In this article, Matthew uses nmap and nessus against actual installs of various operating systems as part of his research. A variety of operating sytems were tested including Windows XP, Server 2003, Vista Ultimate, MacOS, FreeBSD, Solaris, Fedora Core, and Slackware. “As far as ‘straight-out-of-box’ conditions go, both Windows and OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks.”
From the article:
—
Microsoft Windows constitutes the bulk of world’s operating systems with nearly 90% of the market while Apple’s OS X and Linus Torvald’s Linux share the remaining 10% with a smearing of alternative operating systems.
—
Rather than gloat about this triumph of Linux over Windows in the area of security, I’m going to nitpick about something else, instead.
I call Linux “Linux”. I don’t call it Gnu/Linux or LiGnuX or anything like that.
I acknowledge that Linux is “just a kernel” but also use Linux as a term to refer to a whole collection of software that uses Linux as its OS kernel.
BUT… in a context that so clearly encompasses the whole range of software, from different sources, that comprise an OS that we normally refer to as “Linux”, calling it “Linus Torvalds’ Linux” does seem a bit over the top.
It’s the sort of thing that makes RMS stew and steam all night… until… until… until… he finds some hapless, misspeaking, convention attendee to lash out at.
So please. “Linux” as a convenience term. But let’s not allocate Linus misappropriated credit which he neither wants nor deserves. He already has more well earned credit than he knows what to do with.
Edited 2007-03-30 21:05
Where all the OpenBSD at? It’s not even mentioned. Also, it is funny that so many installs run different versions of OpenSSH.
Fedora done very well in this test because they have implemented active protection. E.g. exec-shield, pie executables and selinux. I really hope that most linux distros implement similar functionality because it’s been available since about 2004.
Windows XP SP2 added NX support. Windows Vista added address space layout randomization (although this probably only works with built in apps because the code needs to be PIC). So why don’t all the linux distros at least use exec-shield for the sake of the users and linux ‘s reputation of being reasonbly secure.
I wonder the same thing myself.
Security is really important and despite what many Linux users would tell you, it isnt as good as it should be in most distributions.
As Linux gains more consumer interest, this issue will become more problematic for distros like Ubuntu, who put security on the back burner.
Not really, up front Ubuntu does not look to lock much stuff Down, but underneath, it is still Linux.
I am not going to try to claim Linux is ultra-secure, but it has been designed from the ground up as a multi-user system. And, as such security has been at the forefront since day one.
Linux might,(or not), get millions of Joe Users over the next few years, but I can safely predict, that there will not be even 1% of the malware that is currently on Windows, available to Linux users.
See, being multi-user since inception, one thing that Linux cannot do, is let Joe Users programs run rampant over other users or the system files.
Nothing very surprising in the article, but it is refreshing to see someone at least trying to test OS security in a relatively objective way instead of the endless black-and-white propaganda surrounding this subject in the IT world.
From the article:
“As far as ‘straight-out-of-box’ conditions go, both Windows and OS X are ripe with remotely accessible vulnerabilities”
Also from the article:
“Only after booting the system for the configuration phase was Nessus able to identify security issues. Although the issues were not remotely accessible,
…
By default, Apple OS X does not have its built-in servers enabled. For testing the standard binaries, Personal File Sharing, Windows Sharing, Personal Web Server, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events and Printer Sharing were all enabled through the Preferences tool. Although OS X features a robust implementation of IPFW (Internet Protocol FireWall), it was not enabled. After enabling the services, Nmap identified the freshly opened ports and Nessus found only a user enumeration vulnerability in the HTTP server.“
Another bit from the article “insigthful” conclusions:
“Without a diligence for applying the appropriate patches or enabling automatic updates, owners of Windows and OS X systems are the most susceptible to quick and thorough remote violations by hackers.”
Automatic Updates are enabled by default on Mac OS X.
Is everyone now doing security surveys or is it just a coincidence that we get to read a new, completely different, subjective and biased report every week?
And just what is biased about this article?
It does ‘straight-out-of-the-box’ conditions by going out of the way to enable everything on the Windows and OS X servers?
