After 30 years of progress in the IT business you would think that products are maturing and that software errors would be a thing of the past. After all, we would not expect car manufacturers to have made little progress on the safety of their cars, would we? Unfortunately it is clear from Bugtraq, Secunia and CERT.org that many operating systems, middleware and applications are still plagued by all kinds of vulnerabilities.
CERT.org has not yet released statistics for all of 2003 but for the first 9 months it reported 2982 vulnerabilities, or an average of more than ten vulnerabilities per day. This total number is more than ten times the number of vulnerabilities reported for the entire year in 1998 and close to three times the number of vulnerabilities in the year 2000.
The reports in the vulnerabilities databases sometimes describe errors within the operating systems themselves but more often they describe application errors through which the integrity of the operating system can be compromised.
Some people would argue that application problems such as buffer-overflow are no concern of the operating system. My counterargument is that while the blame for application errors might lie with the software engineers and developers who created the software, the ability of an application error to compromise an operating system is a fault in the operating system itself. I see the number of vulnerabilities of an operating system as a clear reminder of the inherent weaknesses in that system.
| OPERATING SYSTEM | SECUNIA ADVISORIES in 2003 |
|---|---|
| Apple OS 9 | 1 |
| HP OpenVMS 7.x | 3 |
| IBM AIX 5.x | 14 |
| HP Tru64 5.x | 24 |
| Sun Solaris 8 | 43 |
| Sun Solaris 9 | 43 |
| HP HPUX 11.x | 48 |

| OPERATING SYSTEM | SECUNIA ADVISORIES in 2003 |
|---|---|
| Linux Kernel 2.4.x | 10 |
| Microsoft Windows Server 2003 Standard Edition | 15 |
| Microsoft Windows Server 2003 Enterprise Edition | 15 |
| Microsoft Windows 2000 Professional | 32 |
| Microsoft Windows XP Home Edition | 32 |
| Microsoft Windows XP Professional | 34 |
| Sun Linux 5.x | 51 |
| SuSE Linux 8.x | 64 |
| RedHat Linux 9 | 72 |
| RedHat Linux 8 | 119 |
| Mandrake Linux 9.x | 126 |
| Debian GNU/Linux 3.0 | 186 |

Proprietary systems are the least vulnerable
The operating systems with fewest vulnerabilities in 2003 are HP’s OpenVMS, IBM’s OS/400 and IBM’s zOS.
These three are all proprietary and they all have security that is fully integrated, not applied as some kind of after-thought. Certainly they come with a decent price-tag but they can be well worth the money when the result is fewer security problems, less unscheduled downtime and less downtime for patching.
The other significant feature of these operating systems is the language in which they are written. The two from IBM are both written in assembler and OpenVMS uses a range of about ten languages, one of which is C.
C and similar languages that use pass-by-value techniques are exceptionally prone to buffer overflow and the consequent potential for unauthorized users to execute either their own malicious code or other programs which run with enhanced access privileges. Avoiding the use of these languages at the most vulnerable points, namely user I/O and network I/O, would appear to be wise. Linux, Unix and Windows are almost entirely written in C, and most of their middleware and application software is also in these vulnerable languages, so it should come as no surprise that they are less secure than OpenVMS, OS/400 and zOS.
The other operating system that had very few vulnerabilities is Apple’s OS 9, with the Secunia database showing just one in 2003 and none in 2002. Again this is a proprietary operating system and the decisions and integration of security rest with one organisation which does not have to concern itself with compatibility with other vendors.
Apple recently moved to a Unix-based operating system, OS X, and the 24 vulnerabilities reported for it by Secunia in 2003 are a very telling comment.
The Question of Linux versus Windows
Linux users are usually very fast to assert that Linux has fewer vulnerabilities than Microsoft’s products. The Linux kernel itself has few vulnerabilities but versions such as those from Mandrake, RedHat, Sun and SuSE have far more than Windows even when the number of vulnerabilities for Windows is added to the vulnerabilities of Outlook (1 for each of Outlook 2000 and 2002), Internet Explorer (20 for version 5.5 and 24 for version 6) and Access (4 each for Access 2000 and 2002 and 2 for Access 97).
Linux fans often point to press reports as evidence that Linux has fewer problems but this does not support their claim. Certainly a vulnerability in a product such as Outlook or Explorer might cause far more problems than Linux vulnerabilities but this is only due to the extent of use of Microsoft’s products.
Despite the fewer vulnerabilities in Microsoft’s products I see no reason to cheer for Microsoft. It is responsible for the majority of the application software that runs on its various versions of Windows and so regardless of where the erroneous software might be located it only has itself to blame.
In the forthcoming Windows XP SP2, Microsoft is finally making the security enhancements that should have been in place more than five years ago. These include having better network security by default and simplifying the automatic update of their software, something that should very rarely be needed if the software was properly written in the first place.
Microsoft is also tweaking the protection on dynamically created code, something that I regard as a quick, dirty and terribly dangerous practice. If Dijkstra was opposed to GOTO statements because they made it difficult to determine the exact state of processing, just imagine what he would have thought of code that is dynamically created and executed.
The recent release of Linux 2.6 has also introduced some security enhancements, again rather overdue if Linux ever hopes to be a serious alternative. In particular the new release includes the ability to define privileges in finer detail rather than the simple grouping of “user” and “root”, but this is something that most proprietary forms of Unix have had for many years.
The number of vulnerabilities in Linux and its applications should be ringing alarm bells for anyone considering using it. The Aberdeen Group has estimated that Linux open source accounted for about half of all security vulnerabilities identified in 2003, down from 70% in 2002.
Windows and proprietary Unix are both more secure than Linux but the most secure operating systems continue to be certain proprietary systems from HP and IBM. Some may refer to these more secure systems as legacy systems but if legacy means secure and reliable it seems that legacy should be the preferred option.
The original copy of this article is located at: http://www.theinquirer.net/?article=13420