Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:From Secunia
If you went as far as looking up the counts on Secunia then why didn't you take it one click further and look at the number of unpatched vulnerabilities and the criticality of the vulnerabilities?
Yes, simply counting vulnerabilities is idiotic, but for you to then claim that Linux is not any more secure than Windows is disingenuous, at best. Take a look at the stats!
http://secunia.com/product/22/?period=2005#statistics
http://secunia.com/product/16/?period=2005#statistics -
Re:a nugget of wisdom
Count the number of IIS exploits vs Apache and correlate to the number of installations. If your logic held, there should be many many more exploits out there for Apache.
IIS 6 has had all of two vulnerabilities reported in the last two years, neither of which was exploitable -- that means zero exploits for IIS 6. During the same period, Apache 1.3.x has had fourteen, at least one of which was actually exploited by a worm, and Apache 2.0.x has done even better, with twenty-seven. -
Re:a nugget of wisdom
IIS (2) vs. Apache (29)
-
Re:MOD PARENT UP
Yes, let's compare IIS to Apache.
IIS6 has had 2 vulnerabilities since its inception three years ago. The most serious of which could allow someone to DOS the webserver.
http://secunia.com/product/1438/
Apache has had 29 vulnerabilities, 27 within the same timeframe as the IIS6 comparison. The worst of which allowed for full system access.
http://secunia.com/product/73/
If you want to step back in time, IIS5 had 13 vulnerabilities and IIS4 had 6. Apache 1.3.x had 17.
IIS seems less secure because of a handful of very public exploits, all of which happened typically months after the necessary patch was released.
It's not the underlying product, it's the accessibility and maturity of the tools available for compromise. In the case of Windows there are a great number of kits already assembled and ready to go that simply need an attack vector. Once a single buffer overflow is discovered people can insert their favorite malware code into the exploit and fire away.
It's also mindset. Sitting back and claiming that Apache is invincible is the mindset that leads to compromise. Overconfidence often leads to complacency in both architecture and administration. I've run both IIS and Apache servers for close to a decade. I treat both like people are just waiting to get in and muck things up and in that time I've never had a single compromise. Nimda and CodeRed bounced right off. -
Re:Browser appliance
Too bad there was a VMware vulnerability just a week ago that allows a guest to execute arbitrary code on the host system.
-
Firefox opens wma and wmv files...
I may be a bit paranoid but I'd like to turn off images and video for a few days until this ".wmf" issue is resolved.
".wma" and ".wmv" file extensions seem closer to the ".wmf" extension than ".jpg" or ".tif" extensions, so they may also be loaded by programs that open ".wmf" files only to read the internal label and execute the malicious code.
I unchecked the box called "load images" in Firefox, but animated web sites still come up. So I reinstalled Firefox (also deleting the directory) to try to return to Firefox's original default settings, but my settings were still active. Apparently, Firefox saves personal settings in the registry even after it is uninstalled.
Security web sites seem to be of little help:
Secunia, Kaspersky strongly caution against opening any untrusted *.wmf files
http://secunia.com/advisories/18255/
http://www.viruslist.com/en/alerts?alertid=176701669
VNUNet.com says Firefox will first ask the user before opening the file.
http://www.vnunet.com/vnunet/news/2147909/hackers-attack-zero-day-windows
Pete Lindstrom, research director for Spire Security LLC, said,
"There's no such thing as 'extremely critical' when user interaction is required. [...] That's just silly."
Lisa Vaas of eweek.com says "Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether."
http://www.eweek.com/article2/0,1895,1906177,00.asp
Jay Wrolstad at CIO-Today says, "Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library".
http://www.cio-today.com/news/Flaw-Detected-in-Windows-Metafile/story.xhtml?story_id=131004IKPNAU
Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
http://www.eweek.com/article2/0,1895,1906489,00.asp -
Why is this worthy of posting?
-
Re:TCPA/TPM/TCG won't fix OS or application bugs,
That depends. In a server environment you could even forbid scripts from running unless they are signed and checked.
Ever heard of security bugs that allow someone to execute code without having permission to do so? Buffer overflows are only an example of those bugs. http://secunia.com/ is full of them. The TPM won't protect from all these bugs, it's not a magical wand.
Won't help, a TPM checks each time an application is executed and doesn't permit anything to write to the app's program area after the initial load.
