[Vms.sig-hu] Article in the Inquirer - Software vulnerabilities still dog operating systems (fwd)

Fodor Zsuzsa fodor31 at freemail.hu
Mon Jan 5 20:11:46 CET 2004


---------- Forwarded message ----------
Date: Mon, 5 Jan 2004 12:09:52 -0500
From: Skonetski, Susan <susan.skonetski at hp.com>
To: Skonetski, Susan <susan.skonetski at hp.com>
Subject: Article in the Inquirer - Software vulnerabilities still dog operating systems

http://www.theinquirer.net/?article=13420

The following is a portion of the article, which is large and contains
charts.

Proprietary systems are the least vulnerable 
The operating systems with fewest vulnerabilities in 2003 are HP's
OpenVMS, IBM's OS/400 and IBM's zOS. 

These three are all proprietary and they all have security that is fully
integrated, not applied as some kind of after-thought. Certainly they
come with a decent price-tag but they can be well worth the money when
the result is fewer security problems, less unscheduled downtime and
less downtime for patching.

The other significant feature of these operating systems is the language
in which they are written. The two from IBM are both written in
assembler and OpenVMS uses a range of about ten languages, one of which
is C.

C and similar languages that use pass-by-value techniques are
exceptionally prone to buffer overflow and the consequent potential for
unauthorized users to execute either their own malicious code or other
programs which run with enhanced access privileges. Avoiding the use of
these languages at the most vulnerable points, namely user I/O and
network I/O, would appear to be wise. Linux, Unix and Windows are almost
entirely written in C, and most of their middleware and application
software is also in these vulnerable languages, so it should come as no
surprise that they are less secure than OpenVMS, OS/400 and zOS.

The other operating system that had very few vulnerabilities is Apple's
OS 9, with the Secunia database showing just one in 2003 and none in
2002. Again this is a proprietary operating system and the decisions and
integration of security rest with one organisation which does not have
to concern itself with compatibility with other vendors.

Apple recently moved to a Unix-based operating system, OS X, and the 24
vulnerabilities reported for it by Secunia in 2003 are a very telling
comment.

More information about the VMS.SIG-hu mailing list