Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Well, just another bug
No need to bring up just this bug, why not compare history for the last year on both IE6 and Firefox 1.x?
According to Secunia, during 2005 IE6 has had 11 advisories while Firefox 1.x has had 18.
Unfortunately I can't get the links to work properly (graphs come up blank), so take a look at the URLs yourself:
IE6: http://secunia.com/graph/?type=adv&period=2005&prod=11
Firefox 1.x: http://secunia.com/graph/?type=adv&period=2005&prod=4227
(you will have to copy and paste these URLs to make them work, it seems) -
Re:correction
Oh well, Slashdot breaks the links. Whatever. http://secunia.com/product/73/ and http://secunia.com/product/1438/
-
correction
"IIS 6.0 against Apache 2.0
-
Re:Inflammatory summary
The number of potential security holes is hard to imagine.
Oh, well, stop the FUD. That's what people said when the WHOLE SOURCE CODE of Windows 2000 was leaked. And how many holes were found? One. For Internet Explorer. Which only worked for old versions. Even if you consider that all the holes found affecting Windows 2k after that leak are due to the leak, that's a pretty low number for the WHOLE SOURCE CODE. If it's so buggy, where are all those obscure and hidden potential kernel holes, etc etc?
Microsoft CAN write secure code. Just compare IIS 6.0 against Apache 2.0 - yes, IIS looks great. They have the money so they can hire the best security people to review the code before going public if they needed it, period. -
Re:There's a tiny hole the size of an iceberg in y
Apache has 70% of the market, IIS has about 20%, yet the former has only two unpatched holes.
Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?
So Apache 2 has had 27 Secunia advisories, with 2 still unpatched, and IIS 6 has only had 3, of which one is still unpatched. Seems to support the GP's theory pretty well. Your point? -
Re:Winzip 8.0 is backdoor usable by websites
Do you just make up statements like that?
http://secunia.com/product/566/
I see nothing in there about "going to a website causes virus infection." Do you set your browser up to automatically download and execute .zip files? If so then I can see your problem, however I don't do that, so it's not really an issue. As for PDF vulnerabilities, the odds that I might execute a malicious PDF are far smaller than the odds that I'll be aggravated by Acrobat 7's spyware-laden bloat. There's just no reason to require a net connection and a 25 meg program to read a 1 meg PDF. I open maybe 10 PDFs a year, and most of them are from "reputable" sources. If I have to choose between choosing who to trust, and offloading that choice to Adobe, the choice is clear.
In short, as I said in my original post, the new "features" of the newer versions don't outweigh their annoyances. If they are more prone to exploits then I'll just be that much more careful. -
Winzip 8.0 is backdoor usable by websites
You say you use Winzip 8.0? Hmm, hit the right website and you get infected with a virus. You need to be on the latest 9.x release to prevent this.
See the details:
http://secunia.com/search/?search=winzip
Same thing with Adobe Reader:
http://secunia.com/advisories/16466/
Good luck. I wouldn't want to be your bank. -
Re:Sounds like . .
Yes, they had vulnerabilities - but they're all fixed.
Secunia links:
Firefox - 14% unpatched, 'Less critical'
Opera - 0% unpatched, not rated (possibly an error)
Internet Explorer - 29% unpatched, 13% partial fixes, 'Highly critical'
Safari - 0% unpatched, yet 'Less critical'
Of course my above post was modded down for saying that a commercial product is better than an F/OSS product, but that doesn't make it less true.
Opera is more safe than other browsers, end of story. Yes, greymagic has a list of known vulnerabilities - that have all been patched. No dice.
It would be a valid point if they released new fixes bi-weekly as new exploits were discovered - but that's not the case. It's on 8.02 now.
If you don't want to pay for the browser, fine. If you can live with a small banner, it's actually free.
I am, however, writing this from my preferred browser, Firefox. Opera is safer, but Firefox has better expansibility, and it has the plugins I like. -
IE Only == ActiveX
You don't need any high profile announcements or other such declarations to convince them, just point them to this info:
- The only thing they can use to make an IE only web application is ActiveX and tell them how vulnerable THAT is. You can use Secunia for that. The last thing they would want is government computer security being compromised by a script kiddie who has just enough skill to navigate BugTraq
- If in the future they wish to move to a non-Microsoft or even a non-Windows platform, they would experience first hand what vendor lock-in means
- If you make it standards compliant (with a few hacks, of course) it will be IE compliant anyway.