And Matthew did the same thing for Solaris, so what exactly is your point? If for example, he had selected to limit network services during the installation of Solaris 10 11/06, or ran the netservices limited command (as root) his nmap scan would have looked like this (I used the same options as Matthew):
# ./nmap -P0 -sT -F -O -A 192.168.1.4
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-01 08:53 EDT
Interesting ports on 192.168.1.4:
Not shown: 1253 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
111/tcp open rpcbind 2-4 (rpc #100000)
7100/tcp open font-service Sun Solaris fs.auto
MAC Address: 00:07:E9:39:05:51 (Intel)
Device type: general purpose
Running: Sun Solaris 9|10
OS details: Sun Solaris 9 or 10
Uptime: 0.010 days (since Sun Apr 1 08:40:19 2007)
Network Distance: 1 hop
Service Info: OS: Solaris
OS and Service detection performed. Please report any incorrect results at http:
//insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 45.386 seconds
While the article might not be perfect, compared to other pieces published here Matthew’s article is one that draws its facts and conclusions based on actual nmap and nessus scans, as opposed to adding up vulnerability reports or some other nonsense. So let’s see, his methodolgy is clear and repeatable by anyone who has the skill to compile nmap and install and use nessus. His results can be independently verified (at least I verified his Solaris 10 results), his article is well researched, so I don’t see the problem here!
What I’d like to see is a test against PPC and Intel versions of MacOSX Server and maybe desktop MacOSX. The results could be interesting. Of course that won’t fix httpd configs but still.
What’s the point of testing original installation media of an operating system? I can’t see any point in this other than (falsely) asserting that Unix variants are more secure than others. Which is a biased conclusion since most systems will auto-patch themselves if connected to the Internet. And if not connected, most of such problems can be seen as trivial.
So most Linux/Unix will flood us with CD-ROMs they need to sell to get some money. Now what does that prove?
There isn’t a good reason, other than to promote Linux really. That’s why OpenBSD isn’t even mentioned.
Anyone even remotely interested in their machine will apply patches immediately to keep their data secure.
It would be easy enough to get a bad version of some distribution of Linux and end up with plenty of vulnerabilities but those tested were likely hand-picked to make certain they were safe.
I don’t run a machine to support outsiders and I’m not sure who would knowingly do that but the writer would like us to see the world through the restricted view of the opinion piece.
Explain to us how Matthew is “promoting Linux” when he tests Windows XP, Server 2003, Vista, Solaris 10, MacOS 9 and X? He did pick the most used Linux distros and added Slackware (one that I haven’t used in years) for good measure. In fact, Slackware did not come out looking all that good.
So Matthew did not pick OpenBSD, so what? The vast majority of people who know anything about Unix variants know about OpenBSD’s security history.
The point he is trying to make (and several people have obviously missed) is if you choose to enable certain network services, there is a risk involved. Not all OS vendors use the latest and greatest versions of applications. And just because you patch the system essentially means nothing if you are running a vulnerable version of an application because the default configuration is used. There is a lot more to security than just patching boxes. This statement drives the point home “When it comes to business, most systems have the benefit of trained administrators and IT departments to properly patch and configure the operating systems and their corresponding services.”
It isn’t just enough to patch a system, you have to configure it as well. When the announcement was made about the Solaris 10 telnetd exploit, I essentially did nothing because the Solaris 10 systems I have running had telnetd turned off (for 3/05 and 1/06 it is turned on by default). This is the difference between a trained administrator and someone who is less than knowledgeable “The more consumer oriented operating systems made by Microsoft and Apple are each hardened in their own right. As soon as users begin to arbitrarily enable remote services or fiddle with the default configurations, the systems quickly become open to intrusion.”
I don’t understand how you can say this is an opinion piece considering Matthew has 95 references. The only opinion I see being expressed here is yours, and yours isn’t backed up by anything at all.
From the article:
During the installation phase, a variety of FreeBSD’s stock services were enabled. These included FTP, SSH, telnet, shell, login, finger, ntalk, TFTP, POP3, IMAP4, SMB and NFS.
No responsible admin would turn on all this crap. Still Nessus found no remote vulnerability.
As Borat would say: “Very nice!”