RE: Windows: insecure by design?


From: Eric Chamberlain, CISSP (eric_at_uclink.berkeley.edu)
Date: Mon Aug 25 2003 - 13:39:07 PDT


Aron,

I don't think you are making accurate comparisons by comparing a variety
of Microsoft products to specific non-Microsoft operating systems.
Slammer exploited a database, Blaster exploited the OS, and SoBig
exploited users. Each of these exploits has had minimal impact on
systems that are properly managed. In all the mentioned cases,
administrators have had ample warning to patch their machines.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
> -----Original Message-----
> From: owner-micronet-list_at_uclink4.berkeley.edu 
> [mailto:owner-micronet-list_at_uclink4.berkeley.edu] On Behalf 
> Of Aron Roberts
> Sent: Monday, August 25, 2003 12:18 PM
> To: Micronet-UCB microcomputer support user group; ucb-security list
> Cc: Craig Lant
> Subject: [Micronet] Windows: insecure by design?
> 
> 
>    A perspective in the aftermath of Slammer, Klez, Blaster, SoBig, 
> and others, which have resulted in long hours for departmental 
> computing support staff, as well as for the hard-working SNS and CNS 
> folks ...
> 
>    On November 5, 2002, our campus security officer, Craig Lant, wrote 
> (as appended below):
> 
> >... the reason I don't recommend deploying services on Windows is
> >precisely because so many more vulnerabilities are found in Windows 
> >than in any other platform.
> 
>    However, Craig tempered this by stating that Windows' market 
> dominance is the reason that so many Windows vulnerabilities have 
> been found, rather than any design characteristics intrinsic to this 
> operating system.
> 
>    Here's an interesting article, in direct contrast to 
> Craig's assessment:
> 
>    Rob Pegoraro
>    "Microsoft Windows: Insecure by Design"
>    Washington Post, August 24, 2003, p. F07
>    
> http://www.washingtonpost.com/ac2/wp-dyn/A34978-2003Aug23?language=printer
> 
>    Some excerpts, with certain individual points annotated with 
> bracketed numbers ("[1]"):
> 
> >In its default setup, Windows XP on the Internet amounts to a car
> >parked in a bad part of town, with the doors unlocked, the key in 
> >the ignition and a Post-It note on the dashboard saying, "Please 
> >don't steal this." ...
> >
> >[1] Windows XP Home Edition ... ships with five ports open, behind
> >which run "services" that serve no purpose except on a computer 
> >network.
> >
> >"Messenger Service," for instance, is designed to listen for alerts
> >sent out by a network's owner, but on a home computer all it does is 
> >receive ads broadcast by spammers. The "Remote Procedure Call" 
> >feature exploited by Blaster is, to quote a Microsoft advisory, "not 
> >intended to be used in hostile environments such as the Internet."
> >
> >Jeff Jones, Microsoft's senior director for "trustworthy computing,"
> >said the company was heeding user requests when XP was designed: 
> >"What customers were demanding was network compatibility, 
> >application compatibility." ... Now, Jones said, Microsoft believes 
> >it's better to leave ports shut until users open the ones they need. 
> >But any change to this dangerous default configuration will only 
> >come in some future update.
> >
> >In comparison, Mac OS X ships with zero ports open to the Internet.
> >
> >[2] Windows XP, by default, provides unrestricted, "administrator"
> >access to a computer. This sounds like a good thing but is not, 
> >because any program, worms and viruses included, also has 
> >unrestricted access.
> >
> >Yet administrator mode is the only realistic choice: XP Home's
> >"limited account," the only other option, doesn't even let you 
> >adjust a PC's clock.
> >
> >Mac OS X and Linux get this right: Users get broad rights, but
> >critical system tasks require entering a password. If, for instance, 
> >a virus wants to install a "backdoor" for further intrusions, you'll 
> >have to authorize it. This fail-safe isn't immune to user 
> >gullibility and still allows the total loss or theft of your data, 
> >but it beats Windows' anything-goes approach.
> >
> >[3] Windows XP includes basic firewall software (it doesn't monitor
> >outgoing connections), but it's inactive unless you use its "wizard" 
> >software to set up a broadband connection. Turning it on is a 
> >five-step task in Microsoft's directions (www.microsoft.com/protect) 
> >that must be repeated for every Internet connection [e.g. broadband 
> >or dial-up - Aron] on a PC.
> >
> >Mac OS X's firewall isn't enabled by default either, but it's much
> >simpler to enable. Red Hat Linux is better yet: Its firewall is on 
> >from the start.
> 
>    To Microsoft's credit, some of the vulnerabilities in the default 
> configurations of Windows 2000 and XP have been reported to have been 
> removed in the company's latest OS, Windows Server 2003.  Several of 
> these reports have attributed these changes to Microsoft's much 
> touted "Trustworthy Computing" initiative, as discussed on the 
> company's one-year anniversary page, 
> <http://www.microsoft.com/presspass/features/2003/Jan03/01-15twcanniversary.asp>. 
> Another reflection of Microsoft's newfound security consciousness is 
> its recent, blanket recommendation that customers enable XP's 
> integral firewall 
> <http://www.microsoft.com/security/protect/default.asp>.
> 
>    We can expect to see more changes in this direction from Microsoft 
> over time, although they might seem slow in coming to beleaguered 
> campus support providers, at least after the last several weeks :-(. 
> An outside evaluation of the "Trustworthy Computing" initiative at 
> the one year mark frankly identifies the long-term nature of this 
> effort:
> 
>    Robert Lemos
>    One year on, is Microsoft 'trustworthy'?
>    CNET News, January 16, 2003
>    http://news.com.com/2100-1001_3-981015.html?tag=rn
> 
> >"We said that Trustworthy Computing is a 10-year project, sort of
> >like (President) Kennedy sending people to the moon," said Scott 
> >Charney, chief security strategist for Microsoft. "We're (only) a 
> >year into it. ..."
> 
> FYI,
> 
> Aron Roberts
> Workstation Software Support Group
> 
> ---------------------------------------------------------------
> 
> Date: Tue, 05 Nov 2002 14:18:13 -0800
> From: Craig Lant <craig_at_ack.berkeley.edu>
> CC: ucb-security list <ucb-security_at_uclink.berkeley.edu>
> Subject: Re: [Security] PR regarding attacks, vulnerabilities of 
> various platforms
> 
> Thanks Aron,
>    This is a very interesting report and can, I think, be useful.  I 
> don't agree with the conclusions drawn in the report.  Clearly the 
> numbers simply reflect the number of deployed systems for each platform. 
> The more systems there are of a particular type out there, the more 
> attacks you'll see and the more vulnerabilities will be found.  Duh! 
> I certainly don't think it's valid to conclude that SCO Unix and Mac 
> OS are less vulnerable than the others.  It's not that they don't 
> have as many vulnerabilities.  It's just that fewer people are 
> looking for those vulnerabilities.  So, they just aren't found (yet). 
> On the other hand, the reason I don't recommend deploying services on 
> Windows is precisely because so many more vulnerabilities are found 
> in Windows than in any other platform.
> 
> 	Thanks,
> 		Craig
> 
> Aron Roberts wrote:
> >   No flames, please -- just some food for thought regarding the
> >security vulnerability of various computing platforms ...
> >
> >   mi2g, a private computer security tools, services, and consulting
> >firm in the UK, issued a press release last week 
> ><http://mi2g.com/cgi/mi2g/press/311002.php> (full text below), 
> >identifying the numbers of 'overt attacks' and 'known software 
> >vulnerabilities announced' for various software platforms, 
> >ostensibly for a ten-month or twelve-month period ending at the date 
> >of the release (October 31, 2002):
> >
> >                      Overt Attacks     Known Software Vulnerabilities
> >Platform             (in 2002)         Announced (in 2002)
> >--------             ----------        ------------------------------
> >Microsoft Windows        54%                   44%
> >Linux                    30%                   19%
> >BSD Unix                  6%                    9%
> >Solaris                   5%                    7%
> >SCO Unix                  0.2%                  0.5%
> >Compaq Tru64              0.02%                 1.9%
> >Mac OS                    0.005%                1.9%
> >
> >   As a rough first approximation, perhaps these numbers might be of
> >some value in at least retroactively assessing the risk profiles of 
> >various OS platforms.  (As noted in mutual fund literature: "past 
> >performance is no guarantee of future returns." ;-)
> >
> >   However, it is very difficult to know how much credence, if any,
> >to grant to these or any similar such set of figures (as noted in a 
> >discussion of some apparent flaws in this press release, below), and 
> >how any such numbers -- even more credible ones that might be 
> >available from other sources -- might best be used to inform 
> >computing policy discussions.
> >
> >[Long discussion in the original omitted here ...]
> >
> >Aron Roberts
> >Workstation Software Support Group
> 
> ...
> 

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
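The three default-configuration points in the quoted Washington Post excerpts ([1] services listening on the network, [2] running as administrator, [3] firewall off) are the kind of thing a departmental support provider wants to check on every machine, not read about. The script below is an added example written for this archive page; it is not from the article, the thread, or Microsoft. It assumes a current Windows host (Windows 8 / Server 2012 or later) with the NetTCPIP and NetSecurity modules, so cmdlets such as Get-NetTCPConnection and Get-NetFirewallProfile exist; none of this ran on XP, where the equivalents were "netstat -an", "net localgroup administrators" and "netsh firewall". The function names, the LAN-only service list and the finding strings are this example's own choices.

```powershell
# Added example (not from the original thread): audit a Windows host for the
# three default-configuration weaknesses named in the quoted article.
# Assumes Windows 8 / Server 2012 or later with the NetTCPIP and NetSecurity
# modules. Service names, function names and finding text are this example's
# own assumptions.

function Get-DefaultConfigAudit {
    [CmdletBinding()]
    param(
        # Services that only make sense on a managed LAN. "Messenger" is the
        # XP-era spam vector named in the article; it does not exist on modern
        # Windows and simply reports as "not installed" there.
        [string[]]$LanOnlyServices = @('Messenger', 'RemoteRegistry', 'SSDPSRV', 'upnphost')
    )

    # [1] Anything bound to all interfaces is reachable from whatever network
    # the host is plugged into unless the firewall blocks it.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        } | Sort-Object Port -Unique

    $services = foreach ($name in $LanOnlyServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        }
    }

    # [2] Does the interactive session hold an elevated administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # [3] Firewall state per profile. The Public profile is the one that
    # matters for the "car parked in a bad part of town" scenario.
    $firewall = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    [pscustomobject]@{
        ListeningOnAllInterfaces = $listeners
        LanOnlyServices          = $services
        RunningAsAdministrator   = $isAdmin
        FirewallProfiles         = $firewall
        Findings                 = @(
            if ($listeners.Count -gt 0) { "$($listeners.Count) port(s) listening on all interfaces" }
            if ($services | Where-Object Status -eq 'Running') { 'LAN-only service(s) running' }
            if ($isAdmin) { 'Interactive session is running as Administrator' }
            if ($firewall | Where-Object { $_.Enabled -ne 'True' }) { 'At least one firewall profile is disabled' }
        )
    }
}

# Remediation for [3], the one change that can be applied blanket-wide.
# Run from an elevated session; pass -WhatIf to preview without changing anything.
function Enable-AllFirewallProfiles {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -WhatIf:$WhatIfPreference
}

$audit = Get-DefaultConfigAudit
$audit.Findings
$audit.ListeningOnAllInterfaces | Format-Table -AutoSize
$audit.LanOnlyServices | Format-Table -AutoSize
$audit.FirewallProfiles | Format-Table -AutoSize
```

The audit deliberately reports rather than changes: on a campus where support staff do not own every machine, the finding list is what goes into a ticket, and only the firewall remediation is offered as a separate function because it is reversible and matches the blanket "enable the firewall" recommendation Aron cites. Closing the listening ports or demoting the user to a limited account are the per-machine decisions the article says were left to users.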


This archive was generated by hypermail 2.1.5 : Mon Aug 25 2003 - 15:03:04 PDT