Obviously you don't know what a TPM is. The definition of a TPM comes from TCPA/TCG. It is mainly a device used to store cryptographic hashes. What you are talking about here is much more along the lines of the NGSCB/Palladium OS from Microsoft. But it won't be a magical tool able to remove all bugs!
Think about it, any non-minor bug that can be voluntarily triggered can be a security hole, at least for a denial of service, and often for tampering with data or getting access to forbidden data. You don't always need to execute arbitrary code in order to do harm to a system. -
Re:Defending TCPA, not for holes from remote
TPMs are going into corporate laptops, because they let the IT dept lock down the box against spyware, trojans and end users.
If they blindly trust the TPM to protect against all security holes and bugs, they should get another job.
The TPM won't prevent the users putting at risk corporate information when they use IE:
http://secunia.com/product/11/
Same thing for all applications and OS that have critical remote holes. And they are many. -
Re:You speak of momentum.
http://secunia.com/advisories/14792/
PHP 4.3.10 is still used all over the place. -
The patch that was 22 months in the making
It's rather interesting how long some of the fixes took.
Download dialog ... 6 months
Keyboard shortcut ... 7 months
COM corruption ... 3 months (fixed last month?)
window() code execution ... 6 months
It's like getting two years of fixes in one
... -
Why is Internet Explorer so vulnerable?
If Microsoft is the richest software company in the world, why is Internet Explorer possibly the most vulnerable software on earth?
-
Of course
As a security researcher, I can say without hesitation: of course the threat is credible. The vulnerabilities are here, each day a dozen of them are discovered in major applications [1]. And competent security researchers exist around the world (e.g. 75% of Windows vulnerabilities are discovered by external independent researchers [2]).
Now the only reason why cyber terrorism is not more frequent and more harmful (it is almost inexistent but it *does* exist) is the relatively few number of black hats (bad guys) compared to the huge number of white hats out there, and probably also the lack of motivation of the potential attackers.
[1] Look at this graph.
[2] Look at the credits in MS security bulletins. -
Firefox vs IE...
I agree that it's valid to criticise IE for a lull in development once they won the browser war and ousted Netscape. I also think the competition between Firefox and IE is ultimately great for the consumer, since it has sparked a new emphasis in feature development for all the major browsers. This article seems to take it to an unwarranted extreme however, as the latest IE (particularly through SP2 and the optional MSN Toolbar) developments have added a lot in terms of security, for example the new anti-phishing filter. Also, Firefox has more than its share of critical vulnerabilities listed on Secunia, including more than a few that were as big of a deal as the recent IE exploit.
-
Re:I think you do not know what year means
When you researched your post, maybe you didn't realize this "bug" was for the Mozilla Suite or possibly for the Gecko engine.
Okay, I stand corrected, the bugs are in Gecko or Mozilla. However since they're both open source and have bugs over 5 years old then my point that open source doesn't necessarily mean faster bug fixes still stands.
Regardless, since the article said all Firefox security issues had been patched...
To be fair, I never used the word "security" in my posting as I wasn't referring to that but rather that bugs are fixed quicker in the open source model (which may be generally true, but Slashdot always loves an exception to that rule).
However if you want to talk security, according to Secunia, Firefox 1.x has 3 outstanding and Mozilla 1.7.x has 3 outstanding security issues.
I'm not in a position to confirm whether or not they have been patched in the latest version but until another reputable site can confirm that they're closed, then this is the best I (and other people) have to go on.
...I think maybe you just made it all up.
See here and here for two examples.
That's OK, most posts come out of people's posteriors.
Yours too, so it would seem. At least I am capable of being civil when replying to a posting.
-
my take
While comparing these things is difficult at best, try (for example) Secunia's relevant product pages:
Advisories (2003-2005) OSX 57 & XP Pro 102
As for vendor patches Apple is at 100%... not bad.
(XP Professional) http://secunia.com/product/22/
and...
(Mac OS X) http://secunia.com/product/96/
Is any system perfect... no (even OpenBSD admits to 1 hole in 8 years), but Apple does make it as painless as possible. -
Re:How long ...
Has already happened, happens often, and will happen again, in many anti virus products, including MS's.
-
Good ole' 2002
Here's one from the article flagged: "Less critical" from 2002: SA7127 Check out the first paragraph of this 'less critical' item's description.
By the way, when I read a statement like this one:
If smaller software companies can patch all of their bugs serious or minor, why can't Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?
