What if Microsoft is right? (about open source insecurities)

Summary: Over the last few years, particularly as server-based deployments have eaten away at the software giant's bottom line, Microsoft has routinely derided open source software as being less secure than its own closed-source proprietary offerings.

TOPICS: Open Source

Over the last few years, particularly as server-based deployments have eaten away at the software giant's bottom line, Microsoft has routinely derided open source software as being less secure than its own closed-source proprietary offerings. Microsoft executives used to routinely take security-related pot shots at Linux, and more recently (a little less than a year ago) the company funded a study, the findings of which were presented at last year's RSA conference under dubious conditions, that backed up Microsoft's long-standing assertion that Linux is riskier than Windows.

<digression>Even when vendors leave the methodologies behind such studies up to the researchers, I take them with a grain of salt. That's because the vendor controls whether the study gets published or not. In other words, if the results don't favor the vendor(s) who commission the studies, those studies almost never see the light of day.</digression>

Now, with its increasing reliance on open source software, the US Government (Dept. of Homeland Security) wants to get to the bottom of the burning question, according to News.com:

The U.S. Department of Homeland Security is extending the scope of its protection to open-source software...Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis....The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL....

No matter how this news is sliced, it isn't good for providers of commercial alternatives to these open source products. Nor is the timing. If there are security problems (as Microsoft has long asserted), this program is certain to root many of them out, to the point that, from a security perspective, the aforementioned open source projects would be on par with their closed-source counterparts (if they're not there already, which many believe they are) or, even worse for those competitors, improve beyond the securability of those closed-source counterparts. OK, so what can $1.24 million really buy? 10 bug fixes? 20? 100? Keep in mind that a source-code analyzer produces findings, not fixes; each project still has to triage the results and ship a release, so the number of bugs found and the number of bugs fixed are different numbers. Even so, what could be worse for competitors to open source than the US government taking measures to make open source even better? Not only that, but the move comes at a time when Microsoft, which has itself taken a beating on the security front, is looking to improve its own security image, relatively speaking.


Talkback

136 comments
  • It depends

    Are we talking OSS running under Windoze? Or are we talking about all apps under Linux? Are we talking about applications or operating systems (or comingled chimeras)? You need to frame the argument FIRST before you start drawing conclusions.

    I would suspect that Apache running under Windoze has more security problems than it running under Linux. HOWEVER, that Linux box might have some other OSS running that has big security issues. The permutations are just maddening!

    If your assertion is that Windoze OS is more secure than Linux OS - I would say go jump in the lake, but once you start adding applications (commingled or OSS) the "true" picture gets murky.
    Roger Ramjet
    • It depends

      That's what your government is going to decide. Or did you not read the article?
      c-o-b
      • Bottom Line

        The bottom line, whether you like it or not, is that the US Government uses Microsoft because, despite many of its flaws and what not, it is simply the better OS. And it's the standard, universal...
        meaning: It's ready to go, without having to assemble the code or figure out how to make a certain app work. Same reason they use Dell Machines. Dell is a workhorse. I personally own 3 of them, the first one I bought in 98. OS hackers hate the industry standard, because they themselves can't get something running to compete with the Microsofts and the Apples of the world.
        Tell Linus Torvalds to code an OS that he can market in the US, with all of the apps and etc. to rival both Apple and Microsoft, then I'll believe the Open Source hype. The government's gonna decide what they decide. Locks on the doors are way better than staying unlocked, in this day and age.
        magick6
    • The Big Picture!

      The big picture is that, with the open source software....and by definition, we are talking open source code that is unchecked and insecure, then yes! Because your code is open source, the door is left wide open for any number of assaults and due to the lack of very few knowledgeable coders and programmers (aka so called hackers) who say they are 'down with Linux', it has all of the workings of trying to rob your grandmother. No one bothers with hacking malicious stuff into Linux, because chances are, the coders simply don't know how to arm themselves. There's nothing to be had on a Linux system anyway! Giving out open source is like....giving you the KFC recipe ingredients. Most of you would not know what to do with it anyway, so what good would it do if I decided to knock your open container out of your hands? You don't have fried chicken, you can't make fried chicken and chances are, you aren't quick to secure what you had in your bowl of ingredients, so you LOSE!
      Pretty bad analogy. But I am assuming that at least 75% of those proud Linux consumers could not code themselves a decent OS to even stand up against Microsoft, much less Apple.
      magick6
  • M$ Has no right to say anything about anything being insecure...

    They can't say anything about any Open Source product being less secure than theirs.

    They have the utter nerve to say this when not too long ago they had an extremely critical WMF exploit and I do not think Linux has been affected by it.

    Open Source is more secure by far mainly because people can access the code and create patches much faster, normally even before the virus writers and hackers can even get information on it. With M$ no-one knows about it, then you have hundreds of viruses - that simply does not happen with open source.

    Microcrap are just upset because they are losing business to free software.
    RyanJones
    • Gotta love linux zealots!!

      [i]They have the utter nerve to say this when not too long ago they had an extremely critical WMF exploit and I do not think Linux has been affected by it.[/i]

      Using your logic, Windows is more secure than Linux since Windows was not affected by Ramen.

      Yay, I love zealot logic!!!
      NonZealot
      • Right...

        Ramen circa 2000-2001
        WMF just a week ago!

        Get a clue, if that's the best you can do then go back to your cubby.
        Linux User 147560
        • Fair enough, try this one from Jan 6, 2006

          http://www.gentoo.org/security/en/glsa/glsa-200601-06.xml

          Now, technically speaking, xine is not in the Linux Kernel but then neither is WMF in the NT kernel. Both are libraries that you would expect to see on a home PC though and both allow for remote execution of code. Since Windows doesn't have xine and is therefore not affected by any exploits built around this vulnerability, Windows must be more secure than Linux.

          Seriously guys, you only make yourselves look like zealots when you support the ridiculous statements of zealots. Linux User 147560, you actually usually come across as a very intelligent person. Are you going to sit here and tell me that the following is a logical statement?

          [i]They have the utter nerve to say this when not too long ago they had an extremely critical WMF exploit and I do not think Linux has been affected by it.[/i]

          Keep in mind that I'm not even suggesting that Windows is more secure than Linux, I'm only suggesting that RyanJones' argument is based on pure zealotry, even if his conclusion may be correct.
          NonZealot
          • What is Xine Again?

            Xine is an optional media player. It isn't even the most popular Linux media player.

            It can also be uninstalled. There are other choices of media players for Linux such as Helix, MPlayer, XMMS, VLC, RealPlayer for Linux, Beep-Media-Player, and so forth and so forth.

            The WMFs can be rendered through MSIE, which affects all Windows machines, and which can not be uninstalled. Also the WMF flaws affect the MS Fax/Image viewer.
            Edward Meyers
          • Ah, so it doesn't matter?

            [i]Xine is an optional media player.[/i]

            The flaw was in the library so any player that uses xine-lib is affected. Who cares if it isn't the single most popular one, it is popular enough to be on a large percentage of home Linux PCs. It is certainly on mine.

            [i]The WMFs can be rendered through MSIE, which affects all Windows machines, and which can not be uninstalled. Also the WMF flaws affect the MS Fax/Image viewer.[/i]

            Sure, it CAN be rendered through MSIE but if I don't use MSIE (I don't) then I'm not vulnerable. I could have the most dangerous code in the world sitting on my hard drive but if I don't use it, it isn't dangerous. "Oh, but you use it when you use Windows Explorer." I don't use Windows Explorer. Next! "Oh, but you are vulnerable if you use Fax/Image viewer!" I don't use Fax/Image viewer. Next! Finally, you CAN uninstall all Windows WMF functionality by unregistering shimgvw.dll. Next!

            So, when can I expect to see the first xine-lib exploit published? $10 says no one even bothers even though this is a gaping attack vector. Why not? M..A..R..K..E..T..S..H..A..R..E..!!!

            Oh, hope you don't use KWord or KPDF since there was a remote code execution vulnerability found in those programs on Jan 4, 2006. Feel safe because you don't use either of these programs? You probably shouldn't since the vulnerability is in the Xpdf library. Unless you are sure that your PDF viewer does not use the affected version of Xpdf, you should avoid viewing any PDFs until you patch, patch, and patch again!!
            http://www.gentoo.org/security/en/glsa/glsa-200601-02.xml
            [i]Programs affected: xpdf, gpdf, kpdf, pdftohtml, probably others.[/i]
            http://scary.beasts.org/security/CESA-2005-003.txt

            Another $10 says the PDF vulnerability doesn't have a single exploit written against it. Care to guess why? :)
            NonZealot
          • give it up... you lost...

            and are looking just silly now.
            All OSes have vulnerabilities, and he's right; MS should be the last one pointing fingers.

            And stop saying..."Sure, it CAN be rendered through MSIE but if I don't use MSIE (I don't) then I'm not vulnerable"... Then turning around and pointing fingers at other apps.
            It's like the pot calling the kettle black.
            el1jones
          • wow, one of the best posts on this topic I've ever seen

            This is the most informative post I've ever read in this linux vs windows debate (a debate that is older than history ... :)

            To complete the message above, for the wmf exploit at least there's an automatic patch while for the xine or the xpdf library there probably isn't. There are more vulnerabilities in windows but the automatic update feature makes them very difficult to exploit for all but the most active hackers. On the other hand, bugs in linux are slower to get patched therefore giving more time to hackers to compromise a system.

            A few months ago my job responsibilities changed to include managing a Linux webserver. I was amazed at the number of bugs that Linux had. On a fresh install I ran a security scanner and I got a big bunch of (known) vulnerabilities that I had to patch. I was under the impression that Linux is a perfect operating system, a perfect place where few if any bugs exist. The process of patching itself was really painful (the fact I'm a Linux newbie didn't help either).
            cgrecu
          • No, I won

            [i]And stop saying..."Sure, it CAN be rendered through MSIE but if I don't use MSIE (I don't) then I'm not vulnerable"... Then turning around and pointing fingers at other apps.
            It's like the pot calling the kettle black.[/i]

            I won because I just got you to admit that Linux is no better than Windows. Both have vulnerabilities that can be worked around. Not once did I ever try to say that Windows was better. The only time I came close to saying that was to show him that I could use his screwed up logic to prove that Windows was more secure. I specifically stated that the logic used to come to that conclusion was flawed.
            NonZealot
          • Actually You Lost

            Just because you don't use MSIE (and then I would like to know what file manager you are using for MS Windows) does not mean that affected MSIE components are not called to render HTML. This is true of MS Office, Outlook, and a bunch of other Windows apps. Unregistering the DLL breaks the Windows File Manager preview and the WMF rendering features in all Windows apps that use those DLLs.

            The fact that MSIE can not be removed is a problem.

            2. Helix, RealPlayer for Linux, and Beep do not use the underlying Xine libraries.

            Xine's estimated market share of Linux desktops is 7%. VLC's is 9%. The most popular Linux media player is MPlayer.

            I never said you don't have to patch Linux machines... In fact any OS is likely to need patching. Certainly you should patch your Windows machine as often as you can. BTW in Gentoo patching is not hard, neither is it hard in Red Hat Fedora, or Debian/Ubuntu, or Suse - all have a built-in patch notifier and if you don't like that you can manually patch through the CLI or set up a cron job to patch.

            Anyhow you are behind on your FUD DuJour as today it is "News Analysis: Tests at Microsoft's Linux lab show that counting the raw number of security updates required by the various operating system flavors is not as meaningful as examining the efficiency of the update process. "

            A blog on the quality and timeliness of MS Windows patches.

            http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html
            Edward Meyers
          • No, I won, YIPEE!! (damn ZDNet depth limits!)

            [i]Just because you don't use MSIE (and then I would like to know what file manager you are using for MS Windows)[/i]

            Command line. GUIs are for losers. ;) Next!

            [i]Unregistering the DLL breaks the Windows File Manager preview and the WMF rendering features in all Windows apps that use those DLLs.[/i]

            Wow, that is just so uniquely a Windows problem!! I mean, deleting shared libraries in Linux causes absolutely no problems at all, right? Sorry but your statement is just so DUH that I've already given it too much credit just by acknowledging its existence.

            [i]Xine's estimated Marketshare of Linux Desktops is 7%. VLCs is 9%. The most popular Linux media player is MPlayer.[/i]

            Yawn. Within 5 seconds I found one for September 2005.
            http://www.mplayerhq.hu/homepage/design6/news.html
            You really are having trouble with this whole exercise, aren't you?

            [i]I never said you don't have to patch Linux machines...[/i]

            Wait a sec, I spoke too soon. Maybe you do understand after all! There are hundreds of remote code execution vulnerabilities in Linux distros, many of which would be found on a large number of home PCs (if a large number of home PCs had a Linux distro on it). To say that Windows is inherently more insecure because it had a WMF vulnerability (as the original poster suggested) is just ludicrous. As a bonus, this whole thread also just gave the marketshare argument a ton of weight too.

            [i]BTW in Gentoo patching is not hard, neither is it hard in Red Hat Fedora, or Debian/Ubuntu , or Suse- all have a built in patch notifier and if you don't like that you can manually patch through the CLI or set up a Cron job to patch.[/i]

            Agree 80% since I have a bit of experience with SuSE patching and much more with Gentoo. I disagree 10% since I find that I have to spend time merging config files with Gentoo and another 10% because I experienced serious dependency hell with SuSE. Fortunately the dependency hell I experienced was with programs I didn't really need to install.

            [i]Anyhow you are behind on your FUD DuJour as today it is "News Analysis: Tests at Microsoft's Linux lab show that counting the raw number of security updates required by the various operating system flavors is not as meaningful as examining the efficiency of the update process. "[/i]

            FUD? Saying (and providing links) that Linux has remote code vulnerabilities is FUD? Hmm, see why people like you are labelled "Zealots"? Are we not allowed to be factually critical of Linux? Notice I never once said that Linux sucked or even that Windows was better! Yet I'm still spreading FUD? Wow, just wow.

            About the update process, while it is nice that I don't have to reboot my gentoo server when I patch it, I still think that Microsoft's update system is pretty good. I really LOVE the flexibility of Portage but I see the advantages as being mostly geeky in nature. YaST was pretty good too as long as you didn't have any "exotic" software installed. I have to admit that it is nice having 1 update system that updates pretty much all your software (even non OS software) whereas Windows Update only updates certain things. So yes, I happily agree that Linux has better update systems. See, I'm not a zealot because I can freely admit the strengths (and weaknesses) of all the OSs that I use. :)
            NonZealot
          • No You Still Lost

            Nobody is going to use CLI only in Windows. So your own argument fails. By bundling MSIE those flaws are now core OS flaws - unless of course you suggest that MS perjured themselves in court when they said that MSIE can not be removed from the OS.

            You missed the other link, and the FUD du jour is from MS, and yes it is FUD, straight from Microsoft and reported courtesy of eWeek http://www.eweek.com/article2/0,1895,1909747,00.asp?kc=ewnws011106dtx1k0000599

            eWeek actually interviewed Red Hat's Mark Cox and he had this to say about the date they "randomly" chose to compare updates;

            "Red Hat's Cox pointed out that the second update release for RHEL4 was issued Oct. 5, resulting in a very large number of updated packages over the period of a day or two, "which is what Hilf saw. We only issued two Update releases for RHEL4 in 2005, so he was quite unlucky in his choice of a random snapshot," he said, tongue in cheek."

            He also points out;

            "Over that six-day period, only three security updates were released, one rated "important" and two rated "moderate," Cox pointed out, adding that from the release of Red Hat Enterprise Linux 4 in February 2005 until Jan. 5, 2006, just 15 of the total 169 security errata package updates for the year were for issues rated "critical.""

            Also note the Patch times for Red Hat;

            ""Even vulnerability counts normalized, say, to CVE names are hard to compare given the difference in software shipped by each vendor," Cox said. "Although we shipped 168 security advisories for RHEL4 in the year, only 17 of the underlying vulnerabilities were of critical severity [using the same scales as Microsoft for vulnerability severity]."

            Of those 17 critical vulnerabilities, Red Hat made fixes for every one of them available to customers via the Red Hat Network within two days of the vulnerabilities being known to the public, with 87 percent of them being available the first day. "

            Match that with the Washington Post Article on the Average time for MS to Patch its Holes-

            http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html

            "In 2003, Microsoft took an average of three months to issue patches for problems reported to them. In 2004, that time frame shot up to 134.5 days, a number that remained virtually unchanged in 2005."

            Even when Full Public disclosure (With Exploit Code) was made of the Flaw MS average patch time is 46 days http://www.averyjparker.com/2006/01/11/microsofts-speed-to-get-security-patches-out/

            I didn't say MPlayer was not affected by the same flaw as Xine... In fact I pointed out that it was because MPlayer, Xine, and VLC all share the same underlying library that has the flaw. BTW the flaw is already patched.
            Edward Meyers
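The argument above turns on two different measurements: how many advisories a vendor ships versus how many distinct vulnerabilities those advisories fix, and how long each vulnerability stayed unfixed after it became public. The script below is an added illustration, not code from the article, from ZDNet, or from any commenter or vendor. It normalizes a constructed set of hypothetical advisories (the XSA-2005:00n identifiers are made up) to one record per CVE, keeping the highest severity and the earliest fix date seen across advisories, and then reports the time-to-fix distribution for the critical ones, which is the shape of the comparison Cox describes.

```python
from datetime import date

SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}

# Constructed sample advisories (hypothetical IDs; not any vendor's real errata).
# Fields: advisory id, CVE names fixed, severity, date the issue became public,
# date the fix shipped. One CVE may appear in several advisories (one per
# affected package), and one advisory may fix several CVEs, which is why raw
# advisory counts and vulnerability counts are not the same number.
SAMPLE_ADVISORIES = [
    ("XSA-2005:001", ["CVE-2005-0001"], "critical", date(2005, 3, 1), date(2005, 3, 1)),
    ("XSA-2005:002", ["CVE-2005-0001"], "important", date(2005, 3, 1), date(2005, 3, 2)),  # same bug, second package
    ("XSA-2005:003", ["CVE-2005-0002", "CVE-2005-0003"], "moderate", date(2005, 4, 10), date(2005, 4, 20)),
    ("XSA-2005:004", ["CVE-2005-0004"], "critical", date(2005, 6, 5), date(2005, 6, 6)),
    ("XSA-2005:005", ["CVE-2005-0005"], "important", date(2005, 9, 1), date(2005, 9, 3)),
    ("XSA-2005:006", ["CVE-2005-0006"], "critical", date(2005, 11, 20), date(2005, 11, 22)),
    ("XSA-2005:007", ["CVE-2005-0006"], "critical", date(2005, 11, 20), date(2005, 11, 24)),  # same bug, second package
]


def normalize_to_cves(advisories):
    """Collapse per-package advisories into one record per CVE.

    Returns {cve: {"severity": str, "public": date, "fixed": date}} where
    "fixed" is the EARLIEST date any advisory shipped a fix for that CVE,
    "public" the earliest disclosure date, and "severity" the highest rating
    any advisory gave it.
    """
    by_cve = {}
    for _aid, cves, severity, public, fixed in advisories:
        for cve in cves:
            rec = by_cve.get(cve)
            if rec is None:
                by_cve[cve] = {"severity": severity, "public": public, "fixed": fixed}
                continue
            if SEVERITY_RANK[severity] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = severity
            rec["public"] = min(rec["public"], public)
            rec["fixed"] = min(rec["fixed"], fixed)
    return by_cve


def days_to_fix(by_cve, severity="critical"):
    """Days between public disclosure and first available fix, per CVE at the given severity."""
    return {cve: (rec["fixed"] - rec["public"]).days
            for cve, rec in by_cve.items() if rec["severity"] == severity}


def fraction_fixed_within(by_cve, max_days, severity="critical"):
    """Share of CVEs at the given severity that had a fix within max_days of disclosure."""
    lags = days_to_fix(by_cve, severity)
    if not lags:
        return 0.0
    return sum(1 for d in lags.values() if d <= max_days) / len(lags)


def summarize(advisories):
    """Headline numbers: advisory count, distinct CVE count, and critical fix latency."""
    by_cve = normalize_to_cves(advisories)
    return {
        "advisories": len(advisories),
        "cves": len(by_cve),
        "critical_cves": len(days_to_fix(by_cve, "critical")),
        "critical_fixed_within_1_day": fraction_fixed_within(by_cve, 1),
        "critical_fixed_within_2_days": fraction_fixed_within(by_cve, 2),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

On the constructed data the seven advisories collapse to six CVEs, three of them critical, with critical fixes available 0, 1 and 2 days after disclosure. The same normalization is what makes a fair vendor-to-vendor comparison possible: compare distinct vulnerabilities at a given severity and their fix latency, not the raw count of packages re-released.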
          • Dig that hole, zealot!!!

            <i>"2. Helix, RealPlayer for Linux, and Beep do not use the underlying Xine libraries."</i>

            Who cares. [url=http://www.gentoo.org/security/en/glsa/glsa-200507-04.xml]Realplayer[/url] and [url=http://www.gentoo.org/security/en/glsa/glsa-200510-07.xml]Helix[/url] have their own vulnerabilities and don't need xine's help.

            Beep is a fairly new port of XMMS (and it sucks, I've tried it). Give it some time, and I'm sure it will become functional enough to acquire its very own vulnerabilities. ;)
            toadlife
          • Toadie- Are you suggesting MSWMP has no flaws?

            All of the Linux players can be uninstalled- and you can pick and choose which has the least amount of Flaws at the time.

            Not so with MS Media Player- which is according to MS in the EU and Korea Antitrust cases so embedded into the OS that to remove them would severely reduce the functionality of Windows.

            BTW- From Yesterday
            "Hackers Tune In to Windows Media Player" http://www.eweek.com/article2/0,1759,1749993,00.asp

            Oh-Wait those aren't Bugs in WMP- Those are "features".
            Edward Meyers
          • Heck no!

            I stay away from IE, and WMP, as they are exploit magnets, and I run my machine as a regular user.

            What do you think, I'm dumb? ;)

            My point was - there is a huge amount of vulnerabilities for other platforms. Every semi-popular linux app you can think of has had them. Give linux a 90% desktop marketshare and people will start doing what they don't right now - that is, [b]bother[/b] to exploit them. Windows flaws are more dangerous because people exploit them all the time - not because they are easier to exploit, or that the consequences of exploitation are greater.
            toadlife
          • But You Are Using Them- Another Part of The DRM TrainWreck

            You just don't know it. If you preview a media file in the Windows File Manager you are using both MSIE and MS WMP.

            This is why bundling is a dumb idea...

            Likewise the flaws in Xine do not allow this;

            "After attempting to download the DRM, Edelman said: "On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting."

            "All told, the infection added 58 folders, 786 files and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer," he added."

            Get that 786 instances of unwanted spyware and close to 12,000 changes to the system configuration. On a Unix or Unix-Like System the media player would not have access to the Configuration files unless you were running as Root- at which point you should be flogged for using the Media Player as root.
            Edward Meyers