Schneier on Security
A blog covering security and security technology.
« Security-Related April Fool's Jokes |
| TSA Failures in the News »
April 2, 2007
2006 Operating System Vulnerability Study
Long, but interesting.
While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream -- Windows, OS X, Linux and UNIX. Each system carries its own baggage of vulnerabilities ranging from local exploits and user introduced weaknesses to remotely available attack vectors.
As far as "straight-out-of-box" conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks. Compared with the Microsoft and Apple products, however, UNIX and Linux systems tend to have a higher learning curve for acceptance as desktop platforms.
When it comes to business, most systems have the benefit of trained administrators and IT departments to properly patch and configure the operating systems and their corresponding services. Things are different with home computers. The esoteric nature of the UNIX and Linux systems tend to result in home users with an increased understanding of security concerns. An already "hardened" operating system therefore has the benefit of a knowledgeable user base. The more consumer oriented operating systems made by Microsoft and Apple are each hardened in their own right. As soon as users begin to arbitrarily enable remote services or fiddle with the default configurations, the systems quickly become open to intrusion. Without a diligence for applying the appropriate patches or enabling automatic updates, owners of Windows and OS X systems are the most susceptible to quick and thorough remote violations by hackers.
Posted on April 2, 2007 at 7:38 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How did OS/X with its BSD Unix ancestry manage to become the least secure *nix variant?
Adds to the joy of being diligent with second and third party solutions to secure one's operating system and connection.
This makes me wonder whether (and by how much) Windows would be more "secure" if it was harder to use and thus required a bit more training for the users.
Security is far too well spread over all areas, and as Linux continues to get easier, the Carbon Layer attacks will become more prevalent even on the deemed-to-be-secure Unixes.
I don't give much for the straight-out-of-the-box analysis, because that looks equally bleak for all OSes.. whether I install an off-the-shelf WinXP or any Linux stable release CD from 2003 (yes, XP is already that old..) and connect it to the internet, my box will be rooted within a few hours.
Linux profits a lot from its quicker release cycles - most distributions offer new boxes on the shelves every few months, compared to several years for Windows, which leads to all but the most recent vulnerabilities already being patched. This is especially critical for OEMs - I have seen several companies in the last few months who were able to ship new PCs with the most recent Linux discs, but regularly shipped WinXP CDs that didn't contain any service packs, let alone the cumulative security fixes.
It is hilarious how they claim "out of the box" OS X means "actually turn on all the services that are disabled by default, without turning on the firewall". An axe to grind, perhaps?
Oh, and they separately review OS 9, as if you can still buy a machine that can run it.
Bruce uses Windows so it has to be best.
"Bruce uses Windows so it has to be best."
I don't think that follows. People generally make security decisions for non-security reasons.
In addition to staying current on patches, the other things you should do, in order of importance, are:
1. Turn off HTML email. A text-only is sufficient, and much safer.
2. Use a browser other than Internet Explorer, such as Mozilla Firefox.
3. Don't download applications except from trusted sources.
4. Don't install video applications unless you absolutely need them. That means, no Flash, no Quicktime, no Real Player, etc.
5. Turn off Java (there are plug-ins for Mozilla Firefox, that let you turn it back on for specific websites.)
It seems to me that all platforms are roughly equivalent when it comes to innate, baked-in security. The biggest security threat is from uneducated users, and that disproportionately affects the Windows ecosystem because of its huge lead in marketshare.
As a seasoned Windows-user, I'm so disconnected from the notion that Windows is insecure. I haven't had any virus or spyware problems since SP2, so when other people complain of having problems I think, "What the heck are they up to?"
> Bruce uses Windows
Let me guess: Got nothing to hide or what? ;-)
"Don't install video applications unless you absolutely need them. That means, no Flash, no Quicktime, no Real Player, etc."
well - that certainly enhances my internet experience. I think many of us are missing the bigger picture here. Yes - we can make the OS more secure by disabling many of it's features - but why are we so willing to give that up? I want Flash - I want Quicktime - i want more robust, feature rich content on the internet. I want excellant and useful web enabled applications that do things I need and things I want. There must be a better way to solve the security problem - to simply advise people 'not to use it'
I'm not fond of that "study". Example from my favourite (Ubuntu):
"Installing the server edition of Ubuntu 6.10 revealed the same installation environment only without the GUI. The system was only visible on-line to an ICMP ping but did not reveal any open network ports."
So, the default install would be considered immune to all worms that could not exploit a flaw in TCP/IP or ping, right?
"Following a reboot, the CUPS, SMB, SSH, and VSFTPd services were added using apt-get."
So, let's throw other stuff in there and see if we can make it less secure.
"Despite having to manually add the servers, no further configurations were made."
What the ... ?
They're left off of the default install for a REASON!
If you're going to add additional services that depend upon open ports, you need to consider the implications.
In the latest example, Microsoft has shown that zero day bug disclosure really does hasten vendor patches. Microsoft has been sitting on the animated cursor vulnerability since December, but just days after the public release of exploit code it will be patched.
