Security

What’s the Most Secure OS? Surprise! It’s Windows. (Well, sort of.)


The startling conclusion that Microsoft has the most secure OS isn't mine (although I don't find it all that fantastically unlikely), but that of some observers who reached it after looking at Symantec's Internet Security Threat Report Volume XI (http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport), which covers the second half of 2006.

Here's a quick look at a few of the relevant numbers; see what you make of them:

  • For the period July 1, 2006, through December 31, 2006:
  • Windows had 12 severe threats out of a total of 39 vulnerabilities, fixed in an average of 21 days.
  • Mac OS X had 1 severe threat, but Apple averaged a 66-day turnaround across all 43 vulnerabilities reported.
  • Red Hat Linux was actually faster than OS X, with a 58-day average time to fix a total of 208 vulnerabilities.
  • Of those Red Hat vulnerabilities, 2 were critical and 130 were rated medium severity.
  • HP-UX had 98 vulnerabilities and needed an average of 101 days to fix them.

Still, pity the poor Sun users who waited an average of 122 days for fixes of the 63 Solaris vulnerabilities.

Mozilla users can rejoice: the average time to patch a vulnerability was the best of any browser, only 2 days, which matters a great deal if you are facing a zero-day threat.

What shouldn't come as a surprise is Symantec's report that the biggest vulnerability threat is found in the newest hot branch of software - Web apps!

Another unsurprising (at least to me) part of the report was the first paragraph of the Executive Summary:

"Over the past two reporting periods, Symantec has observed a fundamental shift in Internet security activity. The current threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used for financial gain."

Also, right in line with my recent report here on the California Secretary of State's exposure of hundreds of thousands of individuals' Social Security Numbers on its official Web site, Symantec reports that the government sector in total was responsible for 25 percent of the identity theft activity related to online security breaches.

Coming in second as the biggest threat to your personal identity were education-related sites, with medical sites a close third.

Of course those are the groups that keep the largest amount of personal information outside the three highly centralized credit reporting agencies, so perhaps it really shouldn't be surprising to anyone that the most data theft came from the places with the most personal information.

77% of all Web browser attacks were aimed at Internet Explorer (the biggest target obviously, so no surprise there).

There is a lot of useful information to be gleaned from this Symantec report, and every security professional should download and study a FREE copy. It not only tells you which categories of threat you most need to protect against, it also includes a lot of useful information about which regions have the most infected computers (and therefore which regions' Web sites and email senders you should be especially wary of).

By the way, the U.S. is the origin of more attacks than any other country (it probably has the most computers, too). On average, China has the most bot-infested computers in the world, with the U.S. second in the number of infected systems, while Israel has the highest percentage of hackers per PC.

But there is good news for IT security managers too; the home user is the subject of targeted attacks more than 90 percent of the time, which means that your workers aren't.

Spam now makes up about 59% of all email traffic, and 65% of that is in English (a lot of it pretty broken English, in my experience).

A really alarming statistic: Symantec identified only 1 zero-day threat in the first half of 2006 but documented 12 in the second half.

The report also details the percentages of each kind of malware detected and has a vast amount of useful information, not the least of which is the headline-making finding that Microsoft is currently the best performing company when it comes to the speed of fixing vulnerabilities in a major OS.

It is only fair to remind everyone that Microsoft mainly sticks to a regular monthly security patch release, with only an occasional out-of-band release in extreme cases. I wonder what Microsoft's numbers would have been if it released patches as soon as they were available?

I also feel compelled to point out that the #1 ranking was based only on the speed with which the companies responded to threats, not on the severity of the threats or on how much trouble the patches caused.
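To make the methodological point concrete, here is an added example (mine, not code or data from Symantec or from the original post) that computes patch-latency statistics for two hypothetical vendors from a constructed vulnerability list. The severity weights and the "os"/"browser" component split are assumptions of the example; the report publishes neither. It shows two things: a vendor that tops the plain average can fall to last once exposure days are weighted by severity, and the figure depends on which components you decide count as "the OS".

```python
"""Patch-latency metrics: how the statistic and the scope change a vendor ranking.

Added illustration with constructed data; the vendors, dates, severities and
weights below are invented for the example and are not from the ISTR.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median

# Assumed weights: a high-severity bug exposed for a day "costs" ten low ones.
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1}


@dataclass(frozen=True)
class Vuln:
    vendor: str
    component: str      # "os" or "browser": lets us test what counts as the OS
    severity: str       # key into SEVERITY_WEIGHT
    disclosed: date
    patched: date

    @property
    def days_exposed(self) -> int:
        """Calendar days between public disclosure and the vendor's fix."""
        return (self.patched - self.disclosed).days


# Constructed sample: vendor_a fixes trivia fast and its one OS-critical slowly;
# vendor_b is the reverse. vendor_a also has a fast browser fix outside the OS.
SAMPLE = [
    Vuln("vendor_a", "os", "low", date(2006, 7, 3), date(2006, 7, 8)),        # 5 days
    Vuln("vendor_a", "os", "low", date(2006, 8, 1), date(2006, 8, 6)),        # 5 days
    Vuln("vendor_a", "os", "low", date(2006, 9, 10), date(2006, 9, 15)),      # 5 days
    Vuln("vendor_a", "os", "high", date(2006, 10, 1), date(2006, 11, 30)),    # 60 days
    Vuln("vendor_a", "browser", "high", date(2006, 11, 1), date(2006, 11, 3)),  # 2 days
    Vuln("vendor_b", "os", "low", date(2006, 7, 1), date(2006, 8, 10)),       # 40 days
    Vuln("vendor_b", "os", "low", date(2006, 8, 5), date(2006, 9, 14)),       # 40 days
    Vuln("vendor_b", "os", "low", date(2006, 9, 1), date(2006, 10, 11)),      # 40 days
    Vuln("vendor_b", "os", "high", date(2006, 12, 1), date(2006, 12, 11)),    # 10 days
]


def patch_stats(vulns, components=None):
    """Per-vendor latency summary. `components` restricts the scope (None = all)."""
    by_vendor = {}
    for v in vulns:
        if components is not None and v.component not in components:
            continue
        by_vendor.setdefault(v.vendor, []).append(v)

    stats = {}
    for vendor, vs in by_vendor.items():
        days = [v.days_exposed for v in vs]
        weights = [SEVERITY_WEIGHT[v.severity] for v in vs]
        highs = [v.days_exposed for v in vs if v.severity == "high"]
        stats[vendor] = {
            "count": len(vs),
            "high_count": len(highs),
            "mean_days": mean(days),
            "median_days": median(days),
            # Severity-weighted mean: slow fixes of critical bugs dominate.
            "weighted_days": sum(w * d for w, d in zip(weights, days)) / sum(weights),
            # Longest window a critical bug stayed unpatched (0 if none).
            "worst_high_days": max(highs, default=0),
        }
    return stats


def rank(stats, key="mean_days"):
    """Vendors ordered best-first by the chosen statistic (lower is better)."""
    return sorted(stats, key=lambda vendor: stats[vendor][key])


if __name__ == "__main__":
    for scope in (None, {"os"}):
        s = patch_stats(SAMPLE, scope)
        print(f"scope={scope or 'all'}")
        for key in ("mean_days", "median_days", "weighted_days", "worst_high_days"):
            print(f"  by {key:16}: {rank(s, key)}")
```

Run it and the "best" vendor changes with the statistic: the plain mean puts vendor_a first, the severity-weighted mean and the worst critical exposure put vendor_b first. Dropping the browser from vendor_a's scope changes its count and mean without touching vendor_b at all, which is exactly the kind of definitional choice that needs to be stated before any cross-vendor ranking means anything.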

Nevertheless, this report from a company that is finding itself more and more in competition with Microsoft in the security market (and therefore probably isn't cutting Microsoft any slack) is certainly a good one for the folks at Redmond.

So, why does nearly everyone seem to believe Microsoft is so slow to provide patched code?

I feel it is just like Detroit, which now makes pretty good cars and trucks but is still considered by many to turn out inferior products; it may take a LONG time to convince people that Windows is actually pretty secure and that Microsoft is very responsive to threats.

Detroit will have to keep proving that it can make reliable vehicles for a long time to overcome the advantage some foreign makes have. (Turning out more popular designs with better gas mileage couldn't hurt either - I'm NOT Detroit-bashing - I have a lot of old Detroit Iron, including some with very big displacement engines from the muscle-car era - several 460's and one 455.)

Likewise, Microsoft is going to have to keep being the fastest to patch its most basic product for a long time to convince people that it is really doing a good job.

(Making a much smaller and highly secure alternative to Vista would also be a good place to earn some points - at least with me.) 

How about YOU? What do you think of the implications in this Symantec report? 

31 comments
Hiaximize

I don't think Windows is the most secure for one main reason: it is so easy to hack if you can get physical contact with the computer. You can put as many passwords on it with as many special characters as you want and as long as you want. I have a program that will wipe it clean in under 2 seconds. (I'm pretty sure I'm not the only one in here with this program either.) And a remote hack is easy too, especially if you are on the same network as they are. Now if you know how to secure it down then yeah, it may be harder, but still not that hard to hack. The fact of the matter still remains that Windows is in fact not the most secure OS out there.

CIO at Alphabetas

You must look at statistics carefully. On the surface your numbers appear correct, but in the end you are doing a whitewashing job for Microsoft. You punish OS X and Solaris for their time to fix the vulns and declare MS the winner. By doing this you do a disservice to the reader and help perpetuate myths and stereotypes, because you didn't finish the math! Take your severity and number of bugs, and factor in the fix time, but you do nothing to address the EASE OF EXPLOIT. MS has to deal with their exploits faster because they are most easily exploited, and code is handy and free for doing so. NONE of the vulns and/or exploits found on OS X or Solaris were EVER exploited, and neither had any found in the wild. The same was not true of the MS issues found. Next time factor in the possible likelihood of attack and the ease of using the published vuln to EFFECTIVELY attack a system....

Tech Locksmith

If you were addressing me then you certainly need to re-read the blog - I did NOT conduct a statistical analysis of the data, if only because I had no access to the raw data. I am a trained mathematical physicist and know something about statistical analysis (kinda required in quantum mechanics). What I did was present a few chosen quotes from a long and detailed report compiled by Symantec and then point out that some reporters had jumped to a strange conclusion about the security of various OSes based on a poor understanding of statistics. The point of a blog posting such as this is to provide a bit of background and links to the actual report. Not knowing the details of Symantec's methodology nor having access to their raw data, there is no possible way I could do a proper analysis of their report, nor could any of the reporters who jumped to the conclusion that the report showed Microsoft to have the most secure systems. All I was able to conclude from reading the entire report was that Microsoft was the fastest at providing patches.

apotheon

"All I was able to conclude from reading the entire report was that Microsoft was the fastest at providing patches." I've been doing secondary statistical analysis informally for several years now as part of my professional work. I've thus far only given the report a cursory going-over -- but I've printed out the first thirty-seven pages for in-depth reading and analysis, and I'll print a bunch more tomorrow, and when I'm all done I'll probably have a lot more to say about how it all looks. Since most statistical data comparing different information technology "solutions" is generated and presented by parties that operate under a significant conflict of interest, secondary analysis is a survival skill in this industry.

Tony Hopkinson

That's not a truly fair example. You could do the same thing in any OS, given of course that the wally who did it had admin privileges. You couldn't do it on low-rights XP or Vista, or through an even vaguely set up mail server. I'm not defending winders, but its biggest flaw is the lack of isolation between kernel and user space, not having someone sat in front of it who believes there really is a picture of Britney naked in the file.

Hiaximize

And to further my opinion about how insecure Windows is, I could create a simple batch file, convert it to a .com file and send it through an email, and it would shut down the firewall and shut down the Security Center in seconds, passing through all major AVs in a matter of seconds without even an alert. The only alert you may get is that your Security Center and firewall have been shut down and you may not be fully protected. And then it's just a matter of sending a trojan after that, or maybe even in the same batch file. Or I could even write one in C# to do all of this. This just furthers my opinion that Windows is so insecure.

apotheon

"Personally, although I admire your effort, I doubt studying the report in detail (without access to the raw data and the assumptions made in designing the poll) will produce any different results than the report's own conclusion." You can see the beginning of my analysis here: Security Analysis: Symantec ISTR XI (Executive Summary) (http://sob.apotheon.org/?p=231)

apotheon

There are usually some very interesting hints in someone's primary analysis of statistical data to where their biases lie, and usually some data slips through that, with scrutiny, actually contradicts the presented conclusions. For instance, by the time I'm done, I may discover that artificial and inconstant procedures of separating patch types produce highly biased reports of average patch times. I'm withholding judgment on that until I've gone through the whole thing, though.

Tech Locksmith

All adults should know by now that people can lie using statistics, because so few people really understand that branch of math (the same as they don't understand probability and think 100 heads in a row mean a greater chance of tails next). I hope everyone noted that I said "All I was able to conclude FROM READING THE ENTIRE REPORT..." I had no access to the raw data, and that, along with the assumptions you always have to make in setting up any such project, including HOW and WHAT data you collect, has a great influence on the results. In designing physics experiments (and taking political polls) you usually get the results you are looking for because, either consciously or unconsciously, you design the data collection method to answer certain questions and not others. Personally, although I admire your effort, I doubt studying the report in detail (without access to the raw data and the assumptions made in designing the poll) will produce any different results than the report's own conclusion. That, of course, doesn't make the conclusions true. Cause and effect are pretty fuzzy concepts in IT security.

apotheon

There's a lot more to it than that. IE alone had 54 vulnerabilities during that same period, according to the study. That's more than the total number of reported MS Windows vulnerabilities. Ahh, but that's not the OS! you might say. You'd be wrong, because of the (well known) close integration of IE with the OS. . . . but wait, it gets better: While the report is ignoring IE when providing MS Windows statistics, it is including the entire set of software available in Red Hat's archives in its assessment of Red Hat. This is literally thousands of discrete pieces of software, very few of which are actually necessary to a desktop install. It's akin to including Photoshop, World of Warcraft, Quickbooks, Nero, Norton Antivirus, Borland Delphi, WinAmp, and thousands of random little bits of freeware in the assessment of MS Windows security.

That's just the beginning, of course. Sun Microsystems disputes Symantec's numbers with regard to Sun Solaris. Sun's numbers are more easily verified than Symantec's, too -- and in fact Sun went to the effort of trying to verify Symantec's numbers, and failed to do so. I wonder how good Symantec's numbers are in relation to other systems. Keep in mind that Symantec is the company that comes out with a new scary security bulletin about "Linux" every now and then, "proving" via a proof-of-concept virus the people at Symantec themselves created, that if you bend over backward to let malware get a foothold on your system and execute it intentionally yourself, you too can need Symantec security products. Of course Symantec wants you to think MS Windows is the most secure system out there -- it's having a real bear of a time selling security software for Linux systems. It just doesn't want you to think MS Windows is perfect, because then it wouldn't be able to sell security software for MS Windows either. In fact, one of the things Symantec isn't mentioning is the simple truth of how different OSes handle viruses.

Those proof-of-concept viruses from Symantec all have to exploit some obscure little vulnerability; the moment Symantec demonstrates the vulnerability, the Linux development community closes it. Meanwhile, every time a virus for MS Windows comes out, Microsoft just sits back and waits for Symantec, McAfee, Grisoft, and even the fine folks at ClamAV (open source antivirus software) to "fix" it by providing virus definitions so that the annoyance of additional virus-scanning software can be used to "protect" you after the fact. Oh, there's more, don't you worry: Red Hat isn't the One True Linux. I wonder why McAfee didn't pick a distro with a better reputation for security. Oh, there's more still: I wonder why everyone that reads this damnable report of Symantec's is declaring MS Windows the securest evar, not even noticing that it only covers five OSes -- completely ignoring a bunch of Linux distributions, a bunch of BSDs, the BeOS spin-offs, Plan 9, and even UnixWare. In fact, the true most secure of the major desktop operating systems is OpenBSD, which has recently had its second remotely exploitable vulnerability ever. In fact, it was so recent that during the same six-month period as the study, OpenBSD has had a vulnerability rate of exactly ZERO. That's much better than the 39 that MS Windows got after Symantec fudged the numbers! There's still more, but my fingers tire of typing, and I have other things to do before bed.

pmshah

I was wondering if there were any efforts on the part of Symantec to come up with a "proof of concept" virus targeting Windows! I did not see any mention of that. Perhaps Symantec did not want or have to exert themselves or allocate resources to that end. What would be scary is if they did, found a bunch & never published them.

Tech Locksmith

I was wondering if anyone would notice that about IE vulnerabilities. Microsoft has integrated Explorer so closely with the OS that it is impossible to fairly look at Windows security without counting IE flaws. The point of these security blog entries (at least many of mine) is to get security people to THINK about what they are doing! You simply can't be good at IT security by only following a few rules and reading about new vulnerabilities - you also have to THINK about security all the time and question any of these reports published by any AV or security vendor. I DON'T question Symantec's honesty, but I have serious reservations about their methodology. I also agree about OpenBSD, one of my top favorites - ALMOST as secure as not being networked! I also like BeOS, although I'm far from certain it is particularly secure; it may just not have been tested sufficiently. That's why they make removable hard drive frames, to enable you to select the best OS for a particular situation.

apotheon

I really do appreciate your efforts to get IT professionals to think about what they're doing. That's the most important skill a security-conscious IT pro can have: thinking critically.

mike_patburgess

So, because MS fixes their bugs faster, that makes their OS more secure... Hmmm, interesting association of terms.. er, sort of. When you have to purchase a plethora of associated applications to protect the MS OS kernel, that tells me that the OS kernel is not secure. I cannot remember any time that HP-UX was brought down by a virus or by intrusion. Question... what HP-UX vulnerabilities? Funny that no one mentions IBM in this blog.

Tech Locksmith

Thinking your OS is totally secure is the best way to get into really big trouble. But, to answer your question: http://secunia.com/vendor/2/ and, for HP-UX specifically, http://secunia.com/product/871/?task=statistics and http://secunia.com/product/138/ . All those, and I never even met a hacker who was testing HP-UX. See also http://insecure.org/sploits_hpux.html

mike_patburgess

Viewed even more of these things... 1998 are the post dates.... Please... Last time I looked, we are in 2007.

mike_patburgess

Well, I read the list and I found UX 10.., which is for the most part obsolete, iLO, which is not on UX, AlphaServer, again not a UX machine, and a whole lot of other stuff unrelated to UX. Referencing these charts, it sure looks to me that, given the number of patches vs. the timeline, it is a very secure OS.

Tech Locksmith

I used to work with it but no one ever really had a chance to attack it because almost no one ever used it.

Absolutely

Microsoft does at least lead in some areas of technology. OK, they buy that technology instead of developing it, but to the market, they're the first to provide a number of new technologies. Detroit still cannot claim to be the first to offer high-mileage cars, or any other major innovation, since the internal combustion engine itself. So Microsoft's reputation isn't quite that bad -- yet.

Tech Locksmith

I get your point, but Henry Ford did sort of invent the assembly line and, BTW, Detroit did not invent the internal combustion engine. Detroit (the car company, not the city) used to build electric cars though. Good old Leonardo (who else?) is somewhat credited with coming up with the concept, and the first commercial applications were around 1820. Otto and Daimler came up with the 4-stroke (Otto-cycle) around 1875 or so. But I get your point: what HAS Microsoft invented? We all know where MS-DOS came from, and Windows 1.x seemed to have a lot of very familiar features when I first saw it. (Can anyone say PARC?)

ajn465

It's high time the boys at Microsoft prove that they can write some nice tight code, as opposed to lots and lots of it. An OS with XP level functionality (along with a decent degree of modular upgradability) combined with a streamlined installation would be welcome to most home users. Trimming the fat almost always results in more reliable, faster running programs of any kind. Properly executed it should also leave fewer holes to exploit in the first place.

Rascal1981

So after reading the article and dumping some of the garbage from the article on the floor, I have to say that it's still hard to put faith in Symantec. And since they go hand in hand with M$ it's even a little harder, but I can't hold that against them too much (hey, Dell and HP are primarily Wintel shops but I still buy their servers). I don't agree with the article entirely but I do see some of the points. I would also say that I agree that M$ needs to start writing better code, not more of it, but that is something they should have been doing YEARS ago.

kent.pealy

I didn't see VMS in the list. Windoz and Symantec probably can't spell it!

Tech Locksmith

Right, not compared to VMS, AIX, MS-DOS, OS/360, or a lot of other OSes I've used, probably because you don't see them on desktops, so they aren't relevant for comparison.

mike_patburgess

Yep, and we all believed the famous phrase, "..no one will ever need more than 640K of memory." Believe what you will, but when SMBs come to the realization that their main business is to make money on their competency and not to run an IT shop, they will soon see the light and move to something that is more manageable. Have you ever heard of co-location? Some SMBs that I know have banded together and co-located their IT in a center that can support them and provide the services that they require. Look ma... no more IT folks or HVAC things to worry about. How much memory does Vista need now???? I guess the 640K of memory was wrong as well.

CharlieSpencer

They'll probably wonder who's buying all that inventory. Oh, and let the corporate customers know they can stop buying laptops too. I can throw out that desktop running a single license of an expensive application; we'll throw it on the server and pay for licenses for all connected clients who don't need it. Also, don't forget to take the desktops out of those SMBs that don't have servers or IT departments. Thin clients are great solutions, but they can't replace all desktops, or even the majority of them.

Rascal1981

An interesting statement, "The FAT desktop is dead. If anyone wants to run games,... get an Xbox..", and as much as I may not like it, you have a good point. We are pretty much a thin client shop at this point and it's great, I have to admit, but I think the home user is still quite a ways from this. It would eliminate a lot of problems if it were not so, but I don't see it happening. Thin clients come with their own set of problems as well, and as much as I love VMware, it doesn't come without its headaches. So I guess in the end it really depends on your flavor of pain; how the Xbox would be the solution for a hardcore gamer, though, still eludes me.....

mike_patburgess

The desktop and mikeysoft are out of control. With the escalating cost of supporting the desktop, more and more smart businesses are moving the compute power back into the glass room (data center). What with Vista needing more memory, more CPU, more disk, more.. more... ENOUGH. VMware is here today. I have seen many businesses realize real savings in abandoning the FAT desktop and moving to "DUMB" terminals or thin clients, which bring more order, less risk and, more importantly, less cost to their business. The FAT desktop is dead. If anyone wants to run games,... get an Xbox..

shane.justice

So, Symantec, whose only customer is MS Windows people worried about having things stolen from their computers, is saying that its host O/S is the most secure? Wouldn't that mean that there is no need for Symantec's products on a PC? Obviously the Mac, Linux, and other Un*xes don't have any Symantec products (that I know of). And, if they do/did, there doesn't seem to be much requirement for them. Sounds to me like Symantec is trying to up their market share by trying to stem the tide of people switching to other O/S platforms. Of course, I could be wrong.

apotheon

"wouldn't Symantec sell more Windows security software if they demonstrated it WASN'T secure?" Not necessarily. Symantec may be reading the writing on the wall, and concluding that it's likely to lose more money by way of conversions from MS Windows to other OSes, which in many cases would result in dropping Symantec software, than it would gain from ever-increasing perceptions of crappy security on MS Windows. After all, people who leave MS Windows because of security concerns are probably going to be likely to choose systems for which there is little or no Symantec traction in the security market. Even if someone migrates to a different OS and keeps Symantec as security software provider, the people who follow that example of system migration may very well not do the same. Keeping people on Windows, convinced of a need for security software but not convinced that MS Windows sucks, is probably Symantec's best bet for continued market share.