Hope that helps
-Jamal. -
Here's some news for you, chum.
First of all, Linux distros support every package on the system, not just the core files like MS update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 and Windows XP Pro 10.0, which hit the market at about the same time. Have a look at the amount of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!
-
Re:Look harder and assume less.
This is obviously not about the PHP Language itself as you are definitely looking at your alternative as better... While I can program Java, I can program Python, etc etc... I use PHP for the web, and in an enterprise environment at that! You claim PHP is the root of all evil, take a look at an operating system, whose job is it to make sure that any type of security hole is plugged? Yours. Next let's talk about scalability, PHP is highly scalable as long as you understand the structure and logic of the language, which is not like your current language. That is why it bugs you. Currently I have around 30 files that operate 70 websites (and no this is a single set they are not mirrored on all the sites). Pretty much they are mainly objects and a few controllers which the user can override the global scope in spite of their local scope for pages. The configuration is easy and SQL injections can happen in just about any language. Programming for the web I can pretty much show you vulnerable applications everywhere. This is not just a PHP thing. How about the infamous buffer overflows with Java? Had that one happen? This thread is mainly all opinionated with no factual history. And if you are going to call out something as huge security risks without providing a fact then you are just blowing steam up everyone for no reason. Get a job, learn more about secure computing, and stop trying to advocate other languages as better than this or that when it is simply opinionated without any benchmarks, security advisories, references. Now here's my turn. Java has security problems because people code them in according to your philosophy, as for the tutorial on writing secure PHP code... well here is one for Java: http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html
Meanwhile here are the latest records for programming languages (latest versions) PHP: http://secunia.com/product/3919/ ASP.NET: http://secunia.com/product/2173/ Java JDK: http://secunia.com/product/4621/ J2EE: http://secunia.com/product/2644/ Python: http://secunia.com/product/4604/ As for scalability: http://www.onjava.com/pub/a/onjava/2003/10/15/php_scalability.html http://www.oreillynet.com/pub/wlg/5155 There are numerous resources on the net on writing secure code for all programming languages, everything you mentioned in this entire "rant" is worthless and doesn't do anyone any good. Please go crawl back in your hole. -
My caustic response
Therefore, this notice seeks information whether any potential preregistration filers would have difficulties using Internet Explorer (version 5.1 or higher) to file preregistration claims, and if so, why.
Because your idiot monkey ASP programmer can't write a line of valid Javascript to save his life, that's why. I mean, how farking hard is it to do document.getElementById("name").value? No, 'document.forms.name.value' is stupid (even IE sometimes gets confused with that), and you're stupid for allowing your monkey to write it.
Yes, we know that you are forced to deal with govvy programmers, but this is one case where you really need to put out an RFP for some DEVELOPERS to code up your app.
Oh, and the 'why' is because IE is an insecure, low-tech POS.
-
Re:Lone Wolf?
FIREFOX: 3 less critical (including one only for Apple) and 1 moderately critical (part fix) http://secunia.com/product/4227/ IE: 6 Not critical, 6 less critical, 4 moderately critical; Part Fix: 5 Not critical, 1 moderately critical, 1 Extremely Critical http://secunia.com/product/11/ Also have a look at the amount of Extremely Critical vulnerabilities in both: 10 IE vs 0 Firefox. Hang on, what was your point again?
-
Re:Just as long as you have a 2:1 ratio
...of COURSE you're using IIS. It's far superior to Apache...
In what way? Seriously, I haven't heard anyone claim that for years, I'm very interested in what has changed...
Security?
And before you start rolling on the floor laughing, look here:
Apache 2.0 has had 25 advisories, of which 3 are still unpatched at the moment of this writing (one since March 2004)
IIS 6.0 has been affected by a grand total of 2 advisories, both patched. -
Re:It is not about "Windows"
...and this was modded insightful?
In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial exploits.
USB flash devices are being used to share lotsa things nowadays. I use them routinely as a floppy replacement (since most apps' files are just too damned big for a floppy anymore).
So I do everything right; I run as a limited user, not as Admin, lock my machine down tight and some co-worker comes up with a USB drive and says "Here, just grab a copy of the spreadsheet from this..." Pwned!
Too few actual exploits in Windows as of late to get up to the required quota perhaps?
No, there is no lack of those! Just take a look!
http://secunia.com/product/22/
Parent poster is a moron! -
Re:It's about time
Umm IIS6 has fewer exploits and no unpatched vulnerabilities compared to Apache 2.0.x which still has unpatched vulnerabilities.