How safe/secure are you if, while tweaking your firewall in OpenBSD, you are eating a pizza with 12 grams of trans fat or have an aquarium mounted over your CRT monitor? Don’t lose sight of the forest for the trees.
It seems as though the more users use a product - the more unsecure it becomes over time. You could deduce that it is the human's desire for ease of use, which accepts more risk and 'cause and effect' a mainstream OS to decline.
@supersnail: it got so insecure by bowing to market pressures, demanding ease of use. Remember, security * convenience = a constant. :-)
I agree with gary--turning off useful services is an unsatisfactory way to improve security. We can be perfectly secure by not using the machine. Who cares?
Maybe the best solution is the OLPC Bitfrost approach of running each app in separate virtual machine with limited permissions. To me that makes more sense than eliminating useful features in the browser.
Hey, where's Plan 9?! Why didn't they test Plan 9? It's the most secure OS in the world...only 3 people use it and nothing runs on it!
While there are an enormous variety of operating systems to choose from, only four "core" lineages exist in the mainstream -- Windows, OS X, Linux and UNIX.
How can I trust anything they say when they get such a basic fact wrong? OS X and Linux are Unix variants. Why are they different then Solaris, AIX or HP/UX? In the end, they're all based on AT&T Unix, the only big question is are they more BSD or SVR4?
Not understanding that - that OSX and Linux are descendants of the same things that "UNIX" is serious compromises my ability to trust their judgments in securing these operating systems.
I think you missed a huge point, the one that Linux users generally miss. The article speaks to it: most people who install Linux already know something about Linux administration, whereas an average Windows user knows nothing about any system administration.
If Linux or OS X ever become viable as a desktop OS for the mainstream, there will be a lot more of this happening. It's already happening on OS X. User buys computer; user downloads package that says, "hey, we can do this, that and the other thing if we just turn on your ____ server;" user turns on server without knowing implications. If you know how to administer Windows properly, it's as secure as anything else.
Most security violations aren't about the paranoid, educated, benign and informed. They're about the malicious preying on the uninformed.
@Erik V. Olson
"OS X and Linux are Unix variants. Why are they different then Solaris, AIX or HP/UX? In the end, they're all based on AT&T Unix, the only big question is are they more BSD or SVR4?"
It's wrong to say "based on". It presumes a common code base.
Mac OS X is a BSD variant actually based on the BSD source code, i.e. derived from it.
Linux, however, is an independently developed product PATTERNED AFTER AT&T Unix, but not sharing a common code base with it. There are any number of other POSIX-compliant OSes that don't have common code bases.
The report's problem may just be due to poor choice of words. "Lineage" is a poor choice. "Product line" might be better, except it still clumps together all the "other Unix" products in a single category, which is crazy if you understand that different source-code ancestries have different bugs and bug-histories.
"I think you missed a huge point, the one that Linux users generally miss."
Nope. The single biggest security issue with home computers is the DEFAULT CONFIGURATION.
You CANNOT depend upon any user performing any additional tasks to secure the machine.
It has to ship in as secure a configuration as possible.
Reading that article, I noticed that they found that Mac OS 9 (once you turn on the not-on-by-default web server, anyway) is vulnerable to a bug that lets you crash Oracle 9i.
Oracle 9i doesn't come with Mac OS 9, and AFAIK doesn't run on Mac OS 9 in any way whatsoever....
From the article:
"By 2004, the average unprotected computer was compromised in less than a minute, sometimes as quickly as twenty seconds."
I thought that hacking was supposed to be more common now than in 2004. I often leave my cable modem and router switched on. accoring to the router logs, I typically get an unrecognised connection attempt roughly every 5 to 10 minutes. The numbers in the report don't look right to me.
"Unlike the UNIX systems which required simply enabling the application, Windows Server 2003 required configuring via built-in wizards."
Wrong. You can use the wizards if you want or just install the software components instead.
"The configuration of the file server required selecting a folder which resulted in sharing the "My Documents" folder from the Administrator's account."
Rubbish. If you don't know how to handle file sharing, you shouldn't be administering a Windows server. The context of the report seemed to imply using Windows file sharing over the internet?! WTF!
The only part of the report that I agreed with is that Windows is shipped with too many software components activated. It would be really nice if Microsoft offered a simple configuration utility to switch off SMB/CIFS, DCOM, NetBIOS, ... for pure Internet only use.
Overall, I was unimpressed by this report.
Turn off Java? In case you'd forgotten, Java is just about the only form of mobile code that is designed to be run despite being untrusted.
I use Norton Utilities; I'm safe.
@ gary, alan:
> Yes - we can make the OS more secure by disabling many of it's
> features - but why are we so willing to give that up?
I think the bigger problem is that people aren't willing to give it up. Moreover, they want their computer to be equally secure in all operational modes, and they aren't willing to have to manually transition between modes... they want to treat their computer as if it should be equally trusted when browsing, sending mail, receiving mail, doing their taxes, downloading files of dubious content, creating their MySpace page, editing redeye out of their photos, etc. etc... and they don't want to have to fuss with making sure that each of those activities is "safe".
> I want Flash - I want Quicktime - i want more robust, feature rich
> content on the internet.
