XP more secure for the average user?


malic
06-27-2003, 09:20 PM
Okay, I will probably get flamed, but here it goes... I have been wondering lately how insecure XP really is compared to linux. I am sure this has been talked about a million times, but I couldn't find anything about it.

Basically I just want to know why XP gets the label of being so much more insecure than linux. I am not talking about microsoft spyware, or auto-updates.... I am talking about actual exploits. Also, just let me note that I am talking about your everyday user, not a web server, etc...

Now, I have XP on my laptop, but I run RH9 and Debian on my network, and it seems like I am patching a new sendmail buffer overflow flaw, etc., every day on my linux machines. But the last time I did anything on XP was upgrade to service pack 1 because of the upnp exploit. And that is the last time I touched the laptop with a patch for anything.

Another thing I have noticed are my firewall logs. Just as a test, I left a few ports open on all my machines this week and watched what people did when scanning them.

Every time the XP machine was scanned (and it was easy to notice it as windows because I left port 139 open), it was just left alone after the scan. Nobody ever came back to it. But, more than once, when the linux boxes were scanned I watched people try exploit after exploit on me.

So basically I just want to know why XP is laughed at and called insecure when it seems that there are new exploits for linux popping up every day that you have to patch, but windows is just every once in a while. Granted, linux patches come out as soon as the exploit is found and XP patches take ten years, but still...

Isn't your average user going to be safer on XP?

ps - I am not trying to start a flame war here, I seriously want to know. Thanks. . .

bazoukas
06-27-2003, 09:24 PM
OS related security flaws are not the same as application related flaws.
Take a look. Most patches are for 3rd party software.

Difference is, they get fixed and fixed fast no matter if it's a security hole of the OS itself or an app security hole.


Not all Free software is good software because not all software is good software.


And if the average user is safer with XP?

Well the answer is simply............no.

stiles
06-27-2003, 10:25 PM
Well sendmail blows ;) Now why in the world would you be running sendmail on debian, it isn't the default and you would have to make an active choice to use that MTA which has a poor security record. More and more distros are changing the default MTA to something other than sendmail. Exchange doesn't have much better of a record compared to sendmail. I can remember Exchange having an SMTP buffer overflow, an IM buffer overflow and an LDAP buffer overflow. Did you have filesharing turned on when you exposed 139? If you didn't then there was no test. How are you seeing what attempts have been made to exploit different services during your test? Could it be you have more experience reading UNIX logs? I would give this more credibility if the method of seeing what attempts were the same for the two different OS', something like running snort on a hub that is connected to the internet and the test box. BTW just because you see an attempted exploit on your Linux boxes does not mean that the exploit has anything to do with a Linux exploit. I have seen tons of IIS worms try to hit apache.

El_Cu_Guy
06-27-2003, 10:56 PM
Originally posted by malic
Now, I have XP on my laptop, but I run RH9 and Debian on my network, and it seems like I am patching a new sendmail buffer overflow flaw, etc., everyday on my linux machines.

Let me get this straight. Are you talking about an average user's box or servers? Ranting about services that don't have any bearing on a desktop installation is very typical. Typical of flamebait.

By the way, if you're upset with sendmail then use something else.

Originally posted by malic
But the last time I did anything on XP was upgrade to service pack 1 because of the upnp exploit.

I've read this post somewhere before. Gee, where was that? Ade-something. Service Pack 1 contains numerous patches above and beyond UPnP. Flamebait X2.

Originally posted by malic
Everytime the XP machine was scanned (and it was easy to notice it as windows because I left port 139 open), it was just left alone after the scan.

Port 139, NetBIOS Session (TCP), Windows File and Printer Sharing. Leaving this port open but failing to run such a service does not leave your box vulnerable to an obvious attack. Flamebait X3.

Originally posted by malic
But, more than once. when the linux boxes were scanned I watched people try exploit after exploit on me.

You seem to have forgotten that you mentioned earlier that your Linux boxes run quite a few services. Amazingly you still wish to compare them equally as desktop systems. These ports are open and running services. Why not paint a giant target on your case? Flamebait X4.

Originally posted by malic
So basically I just want to know why XP is laughed at and called insecure when it seems that there are new exploits for linux popping up everyday that you have to patch, but windows is just every once in a while.

Try to keep up. Numerous patches available for download are merely for additional software which runs on Linux. Unlike Windows, everything isn't so interconnected that it's hard to tell where one piece of software ends and the other begins. This argument comparing the number of patches available for Linux distros has long since been debunked. Flamebait X5.

Originally posted by malic
Isnt your average user going to be safer on XP?

Hell no!

malic
06-28-2003, 01:13 AM
Well... in typical justlinux fashion all you guys did was come in seeing the words "better" and "xp" in the topic and b****.

Like I said, I was looking for some opinions, not a linux defense.

Now, if you bothered to read my post, I use redhat and debian... I run sendmail on redhat, not debian. And I never said I was upset with sendmail... I don't mind installing patches.

As for the logging method I used... just simple logs from my firewalls, notice I never said I shut them down. I opened some ports, but still logged them. I also used netcat, etc...

And last, I am talking about default desktop installs... and the last time I looked redhat installed sendmail even on a desktop install... not only that, it runs at startup by default. The average user, who is new to linux isn't gonna know this... the only service I have running that was not in the default install is httpd. If you don't believe me, install rh9 on a fresh system (as a desktop install) and then run nessus against it. See how secure that desktop install really is.

Anyway, I am not going to get into a debate with you a******. If anyone cared, I like linux 100x's better than XP. I was just stating a question that has been on my mind...

This question actually had some good, thinking, logical talk over at linuxquestions.org

Good day.

stiles
06-28-2003, 03:14 AM
Originally posted by malic
Well... in typical justlinux fashion all you guys did was come in seeing the words "better" and "xp" in the topic and b****.

Actually if you read my post you would see I questioned your testing methodology and I still do. That is legit. I also never insulted you, and I never weighed in with my opinion.


Originally posted by malic
Now, if you bothered to read my post, I use redhat and debian... I run sendmail on redhat, not debian. And I never said I was upset with sendmail... I dont mind installing patches.

I did read your post, and I never said anything about you and your willingness to keep your system updated. I am saying that I have a problem with sendmail (regardless of platform, MS included).

Originally posted by malic
As for the logging method I used... just simple logs from my firewalls, notice I never said I shut them down. I opened some ports, but still logged them. I also used netcat, etc...

Let's see your NAT and related logging rulesets! I don't think you can tell the difference between a legit connection and an attempted exploit as you have claimed. Netcat only shows connections; how does that help?

Another thing: if your firewall is Linux based and a cracker fingerprints it but you are passing the connections via NAT to a Windows box, the cracker will be trying Linux exploits on a Windows box. Like I said I question your methodologies, don't take it so d*** personal.

Originally posted by malic
And last, I am talking about default desktop installs... and the last time I looked redhat installed sendmail even on a desktop install... not only that, it runs at startup by default. The average user, who is new to linux isnt gonna know this... the only service I have running that was not in the default install is httpd. If you dont believe me, install rh9 on a fresh system (as a desktop install) and then run nessus against it. See how secure that desktop install really is.

And the average user will use IE, which has had how many exploits? How many exploits has Outlook (Express) had (another program run by the average user IIRC)? How brain dead has the whole ActiveX controls been when it comes to security? I'll bet you a dime to a dollar more computers have had some kind of security breach based on ActiveX controls than sendmail (even though I deplore sendmail).

BTW I haven't run RH since '99, please don't assume otherwise.

Originally posted by malic
Anyway, I am not going to get into a debate with you a******. If anyone cared, I like linux 100x's better than XP. I was just stating a question that has been on my mind...

Well your methodologies are questionable, and thanks for the insult.

Originally posted by malic
This question actually had some good, thinking, logical talk over at linuxquestions.org


AWWWWW I'm so touched by the love fest!


So if you want a real intelligent discussion you should first clearly explain your testing methodologies and show your results, otherwise how can there be any peer review? What services did you expose on both OS'? Were there any common services between the two? When you set up the NAT rules were the listeners up on the tested OS'? What do your NAT rules look like? What do your logging rules look like? What are the variations between a simple connect scan and the "exploits" you have witnessed (also include legit connections ;) )? Post raw data if you can.

BTW I’m still not going to weigh in with my opinion on this subject ATM.
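The methodology question above (can a firewall log alone separate a port sweep, repeated attempts on one service, and a lone connection?) can be made concrete with a small log classifier. This is an added example, not code from anyone in the thread; the iptables-style log lines and the thresholds (a sweep is five or more ports hit once each, repeated connects are three or more hits on at most two ports inside ten minutes) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines in 2003-era syslog form (not real captures).
# 203.0.113.5 probes six ports once each, 198.51.100.7 hits port 25 four
# times in about a minute, 192.0.2.77 makes a single connection to port 80.
SAMPLE_LOG = """\
Jun 27 21:03:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40101 DPT=21 SYN URGP=0
Jun 27 21:03:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40102 DPT=22 SYN URGP=0
Jun 27 21:03:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40103 DPT=25 SYN URGP=0
Jun 27 21:03:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40104 DPT=80 SYN URGP=0
Jun 27 21:03:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40105 DPT=111 SYN URGP=0
Jun 27 21:03:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40106 DPT=139 SYN URGP=0
Jun 27 21:40:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Jun 27 21:40:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51001 DPT=25 SYN URGP=0
Jun 27 21:40:31 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51002 DPT=25 SYN URGP=0
Jun 27 21:41:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51003 DPT=25 SYN URGP=0
Jun 27 22:15:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=33000 DPT=80 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2003):
    """Extract timestamp, addresses, protocol, port and SYN flag; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"]), "syn": " SYN" in line}


def classify_source(events, sweep_ports=5, repeat_hits=3, window_s=600):
    """Label one source's SYN attempts; thresholds are illustrative assumptions."""
    syns = sorted((e for e in events if e["syn"]), key=lambda e: e["ts"])
    if not syns:
        return "no-syn"
    per_port = defaultdict(int)
    for e in syns:
        per_port[e["dpt"]] += 1
    span = (syns[-1]["ts"] - syns[0]["ts"]).total_seconds()
    # Many ports touched once each inside the window: a port sweep.
    if len(per_port) >= sweep_ports and max(per_port.values()) == 1 and span <= window_s:
        return "port-sweep"
    # Returning again and again to one or two ports: repeated connects.
    if len(per_port) <= 2 and max(per_port.values()) >= repeat_hits and span <= window_s:
        return "repeated-connects"
    return "isolated-connect"


def summarise(log_text):
    """Group parsed lines by source address; returns {src: (label, sorted ports)}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    return {src: (classify_source(evs), sorted({e["dpt"] for e in evs}))
            for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, (label, ports) in summarise(SAMPLE_LOG).items():
        print(f"{src:15} {label:18} ports={ports}")
```

The labels only describe connection patterns: whether the four hits on port 25 were a legitimate mail relay retrying or an exploit attempt is invisible without the payload, which is why the post asks for a packet capture rather than firewall logs.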

sharth
06-28-2003, 03:46 AM
hmm.. I'm just going to throw in my few cents. First off, if you have a decent package manager, you should be able to simply update your linux boxes to a more secure version if something is released. I know that in debian (assuming you're running stable), you can just make it a cron job and not even worry about it.

With windows though, there are vulnerabilities released. I know that if I run this code in a webpage, (in the head part), it will crash ie. <input type crash>, that's all it is. Now, this is what I can then do. Say I found out of some exploit on some system, doesn't matter what, but I had access to quite a few webservers. Run a script to exploit it, and in all index.* files, put that line in there. Now what's going to happen. A ton of ie clients are going to start crashing. A lot of web-hosts probably won't notice since there was no defacement (normally visible at least), and well, they wouldn't notice for a day perhaps.

Now, who would be deserving of more blame. The web-server software for having the hole that led me to take over the web-root, or the internet client (ie in this case), which took code that should not have crashed it, and did. In my opinion, both would be responsible. However, the ie bug is known, yet not patched. If the web-servers were iis, then we would be dependent on microsoft to release a patch, and then go through all that. If it's apache or whatnot, anyone can write a patch. Anyone (with the knowledge, but they have the ability to). This is why we get more bug fixes. What microsoft does is they just get a bunch and release it as one big fix. However, in the mean time, we have exploitable holes. (By the way, the above hole has been out for a really long time, and still isn't fixed.)

oh, and on the whole service pack idea... http://support.microsoft.com/common/canned.aspx?R=d&H=List%20of%20Fixes%20in%20Microsoft%20Internet%20 Explorer%206%20SP1&LL=&Sz=kbIE600sp1fix&Fr=&DU=&SD=GN&LN=EN-US&CND=1&VR=&CAT=&VRL=&SG=&MaxResults=150

and then to just throw out some meaningless numbers from packet storm archive....
iis = 293
apache = 246

do realize that those 2 numbers are purely meaningless.

Before I get to the rest of this, do realize that I have no personal experience with xp, so I could be wrong. However, most, if not all, of what I say should be true for at least 2k.

And now to the desktop issue. A linux box and a win-xp box are both equally securable. How is this possible? Disconnect them from the internet. But on a more realistic note, the main thing with linux is the user separation. Staying away from the whole root exploit stuff, what happens is that user joe can't delete the whole hard-drive. What joe can do is screw up his account. But he can't screw up his sister's account, or the root itself. In windows, well, joe can delete all of his sister's files if he feels like it, and sister can do likewise. As well as this they can delete the whole drive. From some infomercial (tv sales channel thingy), supposedly windows now has separate user accounts. But I don't know about the root access. The main reason I am going into that is because of viruses. Virus A can't kill everything on a linux box because joe didn't have permissions to do that. On the windows box however....

Another thing, just along the above lines, is that on windows, you basically are always running as root / admin.

hmm..

El_Cu_Guy
06-28-2003, 05:59 PM
sharth --

Windows XP is supposed to prevent anyone from deleting system files.

Alex Cavnar, aka alc6379
06-28-2003, 08:41 PM
Originally posted by El_Cu_Guy
sharth --

Windows XP is supposed to prevent anyone from deleting system files.

And it does-- so long as you're running NTFS.

But I've seen systems from manufacturers come with Windows XP installed, but it's on a FAT32 partition. While this may not be the norm, it throws the whole idea of user separation out the window, as there are no privilege/permission levels available to you on a FAT32 filesystem. Some early release Dell models had this "feature" if I recall correctly...

...And for my two bits: Both Windows and Linux can be equally secure for the "average" user. If you set up either with no TCP ports open, meaning no server-type services running on a workstation/home-type machine, you'll patch many security holes that people complain about in Linux. With Windows, don't run any version of Windows before Windows 2000, and run those newer OSes on NTFS filesystems. Since Linux already has user/privilege separation, this isn't an issue, but with Windows 9x/ME, you're always running as the superuser, which leaves you open to the oft-lamented stupidity of the average user when it comes to virus safety and the ilk. Windows 2k/XP running NTFS ensures at least a little bit better safety. The only problem with Windows XP, though, is that when you create a new user, they're automatically set up as an administrator. Any files you create on an NTFS partition also come with read/write/execute/delete by Everyone permissions by default as well.

But, that's all I'm going to say about that, as I feel the posts which precede this one spell it out fairly well. The last thing I'll say is this. This thread's a discussion about system security, not a platform for personal insults. I'll be editing out the profanity in this thread, and if I see any more in it, I'll have to close it down.

sharth
06-28-2003, 11:59 PM
I did say up there that I had no personal experience with windows xp :)

And there's the fact that more often than not (again, may not be true for xp), the user running is admin, which throws any separation out the window. In linux (excepting lindows), generally, root usage is limited.

authority
06-29-2003, 12:33 AM
I'm not here to say anything bad about xp or anything bad about linux. I'm completely new to linux, and have been using it for about a month. I'm trying to learn as much as I can. Right now I'm using redhat9, and I use the redhat update agent for new fixes. For a person like me that doesn't know much about linux, would linux be safer/more secure than windows xp (using something like zonealarm pro)? To tell you the truth, I don't know if I have processes running that aren't supposed to be, and if I have any holes in my system.

I know you guys will probably say linux again, but then I guess I'm wondering how I can find out if I have exploits in my system.

p.s
I'm not going to stop using linux.

malic
06-29-2003, 01:02 AM
authority,

I would suggest first downloading the firewall firestarter, it uses iptables and has a nice GUI that lets you configure your firewall. When you close the window you can either have an icon in your system tray and it will give you real time alerts, or you can simply close it and it will run in the background.

As for services in RH9, it will install a few things by default that you will want to disable like sendmail, portmap (if you don't need it), sgi_fam...

You can disable these services by going to:

system settings -> server settings -> services

And then just uncheck the unwanted services and they won't start up the next time you reboot.

Also watch for emails from the redhat network.

spiderbaby1958
06-29-2003, 01:42 AM
If you start a thread asking if XP is "more secure", why shouldn't you expect responses couched in terms like "better" and "safer"?

I don't know a lot about this, but for me the security issue with XP is the access to my hard drive that Microsoft claims with its EULA. The potential hackers that I distrust and resent most are Microsoft and the other vendors (e.g. RealOne) who claim the right to hack into my system. By signing on to these odious agreements, I lose my rights, which are even more important to me than my hard drive. At least the other hackers have the decency to know when they're acting like criminals.

That said, I'm sure there are steps you can take to secure your system under linux. God knows enough has been written about it. Check

http://www.oreilly.com

for openers.

deanrantala
06-29-2003, 07:49 PM
As someone who works with Windows machines on a large scale, I can say this:

1) I experience viruses on windows machines like you find leaves on the ground on a daily basis. Antivirus does help the majority of this, but it is still a very prevalent problem. I have not once experienced virus problems on linux. I do realize that they are out there, but they never quite seem to be anywhere near as bad as XP.

2) XP does seem to do a better job of setting defaults for its services on a new install - making it somewhat more secure in that manner. But it seems that where MS has excelled in one area, they have let you down in another: Internet Explorer and Outlook. And while I won't directly say anything about MS and their spyware, what do all these back doors leave for people with ill intentions (besides MS)?

3) While I might not be an expert on this, it seems to me that linux can be secured much better than XP, however XP makes it easier to do so.

I am still learning much about networking, but I have done this experiment: I took LANguard network scanner on a Win 2000 machine and scanned every computer here at my house, which consists of one XP box, 2 mandrake machines, and a slack box. Keep in mind that I do not know that much about this stuff yet, but here was my finding. Of every machine that I scanned, I tried simply browsing the open ports with LANguard's browser feature. I was able to browse more stuff on the XP box than what linux let me (except for one of the mandrake machines). Like I said, I don't even know that much about this stuff, but I was able to actually browse the entire drive of the XP box - and it's running Norton firewall.

Nonetheless, I think if MS would dump the spyware and *focus* on users security rather than their own, it would be a pretty secure platform.

zdude255
06-29-2003, 08:35 PM
Take a look at some of these exploits.

Many of them are critical, IE executing commands via IE and html w/o ActiveX.

http://security.greymagic.com/adv/gm001-ie/
http://www.cnn.com/TECH/computing/9909/06/activex.idg/
http://www.artzign.worldonline.co.uk/ievun.html

I don't think any of these problems have been fixed. Note that these affect Internet and email, two things that "average users" use a lot, if not the most.

nextbillgates
06-29-2003, 10:50 PM
Both Windows XP and Linux can be locked down quite well if someone knows what they're doing, but Linux wins hands down for the average user.

First and foremost, Windows XP doesn't make it easy to create a non-administrator. There is a restricted user, but it's so restricted that most users I know simply opt to run as an administrator. Microsoft recommends that users create their own day to day account and use the administrator account, but they don't mention that it should be a restricted user, or the dangers associated with running as administrator. Indeed, the user account Windows XP makes you create during startup has administrator permissions. There are more user types with varying degrees of permissions in Windows XP Pro, but they're hidden in the Administrative tools. I would never expect the average user to find them. Also, Windows XP doesn't care whether the user's password is weak, or there is even a password at all.

Most Linux distros, on the other hand, have the user create a regular user on install. If the user doesn't want to create a user, or if the user wants to use a weak password for root, most distros explain very clearly the dangers of doing so. Linux distros aren't crippled by running as a restricted user, and most ask for a root password when it is needed, rather than silently failing as Windows does. If the user attempts to run as root full time, most distros, as well as a large number of programs within that distro, will warn the user that running as root is dangerous.

Then we move on to the two most commonly used applications, a web browser and email client. Windows comes with Internet Explorer and Outlook Express. I don't think I need to elaborate on how incredibly vulnerable both programs are. The danger both programs pose to the system are greatly increased by the fact that your typical Windows XP user is running as administrator.

Linux, on the other hand, has a variety of solid clients which are nowhere near as exploitable. Running as a regular user rather than as root just makes it that much more secure.

Viruses are a big thing as well. Thankfully, Joe User realizes the importance of a virus scanner, but there is no guarantee that he will keep the virus signatures updated. This gives the user a false sense of security. Also, Windows virus scanners are becoming less effective due to the speed of virus propagation. By the time the virus scanner's signatures are updated, the virus has already done major damage.

One area where I think Windows XP excels at for the average user is automatic updates. Windows will nag the user to apply critical updates and service packs. Most Linux distros have automatic update programs that are significantly more powerful, but aren't as obnoxious and "in your face" as automatic updates. This doesn't make up for its faults, though.