Windows beats Linux / Unix on vulnerabilities - CERT
Any thoughts?

Key word is "reported". It's a well known fact most Windows vulnerabilities are never reported publicly. And even when they are reported it's usually only after a fix is available, in some cases leaving customers unwittingly vulnerable for months between discovery and the fix's release. All CERT's study truly reveals is that ignorance is still bliss. :o
I would question if all 2,238 vulnerabilities applied to each distro. For instance, did Gentoo suffer from all of those, or was that a collective number from each distro? Another question is, were those 2000 vulnerabilities 'kernel vulnerabilities' or software packages? You can't blame Linux if your vixie-cron daemon had a vulnerability, unless you count Windows programs that were installed after the operating system.
As proof, here's an old incident of a serious vulnerability that MS kept quiet about for months and only disclosed publicly because word leaked out about it:
"Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available." FROM: http://news.zdnet.com/2100-1009_22-5158625.html Linux's open nature encourages full disclosure of vulnerabilities and that's a positive in my book. MS' customers are treated like mushrooms: kept in the dark and fed boolshiat like CERT's. :o
Also that report is comparing windows against Linux/Unix which includes (if you look at the vulns) Mac OSX, FreeBSD, OpenBSD, HP-UX, AIX, Solaris, SCO Unixware, and several Linux distros. There also appears to be multiple entries counted for the same vuln in different Linux vendors. So I think you need to be careful about what kind of conclusions you try to draw from that report.
Most if not all of these articles count Linux vuls by adding up all vuls of all distros which inflates the Linux numbers greatly.
Check out the servers and see which has more cracks, but don't count each Linux distro as a separate exploit. Netcraft is a good place to start your own research. Also, check to see who sponsored the study. If it is sponsored by MSFT, they are well known for this type of FUD. This report will repeat next year, as I have seen it every year since I installed my first Linux distro in 1999. How about viruses and worms?
You'll also note that lots of the CERT "unix/linux" vulnerabilities are in software that few people use and that isn't grouped with any distributions by default. For example, there is an IMAP server available through apt that is still in testing and isn't thought to be secure, and CERT has like 100 vulnerabilities from that program listed.
mmmmhh compare the colors
http://www.frsirt.com/english/vendor/2161 http://www.frsirt.com/english/vendor/1948 I may be blind but there is one a bit more red lol
I don't recall CERT doing anything except listing vuls, but:
Who is paying the reporter? I know I have seen the same thing reported every year since I discovered Linux, not all using CERT as their source, but several reports I have seen were based on studies financed by MSFT, some of which were very difficult to "follow the money". I think I probably stated my response poorly after re-reading it. Prednisone and morphine (which I have to take) aren't great memory boosters.
I'm going to close this thread as we have an identical one in the General forum. Feel free to post comments there:
http://www.linuxquestions.org/questi...d.php?t=399623 //Thread Closed