Little confused on the Linux vs. MS security issues...

Rilescat

Senior member
Jan 11, 2002
815
0
0
Hello Folks....

I use Linux, I like it. My job revolves around supporting about 120 education workstations/servers in a Linux and Windows environment.

I am a little confused.....I work for a VERY BIG blue company....and I receive updates on a daily and weekly basis in regards to security patches that I need to apply.

My average week of MS exploits/patches is: 2
My average week of Linux exploits/patches is: 31

uhhh.....ya. LOTS of Linux patches .....every week.....so, why is Linux considered in the popular world to be a more secure OS? Is it simply the script kiddies aren't smart enough to know how to exploit it (media coverage/virus too), or is it that the Linux fixes are just that much more prevalent due to open source and/or lower severity?

Don't want a normal Linux vs. MS flamewar here.....just wondering.....
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
The patches you consider Linux patches are not Linux patches at all. They are typically patches to parts other than the kernel.
 

Rilescat

Senior member
Jan 11, 2002
815
0
0
Originally posted by: n0cmonkey
The patches you consider Linux patches are not Linux patches at all. They are typically patches to parts other than the kernel.

OK. So you are saying that these patches are for stuff like Samba, WINE, etc.....

Are these components considered to be integrated with the OS, or are they considered to be packages that are separate, yet included with the OS?

 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I welcome an educated flame-retardant discussion about this topic also. I by no means consider myself "the expert" on the subject however I have some input that may be helpful to the discussion.

First of all why are there so many Linux exploits and patches?
Because there are so many different software packages written by so many different programmers that may or may not be working in conjunction with each other. Also keep in mind that with any of your major distros a large number of the packages are "first release" versions whereas many of the Microsoft packages have been updated and re-released for years.

I would argue that Linux "can be more secure" if you have very good admins who know the OS very well (which is why it continues to be the most used server software package). However it "can also be the least secure" if you have someone running it who doesn't know what they are doing (like all of the people running with it as a desktop OS who don't have a clue about anything more than what the GUI has to offer such as myself, which is why I run it in limited and controlled situations and not 24/7 as a desktop).

Just like you mentioned the majority of the "viruses" or "worms" out there are script kiddy windows or outlook exploits because that's all they know and because windows has more desktop penetration. What script kiddy wants to write a little worm that only affects the 50% of linux users who don't know what they are doing when linux has less than 5% of the desktop market anyways (BTW I pulled those numbers out of a hat, they are not referencing anything).

I'm sure I'll have more to add to this discussion later (assuming it continues) but I'm off to a meeting for the time being.

-Spy
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: n0cmonkey
The patches you consider Linux patches are not Linux patches at all. They are typically patches to parts other than the kernel.
One quick note on this, just about all the "Windows Updates" are not updates to the NT Kernel either, but updates to other packages that can often be removed or reconfigured to avoid the problem (i.e. IIS or IE).

-Spy
 

Rilescat

Senior member
Jan 11, 2002
815
0
0
Originally posted by: spyordie007
Originally posted by: n0cmonkey
The patches you consider Linux patches are not Linux patches at all. They are typically patches to parts other than the kernel.
One quick note on this, just about all the "Windows Updates" are not updates to the NT Kernel either, but updates to other packages that can often be removed or reconfigured to avoid the problem (i.e. IIS or IE).

-Spy

Don't worry...I am just learning too...the systems I am supporting are actually for education, and I, "the Administrator", am learning with them. Luckily we have some excellent instructors.

Good point on the packages....this is pointing right at what I noted a moment ago. I only have a few packages installed on my RH7.3 system that don't come on the RH CDs, yet I still get big patch emails.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: spyordie007
Originally posted by: n0cmonkey
The patches you consider Linux patches are not Linux patches at all. They are typically patches to parts other than the kernel.
One quick note on this, just about all the "Windows Updates" are not updates to the NT Kernel either, but updates to other packages that can often be removed or reconfigured to avoid the problem (i.e. IIS or IE).

-Spy

Just a note on your note: Linux is a kernel. Windows is an OS. Internet Explorer is "part of the OS." SAMBA is not part of the Linux kernel. A better comparison would have been Red Hat vs. Microsoft because Red Hat Linux is an OS (distribution really, but we will ignore that for the moment, one of the BSDs might be the best comparison).

So, comparing the Linux kernel + mozilla + SAMBA + blah blah blah against Microsoft's Windows is not exactly fair.
 

Rainsford

Lifer
Apr 25, 2001
17,515
0
0
More patches does not always mean worse security/reliability, especially when you are talking about MS. Look at their games. The majority of them have many, many technical issues, yet they never get patched. Does this make them superior games (as far as programming goes) when compared to games from companies like Blizzard who patch their games many times, even years after they are released? I could release an OS and never patch it, does that make it secure or reliable?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Are these components considered to be integrated with the OS, or are they considered to be packages that are separate, yet included with the OS?

Samba and WINE are both optional, right?

Think about the numbers for a minute. A large Linux distribution like Debian has ~11,000 packages on 12 different architectures to support. Every time one of those 11K apps needs a security patch they issue a DSA, but how many of those 11K packages do you have installed? I just looked on my workstation and have 726, which is a far cry from the thousands maintained.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
So, comparing the Linux kernel + mozilla + SAMBA + blah blah blah against Microsoft's Windows is not exactly fair.

While it may not be entirely fair, what good is a Linux kernel alone, in terms of functionality? (Seriously, what is it capable of?)

IE is only "part" of the Windows OS for business reasons. Linux guys argued for years that it wasn't (especially during the anti-trust cases).

I think comparing Linux + Samba + Mozilla + wine, etc IS a fair comparison to the Windows OS....
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Saltin
So, comparing the Linux kernel + mozilla + SAMBA + blah blah blah against Microsoft's Windows is not exactly fair.

While it may not be entirely fair, what good is a Linux kernel alone, in terms of functionality? (Seriously, what is it capable of?)

Not a whole lot. Which is why I said we should compare a distro, without bunches of extra packages to Windows.

IE is only "part" of the Windows OS for business reasons. Linux guys argued for years that it wasn't (especially during the anti-trust cases).

Microsoft says it is part of the OS, I am going to go with their technical judgements ;)

I think comparing Linux + Samba + Mozilla + wine, etc IS a fair comparison to the Windows OS....

How about GNU/Linux (the Linux kernel and the gnu utilities) + Apache vs. Microsoft Windows 2000 server + IIS? Or GNU/Linux + Samba vs. Microsoft Windows XP. Or GNU/Linux + Mozilla vs. Microsoft Windows XP + IE. WINE should not be a factor really in any of these, unless Microsoft has a comparable piece of software for running *nix apps. Or how about OpenBSD vs. Microsoft Windows 2000 Server + IIS? ;)

I think, despite my obvious bias towards a *nix OS, I have been fairly impartial towards which is better. I just want a more fair test than some people are allowing for. We could dig up the security announcements for all of the programs that run on Windows, but would that really be fair?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
why is Linux considered in the popular world to be a more secure OS? Is it simply the script kiddies aren't smart enough to know how to exploit it (media coverage/virus too), or is it that the Linux fixes are just that much more prevalent due to open source and/or lower severity?
In the spirit of the question I am going to simplify my answer.

Linux is considered more secure because of its customizability.

-Spy
 

Rilescat

Senior member
Jan 11, 2002
815
0
0
Originally posted by: Rainsford
More patches does not always mean worse security/reliability, especially when you are talking about MS. Look at their games. The majority of them have many, many technical issues, yet they never get patched. Does this make them superior games (as far as programming goes) when compared to games from companies like Blizzard who patch their games many times, even years after they are released? I could release an OS and never patch it, does that make it secure or reliable?

Very true...more patches does not lend credibility to less/more security. However, the patches I am supposed to apply all directly apply to security of Windows and Linux directly. I think n0cmonkey is directly on the subject when he says "compare distros to Windows rather than Linux to Windows". Overall, we run a considerable number of different versions of Linux in many different environments, and I would certainly say that perhaps 90% of the patches I see are directed towards Red Hat and Mandrake.
 

Bremen

Senior member
Mar 22, 2001
658
0
0
Going back to the original question: one needs to examine what these patches are actually patching. With linux, or any open source project, any small vulnerability gets a patch because of the many eyeballs effect. Only a small fraction of these security vulnerabilities are ever exploited, some may not even be exploitable. With M$ they only release security patches when they feel there is a danger. How many times have we seen stories about M$ refusing to patch something because it was not an exploitable bug only to have someone figure out an exploit a year later? It is not, as many have said, a function of how secure the system is but of how easy it is to get away without patching something.
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
I run a few Slackware based systems whereon I have done a minimal install and preconfigured everything to my liking. I know all the version numbers, and am subscribed to several vulnerability and patch lists.

Personally, I prefer the many-patches-even-if-they're-not-needed approach to the seeming outright refusal to patch certain things. Keep also in mind that there are likely many patches that aren't necessary for a secure system, especially in the case of local root exploits, local privilege escalation, and so on, which make up a great part of most patch releases. On top of that, you also have these coming out not by being exploited and finding the bug after the fact, but rather by researcher types who are sifting through the code to see that these conditions could possibly exist. Most people can't create a race condition scenario themselves, they instead look through the source and figure out how it might be possible to exploit the app. I'd guesstimate the ratio of true remotely exploitable vulnerabilities to patches to be about 0.15:1 if not lower.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
I'm responsible for a bunch of RedHat servers at work, I'd say I get 1 advisory every 2 weeks or so, on average.
31 a week seems absolutely insane?

Of course the advisories I get are based on a profile on RHN, which is a box running RH 7.3, so I don't get advisories for stuff that isn't installed on that box, but that's perfectly acceptable for us, since all boxes have the same packages installed.

But, look at what comes included with RedHat, compared to Windows:
SQL Server, 2 of them even, MySQL and PostgreSQL, to the best of my knowledge Windows doesn't come with any.
Apache, Win Server comes with IIS, if anyone wants to count bugs between these two, be my guest ;)
FTP Server, see above, though I'm at a loss why RH hasn't thrown out wu-ftpd in favour of ProFTPd.
Nameserver, see above.
Mailserver, does Windows Server come with one, or do you have to buy Exchange?
Etc etc etc.

Up until just recently, RedHat only had one product, Redhat Linux, and it included everything in one package, unlike MS which bundles the bare essentials minus a few things.
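The two posts above (Nothinman's count of 726 installed packages against ~11,000 maintained, and Sunner's RHN profile that only reports advisories for what is actually installed), together with chsh1ca's point that many advisories cover local-only issues, describe one workflow: triage each advisory against the box's own package inventory. The script below is an added example written for this thread, not code from any poster or from Red Hat/Debian tooling. Every advisory id, package name and version in it is a constructed placeholder, and `version_older` is a simplified stand-in for rpm's real version comparison, good enough for these inputs but not a replacement for it.

```python
"""Triage distro security advisories against what is actually installed.

Added example: an advisory is only actionable when the affected package is
installed on the box AND the installed version is older than the fixed one.
The summary also separates remotely reachable issues from local-only ones.
All ids, names and versions below are constructed, not real advisories.
"""
import re

# Constructed inventory in the style of `rpm -qa` output (name-version-release).
INSTALLED_RAW = """\
openssh-server-3.1p1-6
apache-1.3.23-11
samba-2.2.3a-6
glibc-2.2.5-34
kernel-2.4.18-3
"""

# Constructed advisory feed. "vector" says whether the issue is reachable
# over the network or needs a local account first.
ADVISORIES = [
    {"id": "EXAMPLE-2003:001", "package": "openssh-server", "fixed": "3.1p1-8", "vector": "remote"},
    {"id": "EXAMPLE-2003:002", "package": "wu-ftpd", "fixed": "2.6.2-5", "vector": "remote"},
    {"id": "EXAMPLE-2003:003", "package": "glibc", "fixed": "2.2.5-40", "vector": "local"},
    {"id": "EXAMPLE-2003:004", "package": "samba", "fixed": "2.2.3a-6", "vector": "remote"},
    {"id": "EXAMPLE-2003:005", "package": "kernel", "fixed": "2.4.18-4", "vector": "local"},
    {"id": "EXAMPLE-2003:006", "package": "bind", "fixed": "9.2.1-2", "vector": "remote"},
]

# name may itself contain dashes; version and release may not.
NVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_inventory(raw):
    """Map package name -> 'version-release' from rpm -qa style lines."""
    inventory = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NVR.match(line)
        if m is None:
            raise ValueError("not a name-version-release line: %r" % line)
        inventory[m["name"]] = "%s-%s" % (m["version"], m["release"])
    return inventory


def _segments(s):
    # "3.1p1-8" -> [3, 1, 'p', 1, 8]: numeric runs as ints, alpha runs as str.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def version_older(installed, fixed):
    """Simplified rpmvercmp (assumption, not the real algorithm): compare
    segment by segment; ints numerically, alpha lexically, and a numeric
    segment counts as newer than an alpha one in the same position."""
    a, b = _segments(installed), _segments(fixed)
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        if isinstance(x, int):
            return False
        if isinstance(y, int):
            return True
        return x < y
    return len(a) < len(b)


def triage(advisories, inventory):
    """Return only the advisories this box actually needs to act on."""
    actionable = []
    for adv in advisories:
        current = inventory.get(adv["package"])
        if current is None:
            continue  # package not installed: nothing to patch
        if not version_older(current, adv["fixed"]):
            continue  # already at or past the fixed version
        actionable.append(adv)
    return actionable


def summarize(advisories, inventory):
    """Counts a sysadmin would report: feed size vs. what applies here."""
    hits = triage(advisories, inventory)
    return {
        "total": len(advisories),
        "actionable": len(hits),
        "remote": sum(1 for a in hits if a["vector"] == "remote"),
        "local": sum(1 for a in hits if a["vector"] == "local"),
        "ids": [a["id"] for a in hits],
    }


if __name__ == "__main__":
    report = summarize(ADVISORIES, parse_inventory(INSTALLED_RAW))
    print("%d advisories in feed, %d apply to this box (%d remote, %d local)"
          % (report["total"], report["actionable"], report["remote"], report["local"]))
    for adv_id in report["ids"]:
        print("  needs patch:", adv_id)
```

On the constructed data, six advisories shrink to three that matter here, and only one of those is remotely reachable; the samba entry drops out because the installed build already carries the fix, and wu-ftpd and bind drop out because they are not installed at all. To run this against a real Red Hat box, replace `INSTALLED_RAW` with the output of `rpm -qa` and swap `version_older` for a call into rpm's own comparison, since epochs and some release-string conventions are not handled by the simplified version above.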
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Mailserver, does Windows Server come with one, or do you have to buy Exchange?
Windows 2000 you have to buy exchange (or of course another e-mail server software).
Windows 2003 Server (the server formerly known as .net) comes with built-in POP3/SMTP, if you want more you would still have to buy Exchange or another e-mail server software.

-Spy
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
1. Full disclosure vs. "security through obscurity" - people can openly review the source code of all parts of a linux system. Metric tons of people are working on this stuff all the time. Tons of software, tons of bugs, tons of updates. Microsoft only releases patches for things that it deems important to release patches for.

2. Unix admins tend to be more competent and things get patched quicker.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Objective:
1. Full disclosure vs. "security through obscurity" - people can openly review the source code of all parts of a linux system. Metric tons of people are working on this stuff all the time. Tons of software, tons of bugs, tons of updates. Microsoft only releases patches for things that it deems important to release patches for.
Subjective:
2. Unix admins tend to be more competent and things get patched quicker.

It's plenty mixed, just because there are *some* Windows admins that don't know jack doesn't mean they are all that way, likewise for Linux. The reverse also holds true. Small business "computer guys" aside there are plenty of Windows admins that know just what they are doing and know just what and how to patch.

-Spy
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Originally posted by: spyordie007
Objective:
1. Full disclosure vs. "security through obscurity" - people can openly review the source code of all parts of a linux system. Metric tons of people are working on this stuff all the time. Tons of software, tons of bugs, tons of updates. Microsoft only releases patches for things that it deems important to release patches for.
Subjective:
2. Unix admins tend to be more competent and things get patched quicker.

It's plenty mixed, just because there are *some* Windows admins that don't know jack doesn't mean they are all that way, likewise for Linux. The reverse also holds true. Small business "computer guys" aside there are plenty of Windows admins that know just what they are doing and know just what and how to patch.

-Spy

I disagree.

That's the problem with "Wizards" and stuff like that.
It attracts the "I just want it up and running quickly" crowd.

If you're gonna setup Apache and ProFTPd on a Debian box, it will take some learning, which is a good thing, cause that will give you some valuable knowledge.
Besides, many people who start messing with *NIX tend to find out they like it once they discover the flexibility that comes with it, and once they like it, they learn even more.
At least that's how I got started :)
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
In response to the original question, think about it like this:

With linux* you have a relatively large number of people poring over nearly every line of even some of the most trivial packages. Any given package usually has a debian maintainer, a redhat maintainer, and at least 2 or 3 developers who created it (usually much much more). Those guys are just naturally gonna find stuff as they go.

With microsoft, the only way to find an exploit would be to try to de-compile parts (never accurate, just gives ideas), read memory dumps, or write a lot of experimental code battering the crap out of what API's you can find.

Basically they have polar opposite theories in how to approach security. Linux says bare-it-all under the hopes that in doing so, the problems will be spotted, and fixed and patched. The result is that a lot of problems are spotted, fixed, and patched.

Windows on the other hand tries to release more conservatively, with months and even years between versions of their products. This is in hope that 1.) the bugs all get ironed out and 2.) those that don't will be nearly impossible to find anyway, so if occasionally a bad one comes out we can patch it.
The problem, in my opinion, is that they rely too much on #2 to compensate for rushing through #1.

This, imho, is why if you choose to use linux (outside of hobbyist, learning/messing with reasons), it's so important to stick with a distribution and its package system. You get all the benefits of the many eyes auditing the code, and you get many of the benefits of a slower release cycle.

*all of it, i'm not nitpicking about what counts where

bart
 

EeyoreX

Platinum Member
Oct 27, 2002
2,864
0
0
I think you answered the question basically yourself. And someone else mentioned it too. Windows has such a huge market penetration it screams "attack and exploit me!" While Linux does not have such a large penetration, and I think for the most part, is mainly hobbyists/enthusiasts/etc (ie, not mainstream users) so there seems to be less incentive to attack these systems, due largely to a couple factors. 1) "Script kiddies" are mostly lazy, many times they just reuse code and rewrite a few lines. Most of this code is targeted at Windows, so the recycled stuff is thusly targeted at Windows. And 2) they want to get attention and get as much of it as possible. Where do you get it? Why, exploit Windows, that's how.

I think another factor stems from the users of the systems. I agree with the generalization that Windows users for the most part tend to be "I want it quick and easy and now!" so they tend to just use what's put in front of them, and leave it alone. While the Linux users I know are much more willing to invest the time and effort to learn their chosen distro and therefore more willing to take care of it. (This is NOT to say that I feel all users fit into my generalizations)

IMO, it is simply an unfair general statement to say one system is more secure than the other. Either CAN be secure with knowledgeable admins/users. If Linux ever has the desktop penetration of Windows, I would think one would see many more attacks/exploits than we do currently. It is easier to attack many and get "results" than to attack a few.

Just my $0.02 (about all I can afford right now)

\Dan
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
Originally posted by: spyordie007
It's plenty mixed, just because there are *some* Windows admins that don't know jack doesn't mean they are all that way, likewise for Linux. The reverse also holds true. Small business "computer guys" aside there are plenty of Windows admins that know just what they are doing and know just what and how to patch.
This is very true, and unfortunately, the paper-wielding MCSE guys who can't install NT (save that diatribe for another day) also aren't likely to know anything about unixes. On the counterpoint, most Unix admins also are probably decent Windows NT/2K admins, simply due to the market penetration of Microsoft. Rarely will you find someone who is only a Unix admin nowadays. Almost all networks in mid-sized to large businesses are mixed, and that isn't likely to change anytime soon.

A bad admin is a bad admin, and regardless of OS will make mistakes. Conversely, a good admin is a good admin, and regardless of OS won't make (m)any mistakes. Administration is a mindset, not an operating-system based skill, and to be a good admin on one OS means you'll likely be a good admin on ANY OS, you just simply have to become knowledgeable enough about it.

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: chsh1ca
Originally posted by: spyordie007
It's plenty mixed, just because there are *some* Windows admins that don't know jack doesn't mean they are all that way, likewise for Linux. The reverse also holds true. Small business "computer guys" aside there are plenty of Windows admins that know just what they are doing and know just what and how to patch.
This is very true, and unfortunately, the paper-wielding MCSE guys who can't install NT (save that diatribe for another day) also aren't likely to know anything about unixes. On the counterpoint, most Unix admins also are probably decent Windows NT/2K admins, simply due to the market penetration of Microsoft. Rarely will you find someone who is only a Unix admin nowadays. Almost all networks in mid-sized to large businesses are mixed, and that isn't likely to change anytime soon.

A bad admin is a bad admin, and regardless of OS will make mistakes. Conversely, a good admin is a good admin, and regardless of OS won't make (m)any mistakes. Administration is a mindset, not an operating-system based skill, and to be a good admin on one OS means you'll likely be a good admin on ANY OS, you just simply have to become knowledgeable enough about it.

I don't know much about Windows administration. I consider myself a Unix guy, and nothing else. That luxury won't be long lived though...
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Yes but you know plenty of things that would make it easy for you to admin Windows boxes, don't sell yourself short.

-Spy

EDIT: not just windows boxes ;)