Forwarded from: security curmudgeon 

---------- Forwarded message ----------
From: Kristian Hermansen 
To: full-disclosure (at) lists.grok.org.uk, dailydave (at) lists.immunitysec.com
Date: Tue, 26 Jun 2007 09:09:31 -0400
Subject: [Full-disclosure] 6 Month Vista Vuln Report, Debunked

This report from Microsoft's  Jeff R. Jones is ludicrous:

http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf 

The Microsoft "researcher" claims that Windows Vista is exponentially 
less vulnerable than many Linux distributions and Mac OS X.  It may be 
true that the default Vista installation has had less public 
vulnerability reports, and that Linux has had many more, but this is due 
to the nature of Open Source.  Jeff does not include any "silently 
fixed" vulnerabilities that have been patched since Vista was released 
and Microsoft has not disclosed such vulnerabilities publicly.

Here is a per section debunking of his paper broken down by topic, 
because I feel Jeff really needs to perform another less exaggerated 
analysis.

"Window Vista - The First 6 Months"

Let's remember that Vista was released to business partners earlier than 
home users.  He does not account for this gap, and thus, this could 
soften the exposure of the official Vista code to many researchers for 
analysis.

"Teredo"

Teredo is also a major hole, and they are leaving it wide open.  The 
community feels this is a flaw, but Microsoft doesn't seem to care. 
Also, the entire networking stack was rewritten for Vista, and that 
means lots of new bugs are present.  I have already spoken to other 
researchers who have not disclosed such flaws publicly.  However, a good 
start for learning about some is the Symantec paper that analyzed Vista 
during the BETA phases and revealed numerous issues.

"Windows XP"

Windows XP, touted as the most secure OS to date on release.  Also, 
touted as secure in SP1, and again most secure in SP2.  We are now 
seeing it again with Vista.  Are we really supposed to believe that 
somehow this mantra is going to change just because Microsoft tells us 
so?  In defense of Microsoft, however, they have focused their efforts 
to really clean things up, and that is commendable.

"Red Hat Enterprise Linux 4 Workstation"

OK.  The claims here are just plain insulting.  The 100+ vulnerabilities 
include such software as PostgreSQL, MySQL, mailman, squid, and emacs.  
None of this software is installed in a default installation of RHEL4.  
I think the guy clicked on "Install Everything" and went to town with 
vulnerability reports :-)

"RHEL4 Reduced Component List"

This analysis more closely assimilates with Vista, but is still bloated 
in that many of the vulnerabilities he reports are very small bugs in 
Firefox, which don't result in a compromise of the host. Again, the 
nature of bug reporting in open versus closed source software.

"Ubuntu"

Again, the nature of open versus closed source bug reporting. However, 
even the kernel flaws reported are only relevant when such modules are 
loaded in the system and that surface is exposed.  Again, the results 
are inflated, even in the "reduced" set.

"Novell"

More of the same.  The vulnerabilities are shared between all the 
distros of course!

"Mac OS X"

Even though OS X claims to be secure, researchers have obviously shown 
that Apple will have flaws too.  This is nature of software, and it 
affects all code.  However, the paper claims that things like the 
vulnerability below are relevant...


A bug in AFP Server when using an ACL-enabled storage volume may in
certain situations result in an ACL remaining attached when a file
with POSIX-only permissions is copied.


"Putting It All Together"

* insert nice graphs here *

The conclusions that are drawn are built on a lack of understanding by 
the Microsoft researcher.  I highly encourage him to go back and take 
another look, and pare down the results to essential information that is 
absolutely critical to the conclusions, rather than just "Other OS's 
have more bugs, see, look at my graphs"...
--
Kristian Hermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com