The third is not dependent upon the first two. Think about how many media players there are. What, really, do they all do? They show you media. Why do we need quicktime, real player, flash, windows media player, winamp, shockwave... there's a gigantic wikipedia entry just to list media players (http://en.wikipedia.org/wiki/List_of_video_players_%28software%29).
With all this choice, why are they all so miserably insecure?
> I want excellant and useful web enabled applications that do
> things I need and things I want.
By definition, then you have trust issues with your computer, your network connection, and the hosting service. That a lot of trust to turn over to a dozen or more software companies... all with competing business models and none of whom are liable for the potential damage that can occur if they write bad code, opening you up to an exploit that endangers your tax information as well as your web browser
> There must be a better way to solve the security problem - to
> simply advise people 'not to use it'
Use it for a defined class of activities, and make sure that you silo your activities to help prevent cross-contamination. Don't assume that your computer is trustworthy. Be aware that the more things you use your computer for, the more things you're going to be exposed to and the more vulnerable you're going to be. As long as "I want to see this proprietary video format and I want to see it now" overrides "I don't want to use this insecure media player", we're stuck.
your default osx firewall is useless, for udp it either allows anything with a source port of 67 or 53 through, or everything. For TCP it allows anything that is fragmented through, if you click the 'make me invisible' option or whatever, it just doesnt respond to pings.
If you want "secure", you'd run VMS.
But, it seems that most people don't want security quite that much.
>Use it for a defined class of activities, >and make sure that you silo your >activities to help prevent cross->contamination. Don't assume that your >computer is trustworthy. Be aware that >the more things you use your computer >for, the more things you're going to be >exposed to and the more vulnerable >you're going to be. As long as "I want >to see this proprietary video format >and I want to see it now" overrides "I >don't want to use this insecure media >player", we're stuck.
Believe me Pat - I understand your points - they are valid and insightful. But explain them to my mother who just got a video from her friend's grandkids! The computer industry today is successful (define success however you want) ONLY because there are all these people engaging in all these activities using all these applications.
My only point is that attempting to improve computer security by asking users not to do the things they want to do is a business model predestined to fail!
Security is important, but the solution has to be something other than "mom, please don't watch that video of your grandkids - it's not safe" !!
> The computer industry today is successful (define success however you want)
> ONLY because there are all these people engaging in all these activities using
> all these applications.
I think you're making an "if and only if" out of an "if" and you're overgeneralizing. I'll agree with this version:
"The personal computer has seen a remarkable rate of adoption in the home in the last twenty years in large part because of the increasing availability of packaged software that requires little or no knowledge to install and use."
Sure, that's true, and I think that this is a good thing. The advent of the networked personal computer has certainly had a huge (overall beneficial) effect on the ability of people to communicate.
But, I think that one of the negative side effects of the commoditization of software is that people don't differentiate products properly... for two reasons: one, because there is no barrier to entry to use all this software; and two, because of proprietary formats. Most software consumers select their applications based upon something other than quality.
To clarify that last paragraph -> people download and install RealPlayer because they want to listen to media files that have been encoded as RealAudio files. People download and install Quicktime for the same reason.
So, it's not because "they want to watch media files" -> if every media player played every media format, you could differentiate on quality (including security).
Now, I'm not *entirely* blaming the vendors for this situation, since there is a large social context involved here. People who *create* media are part of this problem -> they choose their encoder based upon lots of different reasons (creative reasons, process related reasons, and distribution reasons)... but as a result they're unintentionally forcing their consumers into vendor lock-in.
But I digress. Essentially, I agree with you that "just don't do that" is advice that the general public, on the whole, isn't going to follow. On the other hand, borrowing Bruce's favorite line, "security is about trade-offs"... at some point, if you want a higher level of security, *somebody* somewhere in this chain has to accept a limitation.
Either (a) people who produce content/media need to start differentiating their files/encoders based upon quality, or (b) people who consume data/media need to start differentiating on quality, *or* (c) society has to adapt rules that force software providers to start producing quality.
Since (a) is unlikely, and since we both agree that (b) is essentially impossible in the marketplace, that leaves us with (c). Right now, software makers absolve themselves of responsibility and liability, so (c) isn't possible either.
Quite frankly, security isn't going to get better until one of these things changes, and (c) seems to be the only one that is practical.
"Things are different with home computers. The esoteric nature of the UNIX and Linux systems tend to result in home users with an increased understanding of security concerns."
While intended as a compliment to Linux users, this is actually inaccurate. Modern desktop oriented Linux systems are just as trivially easy for an end-user to administer and maintain as Windows or Mac systems.
I kept hearing this so often, usually from someone that's seen or used a server Linux distribution, that I setup a tutorial on the subject:
While Linux systems may, and likely do have better security, I would suspect that it's mostly due to the efforts of the distribution maintainers:
You missed the operating system that runs many customers business and that has had security built in to the OS and the hardware for decades and that is z/OS, the mainframe operating system.
Before you state that z/OS is not widely used note that some studies have shown that 85% of business's core data resides on a mainframe.
Most sophisticated customers realize that is is risky to put important data on platforms other than the mainframe.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.