Have you looked at the Apache security vulnerabilities? There was only one in 2005, and here is the link to the CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1387
It's not even about apache, it's about a third party apache-utils. That package isn't even part of my distro. i have no such script called check_forensics.
The only other unpatched issue with apache is this one:
http://secunia.com/advisories/11176/
Which is rated as non-critical. And it says it's confirmed for 2.0.46 and lower. The latest version is 2.0.54.
Regardless IIS6 & Apache have both been really good. A lot of IIS's reputation comes from IIS5, and let's face it, it is really well deserved. IIS5 is horribly insecure without first running the lockdown tool, which not all Win Admins do! -
Security
I want to know how Firefox devs plan to address security concerns with the browsers. It seems as Firefox gets more popular, the number of exploits keeps rising.
-
Re:It's about time
Surprisingly enough, IIS5, still in wide use, has unpatched vulnerabilities.
http://secunia.com/product/39/
Also, the only unpatched Apache exploit is an insecure temp file problem. Do you know of a decent-sized Apache-running website that allows rlogin from malicious users? That's why it's called less critical.
Also of interest is the comparison...Apache has more exploits or lesser criticality, and most require a mis-configured web-server before succeeding. Many IIS exploits are more severe, also succeeding on a properly-configured web-server. -
Re:It's about time
Umm IIS6 has fewer exploits and no unpatched vulnerabilities compared to Apache 2.0.x which still has unpatched vulnerabilities.
Please do some basic research before making comments on security.
-
Re:Same old cat but just in boots
Actually it's a moderately critical flaw. You are at risk only if you have enabled Remote Desktop, and are not using NAT.
Remote Desktop is disabled by default in every version of XP. Including SP2.
To be clear. The bug is in Remote Desktop not the Firewall. A denial of service. The Firewall has exceptions for Services like RDP, FTP, WWW, POP3; nearly all Firewalls have this except the most basic.
Given that Slashdot has been reduced to trolling about moderate flaws in Windows, I would say SP2 is a great success :) -
Re:Logical Fallacy
"The argument that a larger target leads to a more vulnerable system is flawed. Apache has > 60% marketshare, yet IIS has more vulnerabilities."
Bullshit. IIS6 has fewer vulnerabilities than Apache2.
IIS6:
http://secunia.com/product/1438/
(3 Vulnerabilities since 2003)
Apache2:
http://secunia.com/product/73/
(22 Vulnerabilities since 2003)
STOP SPREADING THIS LIE. Apache *does* have more security problems than IIS6. -
Re:Pure FUD
Secunia has data for XP Pro since Jan 03, so it's not exactly fair the way it is. Let's do some number fudging to find some "fair" info.
Of the three pieces of data you listed, total advisories and remote exploits can reasonably be turned into "per month" values. Unpatched doesn't make much sense as a "per month" (though you could indeed try if you wanted since the numbers would be VERY good for Debian) but does still make sense as a ratio of unpatched:patched as you listed. Remote exploits:total exploits also makes sense, and I'll be using it as well.
Let the number fudging begin!
XP Pro (data since Jan 03)
3.4 advisories / month
25% unpatched advisories
1.7 remote exploits / month
62% of all exploits are remote
Debian Sarge (data since May 05)
8.6 advisories / month
3.8% unpatched advisories (Secunia shows only 1 unpatched advisory for me... http://secunia.com/product/5307/)
6 remote exploits / month
69% of all exploits are remote
Debian Woody (data since Jan 03)
17.6 advisories / month
0.2% unpatched
11 remote exploits / month
62% of all exploits are remote
The reason I threw Woody into the picture is because Sarge has only been out since early June from what I can see on their site, so the data probably isn't very accurate yet. Woody being the earlier generation should provide a similar picture to Sarge, and has been tracked for just as long as XP.
As you can see, XP has very VERY few advisories released each month when compared to either Sarge or Woody (80% less than Woody). Obviously XP coming with nearly nothing helps that number, though less than 20% of the advisories would have to be from Debian itself (and not the applications included) to "beat" XP on this front.
As far as unpatched percentile goes, it's no contest. Debian SLAUGHTERS XP. 1 out of 26 for Sarge, and an even more impressive 1 out of 546 for Woody.
In the category of remote exploits per month, we see Windows ahead by the exact same margin as total exploits per month. This is because the next category (% of exploits that are remote) is nearly identical between all three OSes. ~60% (higher in the case of Sarge, but I'll bet that's just noise from its very low time since introduction) of all exploits are remote for each OS.
