It is almost that time again. The ritual of installing Microsoft patches released on the second Tuesday of each month to fix security problems with its operating systems and software. My company will be monitoring and installing these updates again for some of our local clients this week.
It is an ironic coincidence that I have received update notices from Mandriva for software installed on my Linux PC systems as well this weekend. These updates come regularly from the upstream developers through Mandriva to Mandriva end-users. These updates may be simple code fixes for bugs, upgrades to get new versions of software, or security fixes to patch possible security problems. While looking at these today I thought it would be interesting to compare, vulnerability-wise, what I am getting from Mandriva today with what Microsoft customers will be getting on Tuesday 14 September 2010.
First, to understand Microsoft's vulnerability code words one must know the terminology Microsoft uses and what it means. This is found in this table borrowed from Microsoft:
| Rating | Definition |
| --- | --- |
| Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. |
| Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
| Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |
Then one needs to see the Microsoft Security Bulletin Advance Notification for September 2010. If that URL is broken or does not work for one I created a PDF document from that page. What we see are nine "bulletins". The word bulletin is Microsoft-speak for "a problem with our code" or "a vulnerability in our code". The euphemistic term bulletin sounds urgent, no?
Then we see the various software that is afflicted with the problems requiring patches. For our purposes today I am going to ignore all but those that affect Windows 7. Why? Because I am using the latest Mandriva release and anyone using Linux on the desktop is more than likely using a recent release, or at least a release that is newer than XP SP3 or Vista SP1. So the only fair comparison is to stick with Windows 7.
Windows 7 has three patches. These are all marked as Important which, based on the table above, means they each are "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources." Looking at that definition again, some may wonder what the heck it really means. Essentially it is saying one's system might be compromised, also known as cracked and improperly known as hacked, if this patch is not installed. The compromise cannot be "automatic" based on Microsoft's judgement of the problem in Microsoft's code. So, it likely would require one to click on a URL or open a file to create the compromise. Gee, that cannot be too serious then, right? Oh wait, it CAN be serious! So, you Windows 7 users need to make sure you get those patches.
Now I will examine the updates I am getting from Mandriva. I get a GUI popup that updates are available and have opened that in one of my desktop workspaces. However, getting a list from a GUI is problematic. Here is the list as generated from the Mandriva command line command 'urpmi --auto-update -v' (each entry is package name, version, release and architecture):
beagle 0.3.9 40.3mdv2010.1 i586
beagle-evolution 0.3.9 40.3mdv2010.1 i586
beagle-gui 0.3.9 40.3mdv2010.1 i586
beagle-libs 0.3.9 40.3mdv2010.1 i586
firefox 3.6.9 0.1mdv2010.1 i586
firefox-en_GB 3.6.9 0.1mdv2010.1 i586
gnome-python-extras 2.25.3 18.2mdv2010.1 i586
gnome-python-gtkmozembed 2.25.3 18.2mdv2010.1 i586
gnome-python-gtkspell 2.25.3 18.2mdv2010.1 i586
kernel-desktop-188.8.131.52-1mnb 1 1mnb2 i586
kernel-desktop-devel-184.108.40.206> 1 1mnb2 i586
kernel-desktop-devel-latest 220.127.116.11 1mnb2 i586
kernel-desktop-latest 18.104.22.168 1mnb2 i586
kernel-source-22.214.171.124-1mnb 1 1mnb2 i586
kernel-source-latest 126.96.36.199 1mnb2 i586
libnspr4 4.8.6 0.1mdv2010.1 i586
libnss3 3.12.7 0.1mdv2010.1 i586
libxulrunner188.8.131.52 184.108.40.206 0.1mdv2010.1 i586
nss 3.12.7 0.1mdv2010.1 i586
nvidia-current-kernel-2.6.33.> 195.36.24 3mdv2010.1 i586
nvidia-current-kernel-desktop> 195.36.24 1.20100901.3> i586
rootcerts 20100827.00 1mdv2010.1 i586
xulrunner 220.127.116.11 0.1mdv2010.1 i586
yelp 2.30.1 4.2mdv2010.1 i586
These updates are better shown grouped and explained this way:
"Security issues" were identified and fixed in Firefox and Mozilla Thunderbird. The software below relies on some functionality from Firefox and thus also needs to be updated. Technically this is not a "Linux" update. It is a Firefox update that affects some FOSS software that happens to be on my Linux desktop PC. Happily, Mandriva provides these updates through its package management system. Firefox on Microsoft Windows 7 must also be updated. But that is not shown in the Microsoft security bulletins, and one cannot get that update directly from Microsoft.
- firefox-en_GB (Why no firefox-en_US? I don't know.)
Four "vulnerabilities" were discovered and corrected in the Linux 2.6 kernel. The software below is all related to the Linux kernel and thus also needs to be updated.
The words "security issues" and "vulnerabilities" are not my words. These are how the updates are described by the Linux/FOSS community. If one wants to know about the vulnerabilities and security problems as reported then these two URLs will explain the details:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:172 (for Linux kernel)
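The grouping described above can be done mechanically. As an added example that is not code from the original post, the Python below reads a listing in the "name version release arch" shape printed by 'urpmi --auto-update -v' and sorts it into the post's two buckets (Firefox stack versus kernel); the grouping rules, the sample package lines and the placeholder versions are my assumptions, and truncated lines are skipped rather than misparsed.

```python
import re
from collections import defaultdict

# Constructed sample in the "name version release arch" shape printed by
# 'urpmi --auto-update -v'; versions are illustrative, not the post's list.
SAMPLE = """\
firefox 3.6.9 0.1mdv2010.1 i586
firefox-en_GB 3.6.9 0.1mdv2010.1 i586
libnspr4 4.8.6 0.1mdv2010.1 i586
nss 3.12.7 0.1mdv2010.1 i586
xulrunner 1.9.2.9 0.1mdv2010.1 i586
beagle 0.3.9 40.3mdv2010.1 i586
yelp 2.30.1 4.2mdv2010.1 i586
kernel-desktop-2.6.33.7-1mnb 1 1mnb2 i586
kernel-desktop-latest 2.6.33.7 1mnb2 i586
nvidia-current-kernel-desktop-latest 195.36.24 1.20100901.3 i586
rootcerts 20100827.00 1mdv2010.1 i586
kernel-desktop-devel-latest 2.6.33.7> 1mnb2
"""

# Assumed grouping rules mirroring the post's two buckets: packages that ship
# or depend on the Firefox/Gecko stack, and packages tied to the kernel.
FIREFOX_STACK = re.compile(
    r"^(firefox|xulrunner|libxulrunner|nss|libnss|libnspr|rootcerts|beagle|gnome-python-|yelp)"
)
KERNEL = re.compile(r"^kernel-|-kernel-")

def parse_updates(text):
    """Return (name, version, release, arch) tuples, skipping truncated lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # truncated or malformed line, as seen in scraped output
        entries.append(tuple(fields))
    return entries

def classify(name):
    if KERNEL.search(name):
        return "kernel"
    if FIREFOX_STACK.match(name):
        return "firefox"
    return "other"

def group_updates(text):
    """Map each group to the sorted list of package names it contains."""
    groups = defaultdict(list)
    for name, _version, _release, _arch in parse_updates(text):
        groups[classify(name)].append(name)
    return {group: sorted(names) for group, names in groups.items()}
```

Running group_updates(SAMPLE) yields an eight-package firefox group and a three-package kernel group; the truncated devel line is dropped.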
Okay, so what does this all mean? Are Linux and FOSS less secure and more vulnerable than Microsoft Windows 7 because there are more updates shown here? No, not really. In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, the risk of my Linux desktop PC being successfully cracked is low to zero. Did you get that? I will repeat what I said: "In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, my risk of my Linux desktop PC being successfully cracked is low to zero."
Some ignorant people argue that Linux and FOSS are not cracked much because Linux and FOSS are not all that popular. The argument then goes on to state that Microsoft systems are cracked often because they are more popular, and this makes Microsoft a bigger target. That is absolutely false. Linux security updates, if not applied to a typical Linux desktop system, will most likely not result in that system being compromised. The converse is not true of Microsoft systems. Don't update Microsoft and one faces a higher risk, likely to certain, that one's Microsoft desktop system will be compromised with malware. Even then one's Microsoft PC is still vulnerable due to basic design flaws in the operating system.
Frankly, it requires much more effort to crack a typical Linux desktop PC than to crack a typical Microsoft desktop PC. Heck, even the United States National Security Agency (NSA) thinks so. This is covered in a document about its Security-Enhanced Linux a.k.a. SE Linux. This excerpt from the Introduction is telling (my comments are in square brackets):
Unfortunately, existing mainstream operating systems [meaning Microsoft] lack the critical security feature required for enforcing separation: mandatory access control (MAC) [SE Linux adds this].
The document goes on to state that mandatory access control a.k.a. MAC is needed and is added in SE Linux. However, the interesting point here is that the basic structures needed to be able to add MAC are already in Linux but not in Microsoft systems. This means Linux systems already have a higher security standard "out of the box" than Microsoft. Plus, I doubt even the US NSA can get source code to any Microsoft OS without paying dearly and then signing a raft of Non-Disclosure Agreement documents.
So, go ahead and patch those Microsoft Windows 7 systems and then keep on worrying they will be cracked anyway. I think I will put off my Mandriva updates until after I take care of our Microsoft clients and their monthly "Patch Tuesday" requirements … maybe I'll update my systems in December.
Edit Sun Sep 12 21:30:41 CDT 2010: Change the first sentence in the second paragraph based on an accurate observation of the wording by a reader.