Security pro: Windows easier to 'own'
On Friday, David Aitel, a noted security professional and managing director of vulnerability assessment firm Immunity, published a paper stating that "owning" a computer--hacker-speak for compromising a system--is easier if the target computer runs Windows. While couched in puns and jokes, the paper takes a serious stance on the security of Windows compared with modern Linux, Aitel said.
"We are having some fun with it, but the underlying data and conclusions are real," he said.
The paper, titled "Microsoft Windows: A lower Total Cost of 0wnership," mocks other, typically Microsoft-funded, research, such as a study done by IDC that maintains Windows costs less to implement in four out of five corporate applications. Another such study, released by Forrester, found that a particular measure of the threat of vulnerabilities was higher for Linux than for Windows--but the data used by the study was broadly questioned.
The Aitel paper marks the first time that a security professional with hands-on experience of hacking both Linux and Windows systems has weighed in on the issue.
His conclusion: The security of Windows computers is easier to breach than modern Linux computers, despite more than two years of work by Microsoft to secure its operating system under its Trustworthy Computing initiative. Microsoft declined to comment on the paper.
The report has very little supporting data, however, making it less of a challenge to Microsoft and more of another voice in the long-running debate between the two operating-system camps.
Based on their tentative data, Immunity's researchers found that their average time to find a flaw in the Red Hat-sponsored Fedora Core 2 distribution of Linux was about six days--twice as long on average as it took to find previously unknown Windows vulnerabilities. Several factors affect that time, including better tools for finding flaws in Windows systems, better kernel-level defenses in Linux, and more known points in Windows to execute attack code, the researchers noted.
Microsoft recently released a massive security update for Windows XP, a reaction to the massive spread of the MSBlast, or Blaster, worm a year ago, but that still will not close most of the holes until a major security feature in PC processors is more widely available, Aitel said. That feature, known as the nonexecutable flag or write-XOR-execute bit, allows processors to prevent attackers from executing code. However, only Advanced Micro Devices has introduced the technology, which it calls enhanced virus protection (EVP), into its mainstream processors.
Adding to the security issues he has with Windows, Aitel pointed out that, while getting customers to patch is a problem for both platforms, Linux patching utilities update a wide variety of applications, not just the core operating system, as is typical of Windows fixes.