Operating Systems Security: Year 2007 Vulnerability Report

by Ajit Gaddam on April 9, 2008

Operating Systems Security: Year 2007 Vulnerability Report

This paper analyzes the vulnerability disclosures and security updates during the year 2007 for Windows Vista Operating System when compared to its predecessor, Windows XP, along with other modern Client Operating Systems Red Hat, Ubuntu and Apple Mac OS X.

The results of this analysis based on the Vulnerability Count Metric and Days of Risk suggest that Windows Vista is the most secure Operating System when compared to the other leading Desktop Operating Systems for the year 2007 based on its lower vulnerability profile. Windows Vista is also significantly easier to administer for IT Security of various corporations as well as individual users based on the number of Security Bulletins and updates it issues besides the excellent security support provided through Microsoft TechNet Security Center.

With the vulnerability and risk data available, I also wanted to tackle the topic of Browser security. The analysis reveals that Firefox 2.x on Ubuntu platform was the most secure browser for the year 2007 in terms of the lowest Days of Risk and vulnerability profile. While these results represent only the vulnerability dimension of security risk, they do provide insight into the aspects of security quality that are under the control of the vendors – code security quality and security response. These metrics however, must be considered in combination with several other important qualitative factors when choosing a platform based upon security maintenance and likelihood of a security breach in your environment.

Beyond patches and vulnerabilities, there are “softer” qualities of security that are difficult to quantify but undeniably impact deployed security. Qualities like security lifecycle support, bulletin descriptiveness, default security features and the like all have a direct impact on deployed role security.

Note: This report is an update to the previously published Windows Vista One Year Vulnerability Report by Jeff Jones1, a VP at Microsoft, who concluded that Windows Vista is more secure by analyzing vulnerability data of Windows Vista and other Operating Systems based on the first year of their operation. However, as Jeff admits, this kind of first year analysis may be good to evaluate the security practices and product development methodologies of a vendor more than measure the security of an Operating system. This paper expands on his findings while following a similar structure used in Jeff’s report presenting a deeper level of analysis and comparison of the modern workstation Operating Systems using the entire 2007 vulnerability and risk data which would more accurately reflect the “present security state” of these different Operating Systems.

Also, please note for non-windows fans, this is a Vulnerability Report not a ranking the most secure operating system report. Before you make any conclusions, I have presented the data used to come to the conclusions in this paper for everyone to access. I tried my best to level the playing field by having similar components for all Operating Systems accessed in this report.

Operating Systems Security Comparison

Operating System security is all about reducing risk and process outputs such as better audit reports, reduction in virus incidents, reduction in vulnerabilities are all worthwhile sources of metrics and I will be using the vulnerability count and Days of Risk to provide a vulnerability analysis which could be incorporated with other factors such as various kinds of controls and Defense in Depth measures to provide for reduced risk for different kinds of environments whether corporate or home.

While these counts are popular, vendors control how many vulnerabilities are addressed by a single security advisory. So to compensate the inherent weakness of just using raw bulletin counts, I will be using Days of Risk and a role based approach of measuring security of these different operating systems using a likely deployed client configuration environment. So, this analysis will take advantage of Linux ability to create and deploy a minimum set of components, a security advantage it has over Windows.

The following is the set of conditions that was used to gather the vulnerability information and patch information
1. I install only patches and fixes released by Microsoft. Similarly for Red Hat and the other Operating Systems, I only install patches released by the vendor.
2. The “first public” date for a vulnerability is the date at which the vulnerability was first released on a public list or a web site (Bugtraq, Red Hat, Microsoft, Full-disclosure, Security Focus, k-otik) devoted to security, or a publicly accessible list of bugs or problems posted to the home site of a package or its mailing list.
3. Dates of patches are based on the release date for the distribution of interest.
4. Release dates for a vulnerability patch or fix are specific to a distribution/architecture. If a fix for a component (ex: libpng) is released on 01/01/2007 for a certain Linux distribution (ex: Gentoo Linux) and a fix for the same issue is released for Red Hat on 01/10/2007, the release date for the fix on Red Hat will be 01/10/2007. This is not applicable for the Windows platform.
5. For past issues, the release date for a patch is the first published vendor report that includes the patch for the applicable platform for which the patch fully fixed the vulnerability. If the patch had to be re-issued to address some portion of the security issue, the later date is used.

