Still think Microsoft is the buzzing corpse of vulnerabilities? Check OSVDB

I just recently finished a two-day Java Security seminar gig for network giant Cisco, and as is usual when the topic of security comes up, there were a few jokes primarily at Microsoft’s expense. A little voice nagged me at the back of my head, though, warning me that I probably shouldn’t laugh at the jokes (much less perpetuate one or two), as I know anecdotally that the guys at Microsoft are pretty serious about locking things down; witness the XP SP2 release, for example, the first time in the company’s history that they’re willing to break users in exchange for a more secure system.

At the time, I sort of shrugged off that insistent little voice, but it sort of kept at me for a while as I drove home. Finally, as I was cruising through my neglected set of RSS feeds, I noticed that I was still subscribed to the OSVDB RSS feed, a list of security vulnerability announcements that I’d subscribed to a while back to sort of keep an eye on how things were going in the world around me. (For those of you who aren’t familiar with it, OSVDB is a group of volunteers–as I understand it–who find and track security flaws in lots of products, Microsoft and otherwise, business and otherwise.) I figured, "Maybe a sort of summarization of what the ratio of Microsoft-to-others flaws will put some of this in perspective."

Ready for this? For the week of 11/29/2004, for example, there were 12 Mac OS/X, 3 Cisco, 3 Kreed (whatever that is), 1 Solaris, and 1 VMWare vulnerabilities found, among others. Note the lack of Microsoft in that list.

For the week of 11/22/2004, CMailServer was listed 4 times, Star Wars Battlefront twice, Soldier of Fortune II once, Apple iCal once, PHP once unless you count PHPNews as well (which makes it twice), and BNC IRC Proxy twice, among others. Again note the lack of Microsoft in that list.

In fact, for the period of 11/20/2004 stretching back to 11/1/2004, I counted 78 listings, and Microsoft was mentioned just once. Sun was mentioned more often, in fact: once for a DoS vulnerability in their app server, once for an information disclosure vulnerability when an XSS attack triggers TRACE requests, a Solaris SNMP vulnerability due to a hard-coded string that has read/write access to an SNMP agent, and a JRE vulnerability that leads to DoS if an attacker can get JNDI to return more than 32k records for a DNS request. PHPNuke got particularly blasted during those three weeks, with 6 vulnerabilities listed.

My point?

    Microsoft isn’t as much the hotbed of vulnerabilities as you might think; yes, they have their fair share, but the key words there are "fair share", not "lion’s share" or "biggest burden" or "crappy software". What makes their vulnerabilities so dangerous is the ubiquity of their software, not the quantity of the vulnerabilities themselves.
    Open source projects are just as vulnerable to security flaws as any other; the "thousand pairs of eyes" fallacy breaks down when you realize that most software developers simply aren’t trained to see vulnerabilities when looking at source code. Microsoft (and other vendors) are addressing this by amping up security training for their developers–what’s the open source community going to do to meet that need?
    The majority of vulnerabilities aren’t buffer-overrun attacks any more. There’s a lot of information disclosure and denial-of-service attacks that are just as bad as a buffer-overrun attack; thus, don’t assume that just because you’re running Java or .NET means your code is somehow secure against the majority of attackers out there.
    Security vulnerabilities generally arise out of a LOT of edge cases; look at the Sun app server vulnerability listed, for example:

        "Java System Application Server contains a flaw that may allow a malicious user to access confidential information. The issue is triggered when cross site scripting (XSS) is used to initiate TRACE requests. It is possible that the flaw may allow access to sensitive header information resulting in a loss of confidentiality and integrity."

    A cross-site scripting attakc has to initiate TRACE requests against the Sun server in order to yield the header information disclosure–and I’m sure that the QA guys had this one on their list, but just accidentally skipped it, right? How obscure is this? And yet, it’s something that could give an attacker enough information to compromise a system that you care about. Now THAT’s scary.
    Anybody who thinks that you can buy a firewall product and somehow "be secure" ought to be taken out into the courtyard and shot. Repeatedly. With large-caliber weapons.