----- Original Message -----
From: "Dutch de Rijke" <[EMAIL PROTECTED]>
To: "'San Diego Windows 2003 User Group'" <[EMAIL PROTECTED]>
Subject: RE: [sdw2003] Woah ! non-IE browser vulnerability
Date: Fri, 11 Feb 2005 13:07:48 -0800
> I apologize for the delay in responding. I have been on business travel all week and have been behind on my personal email.
>
> Some clarifications around the data:
>
> I am not posting BUG FIXES. I am using SECURITY DATA directly from the vendors' sites (public data).
>
> Windows Server 2003 <http://www.microsoft.com/technet/security/current.aspx>
>
> Red Hat Enterprise Linux 3 Advanced Server
> <https://rhn.redhat.com/errata/rhel3as-errata-security.html>
>
> Novell SuSE Linux Enterprise Server 9
> <http://www.novell.com/linux/security/advisories.html>
>
> The data that I included in my original comments is from what's included in a default server and a default workstation install. This way, you take only the base things (packages/apps) necessary, and the differences such as RedHat's 2000+ apps and Debian's 10000 apps fall to the wayside, and you're finally comparing something that's more "apples to apples". The default RedHat desktop install is about 500 apps. Microsoft still wins, both in vulnerability counts and average days of risk. This data has been correlated by a non-sponsored study from Forrester researcher Julia Giera entitled "The Cost And Risks of Open Source".
>
> An important point around this discussion: you can't derive a "missing patch" analysis by looking just at bulletins. You have to drill down to the vulnerabilities themselves and look at what other Linux distros are fixing, based on the inclusion of the same packages. SuSE - you have to check in 5 places to see if they fixed something, and one of those forces you to actually be running SuSE, which is why their vulnerability counts appear to be lower than the rest. Look past simple bulletin counts. It's vulnerabilities that matter, what they apply to, how quickly vendors protect customers, and of course most important, how quickly customers protect themselves.
>
> I disagree with your statement that *nix is better for Enterprise applications.
> We should probably define some "Enterprise" applications. Enterprise apps generally require relational DBs. Gartner says that Windows is now the leading OS platform for relational database workloads. SAP is pretty enterprise, wouldn't you say?
>
> Microsoft delivers the lowest cost platform for SAP solutions
>
> Largest SAP customers choosing and running on the Microsoft platform today
>
> 45,000+ SAP installations on Windows, representing over 52% of existing installs
>
> 63% of all new SAP installations based on Windows (Q2 2004)
>
> 53% of all new Windows-based SAP installations on SQL Server (Q2 2004)
>
> 20,000+ SAP installations on SQL Server
>
> SQL Server is the reference platform for Windows development at SAP. SAP technical staff sit with SQL dev in Redmond.
>
> *Numbers for SQL on Windows as dominant platform are from Gartner Dataquest. SAP stats are from SAP.
>
> As for MySQL...
> You would build an enterprise app on a DB that does NOT provide support for stored procedures, triggers, cursors, or views?
> You would build an enterprise app on a DB where developers must put more database logic into the application itself? This adds unnecessary cost and complexity for developers.
>
> Like you said, there are thousands of software packages in distros. This of course increases the attack surface from various sources who are in charge of running their own security.
>
> From Netcraft
> http://news.netcraft.com/archives/2005/02/08/phpbb_site_cracked_developers_locked_out.html
> "The server hosting the main site for the phpBB bulletin board has been cracked, leaving the development team locked out of its primary server. The open source project's web site was compromised using a vulnerability in a separate program, AWStats, which was announced Jan. 17 and has also been used to hack several popular weblogs in recent days.
> The phpBB.com site blamed the intrusion on "a group of politically motivated hackers" wishing to publicize an agenda."
>
> How about this one
>
> From Netcraft
> http://news.netcraft.com/archives/2004/10/26/hacked_postnuke_site_distributes_malicious_code.html
> Hackers have compromised the download server for the open source PostNuke content management system, redirecting users to malicious code in place of the .zip download of the PostNuke program. The hacked code was distributed for more than 32 hours before PostNuke site maintainers addressed the security breach.
>
> Alright. I have a plane to catch.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael J McCafferty
> Sent: Wednesday, February 09, 2005 9:33 AM
> To: San Diego Windows 2003 User Group
> Subject: RE: [sdw2003] Woah ! non-IE browser vulnerability
>
> Dutch,
> Actually, I have seen times when I will go to patch a RedHat Enterprise system when I need to download scores of patched software packages (maybe 50 or more) because they were all built using other vulnerable software, such as zlib (compression) or openssl (encryption). I am sure it's the same with other distros, but I don't use many other distros very often, so I don't know first hand. I don't actually think that the number of packages downloaded for patches is a good way to measure security issues, as the example above might be a very small unexploitable bug fix that could create errata for tons of software. Bug fix does not equal security problem.
> Also, the distributions come with an INSANE pile of software.
> RedHat Enterprise Linux, for example, comes with at least one complete office suite, a web server, two database servers, two windowing systems, several shells, clustering software, DNS server software, 2 mail servers, webmail software, scheduling software, several compilers, several interpreted languages (like Perl), SAMBA (which allows it to do Windows file and print services, and be a domain controller), 4 web browsers, and much more. All of it supported for your subscription fee. All of them included in your vulnerability counts. There is a lot of software in this list that MS doesn't even make an equivalent to.
> No matter what, it's never gonna be apples to apples between MS and *nix vendors. I happen to think that MS is doing a pretty darn good job. It's very difficult to manage large software projects, like OSes, office suites, and the like, without countless bugs and vulnerabilities. Large ships change course very slowly. As for debating which is better... well, it's been done over and over, and no one has ever "won" the argument. No facts and figures will back up either "side's" claims inarguably. While there's little doubt in my mind that Windows is a better desktop for the average joe in a workgroup (my opinion), and there is little doubt in my own mind that *nixes are better for Enterprise application servers (my opinion), there is some space in the middle where they compete (MS SQL Server is a very good transactional DB, and a technical power user can do some pretty cool stuff with a *nix workstation). I am a Linux sysadmin / Security Engineer, and I still have Windows on my laptop. I can't use Visio on Linux and I have had problems with compatibility with the open source office suites in the past (but I hear they are much better now). I use VMWare to get my Linux platform when I need it.
> The other Engineers in my group have opted to go with Macs for their laptops because they can do BSD (another Unix-like OS) things and still use IE, and Office (still no Visio though).
>
> Shouldn't we include Mac OS X in this argument?
>
> At 09:09 PM 2/8/2005 -0800, you wrote:
> > The real race begins once Microsoft releases the security patches. That is when people reverse-engineer the code and post exploit code.
> >
> > If you look at those Firefox bugs I posted, several are months old. Seems like someone sat on them for XXX days after RTM of the software.
> > Unfortunately, there are many many issues that run for *months* in the Linux world. I have been down this path many times and understand it is a "perception" problem.
> >
> > Here is some timeframe data from June 1 2002 - May 21, 2003 from public data sources. The most important factor is your "All Days of Risk" (the time between when a vulnerability is disclosed and a fix is available). Another interesting statistic in the Linux world is "Distribution Days of Risk". This is the time lag between when the security fix is released by the maintainer of the flawed component and when it is issued by the platform maintainer (Debian, Red Hat, SUSE, MandrakeSoft).
> >
> > Microsoft averages 25 days between disclosure and release of a fix, or All Days of Risk. Red Hat tied with Debian with 57 days for All Days of Risk.
> >
> > All Days of Risk
> > Microsoft = 25
> > Red Hat = 57
> > Debian = 57
> > MandrakeSoft = 82
> > SUSE = 74
> >
> > Distribution Days of Risk
> > Microsoft = 25 (used the All Days of Risk number)
> > Red Hat = 47
> > Debian = 32
> > MandrakeSoft = 56
> > SUSE = 54
> >
> > Microsoft fixed all 128 reported flaws during that time frame.
> > Red Hat fixed 228 of their 229 reported flaws.
> > Debian fixed 275 of their 286 reported flaws.
> > MandrakeSoft fixed 197 of their 199 reported flaws.
> > SUSE fixed 172 of their 176 reported flaws.
> >
> > I also know this is a rough month for patching but the record (last I checked) goes to Debian - Jun03, 35 single errata!
>
> _______________________________________________
> sdw2003 mailing list
> [EMAIL PROTECTED]
> http://lists.mattware.com/mailman/listinfo/sdw2003

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
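As an added illustration (not from any post in this thread): the two metrics the quoted 2/8 post defines, All Days of Risk (disclosure to vendor fix) and Distribution Days of Risk (upstream fix to vendor fix), computed over constructed advisory records, with an unfixed flaw reported as exposure up to a cutoff date instead of being dropped from the average. All advisory identifiers and dates below are made up.

```python
# Added example, not the study's data: "days of risk" metrics over
# constructed advisory records, with unfixed flaws tracked separately.
from datetime import date
from statistics import mean
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    ident: str
    disclosed: date               # flaw publicly disclosed
    upstream_fixed: date          # fix released by the component's maintainer
    vendor_fixed: Optional[date]  # fix issued by the platform vendor; None = still open


def all_days_of_risk(adv: Advisory) -> Optional[int]:
    """Disclosure -> vendor fix. None while the vendor has not shipped a fix."""
    if adv.vendor_fixed is None:
        return None
    return (adv.vendor_fixed - adv.disclosed).days


def distribution_days_of_risk(adv: Advisory) -> Optional[int]:
    """Upstream fix -> vendor fix (the distribution lag). Clamped at 0 when
    the vendor ships before upstream, e.g. because the vendor is upstream."""
    if adv.vendor_fixed is None:
        return None
    return max(0, (adv.vendor_fixed - adv.upstream_fixed).days)


def summarize(advisories: list, cutoff: date) -> dict:
    """Averages over fixed flaws only; open flaws get their exposure up to
    `cutoff` listed per flaw so they are never silently dropped."""
    fixed = [a for a in advisories if a.vendor_fixed is not None]
    still_open = [a for a in advisories if a.vendor_fixed is None]
    return {
        "reported": len(advisories),
        "fixed": len(fixed),
        "avg_all_days_of_risk": mean(all_days_of_risk(a) for a in fixed) if fixed else None,
        "avg_distribution_days_of_risk": mean(distribution_days_of_risk(a) for a in fixed) if fixed else None,
        "open_exposure_days": {a.ident: (cutoff - a.disclosed).days for a in still_open},
    }


# Constructed sample records (hypothetical identifiers and dates).
SAMPLE = [
    Advisory("ADV-1", date(2002, 6, 3), date(2002, 6, 10), date(2002, 7, 8)),
    Advisory("ADV-2", date(2002, 8, 1), date(2002, 8, 1), date(2002, 8, 15)),
    Advisory("ADV-3", date(2002, 9, 20), date(2002, 10, 5), None),  # vendor never shipped a fix
    Advisory("ADV-4", date(2003, 1, 10), date(2003, 1, 5), date(2003, 2, 12)),  # upstream fixed before disclosure
]
CUTOFF = date(2003, 5, 21)  # end of the study window quoted in the thread

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, CUTOFF).items():
        print(f"{key}: {value}")
```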
