OpenBSD has had 55 advisories in the last 3 years, 2 of which were critical and one of which remains unpatched. True, that’s a lot better than most OSes, but Win2K03 had 65 advisories, 1 of which was critical, with 8 unpatched and 1 partially patched. The partial patch was for a highly critical advisory; the rest were for “less critical” or lower.
I would say that is as close to parity as you can get when talking about something as complex as OS security.
I’m trying to keep this as objective as possible and not have it devolve into “he said, she said” but if you look at Microsoft products conceived and developed after 2001, then I don’t really see how you can spin the data any way but positive for MS.
And as far as .NET… crack the box, and you own the program. Doesn’t matter how secure .NET is, then.
List of currently unpatched vulnerabilities…
Eh. I dunno. Sure, it’s more secure… but it’s not perfect. Oh, and keep your ears open. I have this sense we’re going to see a new generation of viruses soon.
The first advisory for 2k03 was in April 2003, the first for OpenBSD was in January. If you really want to pick nits, OpenBSD has had 45 advisories since April 2003, which is a comparable period to Win2K03. Then again, you would naturally expect a product to generate more advisories at the start of its life cycle compared to a mature platform.
Yeah, but counting numbers in that way does not really tell you much. Many of Windows’ security holes are there in the default install, and allow remote execution of arbitrary code. With a fresh install on an unfirewalled internet connection, it is common for Windows to get infected by some sort of worm before you can download patches for the vulnerabilities. Part of this is surely due to Windows’ popularity, but again, if they really cared, they would ship the patches with the install CD. They can certainly afford to. Add to this the fact that some of their vulnerabilities go unpatched for years, and I still get the feeling that they are thinking about something other than security most of the time.
On the other hand, most of the OpenBSD advisories are for potential local exploits. In other words, you have to already be allowed on the box before you can do anything nasty. Most of these vulnerabilities have no real-world examples of being exploited, and well, they may not, but they might, and they care enough to tell you about them, and patch them. The lack of exploits in the wild may be due to the rarity of the o/s in the home, but the potential gain from compromising your average BSD box would be much greater than if you compromised the average Windows box.
So, comparable numbers of advisories, but all advisories are not the same. Not by a long shot.
I did say MS was showing improvement. As far as security goes, I still consider their o/s not to be any more secure than the cardboard of its packaging. I surely would not pay them for security software, at least not until they have proven themselves to be changed across a couple of software lifecycles. But if they did that, the security software would not be necessary, now would it?
You’re talking about the situation 4 years ago. Win2K03 ships secure by default; even XP SP2 ships with the firewall on by default. Vista is supposed to ship secure by default, but we’ll see how well that goes. A default install of Win2K03 put on the web should be perfectly safe. The Secunia summary states that 58% of the advisories for OpenBSD are for remote access and 58% of the ones for Win2K03 are for remote access. OpenBSD has more “Extremely critical” advisories, 2K03 has more “Highly critical” advisories.
Their security software is for spyware, viruses and rootkits. Such things would be necessary on any operating system that was worth targeting, because no amount of security settings will stop a determined, stupid user.
I’d say it’s more like a car manufacturer selling you the basic model and charging you extra if you want additional safety and security features, such as passenger/side airbags, seatbelt pretensioners, anti-lock brakes, anti-theft alarms, etc. Last time I checked, this is exactly the sort of thing that car manufacturers do.
Suuure, but from the same site, 2003 has 12% unpatched, and 2% “partial fix” OpenBSD has 100% vendor patched. Again, it shows who focuses on what.
Spyware and rootkits usually exploit holes to get into the system, or to escalate the malicious user’s access. “Stupid” users who are vulnerable to them are stupid for doing nothing other than choosing the o/s that allowed the exploits. Certainly you knew that.
Yes, but the unpatched ones are all “less critical” or below, which pretty much means it’s pretty damn hard to exploit them. And given that it takes 41 people to change 1 line of code, it’s kind of understandable why they would not bother patching them. Interesting that OpenBSD had 1 unpatched the last time I looked, but it’s already been patched.
Due to some rather stupid decisions with ActiveX, current spyware mostly gets installed through a big gaping hole in IE. However, since this will be fixed in IE7, most likely nearly all future spyware will require some sort of manual intervention.
Yes, there is debate. Lots of debate. Constant debate.
Windows did not become the most widely-used operating system because it’s better. It happened because of the marketing genius of Bill Gates and Microsoft. Today, inertia works in Microsoft’s favor. If I could get a bookstore management software package for Mac or Linux, I wouldn’t be using a Windows machine to type this. A company I used to work for required everyone to have a Windows computer at home if they wanted to telecommute. I’ve been forced to use Windows, as have many, many other people.
As for the OP, they’re called security flaws for a reason. When there’s a flaw discovered in Windows, I expect it fixed in the next update. I don’t expect to have to pay Microsoft for security software (or antivirus software, or “tune-up” software…) to correct flaws in their products.
You might not want to, but you should certainly EXPECT it, inasmuch as it’s a pretty common practice in the software industry. If you buy a Cisco or Nortel PBX or KSU or switch or what have you, security and functionality updates are gonna cost you money. (Or cost your dealer money, depending on your service deal.) If you buy a ticketing system like Remedy or TigerPaw, you can expect additional security modules to cost you money. What, you want a business system like JDE or SAP? You want updates? Get out your checkbook.
Agreed, but I think InvisibleWombat was referring to patches for problems… which, afaict from reading, WON’T be charged for. Service Packs have always been free from MS. Even their cheesy firewall software for XP was free, IIRC. ADDITIONAL security, antivirus protection, etc., though, you are absolutely correct… everyone charges for that. From what I can tell, Microsoft is just letting it be known that they are jumping into those aspects of the game now. No big surprise, as that’s been their model forever: wait until there is a market, buy up a few key companies, then jump in guns blazin’. It’s pretty much how they originally got into the OS game, after all.
I will modify my original analogy and say it’s like the world’s largest auto manufacturer selling you a car whose locks can be opened WAY too easily and then selling you hardware to fix it.
I understand how that works. I used to own a software company. The standard in the biz then was that you could expect to spend about 10% of the list price of the software each year to get telephone tech support and software updates. I would be happy to do that if I could actually get useful tech support and I got updates.
But, as xtisme correctly noted, I’m talking about fixing problems. Security should be a part of an operating system, not an extra-cost add-on.
And, by the way, when I got my first IBM PC, the operating system was around 1% of the cost of the system (hardware was $2,500 and you could buy a copy of DOS for around $25). Today, the operating system cost is around 40% of the system (my last wintel system cost $499, and buying a new copy of Windows XP for it is $199). I think they can afford to fix their flaws.
Well, OpenBSD seems to think that any hole is unacceptable, and patches them. They obviously have a process to patch them as soon as possible. Again, the MS approach shows their lack of commitment to security. Why do you fail to see this?
As I have said before, they have had ample opportunity to see the error in their ways. They did not see the problems in IE6 (or IE5, or IE4; no one sane used IE3) before they released them to the public, and they have refused to patch some of them after they came to light. In fact, they welded the browser into the operating system, and kept it there with no technical reason to do so. In itself, this is a decision that has caused security problems, and has not been fixed. What is there to make me trust that they will spot even the most basic problems in IE7 before they release it? I repeat my earlier statement that they will have to have success in this area for a couple of software lifecycles before I consider their products as anything but insecure.
BSD, of which OpenBSD and FreeBSD are direct derivatives, has had thousands of security vulnerabilities in the past. You can’t trumpet the successes of OpenBSD and then lump “Windows” under a single banner. (And, for the record, I use OpenBSD for infrastructure boxes at my company; I have no quarrel with the OS at all.)
I do not debate that Unixes have had vulnerabilities at all. Every o/s so far has had them. The difference is that they patch them. I deal with Windows and Unix all day long at work. The truth is, that the Unix boxes and Windows boxes get hacked. The difference is: 99.9% of the Unix hacks are of the variety of a local user writing out to /tmp and running a program they are either not supposed to be running, or brute force password attacks (usually the first is an avenue to the second). The Windows exploits are usually remote, usually through holes in SQL. I spend 50% of my time on 20% of our boxes. Guess which variety of o/s that 20% runs.
Disclaimer: I am not responsible for security on these boxes; they are administered by our customers. If they are disruptive to the network, or the hacked box is reported by the customer, then we get involved. I just may not see the remote hacks for Unix because the offenders do not get noticed. That said, I never had to dehack any box of the BSD variety (crosses fingers). Yep, not data, just my personal anecdote.
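The “write something to /tmp and run it” pattern described in the post above is usually blunted by mounting /tmp (and /var/tmp) with noexec, nosuid and nodev. The script below is an added example, not code from any poster in this thread: it reads a /proc/mounts-style listing and reports which of those options each world-writable mount point is missing. The mount lines it parses are constructed sample data, and the mount points and option names it checks for are assumptions about the host being audited.

```shell
#!/bin/sh
# Added example: audit world-writable mount points for noexec/nosuid/nodev.
# SAMPLE_MOUNTS is constructed data in /proc/mounts format (device, mount
# point, fstype, options, dump, pass); on a real host read /proc/mounts instead.
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT: print the option field for MOUNTPOINT,
# or nothing if it is not a separate mount.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS NAME: succeed if NAME is one whole comma-separated entry in OPTS
# (so "noexec" does not match inside "noexecfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTS MOUNTPOINT: succeed only if MOUNTPOINT is its own mount
# and carries every option in WANTED_OPTS; print what is missing otherwise.
WANTED_OPTS="noexec nosuid nodev"
check_mount() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        printf '%s: not a separate mount, inherits parent options\n' "$2"
        return 1
    fi
    missing=""
    for want in $WANTED_OPTS; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        printf '%s: OK (%s)\n' "$2" "$opts"
        return 0
    fi
    printf '%s: missing%s\n' "$2" "$missing"
    return 1
}

# Stand-alone run over the constructed sample: /tmp passes, /var/tmp does not.
for mp in /tmp /var/tmp; do
    check_mount "$SAMPLE_MOUNTS" "$mp" || :
done
```

To audit a live box, replace the sample with `check_mount "$(cat /proc/mounts)" /tmp`. Note that noexec only stops the loader from executing a file directly; a user can still feed a script to an interpreter, so it raises the bar rather than closing the avenue, which is why the brute-force-password follow-on the post mentions still deserves its own controls.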
When it comes to ease of use it is better. As you have proven. That isn’t to say head-to-head it’s better, but it is better if you want something done. As you said, you, being forced to use Windows, are familiar with the OS. How many Windows users can say the same of Mac OS or Unix? It’s bad wording on my part to say Windows is inherently better, but it’s what people use. It’s what 90-95% of the world is comfortable with. It has flaws, obviously, but most know how it works. When I say ease of use, I’m referring to the fact that most users worldwide are able to use Windows in a way that lets you work with them.
Try getting on the same page with a majority by using a system used by a minority. Love Mac all you want, nothing wrong with that. But in the real world, as you know, Windows is the standard.
None of this is meant in a confrontational tone. Please don’t take it as so. You all know my wording style.
With the flaws, often they are fixed. The problem occurs when the new version is released without years of testing. The Windows OS is so large that it will never be feasible to work out the kinks before each release. It’s a risk (though, really, a comparably small one) that is taken with upgrades. If Microsoft makes sure there are no weak spots (keep in mind there will always be people rabid enough to spend every waking hour looking for them), we’ll get a new upgrade every decade. Then they’ll be facing criticism that the OS can’t keep up with the furious pace of technology advances.
Personally, I’d rather blame the crooks for exploiting the weaknesses than the victims. It’s a little like Ford being blamed for someone not locking the door when Ford knows damn well something can be stolen if the doors don’t automatically lock once the door is closed. At some point a user needs to take some responsibility.
The terminology seems to be our problem here. You’re saying that “when it comes to ease of use” Windows is better, while admitting that Windows is not necessarily easier to use.
THAT is my point, exactly. More people know Windows, but that doesn’t mean it’s easier to use.
Many things are just plain harder to do on Windows machines than they are on other types of systems. Heck, I have two Windows computers at home that simply won’t talk to each other correctly on the network. I’ve spent hours trying to make it work, and it just plain won’t–and I used to work in the network business. I got a Mac a few months ago. Took it out of the box, plugged it in, gave it a name, and it immediately recognized both Windows machines. They’ll both talk to the Mac. The Mac will talk to both of them. But they won’t talk to each other.
Historically, the problem isn’t so much that Windows is inherently easier to crack into – it’s that Windows ships with a plethora of take-me-I’m-yours default settings (e.g. user has full admin privileges unless he goes out of his way to create a limited “user” account) and elements (e.g. ActiveX).