For the last week, I’ve seen various headlines referring to a report from US-CERT that indicated 2005 had 5,198 security flaws reported. Out of those 2,328 were reported for Linux/Unix, 812 for Windows and 2,058 affecting more than one operating system. Now, I’m seeing all sorts of headlines about how Windows is more secure than Linux based on this report. (?!?) Did anyone reporting “windows more secure than linux/unix” actually read the report, look at some of the details and compare with the Technical Cyber Security Alerts?
What’s really ironic about all of this is that it came out at a time when we’ve been dealing with the WMF vulnerability, which in fact wasn’t a vulnerability as much as a “feature” of a file format Microsoft designed some time back. (The function has been in use in Windows since 1990.) This vulnerability was there for each of the last 15 years then, but was only discovered and exploited this year. How many unix/linux bugs can claim that kind of heritage?
OH, there’s so much to dissect about this. Hang on this may be a long article….
For starters the comparison of Windows vs. Unix/Linux bulletin breaks down as follows. (I’ll try and filter down to the Operating systems used. I may overlook some because it’s a long list….) For the linux/unix side I’m not going to read every bulletin, as many cover multiple distributions. I’ll pick out those unix/linuxes (linuces?) that are mentioned by name in the bulletin title. Some are not listed for a core OS problem, but for add-on software. There are similar “add-on” software bulletins for Windows.
Windows covers Windows 98, ME, 2000, XP and 2003
Linux/Unix covers: Apple OS X, Astaro Security Linux, Debian Linux, FreeBSD, Gentoo, HP-UX, IBM AIX, Mandrake Linux, OpenBSD, Red Hat Linux, SCO OpenServer, SGI IRIX, Sun Solaris, SUSE Linux… if you go reading the details of “multiple vendors” bulletins you’ll find a few more distributions, Kubuntu Linux, and so on.
So you can see this is a fair comparison, isn’t it? 5 operating systems with a lot of shared code had 812 bulletins, and 14 or more operating systems with varying release policies and varying amounts of shared software and code had 3 times as many bulletins, or 2,328…. not bad at this point considering we’re looking at, at least, 3 TIMES AS MANY operating systems in the comparison. (There are many distributions listed in the details that don’t get listed in the count I used above.) However…. let’s look at some more details.
I see a few duplicate advisories in the Windows list. One example is “Microsoft Agent Could Allow Spoofing”; this shows up twice. Once with the initial US-CERT bulletin, then again when the Microsoft advisory came out with a patch. In this case, they both refer to the same CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1214. Some entries are duplicated 5 or more times. If you compare the duplicates in the Windows category to those in the Linux/Unix category, though, you’ll find there is MUCH more duplication. Here’s an example:
Clam Anti-Virus ClamAV Remote Denial of Service: the first entry shows multiple operating systems affected: Gentoo, Mandrake, SUSE (various versions of each); the next copy adds Trustix, another copy adds Conectiva and yet another adds ALT Linux, FOR THE SAME VULNERABILITY. I’m not talking about a vulnerability that has been discovered to be more serious either. All are rated low and are simply reported multiple times when the vendors issue their own bulletins. I saw some duplicated as many as 12 times. It’s especially tedious browsing the “multiple distributions linux kernel” part of the list.
Now some things should legitimately be counted multiple times in this type of comparison, such as when a vulnerability is re-analyzed and is found to be more serious. But the fact that 8 distributions put out a bulletin about the same bug does not mean that linux is more dangerous than windows when Microsoft releases 3 bulletins (some covering multiple bugs) in the same amount of time.
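To make the counting problem concrete, here is an added example (not part of the original post, and not US-CERT’s data or method) that folds vendor re-announcements of the same bug into one entry before comparing operating system families. The bulletin records are constructed to mirror the two patterns described above: the Microsoft Agent identifier is the one quoted in the post, every other identifier is a placeholder, and the vendor names are just the ones the post mentions.

```python
from collections import Counter, defaultdict

# Constructed sample bulletins (not data from the US-CERT report). They model
# the two patterns the post describes: one Microsoft Agent CVE listed twice
# (the US-CERT note, then Microsoft's own patched bulletin) and one ClamAV
# denial-of-service bug re-announced by six Linux vendors. The Microsoft
# Agent identifier is the one quoted in the post; the other identifiers are
# placeholders, and two kernel entries deliberately carry no CVE at all.
SAMPLE_BULLETINS = [
    {"title": "Microsoft Agent Could Allow Spoofing", "vendor": "US-CERT",
     "family": "Windows", "cve": "CAN-2005-1214"},
    {"title": "Microsoft Agent Could Allow Spoofing", "vendor": "Microsoft",
     "family": "Windows", "cve": "CAN-2005-1214"},
    {"title": "Windows Example Flaw", "vendor": "Microsoft",
     "family": "Windows", "cve": "CVE-PLACEHOLDER-WIN-1"},
    *[{"title": "Clam Anti-Virus ClamAV Remote Denial of Service", "vendor": v,
       "family": "Linux/Unix", "cve": "CVE-PLACEHOLDER-CLAMAV"}
      for v in ("Gentoo", "Mandrake", "SUSE", "Trustix", "Conectiva", "ALT Linux")],
    {"title": "Linux Kernel Example Flaw", "vendor": "Red Hat",
     "family": "Linux/Unix", "cve": None},
    {"title": "Linux Kernel Example Flaw", "vendor": "Debian",
     "family": "Linux/Unix", "cve": None},
]


def bulletin_key(bulletin):
    """Identity used for de-duplication: the CVE id when one is present,
    otherwise the normalised title, so a bug announced before a CVE was
    assigned still collapses into a single entry."""
    cve = bulletin.get("cve")
    if cve:
        return cve.strip().upper()
    return " ".join(bulletin["title"].lower().split())


def raw_counts(bulletins):
    """Bulletins per OS family, counted the way the headline numbers were."""
    return dict(Counter(b["family"] for b in bulletins))


def unique_counts(bulletins):
    """Distinct vulnerabilities per OS family after folding duplicates."""
    keys = defaultdict(set)
    for b in bulletins:
        keys[b["family"]].add(bulletin_key(b))
    return {family: len(k) for family, k in keys.items()}


def duplication_report(bulletins, top=3):
    """Most re-announced bugs: (key, number of bulletins, vendors that issued one)."""
    vendors = defaultdict(list)
    for b in bulletins:
        vendors[bulletin_key(b)].append(b["vendor"])
    ranked = sorted(vendors.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(key, len(v), sorted(v)) for key, v in ranked[:top]]


if __name__ == "__main__":
    print("raw bulletin counts:   ", raw_counts(SAMPLE_BULLETINS))
    print("unique vulnerabilities:", unique_counts(SAMPLE_BULLETINS))
    for key, n, who in duplication_report(SAMPLE_BULLETINS):
        print(f"{key}: {n} bulletins from {', '.join(who)}")
```

On this constructed input the raw count reads 8 Linux/Unix bulletins against 3 for Windows, while the de-duplicated count is 2 against 2; the same fold applied to the real list is what the comparison above would need before the headline ratio means anything.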
Oh and by the way, the Windows WMF bug was not included in the listing. Yes, I understand that it’s exploitable under linux using Wine, so I guess now 20 distributions + Wine and CodeWeavers and probably TransGaming will put out bulletins, and Windows will yet again claim to be more secure because there was only one Windows bulletin and 23+ linux related bulletins on the issue.
Ok, so let’s look at the Technical Cyber Security Alerts from US-CERT. These are the breaking news, big problem, “danger Will Robinson” kind of alerts that herald serious vulnerabilities. According to Newsforge (I saw it, but I’ll trust their counting abilities…):
22 Technical Cyber Security Alerts were issued in 2005
11 of those alerts were for Windows platforms
3 were for Oracle products
2 were for Cisco products
1 was for Mac OS X
None were for Linux
Oh, well, I guess it’s time for the old “if linux had the market share windows had it would have as many security problems.” Well, let’s see: linux/unix is probably the most widely deployed server operating system in the world all told. Windows is the most widely deployed desktop operating system. Additionally, linux is open source and the source code can be broadly analyzed. Windows source code is closed, and vulnerabilities can’t easily be discovered by access to the code because it is simply not easy to get access to the code. I would be willing to bet that if Windows source code were opened up we would see at least a doubling in the number of security bulletins. I don’t know, I can’t prove it and it won’t happen, but that’s my opinion.
Further, it’s worth noting that CERT DIDN’T evaluate the numbers and say that Linux/Unix is more flawed than Windows. I’m SURE Microsoft will love to spin these numbers that way, but it just doesn’t stand up to analysis. Now, to be fair, the article cited in the last link did say that the CERT list doesn’t address the severity of the issues, or how quickly they were patched. A look at Secunia found the following:
CERT’s report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security provider Secunia, 124 of its security advisories relate to flaws in Windows XP Professional. Some 29 of these flaws are unpatched–which lands Microsoft’s operating system with a “highly critical” security rating.
In contrast, Red Hat 9 is covered by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. Suse Linux Enterprise Server 9 is covered in 91 advisories, but every one has been patched by the vendor. Both products get a “not critical” rating.
So which operating system is more secure? I think it’s easier to secure a linux system than a Windows system, but, truth be told, it all boils down to the administration of the system. Even the best security models can be undermined. I personally think Secunia’s analysis is a better way to compare the “relative security” of two products. I like their rating of severity and keeping track of unpatched vulnerabilities.
Am I biased? Yes, I use linux and I think the open source approach is a better way to build software. I’ve been impressed with the responsiveness and quick turnaround of patches to open source projects, and I’ve been impressed with how seriously MOST open source projects take potential security advisories, whether an exploit exists or not. Some vendors don’t seem to take such “possible vulnerabilities” as seriously unless there is an active working exploit.
To sum up, I don’t think the headline that most people took away from this summary of the year’s security bulletins says it all. Unfortunately many will read into it what they want and, much as was the case with the reporting on the WMF exploit, there can be a lack of depth.