GROKLAW
When you want to know more...
On CERT's 2005 Software Vulnerabilities List
Saturday, December 31 2005 @ 03:48 PM EST

CERT has released its list of software vulnerabilities for 2005. Brian Krebs on his blog, Security Fix, reports:
Security researchers uncovered a record 5,198 vulnerabilities in software products this year, nearly 38 percent more than the number of flaws found in 2004, according to statistics published by US-CERT, a cyber security information-sharing collaboration between the Department of Homeland Security and the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

Well, yes and no. Let me explain what I see.

Already some are trying to spin the list to imply that Microsoft has so many vulnerabilities, 812, only because of its popularity. The way CERT has published the list, however, makes any such comparison questionable, at least with the list as it is currently organized.

First, this is a list of vulnerability reports, and it sorts them into just three categories: Microsoft Operating System, Multiple Operating System, and Unix/Linux Operating System. The last category means that AIX and Apple and FreeBSD and Solaris and Linux and ... gulp, ironically enough ... SCO OpenServer and UnixWare vulnerabilities are all lumped together, for a total of 2328, making a direct comparison between Microsoft and anyone else nearly impossible.

Second, the Unix/Linux list duplicates items, counting the same vulnerability more than once. For example, it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). The same vulnerability appears under that exact title four times, because it was reported in the week of August 10-15, again in the week of August 17-23, in the week of September 6-13, and in the week of November 9-16. Worse, for comparison purposes, the same vulnerability is also listed as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed five times, making the total of 2328 meaningless unless you carefully comb through the list to weed out the duplicates.

All the links take you to the same description of the same vulnerability, CVE-2005-2335, which tells you that there are no known exploits for it. So another issue with the list is that it makes no distinction between widespread issues that caused real-life damage and vulnerabilities someone noticed but no one ever exploited. There is a difference.

By the way, there's a Microsoft security issue today, according to Government Computer News, whereby someone can create a malicious WMF file and disguise it as a JPEG:

Simply opening the wrong Web page or receiving an e-mail with an errant image file could be enough to cripple your computer, thanks to a newly discovered vulnerability in the Microsoft Windows operating systems.

“We believe that this vulnerability is extremely serious,” e-mailed Scott Fendley, today’s Handler on Duty for the SANS Institute’s Internet Storm Center. “It is extremely hard to protect against this vulnerability. It is not as easy of filtering files of a particular extension or setting a group policy.”

Microsoft Corp., of Redmond, Wash., has warned that the vulnerability is already being exploited by spyware, adware and viruses written to alter the behavior of users’ computers. The company is working on a patch, but has not said when it will be ready.

I'm sure you can see that the seriousness of such a vulnerability outweighs the POP3 Fetchmail issue. When was the last time you read a headline like this one about GNU/Linux or Solaris or AIX or Apple?
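The SANS quote above makes the practical point: a file that is really a WMF can be handed to a Windows box under a .jpg name, so an extension filter at the mail gateway or web proxy learns nothing. The check that does work looks at the bytes. The following is an added example, not code from the article, from Microsoft or from SANS; it uses the documented WMF and JPEG header values, and every sample file in it is constructed here (header bytes only, not renderable images and not exploit files).

```python
"""Identify image uploads by their leading bytes rather than by file extension.

Added example, not code from the article or from the vendors quoted in it.
It tells JPEG from Windows Metafile (WMF) using the documented header bytes,
which is the check an extension filter cannot make. The sample files below
are constructed here and are not real exploit files; the WMF samples are
headers only, with no records, so they do not render as images.
"""
import os
import struct

JPEG_SOI = b"\xff\xd8\xff"                # JPEG start-of-image marker plus next marker prefix
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # placeable (Aldus) WMF key 0x9AC6CDD7, little-endian
WMF_VERSIONS = (0x0100, 0x0300)           # METAHEADER.Version values (Windows 1.0 and 3.0 metafiles)


def sniff_image(data):
    """Return 'jpeg', 'wmf' or 'unknown' from content alone; the filename is never consulted."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(WMF_PLACEABLE_KEY):
        return "wmf"
    # Standard METAHEADER: Type (1 = in memory, 2 = disk file), HeaderSize (always 9 words), Version.
    if len(data) >= 6:
        file_type, header_size, version = struct.unpack("<HHH", data[:6])
        if file_type in (1, 2) and header_size == 9 and version in WMF_VERSIONS:
            return "wmf"
    return "unknown"


# What each extension claims the content is. Extensions not listed claim nothing.
EXT_CLAIMS = {".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf"}


def extension_mismatch(filename, data):
    """True when a claimed image type disagrees with the sniffed type.

    A known extension wrapped around unknown content is also a mismatch: a file
    that says it is a JPEG but does not start like one is not waved through.
    """
    claimed = EXT_CLAIMS.get(os.path.splitext(filename.lower())[1])
    if claimed is None:
        return False
    return claimed != sniff_image(data)


def scan(files):
    """files: iterable of (name, bytes). Returns the names whose bytes contradict their extension."""
    return [name for name, data in files if extension_mismatch(name, data)]


def build_placeable_wmf():
    """Constructed 22-byte placeable header followed by a standard METAHEADER (no records)."""
    placeable = WMF_PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    meta = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
    return placeable + meta


def build_standard_wmf():
    """Constructed METAHEADER only: disk file, 9-word header, version 0x0300."""
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)


# Constructed sample set: one genuine JPEG prefix, two WMF payloads wearing a .jpg name,
# one honestly named WMF, and a text file that claims nothing.
SAMPLE_FILES = [
    ("photo.jpg", JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 8),
    ("holiday.jpg", build_placeable_wmf()),
    ("drawing.JPG", build_standard_wmf()),
    ("clipart.wmf", build_placeable_wmf()),
    ("notes.txt", b"just text\n"),
]

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print("extension/content mismatch:", name)
```

The sniffer only knows the formats it is taught, so a gateway that uses it should treat "unknown" under an image extension as a reason to hold the file, not to pass it; that is why a known extension over unrecognized bytes is reported as a mismatch here. It is a filter for the edge, not a fix for the rendering code that actually parses the WMF.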

To be fair, the Windows list isn't really an accurate list of Windows vulnerabilities either, not the way I would think of it. It also has duplicate items, such as Microsoft ASP.NET Canonicalization (Updated). And it includes Apple, F-Secure, IBM WebSphere, McAfee and other third-party vendor issues. If it can happen to you when you use Windows and the third-party software, it's on the list, I guess. So, personally, I don't see 812 as a fair number, unless you qualify what the number means. CERT does qualify it this way:

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

So when you read about the list, keep in mind that no straight comparisons are actually possible, unless someone wishes to take the time to do through the entire list what I've done here for one entry. Hmm. Any takers?
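The combing described above is mechanical once the rows are in hand: collapse the "(Updated)" re-reports of one title, and collapse different titles that point at the same CVE. The following is an added example, not code from Groklaw or from US-CERT, and it does not parse the real bulletins (those were weekly HTML tables). The five fetchmail rows follow the article (one CVE, two titles, five weeks); all other rows, weeks and "Example ..." titles are constructed sample data.

```python
"""Count unique vulnerabilities in bulletin-style rows instead of counting rows.

Added example, not code from Groklaw or US-CERT. The real 2005 bulletins were
weekly HTML tables, and no parser for them is shown; the rows below are a
constructed approximation of their columns (category, week reported, title,
CVE identifier when the bulletin gave one). The five fetchmail rows follow
the article above (one CVE, two titles, five weeks); every other row, and
every 'Example ...' title, is constructed sample data.
"""
import re
from collections import Counter, defaultdict

UPDATED_SUFFIX = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)
WHITESPACE = re.compile(r"\s+")

SAMPLE_ROWS = [
    # category, week reported, title, CVE id (None when the bulletin did not cite one)
    ("Unix/Linux", "Aug 10-15", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335"),
    ("Unix/Linux", "Aug 17-23", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335"),
    ("Unix/Linux", "Sep 6-13", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335"),
    ("Unix/Linux", "Nov 9-16", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335"),
    ("Unix/Linux", "unknown", "Fetchmail POP3 Client Buffer Overflow", "CVE-2005-2335"),
    ("Unix/Linux", "Sep 6-13", "Example Mailer Format String", None),              # constructed
    ("Unix/Linux", "Sep 20-27", "Example Mailer Format String (Updated)", None),   # constructed
    ("Windows", "Oct 5-11", "Microsoft ASP.NET Canonicalization", None),           # weeks constructed
    ("Windows", "Oct 12-18", "Microsoft ASP.NET Canonicalization (Updated)", None),
    ("Windows", "Nov 2-8", "Example Antivirus Engine Buffer Overflow (Updated) (Updated)", None),
]


def normalize_title(title):
    """Lower-case, collapse whitespace, and strip any number of trailing '(Updated)' tags."""
    t = title
    while True:
        stripped = UPDATED_SUFFIX.sub("", t)
        if stripped == t:
            break
        t = stripped
    return WHITESPACE.sub(" ", t).strip().lower()


def entry_key(title, cve_id):
    """Identity of a vulnerability: the CVE when there is one, else the normalized title.

    The CVE is what merges the two differently worded fetchmail titles; the
    normalized title is the fallback for rows the bulletin never tied to a CVE.
    """
    if cve_id:
        return ("cve", cve_id.strip().upper())
    return ("title", normalize_title(title))


def count_rows(rows):
    """The naive figure: one count per row, which is what the headline totals used."""
    return Counter(category for category, _, _, _ in rows)


def count_unique(rows):
    """Unique vulnerabilities per category after de-duplication."""
    seen = defaultdict(set)
    for category, _week, title, cve in rows:
        seen[category].add(entry_key(title, cve))
    return {category: len(keys) for category, keys in seen.items()}


def count_unique_overall(rows):
    """One number for the whole list: a vulnerability filed under two categories counts once."""
    return len({entry_key(title, cve) for _, _, title, cve in rows})


def duplicate_report(rows):
    """Map each identity that appears more than once to its (category, week, title) rows."""
    groups = defaultdict(list)
    for category, week, title, cve in rows:
        groups[entry_key(title, cve)].append((category, week, title))
    return {key: hits for key, hits in groups.items() if len(hits) > 1}


if __name__ == "__main__":
    print("rows per category:   ", dict(count_rows(SAMPLE_ROWS)))
    print("unique per category: ", count_unique(SAMPLE_ROWS))
    print("unique overall:      ", count_unique_overall(SAMPLE_ROWS))
    for key, hits in duplicate_report(SAMPLE_ROWS).items():
        print(key, "appears", len(hits), "times")
```

On the constructed rows the row count (7 and 3) becomes 2 and 2 unique entries per category, and 4 overall. Two caveats carry over to the real list: the category split is by where the bug was reported, not what it affects, so a per-category unique count still overstates, and the title fallback only catches rows whose wording differs by the "(Updated)" tag; entries with no CVE and genuinely different wording stay separate unless someone reads them.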




151 comments
On CERT's 2005 Software Vulnerabilities List
Authored by: Peter H. Salus on Saturday, December 31 2005 @ 03:58 PM EST

PJ,

We all love you. It's New Year's (almost)
eve. Go off and have a glass of champagne on
us.

Happy New Year,

PJ, MathFox, everyone,

P

---
Peter H. Salus


Off topic here please
Authored by: Chris Lingard on Saturday, December 31 2005 @ 03:59 PM EST

Post in HTML, and put in those links, if you can.


Corrections here, please
Authored by: Chris Lingard on Saturday, December 31 2005 @ 04:01 PM EST

Just in case, though I doubt it.


Vulnerabilities affecting browsers in 2004
Authored by: Anonymous on Saturday, December 31 2005 @ 04:15 PM EST

To get an idea of the 2004 vulnerablity impact, there's the Scanit browser security summary. It will be interesting to see what they come up with for 2005.

Karl O. Pinc <kop@meme.com>

P.S. Those interested in stories of how visiting a web page can ruin your computer may want to read: What Part of Virus and Spyware Didn’t You Understand?


Vulnerabilities List
Authored by: ruurd on Saturday, December 31 2005 @ 04:30 PM EST
Regarding the spin the ZDNet article tries to give on it,
there's Lies, Vulnerability Lists and ZDNet articles :-)
Tallying like this is inane, thinking that the tallies
actually MEAN something is insane.
People have been
going over this again and again and again.

---
ruurd


  • Vulnerabilities List - Authored by: Anonymous on Saturday, December 31 2005 @ 06:15 PM EST
  • The Tally - Authored by: pogson on Saturday, December 31 2005 @ 07:31 PM EST
    • ssh attacks. - Authored by: Anonymous on Saturday, December 31 2005 @ 10:13 PM EST
    • The Tally - Authored by: Anonymous on Saturday, December 31 2005 @ 10:35 PM EST
Mac OS X in SANS top 20 vulnerabilities
Authored by: _Arthur on Saturday, December 31 2005 @ 05:04 PM EST
SANS: The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus

The Twenty Most Critical Internet Security Vulnerabilities



#1: Windows Services
#2: Internet Explorer
#3: Windows Libraries
#4: Microsoft Office and Outlook Express
...
#16: UNIX Configurations Weaknesses
#17: Mac OS X

Not a single vulnerability has ever been successfully exploited so far on Mac OS X, which didn't prevent SANS from listing the whole OS as a "Top 20 Vulnerability".


_Arthur


On CERT's 2005 Software Vulnerabilities List
Authored by: Stumbles on Saturday, December 31 2005 @ 05:55 PM EST
So just what exactly is US-CERT trying to accomplish with such a pitifully hosed up report? From the looks and sound of it, it's pretty much worthless.

---
You can tuna piano but you can't tune a fish.


All software will always have vulnerabilities
Authored by: kawabago on Saturday, December 31 2005 @ 05:58 PM EST
We must accept that software will always have vulnerabilities. The best way to defend against this reality is to nurture a diverse eco-system of software so that no one implementation of anything is used exclusively everywhere. Microsoft's monopoly is like a ripe fruit ready for every nefarious hacker to exploit. One little piece of code can literally infect 90% of the computers on earth. That is why we need much more diversity in operating systems, so malicious code will only infect a small percentage of machines. Virus writers would find it much less rewarding.

I love linux, but I will love the next OS that comes along even more because it will bring even more diversity and make it that much harder for malicious coders to succeed. The only down side to that is drivers. At some point I think we'll need a standard driver interface across all platforms if manufacturers are to have any hope of supporting all the different OS's, but that can and I'm sure will be done at some point.

---
TTFN


HNY
Authored by: Anonymous on Saturday, December 31 2005 @ 06:34 PM EST
Happy New Year!

/IMANAL


On exploits and a lack of known ones
Authored by: chris_bloke on Saturday, December 31 2005 @ 06:57 PM EST

PJ wrote:

So another issue with the list is that there is no distinction made between truly widespread issues that caused real-life damage and vulnerabilities someone noticed but no one ever exploited. There is a difference.

Sadly I have to disagree. The key word about exploits in the entry about that vulnerability is known, and that just means that the good guys aren't aware of an exploit for it. It doesn't mean that the Black Hats haven't already got one and either not published it, or that it hasn't been discovered after they poorly hid it during an attack.

I don't disagree that there is a big difference in the level of risk between a fetchmail vulnerability and an Internet Explorer vulnerability, but the difference between a vulnerability with no exploit code and one with may just be a few minutes or hours of coding.

Remember the old quote about a password guessing attack against Windoze:

"That vulnerability is completely theoretical." -- Microsoft

Which, of course, was like a red rag to a bull, so l0phtcrack appeared, with the slogan:

L0pht, Making the theoretical practical since 1992.

Chris


It's midnight here.
Authored by: Anonymous on Saturday, December 31 2005 @ 07:03 PM EST
Happy New Year everybody. xxxxxxxxxxxxxx


Happy New Year, PJ & Everyone!
Authored by: SilverWave on Saturday, December 31 2005 @ 09:08 PM EST
Just finished "First Footing" (North east of England 3.5C)

It's 2:04 and We are calling it a night.

Happy New Year, PJ! :-)

SilverWave's 1st post of 2006

---
"They [each] put in one hour of work,
but because they share the end results
they get nine hours... for free"

Firstmonday 98 interview with Linus Torvalds


On CERT's 2005 Software Vulnerabilities List
Authored by: cknadle on Sunday, January 01 2006 @ 12:45 AM EST
The issue of security vulnerability reports of software has always been controversial.

Some vendors ask that vulnerability reports not be released until a patch can be programmed, so sometimes reports of known vulnerabilities are artificially "late". Vulnerabilities of software common to various Linux distributions are often counted numerous times -- once per distribution. Arguments about the security of various OS's abound, sometimes trying to compare bottom line numbers of the number of reported vulnerabilities -- sometimes trying to compare the vulnerability severity -- sometimes looking at patch turnaround time -- etc. I don't even know how it would be possible to prove that there was a clear winner.

Similarly the benchmark comparisons between various computer CPUs has always been controversial, and now most benchmarks have to incorporate typically used programs because otherwise benchmarks are too subjective... and even then the results aren't totally clear.

Even going on reported break-ins is difficult, because then there are arguments about how many weren't reported.

I have my personal beliefs as to what is more secure [starts with an 'L'], but it's too difficult to try to back that up with any kind of provable or repeatable data, and there are always niche situations where one OS is better suited than another... so I'll just leave it at that.

Happy new year, all.

-- Chris


OT, Happy New Year
Authored by: webster on Sunday, January 01 2006 @ 01:17 AM EST
...to PJ and all on Groklaw. I spoke to my brother and 3 cousins from Katrinaland, MS. It was quite a year for them. Half of them stay in a FEMA trailer in the driveway. But they are still there and all working! Others have been driven from New Orleans but have returned. Some could not. Let's hope we don't have another year like the last for another 30 years.

---

webster


SANS takes WMF back up to Yellow again!
Authored by: Anonymous on Sunday, January 01 2006 @ 04:15 AM EST
Hey, they got their list out a bit early... This one must not have even been on it... how many times would it have been counted!  We will have to wait and see as SANS has just put it back up to YELLOW again!

http://isc.sans.org/

They were at Yellow earlier this week, then to green, now backup to Yellow - it seems that they are saying that if you run a Windows Box that your only option is to RUN AWAY and leave the machine off!


On CERT's 2005 Software Vulnerabilities List
Authored by: Anonymous on Sunday, January 01 2006 @ 04:17 AM EST

``... so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.''

I (and I'd guess most readers) pretty much assumed that a mistake such as that was behind these inflated numbers.

Thanks for taking the time to confirm that, PJ. Now I really do hope that you took the time to enjoy the coming of the new year doing something besides debunking someone else's faulty statistics. (Lest anyone think I don't have a life, let me point out that the get-together was a rousing success, the guests have all left, and I'm only posting after finishing the cleaning up. Well most of it, anyway.)

Happy New Year all!


The reason of many of the vulnerabilities
Authored by: Qrczak on Sunday, January 01 2006 @ 07:19 AM EST
Vulnerabilities with titles mentioning "buffer overflow" or "format string" are caused by overusing unsafe low-level languages like C and C++.


A really meaningful statistics
Authored by: Winter on Sunday, January 01 2006 @ 07:41 AM EST

Meaningful statistics on browser security are possible. This study shows that in 2004 fully patched browsers were vulnerable for the following fraction of the year:

  • IE 98% (359 days, ie, 7 days safe)
  • Mozilla 15% (56 days)
  • Opera 17% (65 days)

That is, only during 7 days in 2004 was a fully patched IE actually safe to use.

Rob

---
Revenge, Justice, Security, and Revenge, chose any two.

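The "days vulnerable" figure the comment above cites is a different metric from a raw count: it takes every window between public disclosure and an available patch, merges overlapping windows, and measures the union in days. The following is an added example, not the Scanit study's code or data, that computes that metric; the two products and all the disclosure and patch dates in it are constructed sample data, and it assumes a patch counts from the day it is available (the patch day itself is treated as safe).

```python
"""Days per year on which a fully patched product still had a known, unfixed hole.

Added example, not code or data from the study cited above. Given
(disclosed, patched) date pairs, it clips them to one calendar year, merges
overlaps, and counts the days covered. A day counts from the disclosure date
inclusive to the patch date exclusive; an unpatched entry (patched=None) is
open until the end of the year. All dates below are constructed sample data.
"""
from datetime import date


def days_in_year(year):
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def exposure_windows(intervals, year):
    """Clip (disclosed, patched) pairs to `year` and merge overlapping or touching windows."""
    start = date(year, 1, 1)
    end = date(year + 1, 1, 1)  # exclusive bound
    clipped = []
    for disclosed, patched in intervals:
        lo = max(disclosed, start)
        hi = min(patched or end, end)  # None = still unpatched at year end
        if lo < hi:
            clipped.append((lo, hi))
    clipped.sort()
    merged = []
    for lo, hi in clipped:
        if merged and lo <= merged[-1][1]:
            # overlaps or abuts the previous window: extend it instead of double counting
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def days_exposed(intervals, year):
    """Number of distinct days in `year` with at least one open window."""
    return sum((hi - lo).days for lo, hi in exposure_windows(intervals, year))


def exposure_fraction(intervals, year):
    return days_exposed(intervals, year) / days_in_year(year)


# Constructed sample advisories for two hypothetical products, not real browsers.
PRODUCT_A = [
    (date(2004, 1, 10), date(2004, 3, 1)),
    (date(2004, 2, 15), date(2004, 6, 30)),   # overlaps the first window
    (date(2004, 6, 30), date(2004, 7, 5)),    # starts the day the previous one closes
    (date(2004, 12, 20), None),               # still unpatched at year end
]
PRODUCT_B = [
    (date(2004, 3, 3), date(2004, 3, 10)),
    (date(2004, 9, 1), date(2004, 9, 15)),
    (date(2003, 12, 1), date(2004, 1, 4)),    # disclosed the previous year, clipped to Jan 1-3
]

if __name__ == "__main__":
    for name, advisories in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        d = days_exposed(advisories, 2004)
        print(f"product {name}: {d} of {days_in_year(2004)} days exposed "
              f"({100 * exposure_fraction(advisories, 2004):.0f}%)")
```

The two design points are the merge step and the clipping: without the merge, overlapping advisories are double counted and a product can exceed 100% of the year; without the clip, a hole disclosed in December of the previous year leaks into the count. The result is only as good as the disclosure and patch dates fed in, so a comparison between products is meaningful only if both are measured against the same definition of "public" and "patched".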

and another one
Authored by: Anonymous on Sunday, January 01 2006 @ 10:33 AM EST
Hippo Gnu Ear to all Groklawiens and of course to PJ :)

Enjoy the quiet while it lasts

Newbee


On CERT's 2005 Software Vulnerabilities List
Authored by: brc on Tuesday, January 03 2006 @ 12:21 PM EST

Comparing how many patches or even how fast they are fixed, for any given OS, tends to be a useless comparison. Every OS will have them occasionally, and any vendor can inevitably twist the numbers to say what they want. And it only takes one to hurt you.

The true long term difference is whether the flaw is a design flaw or a coding bug, and if exploited, how damaging it is. A coding bug like a buffer overflow or missed exception can be fixed, because it is an unintended result of how the program functions. In contrast, a design flaw cannot necessarily be fixed, because the program was intentionally coded this way, and fixing it means breaking the intended functionality of the program.

With a design flaw, the product was intentionally written to do something that turns out to be a bad idea. It's things that may be trumpeted as great features of a product, that people may use for valid business reasons, but that because they were not thought out with security in mind, are easily exploited by attackers. Because they are intentional functionality, you can't create a fix that prevents the attacks while leaving the product intact and working as it did before.

Microsoft's biggest problems are not the unintentional bugs (which every OS has) - they are the design flaws that are all so common in MS software. Some of the more common examples of this are:

Windows OS


Every user is, by default, superuser/administrator/root on Windows. You can change this if you know how, but most people don't bother, or even know it's an issue. As a result, users can accidentally destroy their OS, and any program they run has the potential to do so, either by accident or design (i.e. viruses and trojans). The OS can't really protect itself from the average user (or processes the user runs - intentionally or otherwise). And if you do know enough to create non-admin users, there are lots of programs out there that break when you do so, because they expect the default wide open access.

Consider a flaw in a program like IIS or Exchange - The whole point of them is to expose them to the Internet. If there is a bug in these programs (i.e. an unintentional, fixable issue), the fact that they cannot be jailed by the OS means that if an attacker exploits a bug and gets in, the entire machine is suspect (i.e. if IIS or Exchange is compromised, so is the OS). Contrast that to a typical unix web or mail server, where they often can be put in a chroot jail (completely isolated from the majority of the OS), or at least run as a user with limited access. By design, MS has a very thin shell that, once broken, leaves the entire OS wide open. Unix variants, including Linux and MacOS, have many layers of protection that Windows simply lacks.

One only has to point to Code Red and its many variants to prove this point.


MS Office vs Open Office.org (for that matter, most non-ms office programs)


MS Word/Excel contains macros that allow you to do just about anything in the OS - including writing to system files, etc. And it allows this wide open access by default. Open Office and others don't allow this, so you don't get macro viruses. It used to be that we had things like boot sector viruses or exe infectors, and these were easy to catch and get rid of. They took a certain level of skill to write (typically assembly or c), and were very sensitive to OS changes, so there were relatively few of them. Now, we have thousands of viruses, they are easy to write, and people readily accept them into their system (via social engineering - viruses can say "here's that doc I promised you", and too many people will open it to see what it was they "forgot they asked for").

Microsoft can't truly fix this issue without completely breaking MS Office. Add to that the fact that MS Office (because all users are superuser by default) has full access to the entire OS, and you're in a lot of trouble. Contrast that to, say, Linux: By default anyone with a lick of sense does not run normal user processes like word processing as root. If you run MS Office on Linux (say, in crossover office/wine), and you get infected, the WORST that it can typically do is destroy your home directory. It can't infect or otherwise corrupt your entire OS. Again, this is a difference in design decisions made by MS vs others.


Outlook


MS Outlook, by default, will run scripts received in email from untrusted sources. Simply by opening a message, you can become infected. You don't even have to save and run an attachment. There is no "fix" that doesn't break intended functionality of the product. Luckily most people can turn this off, since it is a fairly unused feature, but many don't even know to turn it off. MS may have turned this off by default in one of their updates, but the fact that it's there means some people will want to turn it on to use it, and will in turn be vulnerable. Best to completely remove it, or at least make it a module that is not installed by default. Note that if a system is compromised, a virus/trojan can do anything, including turning this functionality back on if it's there (since by default all users processes are running as superuser).


Internet Explorer


1. Active X
MS created Active X without any competent consideration for security. An Active X widget is pure x86 code, can't be sandboxed, can't be controlled. It can do anything down to rewriting/destroying your cmos, and there's no way to secure it. MS loudly trumpeted the fact that active x widgets can be signed, so you know who they came from. But... most people don't pay attention to that until after damage is done, at which point you have potentially lost what is important (i.e. it could destroy or infect files, wipe your hard disk, irreparably harm your hardware by wiping out cmos flash memory, install spyware, send your sensitive files back to the attacker, and erase all evidence of itself, including the signature, or even put in a false signature to fool you.) So, signed active x widgets don't really protect most users. Plus, if the active x widget cleans up evidence of itself, you may not remember or be able to go back and find it again to find the signature. On top of all this, keep in mind that a reputable certificate authority accidentally granted a 100% genuine Microsoft certificate to someone that wasn't Microsoft.

Contrast this to things like java applets and javascript/ajax, which run in a sandbox, don't have the level of access to your local system that Active X has, and can only talk back to the server they came from. Plus, these are cross platform technologies.

2. Integration into the OS
Internet Explorer is tightly integrated into the OS, so you can't easily limit its access to the OS, because of this tight coupling. As a result, any bugs in the code have much more access to the OS, so can compromise the OS much more thoroughly. If instead it was run purely as a user process, and users were not full admins by default, the amount of damage it could do would be far less. Add that to active X, and you have a real concern.

Some people will say "I'm safe, because I only visit reputable web sites". That is no longer a valid defense - attackers will compromise reputable companies web sites - even some banks have been hit - and install stealth code/active x objects, etc, so that when you visit the reputable site, they hit you with their virus/trojan.


"MS Market share is why its products are attacked so much more often"


Some people will say that MS products are attacked so often because they are so widespread - that if Linux were 90% of the market, it would be targeted more often. This is probably true that Linux would be targeted more, but it's clear from the above that even if that ever happened, Linux/Unix variants would be less vulnerable to attacks, and successful attacks would typically have less impact. A perfect example of this is Apache and IIS - Apache (running on linux) is far and away the most common web server on the Internet, and web servers are probably the most common type of service on the Internet (with the possible exception of email servers). Despite this, IIS servers are attacked, because they are so much easier to compromise, and once compromised, the impact is so much greater - you have the entire OS with IIS, vs possibly just taking control of a web server and defacing it with apache. Note that with apache, though, you can deface it, but can't typically truly take it over, since config files, executables, and often the html content are read-only even to the apache server process itself (again, OS design decisions play a part here), whereas with IIS, you own the entire machine, so can change IIS's configs, launch further attacks from within the firewall (from the web server that was just taken over), etc.


Internet Zombies


Given the above examples, it's clear how easily a Windows box can be compromised. We see the results most clearly in the case of Internet Zombies - Spam makes up well over half of all email on the Internet these days, and is probably mostly sent from Internet Zombies - Windows boxes that have been compromised and taken over to send out forged email or perform other types of attacks. I've never seen a zombie that isn't a windows PC, which should tell you something by itself. And attackers have created massive armies of compromised zombie machines to launch large scale attacks, without the owners of the physical hardware even knowing, in most cases, that they no longer control their own machines.

When you look at the design decisions made in creating Windows, the lack of user vs admin restrictions, the lack of being able to jail processes, etc, you see why it's so easy and attractive to attack windows machines to turn them into zombies. You simply can't do the same thing to a *nix box - there are too many layers of protection to allow something like that to happen as easily and as widespread as it does on Windows.


One last point:
Microsoft's PR engine may claim, quite insistently, that security is important, and touts all kinds of security initiatives. However, you only have to look at the design decisions MS makes (the above being but a few), and it's clear that all those announcements are simply smoke and mirrors, and that the true problems are NOT being solved. There is simply no technical way to solve the problems while at the same time not completely breaking backward compatibility.


On CERT's 2005 Software Vulnerabilities List
Authored by: Anonymous on Thursday, January 05 2006 @ 12:00 AM EST
Check out this Slashdot discussion on this topic. One of the /.ers piped the results through grep and cat to eliminate duplicates. The result is a much, much closer similarity in reported vulnerability instances. And of course, there is the issue as to which of the listed OSes had quicker fix time. There is no way that MS can fix holes as quickly as the FOSS community.

Slashdot discussion


Groklaw © Copyright 2003-2013 Pamela Jones.

PJ's articles are licensed under a Creative Commons License.