Russ Cooper on Windows Security

Russ Cooper recently did a presentation to the Australian CERT analyzing Microsoft Security Bulletins. His post about that presentation is available at NTBUGTRAQ.
Microsoft PR has been comparing patch counts for Microsoft operating systems and other OSes to demonstrate that the computer security initiative is working. The problem is that "number of patches" only tells part of the story. A single patch often takes care of multiple vulnerabilities (see MS04-011 for one example). You really need to break it down by vulnerability to get an apples-to-apples comparison. That is the meat of Russ's demo.
Russ's method fails to take into account vulnerability severity. He does, however, avoid a common pitfall where browser, web server and operating system vulnerabilities are all lumped into one category.
Russ’s conclusion is that vulnerabilities stay in Microsoft code. When a vulnerability comes out it is often for NT4, 2000, and 2003. He says generally when a vulnerability does not occur in 2003 it is not because the code was cleaned up, it is because of improved configuration to avoid specific problems. Thus those who upgrade versions for security reasons are not gaining the improvement they seek. They could just as easily configure an earlier version in a secure manner in his opinion.
I think that some of his comparisons are unfair. When you compare the first x days of Windows NT4 to Windows 2003 you do a disservice to Windows 2003 when you conclude they have the same number of vulnerabilities. The full story would point out that Windows Server 2003 is a major target for the anti-Microsoft crowd. NT4 was a little more under the radar.
Russ had a slide in his presentation which reads "older is better". I hope in his presentation he articulated that he meant only in terms of vulnerability numbers. Newer versions have new security tools that make them easier to configure. Newer versions have improved features and stability. Of course Russ would reply that the new features are just new security opportunities. I can't see anyone saying older is better unless they are talking about wine.
I am afraid that Russ's analysis that "newer versions have more vulnerabilities than older versions… it is not getting better" will become the new chorus for the uninformed Microsoft basher. Russ isn't a Microsoft basher, but I don't think he is presenting the full security picture when he reduces "better" to vulnerability numbers, particularly vulnerability numbers outside the context of severity. (He says he considers exploitability, but he only seems to do that with IE.)
Russ cites a TruSecure survey which states that unless you achieved 100% patching for Sasser you were in a worse state than if you hadn't tried patching at all. That seems counterintuitive, particularly when he goes on to say that 100% patch compliance is not verifiable. Perhaps he meant to say that corporations not focused on patching as their sole security solution were able to lessen the effects of Sasser through other security means. Or perhaps they just got lucky.
He also oddly states that too much effort is being expended on keeping IE patched. He states that there have only been two widespread attacks involving IE vulnerabilities. Certainly there is great fear of IE vulnerabilities because port 80 is not protected the way other ports are. I think it is a worthwhile fear based on the number of JavaScript exploits I see detected by antivirus in the browser cache. I also think there is a lot of phishing (which can use a browser exploit to hide the true address if you are not patched). Further, I think a lot of spyware gets in through IE vulnerabilities. Perhaps Mr. Cooper would like to share with us the "secure" IE configuration he uses that makes patching unnecessary.
I would recommend reading this article. It is always important to get new viewpoints particularly when they are not from a rabid anti-Microsoft basher. He raises some good points about patching numbers from Microsoft that you should be aware of so you are not snowed by PR.