Exploits, vulnerabilities, and questions

When I read a report showing an overwhelming security advantage for Windows over both Linux and MacOS X, I didn't immediately believe it, and when I looked more closely I ended up with more questions than I started with - including a zinger: did Microsoft find and fix bugs in XP code for use in Vista, but not report or fix those bugs in XP?

Some time ago Jeffrey Jones, "a Security Strategy Director in Microsoft's Trustworthy Computing group", published a count of PC-style security vulnerability patches issued during the first quarter of 2008 for two Windows variants, two Linux variants, and two MacOS X releases.

Here's what he says about what he includes:

Note that I will not be counting every vulnerability that affects the hundreds of optional application components that ship with the Linux distributions. Instead, for both Red Hat and the Ubuntu products, I install using the desktop installation defaults (which excludes most of the optional packages) and additionally:

  • excluding 'Office' packages (e.g. OpenOffice, Evolution, Thunderbird), since Microsoft Office is not included with the Windows client operating systems
  • excluding 'Graphics' packages (e.g. Gimp, ImageMagick), since Microsoft Expression products are not included with Windows client operating systems

Note that this process means that Apache, MySQL and all of those optional 'server' components are not installed either. After installation, I use the appropriate package management tool (ie, rpm or dpkg) to list out the actual packages installed and use that to filter on affected components.

After extensive work he arrived at the following numbers:

Client OS                 | Vulnerabilities fixed | Security advisories | Patch events
--------------------------|-----------------------|---------------------|-------------
Windows Vista             |                     9 |                   6 |            2
Windows XP                |                    12 |                   8 |            2
Red Hat RHEL 5 (reduced)  |                    60 |                  19 |           12
Red Hat RHEL 4 (reduced)  |                    75 |                  18 |           14
Ubuntu 6.06LTS (reduced)  |                    54 |                  15 |           13
Mac OS X 10.5 Leopard     |                    83 |                   6 |            5
MacOS X 10.4 Tiger        |                    81 |                   5 |            5

Since numbers showing an overwhelming security advantage for Windows over both Linux and MacOS X are, at least for me, somewhat counter-intuitive, the obvious question is whether or not he's cooking the books here.

The big problem in doing this kind of thing is, as he says in this report, that no two different OSes are directly comparable in terms of the content of default installs - and I'll add that the absence of effective standards for defining and counting either vulnerabilities or patches makes things even harder. Thus one group's "critical" can look unimportant to another, root cause patches affecting many vulnerabilities can be counted as one or many, and technologies considered part of the base OS in one community may have no counterparts in the other.

There is, for example, really no such thing as a Linux "client": Linux is Linux and works the same way whether you put it on your desktop or in the server room - meaning that any comparison between Windows and Linux "clients" is flawed from the get-go.

What's needed to fix this is, of course, some measure of realized risk - the expected costs of loss and remediation for each exploit.

(Note too that only exploits count because a vulnerability indicates that a risk exists, but that risk cannot become a cost without an exploit - something that's so trivial in the x86 world that the terms have become virtually synonymous there. Outside x86, however, a vulnerability by itself is about as useful as Viagra without a girlfriend - this is why Apple has been in panic patch mode on their x86 products since their first release, but only updates the same MacOS X for the iPhone's firmware every three to four months.)

We don't have such a measure, and Jones doesn't provide a list of the patches and vulnerabilities he counted, but if you follow the references he provides to the source listings at Microsoft, Red Hat, Ubuntu, and Apple you can get some hints about what's going on.

For example, I think he could reasonably have counted some version of RHSA-2008:0164-6 (covering CVE-2008-0062, CVE-2008-0063, and CVE-2008-0947) against at least three of the five Unix variants - here's part of Red Hat's writeup explaining it:

Updated krb5 packages that resolve several issues and fix multiple bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf.

Similarly, I think he'd reasonably have counted Microsoft's vulnerability MS08-008 (Vulnerability in OLE Automation Could Allow Remote Code Execution) against both XP and Vista. Here's part of their write-up:

This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

If so, he could have counted the Unix vulnerability noted above at least nine times (three CVEs against each of three Unix variants) even though it's a minor bug affecting few users; and the Windows one only twice, even though it directly threatened users on every supported Windows OS product.

If so, you'd expect the combination of some new code with lots of migrated XP code to produce more bugs in Vista than in XP - but that's not what he reports.

To me this means either that he's cooking the books by counting vulnerabilities as CVEs, once per affected OS, for Linux and MacOS X, but only once, and only against the originating OS, for Windows; or that Microsoft's work on Vista included finding and fixing XP bugs that they chose not to report or fix in XP.
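The counting asymmetry argued above can be made concrete by running the same two advisories through different charging rules. The following is an added example and not part of the original post or of Jones' report: the advisory ids and the three krb5 CVE ids are those quoted above, but which products each advisory is charged to, the "originating" product, the Unix/Windows family mapping, and the CVE id for MS08-008 (a placeholder) are assumptions made here for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One vendor security advisory as it appears in a patch listing."""
    vendor_id: str       # vendor's advisory id (taken from the post)
    cves: tuple          # CVE ids the advisory fixes
    affected: tuple      # products the advisory is charged to (assumption)
    originating: str     # product the bug is first charged to (assumption)


# Constructed sample data. The product lists, the originating product and the
# MS08-008 CVE id (placeholder) are assumptions, not values from Jones' report.
ADVISORIES = (
    Advisory("RHSA-2008:0164",
             ("CVE-2008-0062", "CVE-2008-0063", "CVE-2008-0947"),
             ("RHEL 5", "RHEL 4", "Ubuntu 6.06"), "RHEL 4"),
    Advisory("MS08-008",
             ("CVE-PLACEHOLDER-MS08-008",),
             ("Windows XP", "Windows Vista"), "Windows XP"),
)

# Assumed grouping of products into the two families compared in the post.
FAMILY = {"RHEL 5": "unix", "RHEL 4": "unix", "Ubuntu 6.06": "unix",
          "Windows XP": "windows", "Windows Vista": "windows"}


def charge_per_affected(adv):
    """Rule A: every CVE is charged to every product the advisory applies to."""
    return adv.affected


def charge_once_at_origin(adv):
    """Rule B: every CVE is charged once, to the originating product only."""
    return (adv.originating,)


def tally(advisories, charge_rule):
    """Per-product 'vulnerabilities fixed' under a single, uniform charging rule."""
    counts = Counter()
    for adv in advisories:
        for product in charge_rule(adv):
            counts[product] += len(adv.cves)
    return counts


def tally_asymmetric(advisories, per_affected_families):
    """The scheme the post suspects: rule A for some families, rule B for the rest."""
    counts = Counter()
    for adv in advisories:
        family = FAMILY[adv.originating]
        rule = charge_per_affected if family in per_affected_families else charge_once_at_origin
        for product in rule(adv):
            counts[product] += len(adv.cves)
    return counts


def family_totals(counts):
    """Collapse per-product counts into per-family totals."""
    totals = Counter()
    for product, n in counts.items():
        totals[FAMILY[product]] += n
    return totals


def distinct_cves(advisories, family):
    """The de-duplicated set of CVE ids a family actually received fixes for."""
    return {cve for adv in advisories if FAMILY[adv.originating] == family
            for cve in adv.cves}


if __name__ == "__main__":
    schemes = {
        "A: per affected product":   tally(ADVISORIES, charge_per_affected),
        "B: once at origin":         tally(ADVISORIES, charge_once_at_origin),
        "A for unix, B for windows": tally_asymmetric(ADVISORIES, {"unix"}),
    }
    for name, counts in schemes.items():
        print(f"{name:28s} {dict(family_totals(counts))}")
    for fam in ("unix", "windows"):
        print(f"distinct CVEs, {fam}: {len(distinct_cves(ADVISORIES, fam))}")
```

With these inputs rule A charges the single krb5 advisory nine times against the Unix side and MS08-008 twice against Windows; rule B yields three and one; and the mixed scheme yields nine against Unix but one against Windows, which is the kind of tally the post is questioning. The distinct-CVE count (three versus one) is the only figure that does not move with the charging rule, which is why a comparison that does not publish its per-product CVE lists cannot be checked.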

To find out which it is I sent him an email asking for the list of CVEs counted for each category and promptly got a very nice response:

I am not in the office right now, but you can generate the list yourself by examining all of the security advisories released by each vendor. It shouldn't take that long to validate the Mac OS X Leopard totals, for example, to give you confidence in my numbers. The link is - http://support.apple.com/kb/HT1222, which contains only 16 security advisories in Q1.

If you click on the last one in June (http://support.apple.com/kb/HT2163), you can identify 25 vulnerabilities by CVE id, but you will only want to count the ones where they say it applies to Mac OS X v10.5 (some do not).

It is straightforward.

Unfortunately that just duplicates information in the report and therefore doesn't help, so my provisional bottom line on this is that either I'm missing something important, he's cooking the books to favor Vista, and/or work on Vista revealed bugs in XP that Microsoft chose not to fix until they were found and made public by third parties.