I start thinking there ought to be some kind of credibility (karma) system for anyone giving public opinions. You know, give the article '-1', give the guy 'Terrible Karma'. Make all his subsequent articles disappear for you, or even better, replace the article with a 'joke of the day', you know, to dilute the real news a bit. -
Re:Actually...
I remember that one. The reason why they downgraded it is not because they fixed the vulnerability, but because according to Secunia's definitions, the only difference between a Highly Critical and Extremely Critical vulnerability, is that the latter has a working PoC or exploit in the wild. From Secunia's webpage:
Extremely Critical:
Typically used for remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild.
These vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers.
Highly Critical:
Typically used for remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure.
Such vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers. -
Actually...
Yes it has. The vulnerability was found by me, Paul from Greyhats Security, and disclosed responsibly to Mozilla. However, a mistrusted individual leaked the vulnerability details, which quickly made their way to security websites. Secunia rated the flaw as Extremely Critical, but later dropped the rating to Highly Critical due to the fact that Mozilla changed their servers in order to render the proof of concept ineffective, even though the core vulnerability was still in the browser, and in theory could have been updated to work again.
The bug details can be found either at Secunia or at my site. The URLs for the advisory are posted below.
Secunia: http://secunia.com/advisories/15292/
Greyhats Security: http://greyhatsecurity.org/firefox.htm
Just wanted to clarify that for you :) -
Extremely Critical Firefox Vulnerability
From 2005-09-20: Firefox Command Line URL Shell Command Injection
-
Re:The test is bad
I agree -- just because I thought that 3 of the legitimate emails were phishing scams doesn't mean that I can't flag 100% of phishing emails as fraudulent!
However I doubt that you will learn much more by looking at the headers and html source of the email (except that might make it easier to identify links that are abusing email client vulnerabilities to spoof the link destination)
The one that threw me was the legitimate Capital One email -- they are actually asking clients to click on a link that goes to capitalone.bfi0.com !
People still need to learn never to trust links in any email. -
Question "root source of vulnerability"
Microsoft said Spooler was most likely just a DoS. Immunity Inc. let people know that was not true; the Spooler vuln was reliably exploitable remote root code exec & working exploit code was clearly in existence prior to or at least at the time of patch release.
At the time, a few months ago now Dave Aitel from Immunity Inc. said "Linux vulnerabilities are a thousand times harder to exploit than Windows vulnerabilities", and "'many eyes' have reduced Linux to a fished out pond, whereas things like strncpy() bugs are highly likely to still be around in remotely accessible (Microsoft Windows) components."
The following link seems to suggest that Microsoft (as of q3 2005) did not understand or worse misrepresented the "root source of vulnerability" for Spooler; a critical security risk. Perhaps one could argue that Linux style patch transparency would have made that vulnerability/exploit far more publicly visible and would have resulted in fewer people being misled into believing it was a less severe risk (only a DoS, hah).
http://archives.neohapsis.com/archives/dailydave/2005-q3/0221.html
How much value do you place in the fact that Linux patches are always made available in source code form? Do you think that those "many eyes" Aitel talks about bring greater scrutiny to Linux bugs when they become publicly known? Do you think the nature of Linux patches results in a better or worse understanding of vulnerabilities and true risks?
http://secunia.com/product/22/
Currently, 27 out of 122 Secunia advisories (for Windows XP Professional) are marked as "Unpatched" in the Secunia database. -
I tried it...
Wireless Connection Status > Properties > Internet Protocol > General > DNS
I set it to one of their nameservers.
The funny thing is, their little image ( http://www.unifiedroot.com/registrars ) now shows me a "You have access to whole internet" (yeah, like I'd actually care about the 0.0 percent of the web that uses their registrar) but URLs like http://schiphol/ don't seem to work... Anyone else try?
By the way, unless you want to lock out 90% of all possible customers, you'll probably keep your old domain name running (I know Schiphol has).
The Yahoo article is very biased for the move, but the "clinched deals with most ISPs in Turkey" is quite major. This could mean a greater fragmentation of the internet... we know countries can do it, we know that China has done it.
This will only make those working on the cookie problem ( https://bugzilla.mozilla.org/show_bug.cgi?id=252342 and http://secunia.com/advisories/12580/ )... now who's the top level, and at what level do we trust cookies? Choices, choices... -
Negatives of IE
Firefox has a lot of positives, but sometimes people really need a good reason to change. Some people won't change for some new features.
