Security threats Toolkit

Security study pans Windows

Tags:
Security,
PC,
Microsoft

Published: 16 Aug 2004 08:35 BST

Microsoft has been waiting for security researchers to say that its Windows operating system has a lower total cost of ownership. One finally has, but that's not good news.

On Friday, David Aitel, a noted security professional and managing director of vulnerability assessment firm Immunity, published a paper stating that "owning" a computer -- hacker-speak for compromising a system -- is easier if the target computer runs Windows. While couched in puns and jokes, the paper takes a serious stance on the security of Windows compared with modern Linux, Aitel said.

"We are having some fun with it, but the underlying data and conclusions are real," he said.

The paper, titled "Microsoft Windows: A lower Total Cost of 0wnership," mocks other, typically Microsoft-funded, research, such as a study done by IDC that maintains Windows costs less to implement in four out of five corporate applications. Another such study, released by Forrester, found that a particular measure of the threat of vulnerabilities was higher for Linux than for Windows -- but the data used by the study was broadly questioned.

The Aitel paper marks the first time that a security professional with hands-on experience of hacking both Linux and Windows systems has weighed in on the issue.

His conclusion: the security of Windows computers is easier to breach than modern Linux computers, despite more than two years of work by Microsoft to secure its operating system under its Trustworthy Computing initiative. Microsoft declined to comment on the paper.

The report has very little supporting data, however, making it less of a challenge to Microsoft and more of another voice in the long-running debate between the two operating-system camps.

Based on their tentative data, Immunity's researchers found that their average time to find a flaw in the Red Hat-sponsored Fedora Core 2 distribution of Linux was about six days -- twice as long on average as it took to find previously unknown Windows vulnerabilities. Several factors affect that time, including better tools for finding flaws in Windows systems, better kernel-level defences in Linux, and more known points in Windows to execute attack code, the researchers noted.

Microsoft recently released a massive security update for Windows XP, a reaction to the massive spread of the MSBlast, or Blaster, worm a year ago, but that still will not close most of the holes until a major security feature in PC processors is more widely available, Aitel said. That feature, known as the nonexecutable flag or write-XOR-execute bit, allows processors to prevent attackers from executing code. However, only Advanced Micro Devices has introduced the technology, which it calls enhanced virus protection (EVP), into its mainstream processors.

Adding to the security issues he has with Windows, Aitel pointed out that, while getting customers to patch is a problem for both platforms, Linux patching utilities update a wide variety of applications, not just the core operating system, as is typical of Windows fixes.