago | (#19661553)

A good way to reduce the possibility of malware affecting you in Linux is to run your browser as another user [calum.org] . It's easy to set-up, almost pain free, and means that, barring local root exploits, it can't delete/alter your data, modify your login scripts etc.

I'm sure it's possible to do in Windows - runas firefox.exe - but I haven't tried it.

Thanks, but... security hole! (0)

Anonymous Coward | more than 7 years ago | (#19661663)

I've been intending to run firefox as another user for some time, so thanks for your guide.

However, there is one security hole that I should point out to you: xhost 127.0.0.1 gives all processes on your system access to the X display, including Firefox and any malware it might execute. This is sufficient to run a keylogger, grab screenshots, etc.

I don't have a good solution for this. If you don't allow Firefox access to X, it can't appear on screen. Copying the .Xauthority file to ~ff instead of using xhost does not solve this, because processes running as ff still get access to X. Running Firefox on a separate X display (e.g. with Xvnc), or better still within a virtual machine, would do the trick - but at the cost of performance and some usability.
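The hole described in the comment above is easy to introduce and easy to forget about, so here is a small audit check as an added example (not code from the original post or from the linked guide). It reads an `xhost` listing and flags grants that let every local process, not just the browser account, talk to the X display: a disabled access-control line, and host-based `INET:`/`INET6:` entries of the kind `xhost 127.0.0.1` creates. Per-user `SI:localuser:` entries are reported as informational because, as the commenter notes, any process running as that user still gets the whole display. The sample listing is constructed for the demo; on a live machine you would run `xhost | audit_xhost`.

```shell
#!/bin/sh
# Added example: audit an `xhost` access list for display-wide grants.
# stdin:  output of `xhost`
# stdout: one finding per line
# rc:     1 if any HIGH or CRITICAL finding, else 0
audit_xhost() {
    awk '
        /^access control disabled/ {
            print "CRITICAL: access control disabled, any host may connect to the display"
            bad = 1; next
        }
        /^INET6?:/ {
            print "HIGH: host grant " $0 " lets every process on that host use the display"
            bad = 1; next
        }
        /^SI:localuser:/ {
            sub(/^SI:localuser:/, "")
            print "INFO: per-user grant for " $0 " (all processes of that user still get full display access)"
            next
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample resembling a box where `xhost 127.0.0.1` was run
# alongside a per-user grant for the desktop account.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:calum'

# Number of HIGH/CRITICAL findings in the listing passed as $1.
count_findings() {
    printf '%s\n' "$1" | audit_xhost | grep -c -E '^(HIGH|CRITICAL)' || true
}
```

The check does not make the separate-user setup safe by itself; it only tells you when the display has been opened to everything on the host. Removing the grant (`xhost -127.0.0.1`) closes that particular hole, and the remaining exposure is the one the comment describes: whatever runs as the browser user can still read keystrokes and screen contents of the shared display, which is why a separate X server or a virtual machine is the stronger fix.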

Re:Thanks, but... security hole! (1)

koh (124962) | more than 7 years ago | (#19661763)

Sux [fgouget.free.fr] is your friend, despite its name.

Re:Thanks, but... security hole! (0)

Anonymous Coward | more than 7 years ago | (#19661849)

That's very interesting, thank you.

I bet the troll who started this thread never imagined that some actual useful information might be exchanged as a result of his copying and pasting.

Re:easier to use as well (cue the fanboys) (1)

gilesjuk (604902) | more than 7 years ago | (#19661701)

I keep hearing that Linux isn't user friendly. But people are so used to Windows that they find anything else pretty much alien to them.

But then you read stuff like this and realise it's not as hard as people think.

http://www.cio.com/article/120452 [cio.com]

Sure, if stuff breaks it can be hard to put right, but the same is true if your Windows PC won't boot and you don't know much about computers.

Re:easier to use as well (cue the fanboys) (4, Insightful)

buffer-overflowed (588867) | more than 7 years ago | (#19661439)

Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.

Run whatever the fuck you want.

Re:easier to use as well (cue the fanboys) (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19661739)

Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.

Run whatever the fuck you want.


Because the spambots that have pretty much ruined email are running on Windows machines.

Re:easier to use as well (cue the fanboys) (3, Interesting)

Broken scope (973885) | more than 7 years ago | (#19661495)

I installed Quake 3 on my first day of Linux. Copied the files from the disk, ran the Linux stuff from id. In all I had to use 3 maybe 4 commands total, and the only web site I went to was id's site. It was basically the first thing I installed after doing my Red Hat installation. I never really got into using Linux, but it's not the quagmire you believe it to be.

Re:easier to use as well (cue the fanboys) (0)

Anonymous Coward | more than 7 years ago | (#19661549)

Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"

Wait a minute. You had to reboot because you installed a game? WTF. Now THAT is a retarded operating system.

Also, that "classic" troll really needs updating for this decade. Might as well include a flame about how you had to recompile your kernel to get your Soundblaster Pro to work.

Re:easier to use as well (cue the fanboys) (1, Funny)

digitig (1056110) | more than 7 years ago | (#19661601)

linux will stay with >1% marketshare.
I'm sure even the most ardent Linux zealot will be happy with that. After all, 100% is >1%

fp (5, Funny)

Anonymous Coward | more than 7 years ago | (#19661329)

Jeff Jones ... This time he did what the Linux community had asked.

He went and f*cked himself?

Useless studies (4, Insightful)

Vicegrip (82853) | more than 7 years ago | (#19661655)

Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?

None

Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?

I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when SSID broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.

Beyond that, on this brand new machine, specced for Vista. Vista is SLOW.

MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye

Re:Useless studies (3, Funny)

plague3106 (71849) | more than 7 years ago | (#19661681)

One claim from a blog was that Vista shipped with 60,000 bugs.

OMG IT MUST BE TRUE ONE BLOG REPORTED IT OMG!!!!111!!!11

Re:Useless studies (2, Informative)

pogson (856666) | more than 7 years ago | (#19661903)

It is well known that FLOSS has fewer bugs per 1000 lines of source code. The bloat that went into Vista brought in plenty of bugs to be sure. Key differences between Linux and M$ stuff:

  • M$ gets stuff determined by the sales department. We know how well salesmen design systems.
  • Linux is designed to be modular so the complexity of each piece is less. M$ has stuff where the browser installs code, printing a document can cause pieces of the file to be executed, etc.
  • There are far more projects in FLOSS than there are coders in M$. More manpower, with properly filtered output results in more correct code.
  • If a bug bugs me, I can look at the code, file a bug report, or suggest a patch. There is no way that can be done with M$'s way of doing things. Vista release was as buggy as a Linux release candidate.

see Cyberinsecurity at http://www.ccianet.org/filings/cybersecurity/cyberinsecurity.pdf [ccianet.org]

see release-critical bugs at http://bugs.debian.org/bugs/release-critical [debian.org]

Where have you seen transparent quality control like that at M$?

This proves it. (0)

Anonymous Coward | more than 7 years ago | (#19661331)

I'm switching.

Re:This proves it. (0)

Anonymous Coward | more than 7 years ago | (#19661383)

You are switching to Windows Vista. Allow or deny?

Re:This proves it. (0)

Anonymous Coward | more than 7 years ago | (#19661709)

You do not have permission to allow yourself to switch to Windows Vista. Would you like permission? Continue or Cancel?

Re:This proves it. (1)

mrbluze (1034940) | more than 7 years ago | (#19661577)

I just RTFA, and like most research, the thing is a bit artificial. Ok, I'm not a security expert, nor a statistician, but the thing reads like a drug company pamphlet. The nature of vulnerabilities, their implications on end users, are not taken into account. They weren't in the previous research either.

And just like a new drug that comes onto the market (not talking about XP, though I've just come to like it - pity it's on its way out), Vista has the benefit of 'beginner's luck' because

  1. It's closed source - there is a lag between release and analysis.
  2. It's difficult to analyze the inner workings at this point in time, but this will inevitably change.
  3. Its userbase is only just beginning to become sizable, with Vista-specific software coming on the market gradually.
  4. As more programmes are released, the way they interact with the OS will become clearer and hence more vulnerabilities will surface.

At least that's how I see it. The best way to judge the security of an operating system is by anecdotes of security breaches, what they cost to companies and and how easy it was to recover from them.

When you hear about teenagers having keyloggers in thousands of Windows XP boxes, then it quickly becomes apparent what kind of security XP offers. It's great for games, for file sharing, for shit that doesn't matter. It's not great for storing your accounting records, tax returns and doing online banking. Similarly, using Vista for the same thing is a bit foolish. Not advisable to trust your life savings to an OS during its honeymoon period.

Hmm (0)

Anonymous Coward | more than 7 years ago | (#19661343)

What build was it tested on, does it say? I would check, but am at work...

And I've forgotten my password too...

dead (1)

poptones (653660) | more than 7 years ago | (#19661345)

One comment and it's already dead - and not a cache link to be seen. Oh well, tune in tomorrow...

Darn it (-1, Troll)

mrbluze (1034940) | more than 7 years ago | (#19661351)

The site's slashdotted already. Was it running vista?

Re:Darn it (1)

dreamchaser (49529) | more than 7 years ago | (#19661417)

According to Netcraft it's running Linux ;)

64.28.79.84 Linux Apache/2.0.46 Unix PHP/4.3.3 13-Mar-2007

Re:Darn it (1)

mrbluze (1034940) | more than 7 years ago | (#19661603)

According to Netcraft it's running Linux ;)

I had to laugh, but funnily enough, as soon as I posted, the site loaded and I got to read the article, heh heh.

Re:Darn it (1, Flamebait)

wwmedia (950346) | more than 7 years ago | (#19661535)

Linux Apache/2.0.46 (Unix) PHP/4.3.3 [netcraft.com]

lol

yea what's up with apache being such a RAM memory hog? i recommend the author switches to lighttpd [lighttpd.net] or nginx [nginx.net]

Google cache version (3, Informative)

mgkimsal2 (200677) | more than 7 years ago | (#19661353)

Wrong cache link - full text here (2, Informative)

mgkimsal2 (200677) | more than 7 years ago | (#19661365)

Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).

Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems

I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions ;-)

Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:

        * Include a comparison view of Linux distribution workstation builds that exclude vulnerabilities in non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
        * Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
        * A comparison view that combines both of these

For the full details, or to print the report, you can download the report in pdf.

For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on Windows. (clicking the chart also gets you to the full report.)

  High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac

The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).

If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own ...

Read, Enjoy, Forward.

Best regards ~ Jeff

Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.

Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security [technet.com] , where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.

What about the user experience? (5, Insightful)

s31523 (926314) | more than 7 years ago | (#19661361)

Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.

Re:What about the user experience? (2, Insightful)

grimdawg (954902) | more than 7 years ago | (#19661507)

Why in hell does this get modded up?

It's LITERALLY a paraphrasing of a Mac advert. The article is about security, and they've done some work and found some evidence that Vista's not as evil as some people think.

Now I'm an XP user, and will be until Vista is a lot older and more settled - that's if I ever install it. But just as I haven't jumped on the 'zomg it looks pretty I need it' bandwagon, I won't jump on the 'Vista is evil' bandwagon. I'll judge it on its merits.

As for the 'cancel or allow' ads, I know I'd prefer to click 'allow' once in a while than 'allow' my system to be compromised. It might get annoying, but I'm a guy who likes to be safe and not sorry.

You are coming to a sad realization (0, Troll)

geoffrobinson (109879) | more than 7 years ago | (#19661779)

Cancel or allow?

Re:What about the user experience? (0)

Anonymous Coward | more than 7 years ago | (#19661533)

Yes, but the kind of person who is capable of disabling that sort of option is probably tech-savvy enough to not need it in the first place (I've never had any sort of security or anti-virus on my XP box, and it's running fine). Having it enabled by default was a smart move by Microsoft in that it's there for those who need it (read: your magic-box type of user), and it's easily removable by those capable of doing so.

Sure, it's not a great user experience, but I personally think that is something you need to EARN with computers by showing just a little bit of know-how.

Re:What about the user experience? (0)

Anonymous Coward | more than 7 years ago | (#19661771)

I've never had any sort of security or anti-virus on my XP box, and it's running fine

Thanks for all the spam, bot-boy.

Re:What about the user experience? (1)

kjart (941720) | more than 7 years ago | (#19661557)

Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.

Agreed. Hopefully it will be ironed out a bit more in SP1 - I think OS X handles this sort of thing more gracefully at present. That being said, it is a significant step up from XP, for which I (and the rest of the internet) am grateful.

Re:What about the user experience? (3, Insightful)

Dude McDude (938516) | more than 7 years ago | (#19661749)

You'd have a point if that was true. You only get a UAC prompt if you're making system-wide changes, or if you're trying to run software that requires elevated privileges.

If Vista ever gets..... (5, Funny)

Farfnagel (898722) | more than 7 years ago | (#19661375)

...as popular as Linux, then it will be targeted, too. Or something like that.

Update. (4, Informative)

Anonymous Coward | more than 7 years ago | (#19661381)

http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html [microsoft-watch.com] Updated response "Jeff Jones Vista security progress."

Wakeup call (2, Funny)

Anonymous Coward | more than 7 years ago | (#19661387)

This should be a wakeup call to all those businesses holding back on Vista migration. Vista is clearly the better choice.

Greets

UbuntuBoy

Of course it will (4, Insightful)

oztiks (921504) | more than 7 years ago | (#19661391)

This is stupid. Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution, as it's just an operating system with limited services. Why did he do it to Vista anyway? Shouldn't he be doing it to a server edition of Windows?

When I see a Windows system and a Linux system that do exactly the same things and have the same purpose software installed on them, I can see the viability of the test.

Further, malware runs rampant in Windows, and nearly 50% of Vista's vulns were not patched, whereas regardless of how many Linux has, they get fixed when found. More secure? You tell me: is a nightclub more secure when the bouncer only kicks out half the troublemakers while a tougher and meaner club down the street deals with all of them?

Re:Of course it will (1)

toleraen (831634) | more than 7 years ago | (#19661459)

This is stupid, Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution as its just an operating system with limited services.

That's why he did just a minimal base install this time. No bells and whistles, just the operating environment.

Re:Of course it will (1)

WindBourne (631190) | more than 7 years ago | (#19661717)

Actually he did not. He picked it based on the graphical install and what he thought was == in Windows. By the sounds of it, he left in a LOT that he should not. But at least he did try to equate the 2.

Actually, he supposedly == them (2, Insightful)

WindBourne (631190) | more than 7 years ago | (#19661639)

The problem is that he is like me; he does not know the enemy's OS. So what he did was pick through the OS install and decide what sounds like it belongs and what does not.

What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from Wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distros need to get their act together. For the last 5 years, the Windows fanboys have run around saying that the # of Windows installs is the attraction for security problems, while those in the know say it has to do with ease of cracking. If this report is real, then Linux just went below MS and that will attract the vermin to us. IOW, we MUST remain above MS in terms of security to prevent having the security attacks that MS has.

This seems to (2, Interesting)

kid_oliva (899189) | more than 7 years ago | (#19661393)

Contradict another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/0018252/ [slashdot.org]. If Vista is on top, then how could Microsoft Security be one of the worst jobs? What, are they doing too good of a job???

Oh my giddy aunt... (0, Offtopic)

kiwimate (458274) | more than 7 years ago | (#19661833)

I read the post about the worst jobs for a couple of minutes before getting fed up with all the inane comments from people who didn't read the article. It's probably pertinent however:

Do you flinch when your inbox dings? The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth's other products. It's tedious work. Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations). Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless. According to the SANS Institute, a security research group, Microsoft products are among the top five targets of online attack. Meanwhile, faith in Microsoft security is ever-shakier--according to one estimate, 30 percent of corporate chief information officers have moved away from some Windows platforms in recent years. "Microsoft is between a rock and a hard place," says Marcus Sachs, the director of the SANS Internet Storm Center. "They have to patch so much software on a case-by-case basis. And all in a world that just doesn't have time to wait."

The real security test will be outside the lab (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19661395)

Article seems to be slashdotted already. I think the real security test will be outside the lab in the hands of the common user. If one of the major factors in determining the security of Vista was based on Microsoft's allow/deny pop ups, then just how secure will Vista be in a year or less when the common user is tired of seeing those boxes and just starts clicking 'Allow' and lets everything through? The OS is as secure as its user is vigilant and when the user becomes apathetic to security concerns the OS loses whatever edge it had against trojans, root kits, backdoors, viruses, etc.

Look! (5, Insightful)

Eddi3 (1046882) | more than 7 years ago | (#19661397)

Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!

Nothing to see here, please move along...

lies, damned lies and... (5, Informative)

arun_s (877518) | more than 7 years ago | (#19661401)

This has already been analysed at microsoft-watch [microsoft-watch.com] , and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.

Re:lies, damned lies and... (1)

QuietLagoon (813062) | more than 7 years ago | (#19661621)

the most basic one being that counting flaws is not a good measure of security anyway.

That is the only way that they can make Windows look halfway secure. You have to go with what makes you look good.

Re:lies, damned lies and... (1)

UnknowingFool (672806) | more than 7 years ago | (#19661669)

Even if you count just the number of flaws, that wasn't the worst thing about his methodology. "Near as I can tell, Jones' counting ignores operating system components."

Re:lies, damned lies and... (3, Informative)

Bert64 (520050) | more than 7 years ago | (#19661731)

Reported issues is also an unfair comparison.
If an issue is found in open source software, it is typically published openly and patched. If the original author finds an issue, he will fix it and tell people about it so his end users can patch themselves.
By contrast, if a vulnerability is found internally to microsoft it will still get fixed, but the fix will be rolled in with other fixes. It won't get published, and microsoft won't admit to the vulnerability unless it's already public. A good example being the ASN.1 vulnerability from a couple of years back, there were actually 2 issues fixed in the same patch, but microsoft only admitted to one of them because the other wasnt public. It was found later by reverse engineering the update.

On the back of recent news (5, Insightful)

QX-Mat (460729) | more than 7 years ago | (#19661411)

On the back of recent news that less than half of Vista "issues" have been patched, let alone publicly announced, we get another article touting the merits of two things that can't be directly compared.

Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.

Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.

There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deepend of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.

Matt

Security through obscurity? (5, Insightful)

mgkimsal2 (200677) | more than 7 years ago | (#19661415)

One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.

So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.

Re:Security through obscurity? (0)

Anonymous Coward | more than 7 years ago | (#19661695)

Uh, hate to play the logic police here, but...

Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". does not imply "when Linux had fewer vulnerabilities, it was because it was obscure".

I think the argument has always been IF Windows had a market share similar to Linux, there would be very little malware designed for it, regardless of how secure or not it is (hackers just wouldn't bother, etc).

No, still not a good comparison (5, Insightful)

jhdevos (56359) | more than 7 years ago | (#19661437)

There are still a lot of problems with this 'comparison'. For instance:

- The 'reduced feature set' used for the comparison still contains a lot of software not included with Windows
- All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
- The usual 'less known holes != safer' discussion...

I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.

Jan

no back up (0)

Anonymous Coward | more than 7 years ago | (#19661451)

lets see a list of the vulnerabilities that make up those graphs so we can evaluate how accurate they are.

Popularity proportional to vulnerability? (0)

Anonymous Coward | more than 7 years ago | (#19661463)

I'm a mac guy (which is why I post anonymously).

All the time I hear windows users say "Of course we have more security issues, we're a bigger target. No one wants to mess around with the handful of people that run macs."

So following that line of logic, does this mean Vista is so unpopular even hackers can't be bothered with it?

Ummm. Duh (1)

avb85 (1007803) | more than 7 years ago | (#19661471)

Full Disclosure: I work for Microsoft - read my previous blog post
Go figure.

Wow (1)

dhasenan (758719) | more than 7 years ago | (#19661481)

This actually looks like a fair comparison.

On the other hand, nobody's vetting the Vista source right now. And there's no indication of what the various vendors mean by "High Priority" -- is it something that only the locally logged in user could trigger? Is it a vulnerability that would allow for remote exploits? Is it a remote attack at all, or does it just open up the possibility for trojans?

What we'd need is an independent service listing the vulnerabilities and ranking them themselves using the same criteria for each operating system. Until that comes out, I'll say Vista is more secure for now. But as crackers become more familiar with the system, the rate at which new vulnerabilities in Vista are identified will increase.

Re:Wow (1)

buffer-overflowed (588867) | more than 7 years ago | (#19661785)

Well, for RedHat, a critical vulnerability is any remotely exploitable vulnerability that an unauthorized user can exploit. This includes things like telnet, oddly, which no one enables.

Selective use of facts I think... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19661483)

He's not comparing vulnerabilities - he's comparing vulnerability disclosures.

It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.

A few points (2, Insightful)

gilesjuk (604902) | more than 7 years ago | (#19661505)

1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.

2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.

3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.

Re:A few points (0)

Anonymous Coward | more than 7 years ago | (#19661631)

2. Linux is easily available to all. Therefore people identifying security holes are finding it easier, they do it to create exploits. They would find this easier for Windows too, but they don't have access to the code.

There, fixed that for ya.

" I was shocked" (1)

Bender Unit 22 (216955) | more than 7 years ago | (#19661511)

"I was shocked"
Perhaps you were and cue the trolls and me.

I got my first Mac 3 months ago (a MacBook Pro) and I am not going back to Windows, perhaps Linux (I replaced my Windows desktop with Ubuntu at work a long time ago).
But of course this is /. so I am not the average user.

Microsoft must be happy with the huge userbase that happily has bought their products for years until the day they could finally get what they were promised. Of course I am now trolling here, I have not tried Vista so I don't know anything about how good it is, but the story seems to be repeating itself for every OS release.

ID10T Error (0, Offtopic)

overlook77 (988190) | more than 7 years ago | (#19661569)

Vista better be more secure than Linux. Windows is the 'McDonalds' of OS's....it caters to the lowest common denominator. Someone who was able to tune a Linux kernel is not going to download "Stephen Speilberg gets Hilarious Prank Call.mp3.vba" off Limewire. Even if Vista was more secure, it's because the users need to be protected from themselves.

A guy working for Microsoft.. (0)

Anonymous Coward | more than 7 years ago | (#19661585)

..finds out that Microsoft OS is the best OS out there. I must say, I'm shocked!

let them think what they want... (1)

tomstdenis (446163) | more than 7 years ago | (#19661589)

I'm still not buying Vista. I have an OS that does what I want and works well. I don't have to pay money for it, and all it requires in return is a bit of patience. It lets me run my applications, does so efficiently, without nag screens, CD keys, and other f'ing hassles.

Tom

Yet another meaningless "study" (2, Informative)

niiler (716140) | more than 7 years ago | (#19661605)

I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chrootkit, nmap, etc...) are usually installed by default. When windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.

I can't see a value in such a study (0)

Anonymous Coward | more than 7 years ago | (#19661633)

I can't see a value in such a study:
- different software
- different models
- different life cycles

It's 90 days of a new product which uses closed software, at least partially newly written. Even considering the beta cycle it's totally different to products which are partially much older (with all their strengths _and_ weaknesses!), deployed for a long time and available to free analysis.

So there are less breaches in Vista? I hope so! Anything else would have been a disaster. But let's wait and see how it will come out eventually...

cb

As someone who does not know that much about this (5, Insightful)

Snowspinner (627098) | more than 7 years ago | (#19661641)

I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...

But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.

I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.

Time to apply that old standard to Windows (1)

MikeRT (947531) | more than 7 years ago | (#19661729)

As Windows' defenders are wont to say, "Windows only has more known defects because it is the most popular OS." In this case, Linux and OSX have more security defects because they have had more exposure, right?

Just sayin...

Astroturfing 2.0 (1)

Idaho (12907) | more than 7 years ago | (#19661795)

I was shocked that Apple was even on the list as I believed all those Mac commercials!

This part has "PR shill" written all over it. No techie would ever write this.

Probably Microsoft has hired some more people to work on "guerrilla marketing" techniques, just like they did with the People Ready [technovia.co.uk] campaign.

Did I miss something (5, Informative)

MECC (8478) | more than 7 years ago | (#19661839)

Rather than take his word for it, why not just check at Secunia [secunia.com]?

Vista [secunia.com]
Vendor: Microsoft
Affected by: 10 Secunia advisories
Unpatched: 20% (2 of 10 Secunia advisories)
Most critical unpatched: The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Not critical

Ubuntu 6.06 [secunia.com]
Vendor: Canonical Ltd.
Affected by: 147 Secunia advisories
Unpatched: 0% (0 of 147 Secunia advisories)
Most critical unpatched: There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

Market penetration (3, Funny)

HangingChad (677530) | more than 7 years ago | (#19661867)

I'd just like to say I'm thrilled to be able to say this.

If Vista was a bigger percentage of the PC market, there would be more exploits for it.

Pay back's a bitch, ain't it?

what a croc (1)

twoboxen (1111241) | more than 7 years ago | (#19661881)

I hate these flipping biased "reports" (from any side). But as far as UAC/Vista goes... anyone who thinks that it actually is worth a d4mn, just go to the command prompt and try to delete that folder that forced UAC authentication. What? It works?? Security my ace.