I think this is a really good reason not to use IE
The fact that gaping vulnerabilities like these are found in a closed source browser like IE all the time and yet remain unpatched is one of the most convincing arguments to lead people away from IE.
-
uh, IE? duh.
http://secunia.com/product/11/
This is why. 1D10T user. -
Re:Mozilla can advertise all they want
If you can view adbanners, you can nab a virus/malware/spyware via a web-browser program!
Yes, believe-it-or-not, it's been known to happen & was even reported here on slashdot in the past quite a few times the last 2-3 years now.
See here for more potential vulnerabilities found in FireFox in the past, & also its plugins, such as the "greasemonkey" one that made 'big headlines' in the past, e.g.'s:
http://secunia.com/advisories/16911/
http://it.slashdot.org/it/05/07/19/143241.shtml?tid=154&tid=172
http://www.eweek.com/article2/0,1895,1838261,00.asp
http://www.theregister.co.uk/2005/09/12/mozilla_idn_fix/
(And, there are others, those are just examples... as well as the initial point I made about adbanners having been shown to harbor malware/spyware inserts into your OS as well in the past 2-3 years now a few times already).
Sure, many of them have been patched (as far as internal-to-FireFox code itself), but what about those plugins as well?
(I'd say, it's a GOOD bet that more will popup in the browser extensions FireFox has available for it, unfortunately... part of the "growing pains" of this browser, and a note about the 'danger' of 3rd party extensibility tools. ActiveX didn't come out as planned for IE either, so-to-speak, security-wise outside of Intranet usage & then probably not 110% totally safe either).
APK
P.S.=> Personally, though I think FireFox is excellent work & has come a LONG ways (since "FireBird" etc. builds of it), Opera 8.51 is my web-browser choice, since Opera's typically been shown to be faster:
http://www.howtocreate.co.uk/browserSpeed.html#win
And, also it seems that Opera has always been less subject to online vulnerability vs. BOTH FireFox &/or IE, period, as well as being consistently a faster/better performer year in & year out... apk -
Re:Aw, "penguins" can't take it! Their OS lost aga
"I'm unable to find any statistics for 2005, but back in 2000, Linux accounted for 36% of webservers, and Windows only 21%, according to Netcraft. It's likely that this hasn't changed." - by arevos (659374) on Tuesday November 22, @07:43AM
Oh, really? Read this, from TODAY:
http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html?source=rss&url=http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html
"Sales of Windows systems accounted for 36.9 percent of all server revenue in the quarter, versus 31.7 percent for Unix and 11.5 percent for Linux (Overview, Articles, Company), Eastwood said. Enterprises increasingly are using Windows-based servers for applications such as ERP (enterprise resource planning) in addition to traditional uses such as e-mail and Web hosting. Migration from Windows NT to newer versions of Windows also is driving sales, he said."
That good enough for you? I think so!
"Windows is certainly more compatible with hardware and the majority of software binaries about, but more versatile? In what way?" - - by arevos (659374) on Tuesday November 22, @07:43AM
Well, for one, apparently for end users (since a good 95-99% of systems that are desktops/laptops in BOTH corporate/business AND home users are Windows, & most likely 2000/XP/Windows Server 2003 by now).
Secondly, read that quote - seems @ the server level? Windows Server 2003 is 'rocking the planet' vs. its competition, period.
And, lastly, how you mention... can't you understand what you JUST said? It only seconds my viewpoint!
* :)
"But the bug reports from Secunia, which is not sponsored by Microsoft or Linux, show quite clearly that Windows Server 2003 and SQL Server 2000 have more known vulnerabilities than Redhat and Oracle. How can Windows Server 2003 be more secure when it is clear that it has more vulnerabilities?" - - by arevos (659374) on Tuesday November 22, @07:43AM
You should take a look @ ALL the kernel level vulnerabilities Linux has, right here, & tell us all what you just did:
http://secunia.com/search/?search=Linux+Kernel&w=0
And, from the SAME site you seem to worship, no less... some are "remoteable" exploits, other not classified as such, but are 'local' in nature (many of them remain unpatched as well).
The thing about 'local' exploits is, that once you run an app that has a buffer overflow exploit possible in it? It BECOMES LOCALLY EXPLOITABLE by remote users hijacking it, & under the user context in which you are logged on as... with ALL the corresponding privileges.
So, if said app with buffer overflow exists & gets exploited while you are running it as admin/superuser/root? You see the problem with calling ANY exploit "local" only!
