CSCD 303Essential Computer SecuritySpring 2013

Lecture 8 - Desktop Security

OS Security ComparedReading: See References

Overview• Briefly, Overview of Linux Security • OS Vulnerabilities• Linux• Windows• Max OS X

National Vulnerability Database National Vulnerability Database

Classifies and organizes reported vulnerabilities for various software programs and systems

Mitre has the contract to maintain this database

http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

You can search this database for all the vulnerabilities associated with a system

Evaluation: Windows Vs. LinuxVulnerabilities• The United States Computer Emergency Readiness Team

(CERT) uses its own set of metrics to evaluate severity of any given security flaw

• Query CERT vulnerabilities notes database for “Windows” and “Linux” keywords to examine metrics for 40 most recent reported vulnerabilities

• A number between 0 and 180 expresses final metric, where number 180 represents the most serious vulnerability

• The ranking is not linear– In other words, a vulnerability ranked 100 is not

twice as serious as a vulnerability ranked at 50• CERT considers any vulnerability with a score of 40 or

higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert

CERT: Query Result for Keyword “Microsoft”

CERT: Query Result for Keyword “Microsoft” (continued)

CERT: Query Result for Keyword “Linux”

CERT: Query Result for Keyword “Linux” (continued)

CERT: Evaluation of Query Results for Microsoft and Linux• CERT web search capabilities do not produce

perfectly desirable results in terms of granularity or longevity

– Especially True for Linux• The “Linux” search results include a number of Oracle

security vulnerabilities that are common to Linux, UNIX, and Windows

– In Top 40 CERT results for “Microsoft”, • Top entry containing the severity metric of 78• 5 entries have a severity rating of 40 or greater

– In Top 40 CERT results for Linux• Top entry containing the severity metric of 26.52• None other entry have a severity rating 27 or greater

Vulnerabilities http://blogs.zdnet.com/security/?p=758• Recent years, lots of comparisons – 2007 brought improved security with

Windows Vista and Mac OS X Leopard – Compiled security flaws in Mac OS X and

Windows XP and Vista and placed them side by side– Vulnerability statistics from third party vendor

Secunia and broke them down by Windows XP flaws, Vista flaws, and Mac OS X flaws

Table of Flaws Windows vs. MacWindows XP, Vista, and Mac OS X vulnerability stats

for 2007

XP Vista XP + Vista Mac OS XTotal extremely critical 3 1 4 0Total highly critical 19 12 23 234Total moderately critical 2 1 3 2Total less critical 3 1 4 7Total flaws 34 20 44 243Average flaws/month 2.8 1.7 3.7 20.3

Analysis of Data• Apple had more than 5 times number of

flaws per month than Windows XP and Vista in 2007–Most of these flaws were serious– This seems to go against conventional

wisdom• Noteworthy ... –Windows Vista showed fewer flaws than

Windows XP, Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren’t present in Windows XP

Update - Pwn2Own 2009• Want to guess the results of 2009?– Charlie Miller has done it again– 2nd consecutive year, security researcher hacked

into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser

– Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine

– Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

http://www.zdnet.com/blog/security/pwn2own-2009-safarimacbook-falls-in-seconds/2917

Current results beyond 2009 https://en.wikipedia.org/wiki/Pwn2Own

Microsoft Vulnerabilities

http://www.sans.org/top-cyber-security-risks/#trends

• September 2009• Over 90% of the attacks recorded for Microsoft

targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067

ReferencesThe Register Security Report: Linux vs. Windowshttp://www.theregister.co.uk/2004/10/22/

security_report_windows_vs_linux/#execsummaryhttp://blog.loaz.com/timwang/index.php/2008/03/30/

security_vulnerability_showdown_mac_os_v Security vulnerability showdown, Mac vs. Linux vs. Ubuntuhttp://blog.loaz.com/timwang/index.php/2008/03/30/

security_vulnerability_showdown_mac_os_vIBM report: Vulnerabilities still going unpatchedhttp://news.cnet.com/8301-1009_3-10154662-83.htmlMac versus Windows vulnerability stats for 2007http://blogs.zdnet.com/security/?p=758

The End