01-05-2006, 09:12 PM
#1
LQ Newbie
Registered: Sep 2005
Distribution: RedHat 9.0
Posts: 8
Windows beats Linux / Unix on vulnerabilities - CERT
Quote:
Windows beats Linux / Unix on vulnerabilities - CERT
Good news and bad news
By Gavin Clarke in San Francisco
Published Thursday 5th January 2006 09:41 GMT
It might not feel like it, but Windows suffered fewer security vulnerabilities than Linux and Unix during 2005.
Linux and Unix experienced more than three times as many reported security vulnerabilities as Windows, according to the mighty US Computer Emergency Readiness Team (CERT) annual year-end security index.
Windows experienced 812 reported operating system vulnerabilities for the period between January and December 2005, compared to 2,328 for Linux and Unix.
CERT found more than 500 multiple vendor vulnerabilities in Linux and Unix spanning old favorites such as denial of service and buffer overflows, while CERT recorded 88 Windows-specific holes and 44 in Internet Explorer (IE). For a complete list of vulnerabilities, you can visit the CERT site here.
The annual poll does not include the Windows MetaFile (WMF) vulnerability, which has become the most widely reported attack on Windows according to security and antivirus specialist McAfee since being reported on December 28.
News of Windows' relative security will prove little comfort to millions of computer users now bracing for the latest attack of the Sober worm variant due this week.
CERT's data underlines the scale of the challenge faced by Microsoft on security, four years into the company's highly publicized Trusted Computing initiative.
Despite posting fewer vulnerabilities than its Unix and Linux challengers and Microsoft going out of its way to talk up its "progress" in security in 2005, it is attacks on Windows that still cause more concern and generate most headlines.
The reason is that, unlike Linux, Windows has greater potential to cause harm because of its presence on desktops in the hands of users who receive self-propagating worms, click on email attachments and download malicious code. And it seems that just as each hole is fixed, a new vulnerability is unlocked elsewhere in the vast Windows code base.®
http://www.theregister.co.uk/2006/01...lnerabilities/
Any thoughts?
01-05-2006, 10:06 PM
#2
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Key word is "reported". It's a well-known fact that most Windows vulnerabilities are never reported publicly. And even when they are reported, it's usually only after a fix is available, in some cases leaving customers unwittingly vulnerable for months between discovery and the fix's release. All CERT's study truly reveals is that ignorance is still bliss.
01-05-2006, 10:06 PM
#3
Senior Member
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555
I would question whether all 2,238 vulnerabilities applied to each distro. For instance, did Gentoo suffer from all of those, or was that a collective number from each distro? Another question is: were those 2000 vulnerabilities 'kernel vulnerabilities' or software packages? You can't blame Linux if your vixie-cron daemon had a vulnerability, unless you also count Windows programs that were installed after the operating system.
01-05-2006, 10:24 PM
#4
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
As proof, here's an old incident of a serious vulnerability that MS kept quiet about for months and only disclosed publicly because word leaked out about it:
"Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available."
FROM: http://news.zdnet.com/2100-1009_22-5158625.html
Linux's open nature encourages full disclosure of vulnerabilities, and that's a positive in my book. MS' customers are treated like mushrooms: kept in the dark and fed boolshiat like CERT's.
01-05-2006, 11:46 PM
#5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Also, that report is comparing Windows against Linux/Unix, which includes (if you look at the vulns) Mac OS X, FreeBSD, OpenBSD, HP-UX, AIX, Solaris, SCO UnixWare, and several Linux distros. There also appear to be multiple entries counted for the same vuln in different Linux vendors. So I think you need to be careful about what kind of conclusions you try to draw from that report.
01-06-2006, 07:50 AM
#7
Senior Member
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
You'll also note that lots of the CERT "unix/linux" vulnerabilities are in software that few people use and that isn't grouped with any distributions by default. For example, there is an IMAP server available through apt that is still in testing and isn't thought to be secure, and CERT has something like 100 vulnerabilities from that program listed.
01-06-2006, 11:10 AM
#8
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
01-06-2006, 04:11 PM
#9
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by fancypiper
Also, check to see who sponsored the study. If it is sponsored by MSFT, they are well known for this type of FUD.
I don't believe it was sponsored by anyone, especially not by Microsoft. In fact, most vuln reporting mailing lists group their bug reports in exactly this format (Windows as one category and Unix/Linux lumped together as another). So I don't think there is any intentional deceit on the part of CERT. It's just that the people reporting on this and using it as evidence that Linux/Unix is somehow less secure are morons.
01-06-2006, 04:27 PM
#10
LQ Guru
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141
I don't recall CERT doing anything except listing vulns, but:
Who is paying the reporter?
I know I have seen the same thing reported every year since I discovered Linux, not all using CERT as their source, but several reports I have seen were based on studies financed by MSFT, some of which made it very difficult to "follow the money".
I think I probably stated my response poorly after re-reading it.
Prednisone and morphine (which I have to take) aren't great memory boosters.
01-06-2006, 04:55 PM
#11
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by fancypiper
Who is paying the reporter? I know I have seen the same thing reported every year since I discovered Linux, not all using CERT as their source, but several reports I have seen were based on studies financed by MSFT, some of which were very difficult to "follow the money". I think I probably stated my response poorly after re-reading it.
Ahh, I see what you were getting at now... and I have seen the Reg posting troll articles recently.
01-06-2006, 10:48 PM
#12
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
I'm going to close this thread, as we have an identical one in the General forum. Feel free to post comments there:
http://www.linuxquestions.org/questi...d.php?t=399623
//Thread Closed