All I hear is how Linux is more secure than Windows, and then I ran into this list at this site showing the security flaws in Linux. What's the argument about how Windows has more security problems again...... I don't want to seem like a M$ posterboy..... I just want to know the facts. I think that if 90 percent of the market used *nux then they would be the target, right. That makes a lot of sense to me. What's the deal? Help me understand *nux's position on this. All of which are opinions of course :]
thx
Quivver
By unSpawn
on Fri 13 Feb 2004, 12:29 PM
Feb 9th 2004
48 of 56 issues handled (SF)
1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
4. ChatterBox Remote Denial of Service Vulnerability
5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
7. JBrowser Browser.PHP Directory Traversal Vulnerability
8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
9. JBrowser Unauthorized Admin Access Vulnerability
10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
11. Aprox Portal File Disclosure Vulnerability
12. SqWebMail Authentication Response Information Leakage Weakne...
13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
14. Suidperl Unspecified Information Disclosure Vulnerability
15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
20. Crob FTP Server Denial Of Service Vulnerability
21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
23. GNU Chess '-s' Local Buffer Overflow Vulnerability
24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
28. Util-Linux Login Program Information Leakage Vulnerability
29. PHP-Nuke GBook Module HTML Injection Vulnerability
30. Qualiteam X-Cart Remote Command Execution Vulnerability
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
35. Tunez Multiple Remote SQL Injection Vulnerabilities
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
39. PHPX Multiple Vulnerabilities
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
45. RXGoogle.CGI Cross Site Scripting Vulnerability.
46. Web Crossing Web Server Component Remote Denial Of Service V...
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
48. GNU Radius Remote Denial Of Service Vulnerability
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
54. Crossday Discuz! Cross Site Scripting Vulnerability
56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
Feb 09th 2004
39 of 55 issues handled (ISS)
Overkill client has multiple buffer overflows
Overkill server parse_command_line buffer overflow
SurgeFTP Web interface denial of service
Caravan Business Server sample_showcode directory
FreeBSD mksnap_ffs security bypass
PhotoPost PHP Pro SQL injection
iSearch isearch.inc.php script PHP file include
ChatterBox denial of service
suidperl information disclosure
Aprox PHP portal index.php script directory
Apache httpd server httpd.conf could allow a local
util-linux information leak
GNU Libtool creates insecure temporary directory
Web Blog file parameter command execution
Tunez multiple SQL injection
phpMyAdmin "dot dot" Directory Traversal
Web Crossing Content-Length header denial of
Gbook message HTML injection
BugPort sensitive information exposure
Linley's Dungeon Crawl long environment variable
X-Cart "dot dot" directory traversal
X-Cart perl_binary variable command execution
ReviewPost PHP Pro showproduct.php and showcat.php
X-Cart general.php information disclosure
RealOne Player multiple file buffer overflows
RxGoogle query cross-site scripting
OpenBSD IPv6 packet denial of service
Linux kernel 2.4.x ixj telephony card driver buffer
GNU Radius rad_print_request denial of service
PHPX subject HTML injection
PHPX main.inc.php and help.inc.php cross-site
PHPX could allow an attacker to modify cookie to
SqWebMail login error information disclosure
Oracle Database Server multiple functions buffer
Multiple vendor BSD platforms allows elevated
Mambo Itemid parameter cross-site scripting
Apache-SSL has a default password
Discuz! Board image tag cross-site scripting
OpenJournal uid could allow an attacker
I know that you look at that list and it seems a lot. But you have to remember that in Windows it is controlled, where all the commercial programs have the same basis of coding. In Linux there is no basis. You make your program any way you want it. The difference is that in Linux I control the system and I watch it. There are programs out there that monitor things to see what is going on in your system. And of course root secures everything. In Windows, unless you do some extra work, a normal person can go and delete the c:/Windows directory. So if they get by your security you are done. In Linux you have to crack root, which if you do it right would take a long time to crack. So yes, there are updates, but that is to better the system as well and close up some bad coding.
Well, about 67% of the internet uses Apache, and how many exploits are there for Apache compared to IIS? The 90% market share argument doesn't really hold that much water. But the gist of the argument isn't so much that as how Windows defaults are insecure, as well as how many flaws in Windows are unknown. Look at the source code leak, as there's already an exploit for IE5 based on the source code. There are going to be more coming soon. The only "fix" is to upgrade to IE6, which isn't really a fix. Besides, it's estimated that 20-30% of users (not sure if it's IE users or web users) still use IE5. There's the issue that when flaws are discovered in Linux, they're patched quickly, whereas with Microsoft, it seems that they sit on it for a few months before even acknowledging that there is a flaw. I think the latest one in regards to XP, 2K, and Server 2003, they "knew" about that flaw for 6 months before issuing a patch recently and saying, well, there isn't an exploit for it. Well, there's an exploit for it today. And that list you posted is pretty much other software that's not part of the operating system, although it could be part of a distribution. If you wanted to look at things that way, you need to look not only at Windows, but at MS Office, IIS, etc. My guess is you'll see about the same amount of flaws if not more, and then there are the ones no one knows about, since you can be sure Microsoft likes to put their heads in the sand hoping no one finds them and only acknowledging them if they really, really have to.
The basis of the better security argument stems from the open source philosophy itself. Millions of unpaid programmers are going to be better at identifying bugs and exploits in code than thousands of paid programmers. It's that simple.
IMHO the big difference in terms of security between *NIX and Windows is that while both suffer security holes resulting from programming mistakes, some of the Windows holes are holes by design (like ActiveX, allowing web sites to execute any code on a remote client; Outlook preview), and such holes can't be patched.
Also, please don't think that because a potential security flaw has been found in the code, that it has been exploited and is-the-worst-possible-thing-that-could-ever-happen-to-you. There are many, many 'security alerts' for all sorts of packages, but keep it in perspective. These alerts come about because the source to the programmes is under continual peer review. Surely it is better to have a system where lots of tiny, very unlikely potential vulnerabilities are discovered, and fixed, regularly, than a system where even a very large vulnerability can be hidden from paying customers for over 6 months?
If you like car analogies (and I do), then think of it like this. You take your car to the garage, and what would you prefer to hear? "The locks on your doors are getting a little rusty. Someone may be able to jimmy them open with a knife, but they'd be lucky. I would replace them anyway and keep them well oiled, just in case." or "Your car seems to be missing all its doors and has a push-start ignition. Don't worry about it, no one would ever steal it."? I know which I would choose.