clouseau

Recently, a programmer named Patrick Stach released unto the world his working source code for generating an MD5 collision within a very reasonable amount of time for most desktop PC’s. Leave it to the media to sensationalize it and proclaim that MD5 is now BROKEN! Run! Go out and buy duct tape! While it is true that no true security product should be relying on MD5 for anything serious, it’s not quite the end of the world that many of these news geniuses are painting it as.

The fact of the matter is that most Linux and other UNIX distributions use the MD5 hashing algorithm to handle their password database for the users. It takes your password, hashes it using MD5, and then stores that. When a user attempts to login via SSH for example, the system takes the password they typed and then hashes it using whatever algorithm it was configured to do (which is MD5 in most cases) and then compares it to the hash that’s in its database. If it matches, then the user entered the correct password and is granted access to the system. If they don�t match, they obviously didn’t type in the right password. The security in these hashing algorithms lies in the fact that each and every series of letters will have a unique hash. In English, I can rest easy at night knowing that the hash of “cat” will NEVER be the same hash of “dog“.

So the security community is up in arms about the fact that they now have an actual implementation of generating MD5 collisions, instead of it being a hypothetical paper that the general public would never understand. So what exactly is the impact of this little release you might be wondering? Well, you can put away that duct tape because your NIX servers will remain running tomorrow just fine. The truth is you can’t use this utility to be able to break a hashed password any faster. Instead what this does it allows you to find a pair of “plaintexts” (term for normal words/letters) that will come out to the exact same hash value. This is not supposed to be possible, but because of the discovered weakness in MD5, it is. Either way, the release utility does not help anyone find the “plaintext” from an MD5 hash. That is still impossible and does require you to brute force crack any hashes. It also means that MD5 is STILL safe to use as a file verification tool. While I’m not advocating the continued use of MD5, it’s still not the end of its life.

You will constantly see “religious” wars being fought between the camps of the above mentioned platforms. You’ll also see a lot of comparisons between the two on the net, all of which have a hint of bias in them. Well today I’m going to cover just facts between the two platforms to see which one comes out a clear winner, if any.
Let’s see when each platform launched. If we look up RedHat we’ll find that they launched version 4 of their highly acclaimed Enterprise Linux on February 15th, 2005 according to CRN. Microsoft Windows Server 2003 was released on March 28th, 2003 according to Microsoft’s own site. That’s nearly a two year gap between the two which in the IT world is nearly a lifetime of most software product versions themselves.
So Windows Server 2003 has a near 2 year head start on RedHat Enterprise Linux 4 to collect all sorts of vulnerabilities that we all know Microsoft is famous for. However, this is where it gets to be a tad bit surprising. Outside the hype and FUD (Fear, Uncertainty and Distrust), it’s not nearly as bad as the general tech community paints it out to be. A little research from Secunia reveals that it’s not bad at all.

Graph
Since its release in 2003, Windows Server has accumulated a total of 74 Secunia Advisories.

Now let us take a look at Redhat Enterprise Linux

graph

Since its release in 2005, Enterprise Linux 4 has accumulated a total of 128 advisories.

Wait, what? There must be some mistake. Well ok, perhaps the Enterprise Linux 4 vulnerabilities are a lot less severe than Windows Server 2003. A local vulnerability is a lot less severe than a remote vulnerability.

So let’s look at RedHat Enterprise Linux 4 first.

graph

Ok so 83 percent of all the vulnerabilities are able to be exploited remotely. That’s a pretty high number. Let’s take a look at Windows.

Graph

59 percent of all Windows Server 2003 Secunia Advisories are remotely exploitable.

Well now, this is fairly interesting. So far, dare I say, Windows is leading in terms of security.

Ah but wait, it’s not over yet. We have yet to see the type of impact most of these vulnerabilities have, and most importantly, the impact they have at the system level.

So let’s take a look at RedHat Enterprise Linux 4 first.

Graph

We see here that 30 percent of the vulnerabilities allow system access.

Now let’s take a look at Windows Server 2003.

Graph

We see here that Windows Server 2003 is a bit more severe in that 53 percent of their vulnerabilities allowed system access. That’s a fairly high percentage that is dangerous, especially in an enterprise environment.
Secunia also keeps track of vulnerabilities that they have discovered and are unpatched as of yet by the vendor, which gives us an idea of the rate at which each vendor responds to security.

The Secunia database currently contains 0 Secunia advisories marked as “Unpatched“, which affects RedHat Enterprise Linux AS 4.

That’s pretty decent, so we know that RedHat responds very quickly to any discovered security threats. Let’s have a look at Microsoft.

Currently, 8 out of 74 Secunia advisories, is marked as “Unpatched” in the Secunia database.

A much more dangerous number than zero. Although, to their credit, all of the “unpatched” vulnerabilities are not too critical. However, this still shows us how seriously Microsoft lags behind in their patching efforts. One could only attribute this to the massive complexity of the Windows system that Microsoft engineers must go through in contrast to the modular nature of Linux itself.

In conclusion, what we have here is a very interesting set of differences between the two platforms and neither comes out as a clear winner. (I know, you are disappointed!) However, we did uncover the fact that Windows Server 2003 is not nearly as bad as the general tech community paints it out to be and would be a fairly solid choice in an enterprise environment despite all the FUD.

MD5 Revisited

RedHat Enterprise Linux 4 vs. Windows Server 2003