(Better luck next time... lol!)
APK
P.S.=> And, to the guy that replied below me stating I didn't know what versatile meant? Wake up, read this post, ok?? apk -
Re:I believe it: OS' are getting solid
Some MORE info. for you, as to kernel level flaws in Linux (still year 2005 current on many of them):
http://secunia.com/search/?search=Linux+Kernel&w=0
BOATLOADS OF SECURITY FLAWS STILL EXIST IN LINUX, local & remote exploitable, period, with various ratings from "critical", "less critical", to "not critical" (although, this last one is subject to opinion & discussion imo).
NOW - And, as to the popularity of Windows Server 2003 vs. UNIX & Linux @ the server level currently? Here we go:
http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html?source=rss&url=http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html
"Sales of Windows systems accounted for 36.9 percent of all server revenue in the quarter, versus 31.7 percent for Unix and 11.5 percent for Linux (Overview, Articles, Company), Eastwood said. Enterprises increasingly are using Windows-based servers for applications such as ERP (enterprise resource planning) in addition to traditional uses such as e-mail and Web hosting. Migration from Windows NT to newer versions of Windows also is driving sales, he said. Server revenue grew faster than IDC's projection, which was for 6 percent growth, according to Eastwood. For the first time, you could say that Microsoft has its own legacy, and that legacy is NT," Eastwood said. How much of Windows' gain will be permanent is hard to say, he added. However, just two years ago, Windows servers were only 31.5 percent of the market, according to IDC. Gartner's figures showed Windows servers with more than 37 percent of the market, also in first place, according to analyst Joseph Gonzalez."
* That quoted/said? Well, what's growing the fastest CURRENTLY? Read the above, & weep!
APK
P.S.=> It's best to be informed, with current info., wouldn't you agree? In addition to that, there is documentation from legitimate 3rd party tests that show for instance, that Windows Server 2003 (SP#1 fully hotfix patched) + SQLServer 2000 (SP#3 with hotfixes) is more secure than Linux variants like Redhat + Oracle or MyPHP as DBEngines, & the funny part from that analysis was the fact that most of the vulnerabilities found weren't @ the DBEngine level, but @ the OS core/kernel level...apk -
Re:Aw, "penguins" can't take it! Their OS lost aga
You mean the Windows Server 2003 that has 8 unpatched vulnerabilities? That Windows Server 2003? And SQL Server 2000, which has a highly critical vulnerability?
Compared to something like Red Hat Enterprise Linux ES 4, which has 0 known vulnerabilities, or Oracle 7.x, which has 0 known vulnerabilities.
Funny how all the "independent" reports that claim Windows is more secure than Linux are funded by Microsoft. That's just such a coincidence. -
i show you mine, now show me your vulnerabilities
any script kiddie can use them to break into a Linux program (like SSL, SMBFS) whenever he wants to.
OK here are critical unpatched vulnerabilities for an up-to-date XP (anyone can use these now)
http://secunia.com/product/22/
for IE:
http://secunia.com/product/11/
Now show me the same critical unpatched flaws for Linux + openSSL + smbFS + Firefox ! -
unpatched known vulnerabilities, a big MS problem
unpatched and known (exploits) vulnerabilities are still a big MS problem: any script kiddie can use them to break into a MS program (like XP or IE) whenever he wants to. Any day, any time, you find plenty of these:
http://secunia.com/ -
Re:I agree!
Gentoo has significantly more vulnerabilities than Fedora, even if you add up all the vulnerabilities for all 4 cores (not that those raw numbers really matter in the end as long as they all get patched)
Well, first I'd like to reiterate what you already pointed out, that neither has unpatched vulnerabilities.
Second, you're comparing EVERY release of Gentoo ever to Fedora Core 4.0. Notice how Fedora Core 4.0 doesn't have any vulnerabilities before Feb 2005? That's because it didn't exist much before then.
You forgot the 186 patched vulnerabilities in FC 3, the 132 patched vulnerabilities in FC 2, and the 74 patched vulnerabilities in FC 1.
No, that 448 patched vulnerabilities is much less than the 746 vulnerabilities for Gentoo, but that's a stupid rubric anyway. 746 vulnerabilities covers the entire portage tree, whereas 448 vulnerabilities only covers those packages distributed on the RedHat installation media.
Keep your meta distribution, it's no skin off my nose. But at least attempt to make like comparisons in your arguments. -