Looking at THESE numbers, it's not hard to say that XP is probably close to Linux in terms of how often vulnerabilities are found ("Better" or "Worse" lies in trying to ignore application-based vulnerabilities in the application-rich Linux). Furthermore, even a blind man could probably see that XP is light-years behind in terms of patching their problems.
Looking at OTHER numbers hurts the case for Windows more though =D
System access vulnerabilities: XP 50%, Sarge 35%, Woody 35%
"Extremely" or "highly" rated vulnerabilities: XP 36%, Sarge 15%, Woody 17%
I don't think XP is quite as secure as Linux yet (especially when 25% of all problems aren't patched, and you're twice as likely to stumble on a severe one), but it's not miles behind either. At the very least, it's much closer than any other version before, I'd be willing to bet. -
10 Minutes research shows more than article
If you go to Secunia and check their ratings of, for example, Microsoft Windows Server 2003 Enterprise Edition with, for example, SUSE Linux Enterprise Server 9, and RedHat Enterprise Linux ES 4, it looks like:
Microsoft: 7 less critical unpatched vulnerabilities
SUSE: 0 unpatched vulnerabilities
Redhat: 1 not critical unpatched vulnerability
My question is: Why didn't the article's author spend the 10 minutes of research I did? Granted, there's more to it than just grabbing summaries from Secunia. But, if the author couldn't even do that, how useful is quoting 'experts'? At least Secunia can make a believable claim to be unbiased.
As for 'neck and neck', 7-0-1 doesn't look 'neck and neck' to me. Unless, of course, it's Bill's FUD noose around my neck.
-
Neck and Neck? Whose neck?
If you spend any time at Secunia, you will find all of the leading Operating Systems listed.
One of the things you will notice, is that not all Operating Systems are created equally.
Windows XP is here
http://secunia.com/product/22/
and Redhat 9 is here
http://secunia.com/product/1343/
With the biggest difference being in HOW CRITICAL THE SECURITY DEFECTS ARE and HOW MANY ARE STILL UNPATCHED
Funny, that...
Windows and Linux neck and neck? Not according to these numbers. -
Opera is being left in the dust!
Microsoft releases patches for IE, Mozilla foundation releases patches for Firefox, why isn't Opera patching their browser?!
Oh yeah, 0 unpatched vulnerabilities. -
Re:despite being OSS...
..there has been no security audit that found this flaw.
Been at the crack pipe again? "Provided and/or discovered by: Tavis Ormandy, Gentoo Linux Security Audit Team" here. -
Re:Talk about flame bait...
Umm, well if your lexicon appears to include solely MS IE under "web browsers", I guess you would have to throw out the word "safe".
I agree with one of the commenters who noted that the most secure browser wasn't mentioned. (Well, okay this one is mentioned and it has a better history than the competition.)
-
Re:It's not just the non-technical users
Okay, sorry if I am sounding like a jerk. I really just want to know how this can happen!
You somehow assume that you actually have to "click" a link and "save to disk" to download a file through IE. This is not so. Sites can use IE to install software on your computer, without your knowledge, even with all the preventative measures you mentioned. This is possible with what are known as "exploits" in the system. The insecurity of IE is not so much the default settings, as it is that changing the settings means practically nothing. That is why IE is flawed and broken beyond belief with critical security vulnerabilities.
If you want to see how easily a PC is infected without you clicking, saving, or knowing ANYTHING, this series of articles will help: http://isc.sans.org/diary.php?date=2004-07-23
-
Re:Not secure at all.
GrBear (63712): Nice illusion of security....wonder how many people will fall for it.
- How many corporations continue to run MS IIS to drive their corporate websites?
- How many people continue to run IE?
- How many people continue to run Windows and download the latest spyware infected software because it's trendy, even after they've had their computers infected countless times?
You're right, security is an illusion, and some people prefer to turn a blind eye rather than look at the root cause.
IIS 6 (3 advisories) http://secunia.com/product/1438/
IIS 5 (11 advisories) http://secunia.com/product/39/
IIS 4 (6 advisories) http://secunia.com/product/38/
Apache 2 (24 advisories) http://secunia.com/product/73/
Apache 1.3 (15 advisories) http://secunia.com/product/72/
Apache - 29 Advisories
IIS - 20 Advisories
Did I miss something?