For the last week, I’ve seen various headlines referring to a report from US-CERT that indicated 2005 had 5,198 security flaws reported. Out of those, 2,328 were reported for Linux/Unix, 812 for Windows and 2,058 affecting more than one operating system. Now, I’m seeing all sorts of headlines about how Windows is more secure than Linux based on this report. (?!?) Did anyone reporting “windows more secure than linux/unix” actually read the report, look at some of the details and compare with the Technical Cyber Security Alerts?
What’s really ironic about all of this is that it came out at a time when we’ve been dealing with the WMF vulnerability, which in fact wasn’t a vulnerability as much as a “feature” of a file format Microsoft designed some time back. (The function was in use since 1990 in Windows.) This vulnerability was there for each of the last 15 years then, but was only discovered and exploited this year. How many unix/linux bugs can claim that kind of heritage?
OH, there’s so much to dissect about this. Hang on, this may be a long article….
For starters the comparison of Windows vs. Unix/Linux bulletin breaks down as follows. (I’ll try and filter down to the Operating systems used. I may overlook some because it’s a long list….) For the linux/unix side I’m not going to read every bulletin, as many cover multiple distributions. I’ll pick out those unix/linuxes (linuces?) that are mentioned by name in the bulletin title. Some are not listed for a core OS problem, but for add-on software. There are similar “add-on” software bulletins for Windows.
Windows covers Windows 98, ME, 2000, XP and 2003
Linux/Unix covers: Apple OS X, Astaro Security Linux, Debian Linux, FreeBSD, Gentoo, HP-UX, IBM AIX, Mandrake Linux, OpenBSD, Red Hat Linux, SCO OpenServer, SGI IRIX, Sun Solaris, SUSE Linux… if you go reading the details of “multiple vendors” bulletins you’ll find a few more distributions, Kubuntu Linux, and so on.
So you can see this is a fair comparison, isn’t it? 5 operating systems with a lot of shared code had 812 bulletins, and 14 or more operating systems with varying release policies and varying amounts of shared software and code had 3 times as many bulletins, or 2,328…. Not bad at this point, considering we’re looking at at least 3 TIMES AS MANY operating systems in the comparison. (There are many distributions listed in the details that don’t get listed in the count I used above.) However…. let’s look at some more details.
I see a few duplicate advisories in the Windows list. One example is “Microsoft Agent Could Allow Spoofing”; this shows up twice: once with the initial US-CERT bulletin, then again when the Microsoft advisory came out with a patch. In this case, they both refer to the same CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1214. Some entries are duplicated 5 or more times. If you compare the duplicates in the Windows category to those in the Linux/Unix category, though, you’ll find there is MUCH more duplication. Here’s an example:
Clam Anti-Virus ClamAV Remote Denial of Service: – first entry shows multiple operating systems affected: Gentoo, Mandrake, Suse (various versions of each), the next copy adds Trustix, another copy adds Conectiva and yet another adds Altlinux FOR THE SAME VULNERABILITY. I’m not talking about a vulnerability that has been discovered to be more serious either. All are rated low and are simply reported multiple times when the vendors issue their own bulletins. I saw some duplicated as many as 12 times. It’s especially tedious browsing the “multiple distributions linux kernel” part of the list.
Now some things should be legitimately counted multiple times in this type of comparison, such as when a vulnerability is re-analyzed and is found to be more serious, etc. But the fact that 8 distributions put out a bulletin about the same bug does not mean that linux is more dangerous than windows when Microsoft releases 3 bulletins (some covering multiple bugs) in the same amount of time.
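To make the counting problem concrete, here is an added example (not part of the original post or of the US-CERT report) that tallies bulletin rows raw and then once per vulnerability, counting an entry again only when it raises the severity. Only CAN-2005-1214 and the ClamAV “low” rating come from the text above; the placeholder ids, the kernel entry and the other severities are constructed.

```python
from collections import Counter

# Constructed sample rows shaped like the bulletin summary discussed above:
# (category, vulnerability id, title, reporting source, severity).
# PLACEHOLDER-* ids are not real identifiers; they stand in for ids the post
# does not give. The "medium"/"high" severities are constructed as well.
BULLETINS = [
    ("windows", "CAN-2005-1214", "Microsoft Agent Could Allow Spoofing", "US-CERT", "medium"),
    ("windows", "CAN-2005-1214", "Microsoft Agent Could Allow Spoofing", "Microsoft", "medium"),
    ("unix", "PLACEHOLDER-CLAMAV", "ClamAV Remote Denial of Service", "Gentoo/Mandrake/SUSE", "low"),
    ("unix", "PLACEHOLDER-CLAMAV", "ClamAV Remote Denial of Service", "Trustix", "low"),
    ("unix", "PLACEHOLDER-CLAMAV", "ClamAV Remote Denial of Service", "Conectiva", "low"),
    ("unix", "PLACEHOLDER-CLAMAV", "ClamAV Remote Denial of Service", "ALTLinux", "low"),
    ("unix", "PLACEHOLDER-KERNEL", "Constructed kernel flaw", "vendor A", "low"),
    ("unix", "PLACEHOLDER-KERNEL", "Constructed kernel flaw", "vendor B", "high"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def raw_counts(rows):
    """Count every row, the way the headline numbers were produced."""
    return Counter(category for category, *_ in rows)


def adjusted_counts(rows):
    """Count each vulnerability once per category, and once more each time
    a later entry re-rates it as more serious than anything seen so far."""
    worst_seen = {}
    counts = Counter()
    for category, vuln_id, _title, _source, severity in rows:
        key = (category, vuln_id)
        rank = SEVERITY_RANK[severity]
        if key not in worst_seen or rank > worst_seen[key]:
            counts[category] += 1
            worst_seen[key] = rank
    return counts


if __name__ == "__main__":
    print("raw:     ", dict(raw_counts(BULLETINS)))
    print("adjusted:", dict(adjusted_counts(BULLETINS)))
```
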
Oh, and by the way, the Windows WMF bug was not included in the listing. Yes, I understand that it’s exploitable under linux using Wine, so I guess now 20 distributions + wine and codeweavers and probably transgaming will put out bulletins and windows will yet again claim to be more secure because there was only one windows bulletin and 23+ linux related bulletins on the issue.
Ok, so let’s look at the Technical Cyber Security Alerts from US-CERT, these are the breaking news, big problem, “danger will robinson” kind of alerts that herald serious vulnerabilities. According to Newsforge, (I saw it but I’ll trust their counting abilities…)
22 Technical Cyber Security Alerts were issued in 2005
11 of those alerts were for Windows platforms
3 were for Oracle products
2 were for Cisco products
1 was for Mac OS X
None were for Linux
Oh, well, I guess it’s time for the old “if linux had the market share windows had it would have as many security problems.” Well, let’s see, linux/unix is probably the widest deployed server operating system in the world all told. Windows is the most widely deployed desktop operating system. Additionally, linux is open source and the source code can be broadly analyzed. Windows source code is closed and vulnerabilities can’t easily be discovered by access to the code because it is simply not easy to get access to the code. I would be willing to bet that if Windows source code were opened up we would see at least a doubling in the number of security bulletins. I don’t know, I can’t and we won’t, but that’s my opinion.
Further, it’s worth noting that CERT DIDN’T evaluate the numbers and say that Linux/Unix is more flawed than windows. I’m SURE Microsoft will love to spin these numbers that way, but it just doesn’t stand up to analysis. Now, to be fair, the article cited in the last link did say that the CERT list doesn’t address the severity of the issues, or how quickly they were patched. A look at Secunia found the following….:
CERT’s report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security provider Secunia, 124 of its security advisories relate to flaws in Windows XP Professional. Some 29 of these flaws are unpatched–which lands Microsoft’s operating system with a “highly critical” security rating.
In contrast, Red Hat 9 is covered by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. Suse Linux Enterprise Server 9 is covered in 91 advisories, but every one has been patched by the vendor. Both products get a “not critical” rating.
So which operating system is more secure? I think it’s easier to secure a linux system than a Windows system, but, truth be told, it all boils down to the administration of the system. Even the best security models can be undermined. I personally think Secunia’s analysis is a better way to compare “relative security” of two products. I like their rating of severity and keeping track of unpatched vulnerabilities.
Am I biased? Yes, I use linux and I think the open source approach is a better way to build software. I’ve been impressed with the responsiveness and quick turnaround of patches to open source projects and I’ve been impressed with how seriously MOST open source projects take potential security advisories, whether an exploit exists or not. Some vendors don’t seem to take such “possible vulnerabilities” as seriously unless there is an active working exploit.
To sum up, I don’t think the headline that most people took away from this summary of the year’s security bulletins says it all. Unfortunately many will read into it what they want and, much as was the case with the reporting on the WMF exploit, there can be a lack of depth.