Vista Security Claims Debunked

An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
  • by dhasenan ( 758719 ) on Thursday June 28, 2007 @08:59PM (#19684157)
    The second report lacked detail. It mentioned that the writer had removed some packages but kept GNOME around, but only about five lines were dedicated to each distro (there were four, though I believe two were Red Hat or strongly Red Hat based).

    Also, none of the vulnerabilities were enumerated, so you couldn't guess at what software was installed on that basis.

    So it's quite possible that the report was based on Linux, X11, and GNOME with the minimal amount of other stuff to make the system run, but somehow I doubt that.
  • Re:er (Score:3, Informative)

    by daeg ( 828071 ) on Thursday June 28, 2007 @09:16PM (#19684265)
    The problem exists on any NT-based system, actually. What is happening is that when the installer runs, it is running with Administrator credentials. The retarded, non-user account aware installer installs the icon in the "All Users" desktop. You, a non-administrator, cannot remove it from your desktop because you can use the "All Users" desktop, but cannot alter it. The failing silently thing can also happen on 2000/XP, albeit rarely. Sometimes the "Permission Denied" box can take many minutes to display for apparently no reason at all, particularly on some computers with strange software installed (I've noticed many similar failures when the Dell support tools are installed).

    Of course, the solution is blindingly simple. If an icon is on the "All Users" desktop, and you delete it, it simply marks it deleted for *your copy* of the desktop. If you rename it, it's the same icon, just renamed on your desktop. If an administrator wants to delete it, give them another context menu option, or let them delete it from the actual "All Users\Desktop" folder.

    Arguments in terms of Active Directory/Domains are moot--you could simply administer that right via group policies to prevent users from renaming, for example, the icon for Outlook.
  • Re:Teredo (Score:3, Informative)

    by DECS ( 891519 ) on Thursday June 28, 2007 @09:19PM (#19684291) Homepage Journal
    No you are absolutely wrong.

    A vulnerability is a vulnerability regardless of whether other systems have similarly flawed mechanisms.

    If Mac OS X had a vulnerability in its Apple File Service, it wouldn't be dismissed simply because Windows doesn't natively support the AFP service.
  • It mentioned that the writer had removed some packages but kept GNOME around, but only about five lines were dedicated to each distro (there were four, though I believe two were Red Hat or strongly Red Hat based).

    Some of the issues I noticed in the second report include:

    • choosing to assess Ubuntu 6.06 instead of 7.04 because "Ubuntu has only committed to long term support for 6.06 and not later releases."
    • The "apples to apples" feature set didn't compare actual default applications. Windows does have a very minimal application set on install compared to Linux. It would have been easy to compare vulnerabilities for just the comparable products - gedit for wordpad, for example.
    • His chosen metric doesn't actually assess the security of the product. Interestingly, he was advised this via a comment back in October 06, but chose to continue.
    There's a bit more discussion of his methodology in his own blog here:
    http://blogs.technet.com/security/archive/2006/10/06/Red-Hat-and-Windows-_2D00_-Defining-an-Apples_2D00_to_2D00_Apples-Workstation-Build.aspx [technet.com]

    I'll leave the final comment to the man himself:

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.
    November 07, 2006, Jeff Jones
    That Microsoft published the results as a valid security assessment tells you a lot about the company and their commitment to real security in their products.
  • by Sigma 7 ( 266129 ) on Friday June 29, 2007 @01:56AM (#19686145)

    Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this?
    Right-click on My Computer, select Properties. Click on Advanced System Settings. Under the Advanced tab, click Settings for Startup and Recovery. Uncheck Automatically Restart.

    Alternatively, press F8 during bootup and disable automatic restarts.

    I am not trying to rant (well.. okay, partially I do) but how exactly does concealment of stability issues count as good engineering?
    Unless you are in a reboot loop, or have a persistent failure of your system, you generally want to restart the computer if there's a STOP error.
  • by Lonewolf666 ( 259450 ) on Friday June 29, 2007 @04:13AM (#19686669)
    My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
    Better yet:
    Wait until the service pack is out and independent reviewers are happy with it. Because if people stick to the rule "after SP X things are fine", it is merely an incentive for Microsoft to rush the service packs until the number X in question is reached.
    In the case of Vista, it seems Microsoft was already organizing the beta testing for SP1 before the OS was released to end users:
    http://news.com.com/2100-1016_3-6152704.html [com.com]
    That article was from January 23rd. Looks like the beginning of a trend to increase the SP count as fast as possible.
  • by GreatBunzinni ( 642500 ) on Friday June 29, 2007 @05:28AM (#19686917)

    I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".

    That's because you are gullible enough to believe the hype, aggravated by your lack of will to perform a basic search for the facts. Here is a bit of debunking from a quick google search.

    From Secunia's advisory statistics:

    Those are real world facts supported by real world evidence which is freely available to the public. It isn't a random blog entry which is based on god knows what data which is only known by the author and possibly doesn't even exist. So where in fact is there a need to "debunk" a moronic, unsubstantiated claim made by some Microsoft employee, especially when there is all that evidence right in front of everyone's face?

  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Friday June 29, 2007 @06:35AM (#19687161) Homepage

    Back when windows 95 shipped it was head and shoulders technically better than the other operating systems targeting average everyday folks.

    No it wasn't. OS/2 was waaaaay ahead of win95 in pretty much every way.
  • by digitig ( 1056110 ) on Friday June 29, 2007 @08:13AM (#19687535)

    - If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review, which closed source often lacks), then no bugs at all will be discovered.

    - The existing number of unfound bugs is related to the number of discovered bugs. Well, no, not really: the number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs, and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.

    There's a good discussion of this from software metrics guru Norman Fenton at http://www.dcs.qmul.ac.uk/~norman/papers/metrics_roadmap.pdf [qmul.ac.uk], which shows that the existing number of unfound bugs is related to the number of discovered bugs. It's related negatively. In one sense this is a "well, duh!" finding -- that the more bugs you've discovered, the fewer are undiscovered. But much software quality assurance is founded on the assumption (which I realise is what you were really challenging) that the number of bugs discovered is positively correlated with the number of bugs undiscovered. The empirical data says otherwise.
