What about .NET vs Java Security?

Published 25 October 04 04:11 PM


Interesting stuff, no?


Comments

# Ricky Datta said on October 25, 2004 4:29 PM:
I can assure you that this will not be picked
up by Slashdot or TheServerSide as it does
not conform to their readers' belief system.

hehe...

Ricky
# AIM48 said on October 25, 2004 5:15 PM:
This might be the inverse of the IE effect. Since Java has been around so much longer (and is more widely deployed), it is more of a target for "Security Researchers and friends".

But that might change
# murphee said on October 25, 2004 5:28 PM:
Well well, sounds terrible, doesn't it? 14 is much higher than 4... boy...
Of course, what you don't mention is the fact that the .NET vulnerabilities are all marked much more critical than the Java ones. (Java: 69 % not critical, 31 % moderately critical; .NET: 75 % moderately critical, 25 % highly critical). One should of course also mention that this 1 highly critical vulnerability is a *Buffer Overflow* in JPEG processing code...
But compare yourself:
.NET: http://secunia.com/product/667/
Java:
http://secunia.com/product/784/
# Jeremy Brayton said on October 25, 2004 7:08 PM:
I guess the 31% of Java's vulnerabilities that are unpatched are the ones that are "not critical". I suppose also, because there are 14 and not 4, that Sun couldn't fix them like Microsoft could?

I guess local system exploits and DoS attacks aren't really high on Sun's list of things to do. Neither side is THAT impressive, but it's nice to know how Sun deals with security problems even if they "seem" minor.
# uwe said on October 25, 2004 10:26 PM:
So these graphs show that Microsoft gives out fewer advisories than Sun. Does it tell something about the applications themselves? ;-)
# Alun said on October 26, 2004 8:19 AM:
Let's play math games, then. The Secunia page lists 13% of the Java vulnerabilities as being "Security Bypass", and 25% of the .NET vulnerabilities that way. Looks bad for .NET.

Hmm... wait a minute, though... 13% of 14 is two (allowing for Secunia's rounding), 25% of 4 is 1. So, Java has two "Security Bypass" flaws during that time, .NET has one. So, what is murphee trying to tell us with his percentages? That he can play with statistics as well as anyone?
# xxx said on October 26, 2004 9:06 AM:
Alun:

The numbers are too low to play with percentages. On the other hand, this is telling:

"Java: 69 % not critical, 31 % moderately crtical; .NET: 75 % moderately critical, 25 % Highly Critical"

You should also remember that whereas J2EE apps are strong residents in Linux/Unix/Mac and other platforms that are more secure than Windows, Dotnet so far is mainly used in Windows, which everyone knows is riddled with security holes.

# dgw said on October 26, 2004 10:10 AM:
Even while the numbers are too low to be statistically meaningful, let's do some simple math to make xxx's point excruciatingly clear:

69% Java not critical = .69 * 13 = 9
31% Java moderately critical = .31 * 13 = 4
75% .NET moderately critical = .75 * 4 = 3
25% .NET highly critical = .25 * 4 = 1

So, ignoring the non-criticals, by Secunia's definition, we have a 'criticals' total of:

Java: 4 moderately criticals
.NET: 3 moderately criticals, 1 severely critical.

Even ignoring the fact that Java is more pervasive than .NET (a sin that the Slashdot crowd commits relative to Windows versus the ROW) and that the reports have been coming out over a longer period of time, .NET seems to be a bit more insecure.

So what was the point of the original post?
# kalim said on October 26, 2004 10:15 AM:
And check out the IMPACT graph for both - advantage: Java!

# Michael Howard said on October 26, 2004 10:29 AM:
>>So what was the point of the original post

Very simple - everyone has security bugs, and only Msft admits it!
# Jeff said on October 26, 2004 10:33 AM:
I guess the point I took away was that the assumption about anything Microsoft before the blog seemed to be similar to what xxx says: "...which everyone knows is riddled with security holes."

However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn't 'critical'. (Convenient assumption that, I wonder if that would happen if the numbers were reversed...)
# xxx said on October 26, 2004 12:42 PM:
"However, by the end of the discussion, dgw is saying that .NET is "a bit" more insecure and even that is with the caveat that you ignore every security issue that isn't 'critical'."

You're confusing .NET with Windows/IIS/IE... .NET is probably just as screwy as the others, it's just that there aren't enough data points yet to confirm it - notice that the graph is only for about 1 year.

The point is, even over that short period, and even granting the fact Java has been here several times longer, Java STILL is more secure than dotnet.


# Michael Howard said on October 26, 2004 1:10 PM:
xxx Dude - I accidentally deleted your last post - can you pls repost it?

thanks!
# xxx said on October 26, 2004 1:33 PM:
Do you really want me to keep "kicking" your butt? ;-)
# Michael Howard said on October 26, 2004 1:43 PM:
It's all in a days work :)
# xxx said on October 26, 2004 1:50 PM:
"Very simple - everyone has security bugs, and only Msft admits it!"

I hope you're only kidding here, because that's the stupidest statement I've heard coming from a Microsoft employee. Denying or blinding oneself to the fact that Microsoft Windows or IE or IIS, for example, is a treasure trove of security breaches (even the major news organizations regularly report this because of the severity and potential damage) does NOT inspire any confidence that MSFT is serious about solving these problems...

SHAME on you, as you are, as you point out, a "security" guy at MSFT!
# Michael Howard said on October 26, 2004 1:54 PM:
Seriously, let's look at this constructively. Everyone has security bugs, right? We agree on that I hope!

But where do you hear that anyone but Microsoft has security bugs? We're actively working on addressing the issue, with time, education, $$, process improvement, better security testing, better libs, better best practice (I could keep going.) And yet, no-one else seems to want to do this work. Why? Beats me, because everyone has security bugs. Am I really that off-base?
# xxx said on October 26, 2004 2:47 PM:
That's a really simple thing to say and I'm trying not to call you names like "simple simon" (I mean, who else would simply COUNT the number of advisories without looking at the underlying severity and impact of the advisories)...

Obviously everything has the potential to have security problems...the point is, which ones have the most security bugs and the most critical ones. Your entry actually backfired by showing that in fact Java has a better record on this than .NET.

Microsoft has rightly been attacked by the press and the public for its poor security record, so you doing a PR on the thing doesn't really help things - it just shows Microsoft still has not owned up to the fact it needs to do some serious convincing to make the common perception that its products are security sieves go away.


# Michael Howard said on October 26, 2004 3:09 PM:
You dodged my comment/question, no-one else has serious security issues?
# xxx said on October 26, 2004 10:13 PM:
And you obviously don't understand why people are angry at Microsoft since I did answer your question and went beyond:

other products may have security issues...Java itself may have some real problems...but simply by doing the comparison above you highlight the point that the number and severity and impact of issues will vary from product to product - and the point is that Microsoft products seem to be unusually rife with problems that are severe.

get it now?

# Daniel said on October 27, 2004 9:07 AM:
I think you can't simply measure the number of (published) security issues.

The ValidatePath issue in the ASP.NET code was a really heavy issue. And especially since MS has had real trouble with (URL) canonicalization issues in IIS in the past, I think such a mistake should not happen. They should know better.

Maybe the guy who coded it didn't read your book;-)
# Michael Howard said on October 27, 2004 9:48 AM:
>>I think such a mistake should not happen
Totally agree! There's a full post-mortem underway!

These are, I'm afraid to say, common industry mistakes:

PHP: http://secunia.com/advisories/11792/
Crystal Reports: http://secunia.com/advisories/11800/
BEA WebLogic: http://secunia.com/advisories/11435/
Sun JSP: http://secunia.com/advisories/8879/

Perhaps more people should read the book :)
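The advisories Michael lists above, and the ASP.NET issue Daniel raised, share one bug class: a path is checked in the spelling the client sent and then served in its canonical spelling. The block below is an added example, not code from this post and not the ASP.NET ValidatePath code or the fix Microsoft shipped; it is written in Python rather than C# or Java so it runs stand-alone. The `/secure/` prefix and the request paths are constructed for illustration, and the "server" is a two-line model of an auth module followed by a file handler.

```python
"""Canonicalize-before-authorize: a path-check bug class and its fix.

Added example, not code from the post.  It does not reproduce the
ASP.NET ValidatePath code or Microsoft's fix; the protected prefix and
request paths below are constructed for illustration only.
"""
import posixpath
from urllib.parse import unquote

# Assumption: an authorization rule protects everything under this prefix.
PROTECTED_PREFIX = "/secure/"


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to a single canonical spelling.

    Collapses the usual alternate spellings of one resource: percent
    encoding (decoded until stable, so double encoding is caught too),
    backslash as a separator, repeated slashes, and '.'/'..' segments.
    Decoding more aggressively than the file system does is safe for an
    authorization comparison: it can only deny, never expose.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # posixpath.normpath keeps a leading '//' (POSIX leaves it
    # implementation-defined), so strip leading slashes ourselves.
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def is_protected_raw(raw_path: str) -> bool:
    """Vulnerable check: compares the request path as spelled by the client."""
    return raw_path.startswith(PROTECTED_PREFIX)


def is_protected_canonical(raw_path: str) -> bool:
    """Hardened check: canonicalize first, compare second."""
    canon = canonicalize(raw_path)
    return canon == PROTECTED_PREFIX.rstrip("/") or canon.startswith(PROTECTED_PREFIX)


def serve(raw_path: str, authenticated: bool, check) -> str:
    """Model a pipeline: an auth module runs `check` on the raw path, then a
    handler resolves the file by its canonical name.
    Returns 'denied' or 'served:<canonical path>'."""
    if check(raw_path) and not authenticated:
        return "denied"
    return "served:" + canonicalize(raw_path)


def bypass_attempts():
    """Constructed request paths that all name /secure/report.aspx."""
    return [
        "/secure\\report.aspx",               # backslash separator
        "//secure/report.aspx",               # doubled slash
        "/%73ecure/report.aspx",              # percent-encoded letter
        "/public/..%2fsecure/report.aspx",    # encoded '../' traversal
        "/public/..%252fsecure/report.aspx",  # double-encoded traversal
    ]


if __name__ == "__main__":
    for p in bypass_attempts():
        print(f"{p:36} raw check: {serve(p, False, is_protected_raw):28} "
              f"canonical check: {serve(p, False, is_protected_canonical)}")
```

Run unauthenticated, every path in `bypass_attempts()` is served by the raw check and denied by the canonical one, while `/public/index.html` is still served and an authenticated request for `/secure/report.aspx` still works. The design point is the ordering: whatever the exact list of alternate spellings a given server accepts, the authorization decision must be made on the same canonical name the handler will resolve.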
# SaD J said on October 27, 2004 7:40 PM:
how many serious java apps vs .NET apps out there?
# Ricky Datta said on October 27, 2004 11:29 PM:
Michael,

Can you please comment on this :

http://secunia.com/product/22/

Why are 26% still unpatched ?

Not verifiable, not reproducible ?

btw.. I appreciate what you do for developers.

Thank you.

Ricky
# Ya'akov Yehudi said on October 28, 2004 1:15 AM:
Microsoft products may have many patches, but those products which do not have serious _unpatched_ vulnerabilities, _cannot_ still be called "riddled with security holes.", as done by xxx.
# 厚重之刀 said on November 1, 2004 2:06 AM:
I think .NET is more safe than Java.
# Abduh.net » Blog Archive » Between Java and .NET said on February 17, 2006 2:40 PM:
PingBack from http://www.abduh.net/?p=93