Microsoft on Wednesday clinched Common Criteria security certification from the US government’s National Information Assurance Partnership for six versions of its flagship Windows OS. At the Security Summit East here, Microsoft announced that all the products earned the EAL 4 + (Evaluation Assurance Level), which is the highest level granted to a commercial product.
“So, if a product is ISO 15408 (Common Criteria) certified, does that mean it is very secure? Let’s take an example of Microsoft Windows 2000. It is an ISO 15408 certified product but regular security patches for security vulnerabilities are still published by Microsoft for Windows 2000. This is possible because the process of getting an ISO 15408 certification allows a vendor to make certain assumptions about the operating environment and the strength of threats, if any, faced by the product in that environment. Based on these assumptions, the claimed security functions of the product are evaluated. Since Microsoft Windows 2000 has been ISO 15408 certified, it should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration, specified by Microsoft. Whether you run Microsoft Windows 2000 in the precise evaluated configuration or not, you should apply Microsoft’s security patches for the vulnerabilities in Windows 2000 as they continue to appear. If any of these security vulnerabilities are exploitable in the product’s evaluated configuration, the product’s ISO 15408 certification should be voluntarily withdrawn by the vendor. Alternatively, the vendor should re-evaluate the product to include application of the patches to fix the security vulnerabilities within the evaluated configuration. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product’s ISO 15408 certification by the Certification Body of the country in which the product was evaluated. The fact that Microsoft Windows 2000 remains an ISO 15408 certified product, without including the application of any Microsoft security vulnerability patches in its evaluated configuration, shows both the limitation and strength of an evaluated configuration.”
http://en.wikipedia.org/wiki/Common_Criteria
Which is a great example of the bias and hacked writing of wikipedia, alas.
Seems spot on to me. Where’s the problem?
Yeah, and in 10 seconds you will say that Windows 2003 is as secure as OpenBSD …
Is it?
Why? What’s incorrect about it?
Microsoft announced that all the products earned the EAL 4 + (Evaluation Assurance Level), which is the highest level granted to a commercial product.
Let’s be sincere, how much did Microsoft pay to each of the US government’s National Information Assurance Partnership???
Microsoft, instead of paying big bucks in order to get some certs, what about investing some money in good engineering projects and good quality products?
Let’s be sincere, how much did Microsoft pay to each of the US government’s National Information Assurance Partnership???
Likely no more than Sun, Red Hat, Oracle, and others, and probably no more than they did for Exchange 2003, ISA Server 2004, and Win2k Pro and Servers.
For those interested, the technical reports are available here:
Windows XP / Server 2003 Common Criteria Evaluation Technical Report
http://www.microsoft.com/downloads/details.aspx?FamilyID=63cf2a1e-f…
Windows Server 2003 Certificate Server Common Criteria Evaluation Technical Report
http://www.microsoft.com/downloads/details.aspx?FamilyID=a594e77f-d…
and a whitepaper here:
http://www.microsoft.com/technet/security/prodtech/windowsserver200…
Okay, I’ll bite…
I was one of the engineers who worked on the CC eval for W2K3 and XP. What a lot of people don’t understand is what the CC is really intended to do. It’s designed to evaluate the security DESIGN of an application, not necessarily the implementation. (At least, at this EAL. At higher EALs there are requirements for vulnerability assessments, etc.) This involves security checking when performing security-related actions, and then audit logging these actions appropriately. However, if a buffer overflow vulnerability exists 2 lines before this security check, that is not within the scope of this particular evaluation.
To all the open-source fanatics out there who criticize Microsoft code, let me tell you: Microsoft writes some damn good code. Not only that, it is FAR more complex than you would think. In addition, it’s relatively well architected, so the pieces fit together quite well. Are there security holes? Of course. Any application or OS of that size is going to have security holes. Is Linux more secure just because it’s open source? No. Linux is generally more secure because it lacks the complexity and many of the features of W2K3.
Now, some discussion has been made regarding the scope of the evaluation itself. It is true that Redhat et al. have/will have their products certified at EAL 4 as well. However, it’s important to note the difference in what the eval covers. With Redhat, I don’t believe it included any sort of centralized authentication. W2K3’s eval included Active Directory. Smartcard authentication? Not in Redhat. So, it’s important to note that just because 2 products are evaluated at the same EAL, they’re not necessarily equal.
“Microsoft writes some damn good code.”
So why do I simply have a .doc screwed up, like 20 years ago, when I pass it from one machine to another? More than with Open Documents? How damn complicated would it be to preserve a layout? Or, while you have no competition because of the 040 1234567 magic activation code of Office 97 that let you conquer the monopoly in Office suites, will you continue responding that I should not expect a document editor to preserve the layout on another machine, even with the same version/patch level of the same damned application???
Why is XP’s DNS so damn flawed that if I don’t specify the DNS server an XP machine will thrash for 5 minutes before logging into a 2K server domain?
Why should a Windows server running Terminal Server be rebooted weekly or more to be stable?
Why for years did MS use Vigenere crypto (xor with “Netscape programmers are weenies”), which was considered outdated since the beginning of the 20th century (Vernam’s studies are from 1911)?
Why are some passwords in Office formats saved in the clear in the document, where they can be trivially recovered with a hex editor or a silly recovery program?
Why was IE development frozen for years, making it the most flawed browser in the world? (same thing for Outlook and OE)
Why in 20 years can I not have a decent command line comparable to x* under Windows?
Why in 20 years haven’t you released a decent bundled IDE for Windows like XCode for OSX and KDevelop for Linux?
Why in 20 years haven’t you released a decent image editor?
Why was the old Media Player of the 98-NT4 era capable of saving videoclips, while now with the new DRM features of the newer Media Player I’m no longer able to take even screenshots??? Not to mention the lack of features compared to a free product, VideoLAN VLC!
Why can I easily connect machines with VNC without caring about the OS, while your remote desktop is so shy?
I won’t call it “great code”
You make some excellent points here!!!
Never seen this issue.
Also, never seen this issue.
I never have to reboot my server (which runs terminal clients 24/7, amongst many other things). But I am on Server 2003
Can’t honestly say I know what you are talking about here so I’ll move on.
Because it’s just a simple password system. They do have a more fully functional system, with a server and such to track the documents, DRM them, etc…
IE development froze because 1) Nobody was anywhere near IE for quite some time, and 2) Because they got lazy. Outlook development was never frozen, though; OE was, as it is considered part of IE.
No IDE because they would probably get in trouble with the DOJ. BUT, they do now offer a VS Express, which is pretty nice.
What do you mean by decent image editor? Paint is for basic functionality and not really meant for image editing. There are other things (available for free from MS), but they would also get in trouble for shipping these with the OS.
You can actually take screenshots of movies, you have to disable the hardware acceleration feature though. This is in no way, shape or form DRM.
Because remote desktop uses the RDP protocol, which is only available on Mac (client only) and Windows.
There are maybe 2 good points here (not really points either). The rest is because you didn’t know how to go about doing these things.
Much of his criticism has nothing to do with well-written or “good code” either. He just went off on a tangent about what about Windows he hates.
Ok, you are telling me that you get a .doc perfectly paged on different machines.
So I can expect you to say anything else more credible, like you have found the way to invert the universe’s entropy, you are Santa Claus, you have the proof of the alien conspiracy etc…
Maybe I’m not understanding what you are trying to say but…
All my contracts and such (which I use daily for business) are in .doc, and I don’t have problems opening them on any system. Both on Word, and OOo.
“All my contracts and such (which I use daily for business) are in .doc, and I don’t have problems opening them on any system.”
a) usually, contracts are sent in .pdf format, with real encryption against modifications (that’s not hoping that other people don’t have a .pdf ripping tool, it’s an option of the format, well implemented using serious crypto)
b) come on, are you joking? did you ever notice that on different systems, even with (apparently) the same version of every piece of software, .docs are paged in different ways (different layout i.e. different page breaks, different ends of lines, different distribution of the text around images and boxes, slightly different sizes of embedded graphic objects…), not mentioning the poor way they get printed. Come on, you are joking or you haven’t ever used .pdf or .od*, and since nearly anyone has used one of the two, you must be joking.
Everything I send out is converted into PDFs from a printout.
But they are all .docs on my server. I’ve honestly never seen these different page layout problems.
Are you sure you aren’t using mixed versions of Word (Word 97 with Word 2003)? While it shouldn’t really have problems with older (or newer) versions of Word, I could still see it as being what your problem may be.
“Are you sure you aren’t using mixed versions of Word (Word 97 with Word 2003)?”
Same machine.
Same OS.
Same Office version.
Same level of patches of Office, Win, IE, MDAC etc…
Does the evaluation take ignorant users into account?
“which is the highest level granted to a commercial product.”
It should be a joke, or maybe those guys from the US government’s National Information Assurance Partnership are living on another planet!!!!!
Mandriva’s supposed to deliver EAL5+ by using RSBAC instead of SELinux. (www.rsbac.org)
Now I know about the “US government’s National Information Assurance Partnership.” I only hope it isn’t sucking too many tax dollars in addition to whatever MS paid.
If you don’t connect to the Internet, don’t use IE and don’t have malicious users!
From the evaluation documents: “.. TOE is a closed environment with no connection to external network environments. Internet Explorer is not included in the TOE.” “Additionally, an assumption is made that all users and administrators within the TOE environment are trusted.”
But seriously, it is good that Microsoft can achieve this level of evaluation. And have a alerting and patching process that meets ALC_FLR.3. Just be careful interpolating to real-life environments.
“.. TOE is a closed environment with no connection to external network environments. Internet Explorer is not included in the TOE.”
OH! What kind of useless certification may it be if it’s in those terms?
MS itself claimed that today it is unreasonable to consider a PC not connected to a public network (responding to criticism about XP registration, so “today” was 2001…);
MS itself claimed that IE is an essential component of Windows 9x and NTx (responding to the antitrust interrogation about the browser’s integration), and actually MS Updates are claimed by MS to work only if you have IE installed (and if you don’t update when a new update is available you will not be certified anymore! Given the previous paragraph and common experience, would you rely on patching when the postal service sends you MS update CD-ROMs???)
“Additionally, an assumption is made that all users and administrators within the TOE environment are trusted.”
Ok, so let’s throw away 60 years of security best practices: the most dangerous attackers are inside, not outside.
So, the TOE cannot be reached from outside, the TOE is populated by totally trusted users inside… ok, the TOE may be only Winnie the Pooh’s home LAN!
Seriously, where is “informatic” security required in such an environment? If inside it’s OK and no one can enter from the outside net, a locked door on the TOE’s physical place should be enough to certify ANY system.
“EAL 4 + (Evaluation Assurance Level), which is the highest level granted to a commercial product”
EAL4 is NOT the highest. EAL7 is. the XTS-400 was the first system to reach the EAL5 certification.
Also, EAL has nothing to do with actual security. It defines a level of trust — what the user believes happens vs what actually happens. The higher the level, the more stringent the requirements, and the more trusted the system is to behave as the user expects.
EAL4 is worthless, it means essentially that you have achieved a non-demanding level of security and it boils down to a documentation review. What is also missing is the profile that it was tested under. If my memory serves me correctly Microsoft achieved EAL4 for Win2000 with a profile of “non-threatening local network”. This meant that the testing was done on a local LAN with no attempts to hack in and no Internet connection. In case you’re interested the EAL designation ranks from:
EAL0 – they showed up for the meetings
to EAL4 – non demanding documentation review
to EAL7 – very rigorous 3rd party validation
I AM NOT aware of anyone with an EAL7….
typical Micro-crap
Yeah, I can’t believe ANYone would think that Windows is secure in ANY way. I mean look at the news and you will see. I agree with some of the above posts, someone paid someone to get that. What a joke…
The only joke here is you! Your comment is dumber than a bucket of air! Just because the anti-capitalists in the news hate MS and write negative stories about them doesn’t make it true. Just because CNN says Saddam Hussein is a saint doesn’t make it so.
Windows is secure just not by default. It needs to be locked down (just like Linux). Most linux distros are not secure out of the box either and need to be locked down. The only OS I can think of that is locked down at install time is OpenBSD (but it is a pain to manage).
This is huge for MS. If they can combine the ease of use with solid security, then the linux apologists will have nothing to stand on. You watch, the linux community will do everything in their power to refute this.
That’s just marketing by OpenBSD, plus it is only true in the base install.
If you install the smallest supported install cluster of Solaris 10 you have 0 network services running; OpenBSD has sshd with remote root login. Does that make Solaris 10 more secure than OpenBSD? No, it doesn’t.
MacOS X has no remote services running by default either and that doesn’t make it the most secure either.
>That’s just marketing by OpenBSD, plus it is only true in the base install.
Apparently, you don’t know anything about the OpenBSD project…
Windows is NOT secure, even if you try to lock it down. If it is…Why the flying f**k do people need to spend money and time installing third-party apps to keep their Windows boxes in working order?
Why does a Windows box give you complete access to the WHOLE system, while other OSs limit the damage of a compromise of a portion of the system?
Why do security companies freak out when people seek alternatives like Linux/Unix/OS X/Solaris?
It’s because they ain’t part of the Microsoft “money making” train. Look how Symantec publishes the report about worms and shit that could affect OS X and Linux on a worldwide scale every year.
In reality, it’s nothing like what the report says.
Microsoft and “solid security”?
Where have you been for the last 10yrs?
Microsoft treats security like a public relations matter, by doing things “just enough” to an acceptable level.
Nowhere in their entire history have they depended on Windows alone for their entire network. (Check their network…Ask yourself why Solaris and FreeBSD boxes are there).
(1) They don’t re-design Windows from scratch with security as primary. They just change it a bit here and there, maybe borrow concepts from Unix and claim it as their own “innovation”. This is all to sell the next version of Windows.
This is completely different to OpenBSD. OpenBSD lives for security. It regularly audits, implements features, etc. It also does the annual “hackathon”. (which MS tried to copy…LAME). The key is simplicity in design. (Easier to audit and debug).
The Windows solution isn’t easy to audit, and under that skirt…It’s a friggin’ mess cobbled together.
(2) They slap on security band-aids. MS anti-spyware, etc., whose definitions can be altered if you pay MS enough money to “change their mind” about your “malware”. They don’t provide solutions…They provide delays to never-ending problems.
OpenBSD doesn’t do security band-aids, nor do they do bribes. They actually sit down and work out a proper security solution. They don’t do it to sell their next version of OS, Microsoft does.
(3) Microsoft response time is slow. At minimum, they need 1 month turn-around time. (From being informed to actually releasing a patch.)
Compare this with OpenBSD, within hours to a few days.
There will always be people defending Microsoft, despite the lies, the monopolistic behavior (of which they have been convicted), the slow security response (1 month min), the US Government backing (see South Korea anti-trust case), etc.
If the news sites like eWeek say “Microsoft solutions offer the best in security”, would you blindly believe that?
It’s no different here. Do you simply accept this “security certification” story? Or do you find out what it means and what it involves?
That’s the difference between a techno-geek and a two-bit techno tryhard who has no clue about anything, except that Microsoft can “do no wrong”.
Stop defending Microsoft, wake up and smell the coffee. You’ll realize the truth.
Good lord. How to even respond to a post that shrill and misinformed. It’s like Unabomber diary!
why does a Windows box give you complete access of the WHOLE system, while other OSs, limit the damage of a compromise of a portion of the system?
It doesn’t. See groups, privs, ACLs, tokens. Windows is no different than any other OS – if you run yourself as root, you will get rooted. If you run as admin, you’re bad.
No where in their entire history have they depended on their Windows alone for their entire network. (Check their network…Ask yourself why Solaris and FreeBSD boxes are there).
Solaris and FreeBSD boxes are not there. MS depends entirely on Windows internally.
They don’t re-design Windows from scratch with security as primary. They just change it a bit here and there, maybe borrow concepts from Unix and claim it their own “innovation”. This is all to sell the next version of Windows.
Utter nonsense. After all, UNIX had such a great GUI to borrow from when Windows was developed. Oh wait.
Microsoft response time is slow. At minimum, they need 1 month turn-around time. (From being informed to actually releasing a patch.)
This is done entirely based on customer request, to make change management and testing easier for customers. Believe what you will, but enterprise customers don’t like patching at random intervals.
Here’s a small ranking of people, from least fanatic to most:
1. Windows users.
2. UNIX users.
3. Mac users.
4. Linux users.
5. Islamic suicide bombers.
6. FreeBSD users.
Edited 2005-12-16 01:47
So is Microsoft liable for any vulnerabilities found in their new products?
I’ll judge their new products by their security track, i.e, the number and severity of new vulnerabilities and the time they need to provide patches, not by their certification.
Well, I can’t believe why you or others would think that other OS’s are secure in any way. Based on your criteria of…what, being an angry teenager?
2005 Secunia OS vulnerability info:
Windows Server 2003 Enterprise Edition – http://secunia.com/product/1174/ – 74 security vulnerabilities since 2003, with 8 unpatched. Note that this is the OS as a whole, due to all the bundling of products everyone loves/hates.
Linux 2.6.X – Just the Kernel, not the whole bundled OS like 2003 – http://secunia.com/product/2719/ – 62 security vulnerabilities since 2004, with 13 unpatched.
10% vs 21%. Which one looks more secure to you?
You want numbers, I’ll give you numbers. This is not 1995. It’s 2005, and you have to catch up.
(And stop saying ‘Windows’. There have been 10 major versions of windows in the past 20 years. Be specific. Yes, I completely admit, Linux is more secure than Windows 2.0. You got me.)
Interesting information, but you should read it more carefully.
For example look at “criticality”:
                      w2003    linux 2.6
extremely critical      1%        0%
highly critical        36%        0%
moderately critical    39%       11%
Now remote exploit or not:
                      w2003    linux 2.6
from remote            61%       15%
Impact: system access
                      w2003    linux
system access          54%        3%
So seriously, what do you conclude from the facts that you exposed?
Did you look at the Secunia report correctly??
Windows 2003:
63% are remote threats (63%)
27% from the local network
Linux 2.6.x:
15% remote threats
15% from the local network
And you say Windows is more secure because it now has fewer unpatched bugs. If you look correctly, you’ll see that most (if not all) of the bugs can cause DoS.
In the case of Windows it is system takeover, DoS, privilege escalation… and it only has 8 unpatched.
Sorry but I don’t think the same way!
Well, comparing MS with the kernel is ok, but look at Red Hat vs MS: 0 open vs 8 unpatched.
I started to read through the vulnerabilities; if you do, you see that a lot are fixed upstream, or by vendors like Red Hat, so it’s not 100%.
The post with the percentage was a deeper analysis of the comment that posted the following links:
Windows Server 2003 Enterprise Edition – http://secunia.com/product/1174/
Linux 2.6.X – Just the Kernel, not the whole bundled OS like 2003 – http://secunia.com/product/2719/
We can keep playing the numbers and define what criticality really means. To continue on with your previous charting (the numbers not posted in your other pass):
Linux 2.6 Kernel:
DoS: 37%
Expose sensitive info: 17%
Expose system info: 5%
Security Bypass: 7%
Windows 2003 EE:
DoS: 18%
Expose sensitive info: 5%
Expose system info: 3%
Security Bypass: 3%
See how it’s not black and white? See how Linux is not a security panacea? See how on many levels 2003 security is better?
My point is – all OS’s have security bugs. All OS’s devs fail to patch them completely, or in a timely manner. Windows 2003 is not ‘insecure’, any more than Linux is ‘secure’. Your best security defense is competent engineers and admins layering their defenses and managing their systems, as there is no magical secure OS.
Security patching and development is an ongoing process. If you look back at the advisories for older Linux (or god forbid, UNIX – holy crap) you will see that they have fought this battle just like MS for many years.
Side note:
If you want some real fun, look at the timelines of Apache 1 & 2 versus IIS 5 & 6 (from Win2000 and 2003, respectively). Consider another myth of security, in what has historically been FOSS’s killer Linux app.
IIS 6 – 2 (both patched).
IIS 5 – 12 (1 unpatched)
Apache 2.X – 17 (2 unpatched)
Apache 1.3.X – 17 (1 unpatched)
Secunia.org is a pretty great site! Excellent replies you made above, I’m glad we’re actually discussing and not just throwing out mindless crap in the discussion at this point. Stimulating!
How long do the unpatched holes remain open?
In other words, why is open software usually patched in some weeks or a few months, when some Win-related flaws have existed for years and allow a DoS-era virus to destroy a 2003 server system?
How can the holes be avoided? In other words, in an open system I can really unload a flawed component with very good granularity, while in a Windows-related environment I usually need to go on with the WHOLE of IE’s bugs, Win* bugs etc…
There has never been an old Windows 2000/XP/2003 security vulnerability rated high or critical that remained unpatched and was exploited. Not one. I challenge you to find one. I’ll call my criteria for ‘old’ more than 1 month (which is the patch cycle that MS customers demanded, as they were irritated by a constant stream of patches that forced them to constantly test and go out of band on Change Control).
And don’t bring up the recent IE issue that allowed that proof of concept attack against google toolbar. It was rated low for months, then was rated critical, and was almost immediately patched.
I don’t understand your second point – can you explain more?
You’re kidding.
Just because Microsoft doesn’t acknowledge their security flaws until someone releases an exploit to the public doesn’t make their products more secure…
And then they even moan that one first shall contact them and leave them enough time to fix the flaw, funny.
Here is one: RDP design flaw allows MITM attacks on RDP.
SINCE 2002 EVERYBODY CAN BREAK IN MICROSOFT SERVERS!
http://www.ntcompatible.com/Microsoft_Terminal_Services_vulnerable_…
http://www.oxid.it/cain.html
Their response:
None of our customers reported actual exploitation of this flaw… with the successor of Windows 2003 we’ll release an updated RDP protocol version.
They are bullshitting their own customers…
As you noticed I came to no conclusion, my point was just to show that you can make numbers say anything; I’m sure that you knew this.
Secunia information is valuable, but to really come to a conclusion, I think we should compare things that are equivalent.
As you said, comparing a kernel with a full OS is not fair.
I tried to compare with a Linux distro (eg: Red Hat).
And I noticed that even in this scenario we can’t really compare the raw numbers: eg 2 critical vulnerabilities are in Lynx. As a sysadmin I prefer a critical vulnerability in lynx to a simple DoS in apache. And the numbers don’t take this into account.
Another thing that makes the number of advisories not interesting is the fact that an advisory can contain multiple vulnerabilities,
eg: on the secunia main page:
Five vulnerabilities have been reported in Microsoft Internet Explorer.
Other things to take into account: from a server point of view, are bugs in internet explorer/outlook and thunderbird, really problematic for win2003 or redhat?
I don’t think so because they may/should never be used on a serious server.
There are a lot of other things like these that make me think that Secunia is a really good basis for good analysis, but it would need a careful analysis of each advisory and also defining exactly what we want to study.
To finish, I use both systems, it depends on what I need to do; both have strengths and weaknesses, imho it’s important to know this and not blindly trust the OS to make us safe.
( I broke down and registered an account here:-) )
Your post above is excellent and I completely agree with your logic. The whole situation is incredibly gray, which when you boil it down, shows the fallacy of the “my *insert favorite OS here* is more secure than *insert my hated OS here*” argument. Things only get trickier as Linux finds more widespread acceptance and continues to bundle bundle bundle.
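A small worked example of the point made in this post, added here and not taken from the thread or from Secunia: the same constructed advisory list for two made-up products ranks them differently depending on whether you count advisories, count the vulnerabilities an advisory bundles, restrict to server-relevant components, or weight by criticality. The products, components, criticality weights and counts are all assumptions of the example.

```python
# Added example (not from the thread): one constructed advisory set scored
# several ways, to show why raw vendor-tracker counts can support opposite
# conclusions. Every record and weight below is made up for illustration.

# Criticality labels in the style a tracker such as Secunia uses, with an
# arbitrary weight per label (the weights are an assumption of this example).
WEIGHTS = {"extremely": 5, "highly": 3, "moderately": 2, "less": 1, "not": 0}

# Constructed advisories, one row per advisory:
# (product, component, criticality, vulns_bundled, patched, remote, server_relevant)
# "vulns_bundled" models the "five vulnerabilities in one advisory" point;
# "server_relevant" models the "browser bugs don't matter on a server" point.
ADVISORIES = [
    ("os-a", "browser", "highly",     5, True,  True,  False),
    ("os-a", "kernel",  "moderately", 1, False, False, True),
    ("os-a", "http",    "highly",     1, False, True,  True),
    ("os-b", "kernel",  "less",       1, False, False, True),
    ("os-b", "kernel",  "less",       1, False, False, True),
    ("os-b", "lynx",    "extremely",  2, True,  True,  False),
    ("os-b", "http",    "moderately", 1, False, True,  True),
]


def rows(product, server_only=False):
    """Advisories for one product, optionally only server-relevant components."""
    return [r for r in ADVISORIES if r[0] == product and (not server_only or r[6])]


def unpatched_share(product, server_only=False):
    """The '8 of 74' style metric: fraction of advisories still unpatched."""
    rs = rows(product, server_only)
    return sum(1 for r in rs if not r[4]) / len(rs)


def vuln_count(product, server_only=False):
    """Count vulnerabilities rather than advisories (an advisory may bundle several)."""
    return sum(r[3] for r in rows(product, server_only))


def weighted_exposure(product, server_only=False):
    """Criticality-weighted count of issues that are both remote and unpatched."""
    return sum(WEIGHTS[r[2]] * r[3]
               for r in rows(product, server_only)
               if r[5] and not r[4])


def safer_by(metric, server_only=False):
    """Name the product a metric favours (lower is better for every metric here)."""
    a, b = metric("os-a", server_only), metric("os-b", server_only)
    return "os-a" if a < b else "os-b" if b < a else "tie"


if __name__ == "__main__":
    for name, metric in [("unpatched share", unpatched_share),
                         ("vulnerability count", vuln_count),
                         ("weighted remote exposure", weighted_exposure)]:
        print(f"{name:26s} all: {safer_by(metric):5s} "
              f"server-relevant only: {safer_by(metric, True)}")
```

The "safer" product changes from metric to metric and again when desktop-only components are excluded, which is the reason this post asks for a definition of what is being studied before the numbers are compared.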
Was the network cable plugged in?
Was the computer turned on?
Does anyone care?
Baloney.
And so what? EAL-4, good for MS …
Some people are comparing win2k3 with kernel 2.6.
What about win2k3 with kernel 2.6 hardened-sources with the SELinux and grsecurity patches?
Is it fair or not?
I use win2k3, FreeBSD 6.0 and Gentoo with hardened-sources-2.6.14.
I don’t know why, but FreeBSD and Gentoo I use to expose my network: internet, proxy, mail server, etc… win2k3 is an internal domain …
Note: I like all of them.