
Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
What about .NET vs Java Security?


Interesting stuff, no?

Posted: Monday, October 25, 2004 4:11 PM by michael_HOWARD

Comments

Ricky Datta said:

I can assure you that this will not be picked
up by Slashdot or TheServerSide as it does
not conform to their reader's belief system.

hehe...

Ricky
# October 25, 2004 4:29 PM

AIM48 said:

This might be the inverse of the IE effect. Since Java has been around so much longer (and is more widely deployed), it is more of a target for "Security Researchers and friends".

But that might change
# October 25, 2004 5:15 PM

murphee said:

Well well, sounds terrible, doesn't it? 14 is much higher than 4... boy...
Of course, what you don't mention is the fact that the .NET vulnerabilities are all marked much more critical than the Java ones. (Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical). One should of course also mention that this 1 highly critical vulnerability is a *Buffer Overflow* in JPEG processing code...
But compare yourself:
.NET: http://secunia.com/product/667/
Java:
http://secunia.com/product/784/
# October 25, 2004 5:28 PM

Jeremy Brayton said:

I guess the 31% of Java's vulnerabilities that are unpatched are the ones that are "not critical". I suppose also because there are 14, and not 4, that Sun couldn't fix them like Microsoft could?

I guess local system exploits and DoS attacks aren't really high on Sun's list of things to do. Neither side is THAT impressive, but it's nice to know how Sun deals with security problems even if they "seem" minor.
# October 25, 2004 7:08 PM

uwe said:

So these graphs show that Microsoft gives out fewer advisories than Sun. Does it tell something about the applications themselves? ;-)
# October 25, 2004 10:26 PM

Alun said:

Let's play math games, then. The Secunia page lists 13% of the Java vulnerabilities as being "Security Bypass", and 25% of the .NET vulnerabilities that way. Looks bad for .NET.

Hmm... wait a minute, though... 13% of 14 is two (allowing for Secunia's rounding), 25% of 4 is 1. So, Java has two "Security Bypass" flaws during that time, .NET has one. So, what is murphee trying to tell us with his percentages? That he can play with statistics as well as anyone?
# October 26, 2004 8:19 AM

xxx said:

Alun:

The numbers are too low to play with percentages. On the other hand, this is telling:

"Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % Highly Critical"

You should also remember that whereas J2EE apps are strong residents in Linux/Unix/Mac and other platforms that are more secure than Windows, Dotnet so far is mainly used in Windows, which everyone knows is riddled with security holes.

# October 26, 2004 9:06 AM

dgw said:

Even while the numbers are too low to be statistically meaningful, let's do some simple math to make xxx's point excruciatingly clear:

69% Java not critical = .69 * 13 = 9
31% Java moderately critical = .31 * 13 = 4
75% .NET moderately critical = .75 * 4 = 3
25% .NET highly critical = .25 * 4 = 1

So, ignoring the non-criticals, by Secunia's definition, we have a 'criticals' total of:

Java: 4 moderately criticals
.NET: 3 moderately criticals, 1 severely critical.

Even ignoring the fact that Java is more pervasive than .NET (a sin that the Slashdot crowd does relative to Windows versus the ROW) and that the reports have been coming out over a longer period of time, .NET seems to be a bit more insecure.

So what was the point of the original post?
# October 26, 2004 10:10 AM

kalim said:

And check out the IMPACT graph for both - advantage: Java!

# October 26, 2004 10:15 AM

Michael Howard said:

>>So what was the point of the original post

Very simple - everyone has security bugs, and only Msft admits it!
# October 26, 2004 10:29 AM

Jeff said:

I guess the point I took away was that the assumption about anything Microsoft before the blog seemed to be similar to what xxx says: "...which everyone knows is riddled with security holes."

However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn't 'critical'. (Convenient assumption that, I wonder if that would happen if the numbers were reversed...)
# October 26, 2004 10:33 AM

xxx said:

"However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn't 'critical'."

You're confusing .NET with Windows/IIS/IE... .NET is probably just as screwy as the others, it's just that there aren't enough data points yet to confirm it - notice that the graph is only for about 1 year.

The point is, even over that short period, and even granting the fact Java has been here several times longer, Java STILL is more secure than dotnet.


# October 26, 2004 12:42 PM

Michael Howard said:

xxx Dude - I accidentally deleted your last post - can you pls repost it?

thanks!
# October 26, 2004 1:10 PM

xxx said:

Do you really want me to keep "kicking" your butt? ;-)
# October 26, 2004 1:33 PM

Michael Howard said:

It's all in a day's work :)
# October 26, 2004 1:43 PM

xxx said:

"Very simple - everyone has security bugs, and only Msft admits it!"

I'll hope you're only kidding here, because that's the stupidest statement I've heard coming from a Microsoft employee. Denying or blinding oneself to the fact that Microsoft Windows or IE or IIS, for example, is a treasure trove of security breaches (even the major news organizations regularly report this because of the severity and potential damage) does NOT inspire any confidence that MSFT is serious about solving these problems...

SHAME on you, as you are, as you point out, a "security" guy at MSFT!
# October 26, 2004 1:50 PM

Michael Howard said:

Seriously, let's look at this constructively. Everyone has security bugs, right? We agree on that I hope!

But where do you hear that anyone but Microsoft has security bugs? We're actively working on addressing the issue, with time, education, $$, process improvement, better security testing, better libs, better best practice (I could keep going.) And yet, no-one else seems to want to do this work. Why? Beats me, because everyone has security bugs. Am I really that off-base?
# October 26, 2004 1:54 PM

xxx said:

That's a really simple thing to say and I'm trying not to call you names like "simple simon" (I mean, who else would simply COUNT the number of advisories without looking at the underlying severity and impact of the advisories)...

Obviously everything has the potential to have security problems...the point is, which ones have the most security bugs and the most critical ones. Your entry actually backfired by showing that in fact Java has a better record on this than .NET.

Microsoft has rightly been attacked by the press and the public for its poor security record, so you doing a PR on the thing doesn't really help things - it just shows Microsoft still has not owned up to the fact it needs to do some serious convincing to make the common perception that its products are security sieves go away.


# October 26, 2004 2:47 PM

Michael Howard said:

You dodged my comment/question, no-one else has serious security issues?
# October 26, 2004 3:09 PM

xxx said:

And you obviously don't understand why people are angry at Microsoft since I did answer your question and went beyond:

other products may have security issues...Java itself may have some real problems...but simply by doing the comparison above you highlight the point that the number and severity and impact of issues will vary from product to product - and the point is that Microsoft products seem to be unusually rife with problems that are severe.

get it now?

# October 26, 2004 10:13 PM

Daniel said:

I think you can't simply measure the number of (published) security issues.

The ValidatePath issue in the ASP.NET code was a really heavy issue. And especially since MS had real trouble with (URL) canonicalization issues in IIS in the past, I think such a mistake should not happen. They should know better.

Maybe the guy who coded it didn't read your book;-)
# October 27, 2004 9:07 AM

Michael Howard said:

>>I think such a mistake should not happen
Totally agree! There's a full post-mortem underway!

These are, I'm afraid to say, common industry mistakes:

PHP: http://secunia.com/advisories/11792/
Crystal Reports: http://secunia.com/advisories/11800/
BEA WebLogic: http://secunia.com/advisories/11435/
Sun JSP: http://secunia.com/advisories/8879/

Perhaps more people should read the book :)
# October 27, 2004 9:48 AM

SaD J said:

how many serious java apps vs .NET apps out there?
# October 27, 2004 7:40 PM

Ricky Datta said:

Michael,

Can you please comment on this :

http://secunia.com/product/22/

Why are 26% still unpatched ?

Not verifiable, not reproducible ?

btw.. I appreciate what you do for developers.

Thank you.

Ricky
# October 27, 2004 11:29 PM

Ya'akov Yehudi said:

Microsoft products may have many patches, but those products which do not have serious _unpatched_ vulnerabilities, _cannot_ still be called "riddled with security holes.", as done by xxx.
# October 28, 2004 1:15 AM

厚重之刀 said:

I think .NET is more safe than Java.
# November 1, 2004 2:06 AM