Operating System Security Comparison

Metric

Windows Vista

Windows XP

Red Hat rhel4ws Reduced

Ubuntu 6.06 LTS reduced

Mac OS X 10.4

Vulnerabilities Fixed

42

66

160

168

187


Security Updates

21

39

67

65

15

Patch Events

9

12

43

54

19

Weeks with at least 1 Patch Event

9

12

31

37

15

Days of Risk for Different Operating Systems

#Days

Windows Vista

Windows XP

RHEL4WS

Ubuntu 6.06

Mac OS X 10.4

0-30

47

62

11

31-90

6

4

50

57

37

91-365

18

26

33

27

38

365+

1

1

7

2

9

Web Browser Security

The next generation of browsers such as Internet Explorer 8 and Firefox 3 plan to do a tighter integration with anti-malware and anti-fraud mechanisms such as IE8 incorporating Windows Vista’s protected mode and IE8 using a sandbox mechanism and malware blockers.

But despite those moves, vulnerabilities and malicious hacker attacks that use the browser as the entry point to desktops continue to rise as indicated by the current number of browser exploits. In hacking contests to hack three different notebooks running Mac OS X, Ubuntu and Vista, network attacks against all three failed the first day. However, when the contest was opened up to include browser exploits, Mac OS X failed in 2 minutes , Windows Vista running IE7 went next and then Ubuntu running Firefox all get hacked.

Coming back to the data, the best browser for year 2007 was Mozilla Firefox on the Ubuntu operating system, which although was exposed to 56 different vulnerabilities, had the lowest average days of risk at ~75.

Web Browser Vulnerability Count in 2007

Days of Risk for Web Browsers

Browser

Number of Vulnerabilities

Average Days of Risk

Internet Explorer 6

23

219.53

Internet Explorer 7

19

177.46

Mozilla Firefox RHEL

40

106.6

Mozilla Firefox Ubuntu

56

75.15

Apple Safari

24

78

So, does the high vulnerability count indicate that the Mac OS X is the most vulnerable of all the Operating Systems evaluated? Of course not… There are less than 200 known viruses targeting the Mac platform compared to the many hundreds for Windows.

Again, if I was a malicious hacker, and motivated by financial incentives, I would want to write a virus that would take over as many machines as possible on a dominant platform such as Windows. Owning more boxes would help a malicious hacker in launching a DDoS attacks or sending out spam or installing spyware on those machines where each click or install would pay the malicious hacker/spammer.

Recent reports are indicating the increasing Mac market share and this might tip it over an infection point which would bring more active attention from malware writers.

Adam J. O’Donnell, PhD, Director of Emerging Technologies at Cloudmark and has recently been using game theory to analyze at what point Macs become more targeted for malicious attack. He states,

“Game theory shows that an inflection point will come when the rate at which a malware author can reliably compromise a PC rivals that of the Mac market share. It is at this time you will see monetized, profitable Mac malware start popping up.”

Derek Schatz says it best when it may be possible to think about a relative security nirvana by patching your Operating System diligently, locking down the configuration and being careful with where you surf and what you trust on the Internet. For the average user, it is hard to make an OS secure but at the same time preserving usability, doesn’t matter whether the Operating System is Windows or Linux or Mac OS. None is measurably better than the other and they only differ in how many security researchers/ malicious hackers are paying attention to it. Sure, there are some really secure Operating Systems such as OpenBSD or Trusted Solaris, but how many of your applications would run on them, those required for desktop usage.

So, Enterprises and regular users will continue to fight the never ending cycle of patching as new flaws continue to be found in their installed base of PC’s. This is a battle that we lose a little more each month.

Operating Systems Security Vulnerability Report

Similar Posts:

Previous post:

Next post: