WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
Hell I have karma to burn....
Nt more secure?
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA...
Ohhh, wow.... Didn't know it was April 1st already...
Do not look at laser with remaining good eye.
The Slashdot crowd will never stand for this. I expect to see hypocrisy in full swing in about 30 seconds, with the zealots proclaiming bias. Never mind that they've consistently relied on SF for past predictions of MS's ineptitudes.
Perhaps Windows has had fewer overall security vulnerabilities, but the ones it has had have completely ruined systems and clogged up the internet (i.e. Code Red, Nimda etc...).
The report doesn't seem to take into account the fact that while the number Windows holes was fewer, they were far more severe. Code Red, anyone?
Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.
Does Windows have fewer security holes than Linux? Apparently so.
Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.
The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that linux has always been very open about what is wrong with linux.
As for MS, I only have to point to the major bug that they knew about for weeks, but didn't let anybody know about!
Now I'm not saying that Linux is more secure (as much as I would like to), but the data and the report based on it just make no sense if you think about how vulnerabilities are and are not reported.
Thanks for reading!
Sigs are dangerous coy things
Hum, this must be a joke ... I'll go and see right now if that article wasn't written by a M$ employee! ... perhaps there are people who enjoy patching their WinNT servers every 2 days, who knows ...
But
Life sucks.
Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.
But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
It's a damn good thing there were fewer bugs reported for Windows, as with each one, the repercussions are far far greater.
~sigh~
The damn thing was already /.ed before the first comment was posted...
"We obviously need a new moderation category: (-1, Woo-fucking-hoo)" --Mr. AC
Send in the trolls, one and all.
--saint
I think we've just seen another example of the old adage, "You can make statistics say anything you want them to."
Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
-Berj
Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.
Microsoft users who find bugs call Microsoft tech support, who inform them politely that it's a feature, and let the issue be stored deep in their databases somewhere.
This is not an issue of who has more issues, but whose issues get reported and publicized more.
Technical Writer?
Just because there are vulnerabilities in joeblow3rdparty software means Linux, as a kernel is more insecure? Pretty funny, considering I still have Nimda spiders hitting every box I see.
Linux may have had more, but were they as bad?
The IIS holes in 2K that allowed Code Red to spread and the UPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, very serious worm outbreaks.
Did Linux have anything on this scale?
---
Oregon
Oh man, I can hear the keyboards typing right now. One thing you don't do to the Slashdot community on a Monday morning is call their OS less secure than Windows.
On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?
my sig is so witty and fun - it tickles almost everyone who reads it.
"Lies, Damned Lies, and Statistics."
_sig_ is away
His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor of 4 too high.
Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.
Badly researched piece.
/Janne
Trust the Computer. The Computer is your friend.
Do they mean out-of-box?
(the site's been slashdotted already)
If so, then that's stupid; no sysadmin worth his salt would leave a machine without proper updates/securing.
A workstation/server is only as secure as you want it to be, that's it.
--- Do you believe in the day?
It's the administrators. If you have someone administrating either OS who's incompetent then you will have security holes. A competent administrator will close up either OS tight.
-
Steve's Computer Service, Hobbs, NM
This should be a wakeup call to RedHat to fix their distro. They are making everyone else look bad.
It's time to get rid of apps with bad security records. This means you Bero!
Perhaps a better statistic to look at if you're interested in which is more secure is the actual number of boxes which were exploited... and I'd guess that last year the windows machines win that category by a landslide.
Of course, it all comes down to the admin in the end, so any talk of which OS is more secure doesn't really mean much. A clueless admin on a very secure OS can still open the gates wide to anyone that tries.
What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from the bug's discovery to the bug's closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
--
Victor Danilchenko
It's all in the eye of the beholder. Especially if you have a borg eye. hehehe.
They can't be serious!
Lies, lies, and damn statistics! You can always manipulate numbers. I suspect they have a different idea of vulnerability and seriousness than the rest of us.
But we know by ourselves that linux is better and we strive every day to make that happen. Keep that in focus and don't let this bother you at all.
In my opinion, the reason for this is that Linux is more used in a non/less-commercial way than WinNT/2k.
WinNT/2k admins have money to buy that OS, so I suppose they also have more money/time to spend on security (and use it in a more professional way).
Some linux boxes on the other hand are "hacked" together, and thus not always secure. Maybe the popular fact that "linux is more secure than windows" makes them believe they are not vulnerable.
After reading the whole thing, I came to the conclusion that this is an unfair comparison:
...
-They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...
-They count one bug for each distribution. I mean, if a bug is detected in rsync, it shows as one different bug for every distribution, that is, one bug for Mandrake 7.0, one for Debian, one for Mandrake 7.1
So, this makes me wonder if the journalist is plainly uninformed or if he has no idea of what he is talking about (a laid-off journalist from the gardening section re-hired for a tech-writer position).
The conspiracy theories, black helicopters and Microsoft-paid journalists, from my point of view, do not apply here.
Well, who said the world was fair?
wininformant.com fails to resolve.
/. troll, and they didn't bother to realize the DNS for wininformant.com doesn't exist, or wininformant.com is dead at the moment, or wininformant.com is a group of Microsoft FUD monkeys, or I'm running the wrong desktop OS.
SecurityFocus.com has absolutely nothing on their site about this article.
I would find it at very best to be poor journalism to label an operating system more secure just based on the fact that it has fewer published vulnerabilities. First off, it's easier to locate vulnerabilities in *NIX software. With Windows it isn't, mostly because it's closed up and the common Windows user is not motivated to find a security exploit.
If you look at the types and severity (which I'm hoping the article does) of them and surmise a judgement based off that, I think it's pretty obvious which operating system is more secure.
Either this is a
Dacels Jewelers can't be trusted.
And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.
And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.
-Esme
Scientists have discovered that internal combustion is cleaner and more efficient than anti-matter.
Pure quantity of security holes really is not the most important question. To me there are two factors:
1. How severe is the hole if exploited.
Are we talking a DoS, a root compromise, the ability to take over a domain controller? The effect of a compromise needs to be taken into account.
2. How easy to exploit is the hole.
Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem?
These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.
Perhaps Linux has a greater number of security flaws, but Windows' security flaws, while fewer in number, are much more serious, drastic and more devastating in terms of network infrastructure.
Using a number to rate things like this is absurd.
Today security is measured in how long it takes you to break into a box, and not if you can break into the box. So on the one shoe, you can say windows is much more bombarded and patched than Linux because so many "testers" are willing to "test" the security of windows. But on the other hand, since security is measured in how long it takes to crack something, even though windows may end up with fewer holes, the fact is there are more "hole seekers" which effectively reduces the security.
Two freakin' comments in this thread when I view it, and wininformant is already refusing connections. Shame too, cuz I got plenty to say on the subject but it's kinda hard to make informed statements when you can't even read the link.
;)
Suppose I could just base my post off the story submission like most other readers do, but nah, that'd be irresponsible.
/rant off
But it is possible to have a very secure Windows environment. No, it does not involve turning the box off ;^)
Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator. Which one is going to produce a more secure box? Any objective person would have to say the NT/2K guy would, because he knows his platform well enough to shore up vulnerabilities. Nimda, I Love You, and many other worms did not affect my company because we took security very seriously beforehand. Malicious attachments (.EXE, .SCR, etc) were banned long before I Love You came along.
Now, having played devil's advocate for a moment, let me say that if you have a tightly controlled *nix box with a competent admin and a focus on security, you can create a damn near impregnable system. The weaknesses then lie with the applications, not the OS, and that's something ALL vendors need to work on (you listening, Larry "Unbreakable" Ellison?)
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I can't remember hearing about many *new* security holes in win2K recently.
I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.
XP, on the other hand... but we're not talking about XP here.
Tarsnap: Online backups for the truly paranoid
If Linux did indeed have more bugs, there are two questions worth asking:
1) which versions of Linux? If you were concerned about security you probably wouldn't be running the most bleeding edge version
2) how significant were the security holes? Are they remote root compromises or something less severe? Linux might have several more minor vulnerabilities and look numerically worse if Windows has one gaping vulnerability
Having said that though, I'm willing to believe this is possible
:)
This sig has been temporarily disconnected or is no longer in service
Let's make this perfectly clear, shall we?
Look at all the security issues that have come to light for Windows over the past year or two. I'd bet my newly purchased house that over 90% of them are APPLICATIONS that are insecure, NOT the OS.
How many security problems are a result of Outlook alone? 70%? Wouldn't surprise me a bit.
How many are direct results of VBA? 80% or more? Yeah, I'd think so (and I happen to love VBA but there's no arguing the danger that is opened up when you allow that level of integration and automation in software).
I don't think there were a massive number of problems that arise from protocol-level problems, security subsystem abuses or kernel hacks. Sure, there is always the occasional buffer overflow and things of that nature, but I'd bet the number is about equal with what you get on any other OS out there.
It's the apps folks, not the OS. Compare the Linux kernel with the NT kernel and I bet they are both secure as hell. It's what's on top of them that's a problem sometimes.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
Of course now we're going to get tons of people who say "Linux is just the kernel." Or "It's the distros that are insecure, not Linux." Or "It's apache/lpd/sendmail/wuftpd/bind/etc that's insecure, not Linux." But let's get our ass on straight here. Nobody posting here is just running Linux-the-kernel. We're all running Linux-the-kernel plus apache, plus userland tools, plus bind, plus sendmail, plus proftpd, plus etc. And we all tell people we are running Linux on our servers, and perhaps sometimes we'll say "with apache as our webserver." But ultimately it's "Linux" that is our OS. And all the mainstream apps that we include are part of that "Linux" that we tell people we use. And, yes, it is appropriate that we take our lumps on issues like this. This isn't a dick measuring contest, it's about running a quality IT environment and providing a quality service to our customers. Denial won't provide that.
And for those who really really want to argue that it's not Linux at fault, then make sure that you point the finger squarely where it belongs: at yourself! Right? I mean, Linux-the-kernel doesn't have any remote buffer overflows in its webserver. It doesn't provide for local root escalation. It's the tools that you, the admin, are responsible for having in place there that are the problem. And since you obviously chose to put them there (via installing them with the standard RedHat installer, or dl-ing, compiling and installing by hand) you are the one who is responsible. So there.
Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?
I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?
Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-starred ones, it doesn't make the Big Mac a better meal.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
The *nix junkies are going to make this thread 1000 posts long but the numbers are there. I can heartily believe that Windows has fewer security holes; it's just that with Linux not having a viable market share no one really bothers to take the time to exploit those vulnerabilities. It's security by obscurity. Let's say two auto makers each make a truck and company A sells 100,000 units of truck A and company B sells 1,000 units of Truck B. Truck A explodes into a fire ball 20 times and Truck B does the same 2 times. The popular conclusion is that Truck A must be unsafe because it exploded so much but the truth of the matter is that Truck B is actually 100 times more dangerous....but it only blew up twice so nobody will believe the facts. That's my .02 cents
-- I am baseball in Minnesota.
"Facts, schmacts, you can use facts to prove anything that's even remotely true." - Homer J.
Palaces, barricades, threats, meet promises
The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that opens our eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.
At least with opensource I can look at the code.
Evan - needs to hit preview before submitting
The SecurityFocus charts seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.
When you break it down, however, Windows has been about equal to Red Hat and well above all the other Linuxes and Unixes in the chart.
As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
Well I can't seem to reach the site but I imagine that the comparison is again invalid. If this is a comparison of Linux kernel vs bare Win2K install then I suppose the stats speak for themselves. However, if this is Win2K vs RedHat or Mandrake then this is skewed since RedHat and Mandrake contain many times over all of the software one might need for a server and a desktop. This skews the exposure rating unless the comparison is between Redhat or Mandrake and Win2K + MSOffice + everything else imaginable for a desktop and server PC. A comparison of Win2K with a hardened, stripped down version of Linux might be more accurate. Otherwise this is simply saying that a complete install of RedHat or Mandrake is less secure than a plain install of Win2K, which is a worthless statement.
I wonder where OpenBSD ranked in this survey ? Apparently there has not been a remote root exploit in the out-of-the-box configuration for over four years.
Despite all the BSD is dying trolls out there, BSD is alive and kicking Linux and NTs asses (in security terms)
"Paul Thurrott is the news editor for Windows & .NET Magazine. He writes a weekly editorial for Windows & .NET Magazine UPDATE (http://www.win2000mag.net/email) and writes a daily Windows news and information newsletter called WinInfo Daily UPDATE"
nice timing with the windows security initiative
perl -MIO::Socket -e 'IO::Socket::INET-new(PeerAddr="some.windoze.box:1
NTBugTrack -- `nuff said.
I sent a similar article, but was rejected. Peh, guess I need to work on my editorial skills.
Anyway, before anyone gets on a high horse here, it needs to be said that it's the code, not the features that allow users to do stupid things. Most of what's out there choking MS-based networks is because of the ease with which users can execute attached scripts and executables. Oh, and a hole in IIS, but that was mentioned in the article.
Yes, MS is a monopoly. Yes, they're trying to squeeze more cash out of their consumers (stupid WPA). But, damn, they do produce some of the most solid code out there, as well as some of the most feature-rich, usable applications. Alas, that's just my opinion, and considering that I use mostly MS apps, I might be slightly biased.
The (Hopefully) Great Slashdot Blackout
1. Severity - The issues that exist on Windows platforms are demonstrably larger. There is no administrator/root containment of privilege (generally), and most of the security issues reported are indeed system-level, remote, and widespread.
2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.
3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "pursue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS even for well established bug hunters like eEye, on very large vulnerabilities like UPnP.
In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.
ONE thing needs to be clear: there are a lot of bugs, and having many eyes isn't preventing them from happening on Linux.
No matter where you sit, it's justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.
GPL'd web-based tradewars themed space game
I apologize grievously if my assumptions are incorrect. The "winformant" article is Slashdotted, and the NT Bugtraq chart was not entirely clear to me.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
how many exploits do you think people would find in the first month?
What is relevant is the severity of the security holes and the time it takes before the producer of the app in question puts patches out and how soon these get installed by the sysadmins. The latter seems to be the biggest problem anyway.
Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Furthermore, many Linux distributions come with lots of bundled software that not all sysadmins install.
This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.
It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.
But yeah, it is pretty disgusting that Linux in general has this many security holes.
Bias isn't necessarily what annoys me. I would like to see more stories which foster discussion as opposed to sensational bullshit. Isn't there an interesting or nerdy or thought provoking or geeky news item that we can discuss? For fuck's sake, we know Microsoft sucks, we know 80% of Slashdot's traffic is from IE, we know we don't like .NET, we know Ballmer is a monkey, come on, let's talk about something (ANYTHING) else.
[o]_O
In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.
Obviously everyone should switch to Turbo Linux.
Lasers Controlled Games!
That this is in large part due to the nature of open vs. closed source applications. Linux is open, and a lot of the bugs tracked are found because of just that--it's open, and people can look inside and see. Windows is closed, and has statistically significant (understatement) fewer eyes examining it.
So, measuring how secure an OS (any OS) is by the number of items in (NT)Bugtraq is a red herring.
i wonder when was the last time someone found a hole in your firewall by exploiting a hole in your apache to get your sendmail sending the contents of your harddrive to everyone and his hamster?
Greetings,
:-
I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
Does anyone know if they used any weighting on the types of exploits/bugs. I would consider a remotely exploitable bug to be much worse than a locally exploitable bug as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.
So, given a weighting scheme of
Remote Root = 4
Remote Denial of Service = 3
Local Root = 2
Local Denial of Service = 1
How would the different OSes stack up?
My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.
Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
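The weighting scheme in the comment above, the earlier objection that one upstream bug gets counted once per distribution, and the earlier point that the window between disclosure and fix matters more than the raw count can all be tried on the same data. The script below is an added example, written for this page and not taken from any poster or from the WinInformant/NTBugTraq material; the advisory records, the "family" roll-up bucket and the identifiers (`W-1`, `U-1`, ...) are constructed for illustration and do not correspond to real advisories. It tallies the same list three ways: raw count, severity-weighted sum (remote root 4, remote DoS 3, local root 2, local DoS 1), and total days each bug stayed open, before and after collapsing per-distro duplicates.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date

# Weights from the weighting-scheme comment above.
WEIGHTS = {"remote_root": 4, "remote_dos": 3, "local_root": 2, "local_dos": 1}


@dataclass(frozen=True)
class Advisory:
    platform: str     # distro or Windows version that published the advisory
    family: str       # roll-up bucket ("windows" or "linux"); an assumption of this example
    package: str
    upstream_id: str  # identifies the underlying bug; identical across distros for one bug
    severity: str     # one of the WEIGHTS keys
    disclosed: date
    patched: date


# Constructed sample advisories (hypothetical; not taken from the NTBugTraq chart).
# The three rsync entries share upstream_id "U-1": one bug, three distro advisories.
SAMPLE = [
    Advisory("Windows 2000", "windows", "iis", "W-1", "remote_root", date(2001, 6, 18), date(2001, 6, 18)),
    Advisory("Windows 2000", "windows", "kernel", "W-2", "local_dos", date(2001, 3, 1), date(2001, 3, 8)),
    Advisory("Red Hat", "linux", "rsync", "U-1", "remote_root", date(2001, 12, 5), date(2001, 12, 6)),
    Advisory("Debian", "linux", "rsync", "U-1", "remote_root", date(2001, 12, 5), date(2001, 12, 7)),
    Advisory("Mandrake", "linux", "rsync", "U-1", "remote_root", date(2001, 12, 5), date(2001, 12, 10)),
    Advisory("Red Hat", "linux", "lpd", "U-2", "local_root", date(2001, 9, 1), date(2001, 9, 4)),
]


def dedupe(advisories):
    """Collapse advisories that describe the same upstream bug within one family.

    Keeps the earliest disclosure and the latest fix among the duplicates, so the
    exposure window covers the period in which at least one of those platforms
    still shipped the vulnerable package.
    """
    merged = {}
    for a in advisories:
        key = (a.family, a.upstream_id)
        prev = merged.get(key)
        if prev is None:
            merged[key] = a
        else:
            merged[key] = replace(
                prev,
                platform=prev.platform + "," + a.platform,
                disclosed=min(prev.disclosed, a.disclosed),
                patched=max(prev.patched, a.patched),
            )
    return list(merged.values())


def score(advisories):
    """Per family: raw count, severity-weighted sum, and summed days open."""
    totals = defaultdict(lambda: {"count": 0, "weighted": 0, "exposure_days": 0})
    for a in advisories:
        t = totals[a.family]
        t["count"] += 1
        t["weighted"] += WEIGHTS[a.severity]
        t["exposure_days"] += (a.patched - a.disclosed).days
    return dict(totals)


def compare(advisories):
    """Raw per-advisory tally next to the deduplicated one."""
    return {"raw": score(advisories), "deduped": score(dedupe(advisories))}


if __name__ == "__main__":
    for label, result in compare(SAMPLE).items():
        print(label)
        for family, t in sorted(result.items()):
            print(f"  {family:8s} count={t['count']} weighted={t['weighted']} "
                  f"exposure_days={t['exposure_days']}")
```

On the constructed data the raw tally shows Linux with twice as many advisories as Windows; after collapsing the three rsync advisories into one bug the counts are equal, and the weighted and exposure-day columns then decide the ranking. Which column to trust is still a judgement call, but at least each one answers a stated question instead of counting press releases.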
How is this Orwellian? I seem to miss the distinction...
SecurityFocus Says Windows More Secure Than Linux
In related news, we've just sent flying swines down to Hell. Initial reports from Satan's lair indicate a cold front moving through.
If you celebrate Xmas, befriend me (538
1. How many of the Linux vulnerabilities are in services that aren't Linux? I.e. sendmail, apache, ftp servers, and whatnot? Just because something is packaged with Linux doesn't make it Linux. Do the Windows bugs count IE bugs and every other MS software running on the system? What about other packaged software such as AOL and whatever other links they provide?
2. Sheer number of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?
3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?
4. If there are comparable numbers of linux vs. win2k servers out there, which actually had more break-ins? (This question not valid if there is a wide gap in numbers since then the lower of the two probably benefits from that "security through obscurity").
5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).
... that now Bill Gates doesn't have to spend a month on fixing their broken security? I'm sure he'll be thrilled that he can go back to bloat...
Site are
Anyhow, how are we counting bugs? WindowsOperatingSystem against Linux_RedHat_FtpD_SQL_WebServer_GodKnowWhat_Dist?
A Linux dist happens to contain _a lot_ more than Windows Server 2000 does.
The fact that you can cite flaws in Windows security proves that Windows security is imperfect, not that Windows is less secure than Linux.
I can't seem to access the article, so I'm not sure whether it addresses this, but it seems to me that the type of vulnerabilities discovered would be an important factor in determining how secure each OS is. Obviously remote exploits are more serious than local exploits. Likewise, the amount of privileges gained through each exploit should also play a role (i.e. does the exploit give administrator/root privileges or just guest/nobody power?) I'm not saying that the conclusion of the article is right or wrong, I'm just saying there's more to an OS's security than number of vulnerabilities.
Of course it's worth noting that the security of an operating system doesn't necessarily reflect the security of the systems using it. System security is an ongoing process that requires human intervention; if a sys admin is lazy and doesn't install patches then his system will be insecure regardless of which OS he uses.
This test is not actually sensible as it compared the W2K OS against the entire distro of RedHat. In order to be fair we should really compare either:
1. A base linux install, enough to get a window manager, against W2K, OR
2. All pieces of software available for W2K against a fully installed RedHat distro.
Basically the results make absolutely no sense and no real meaning can be taken from it.
MacOS has 11 vulns. while MacOS X Server has 1 vuln. Those numbers really surprised me.
The problem as I see it is that I have no personality of my own.
If this is the same article mentioned on LWN (can't be sure, since it's slashdotted), this article compared the number of bugs reported against Windows against the number of bugs reported against Red Hat. And Debian. And SuSE. And another distro - forgot which one.
I'm sure it was an honest mistake that most Linux bugs were counted multiple times.
But I don't buy into the "bug count" argument anyway. It's a lot like that controversy over the "most decorated US veteran" (Hacksworth?) - a lot of people think that you can have a warehouse full of bronze stars and distinguished service medals and it's all scrap metal next to a single Congressional Medal of Honor (post.).
What was the last remote root exploit for a widely used Unix service? What about local exploit for a widely used Unix application?
Now ask the same thing about Microsoft.
Finally, "NTBugTraq" may be respected but that doesn't mean it never publishes crap -- sometimes for the purpose of shooting it down. I've seen this happen on comp.risks and elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The problem with weighing security vulnerabilities is that, apart from just counting the bugs, it's a completely arbitrary measurement. One might assert that Bug X is worse than Bug Y, but there's no scientific way to back up those assertions.
Some people might argue that total cost in damages caused by security vulnerabilities is a good measurement (and certainly, Windows has racked up billions of dollars in this category). The truth, however, is that with Windows' wider deployment, it's far more prone to attack in general. Since Windows machines make up some 90% of all desktops, more virus writers target it, and the viruses written for it have more places to spread. Dense, non-diverse populations are inherently more vulnerable to plagues.
Is Linux really more vulnerable than Windows, in the grand scheme of things? Given the above facts, it's difficult to say. There are valid arguments for both sides.
That said, it's been shown that Linux users as a community have the resources to get in and fix security holes far quicker than Microsoft is capable of doing with Windows. So, if you feel like complaining about the security report, my advice would be to take that energy and use it to help with testing and patching instead.
Peace,
Lendrick
Okay lets break it down:
Linux by default includes:
A mailserver
an ftp server
a telnet server
a web server
a database server
etc....
Windows by default includes:
A store receipt
IIS maybe..
ummm
okay so what are they basing their study on? The same system setups? Are they comparing postfix with exchange server or sendmail with exchange server? MySQL with MSSQL or MySQL with Oracle? I don't understand this study, nor do I believe it. I think this study is biased and fixed. It is funny that this study is released as M$ releases the W2K rollup package to fix the broken/hackable files.
-- Powered By Linux
First of all, there's no weighting in the charts. So in other words, an attacker can break into a Win2000 box and control everything about it, or he can telnet into a Linux box but has no access to change anything or even browse the root directory, yet both attacks are chalked up as a "1."
Also, read this from their "about us" section:
The company has approximately 50 employees and is privately held, backed by venture funding from SOFTBANK and E*Trade Ventures.
Funny, I seem to remember a story not too long ago about E*Trade joining .NET, and there's that one about 6 months ago when the E*Trade mutual funds started to tank and they moved towards more MS stock... draw your own conclusions.
~ now you know
How does Slackware stack up to other distributions and to Win2k? I know Slackware 8.0 (like most other *nix distros) had a remote root exploit in telnetd, and there are updates for about a dozen other packages; how does this compare to RedHat?
Saying "Linux has more security holes than Windows" is at least as stupid as saying "I just got Linux 7.2".
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Anyone remember Code Red? Nimda? I sure do. I still get 300+ scans a day from infected Windows boxen.
Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).
The entire article needs to be modded -1 flamebait.
I read this article a few days ago. I thought it was funny. Basically, Slashdot didn't read the article before posting again. The synopsis of this boils down to "Slashdot says Winmag says SecurityFocus says NT is more secure than Linux.", except SecurityFocus never said that. Doh. Winmag instead just wrote an article counting the total number of exploits for Linux and NT, and gave the OS with the lowest number the best "secure" rating. Of course, since these stats came from the NTBugtraq list, it must be SecurityFocus sanctioned *cough*.
Your poster knew this. Way to go poster. You've successfully trolled the frontpage of Slashdot.
Who he works for doesn't make it possible for him to fudge those numbers.
You are truly desperate to deny these figures, aren't you?
That seems like an unusual slip up for SecurityFocus. I have been trying to get to the article since this was first posted. There were no comments and it was already /.ed. Sure would like to read the article to verify this.
Even forgiving all those linux worms that flooded the entire internet for much of last year, it was the mysql/php buffer overflows left and right that allowed any script kiddy to gain root access with a web browser.
Oh wait, I think I have this backwards, never mind.
Remember people, while we can be pretty damn secure (no pun intended) in the fact that we've gotten most of the security holes out of linux, there could still be many unknown holes in various windows operating systems that simply have yet to be discovered. With the source open, you're going to find more holes, assuming all things were done equally.
Also, are we looking only at the linux kernel itself (compared to the windows kernel) or all the programs that are typically packaged with it? Gnu and Linux usually stand together, but counting vulnerabilities in every program that could ever be run suid root may be reaching a bit far.
-Restil
Play with my webcams and lights here
I am curious as to what they consider Linux and what they don't. If they are counting the number of security vulnerabilities of all the available Linux utilities and kernel or just the 'core' parts. I know I personally would have a different definition of what programs make the core Linux and which ones are optional. GPM recently contained a vulnerability, but I don't consider it important or required at all.
in the hands of a clueless sysadmin, anything is insecure
So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
Alright, someone help me understand the statistics here. In the first listing (Number of OS vulnerabilities by Year) I looked at the year 2001 column. Obviously, the aggregate linux column was very high... how many of those bugs were duplicates?
Aside from that, the only distribution in that first listing with more vulnerabilities than Win2k/NT was Redhat. Of course, there were no version listings provided for that chart.
When broken down to versions, suddenly there are more vulnerabilities than the previous generic listing. Is this a different type of vulnerability? The first is listed as "OS," the second as "package." Regardless, not only do they not list the most recent versions available, but there are 10 LESS vulnerable linux packages than Windows 2000, and 4 that are MORE vulnerable. How does that figure into the end conclusion? Does that make linux more or less vulnerable than Windows 2000?
In any case, as mentioned by several others, the statistics don't include the severity of any of the vulnerabilities at all, rendering the statistics pretty much worthless.
(Think I said "vulnerable" enough?)
The security of any OS lies in the skill of its admin. An idiot with a 2k box is no more secure than an idiot with a linux box and vice versa.
- Toby
the subject says it all.
Again, Winformant, in a desperate attempt to seem like they aren't a bunch of toadies, has struck an "independent" blow against linux's "security myth," by proving that more holes were found in linux than in Windows.
Well, duh. Linux is full of holes. But that's not winformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched dll. Oh, and if a linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.
Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With windows...well, you'd better be good with BlackIC and ASM, because it's the only way you're finding the hole.
Hey freaks: now you're ju
Does "Ramen" ring a bell?
(/.'s 20 seconds min to reply is the lamest thing I've ever seen... I'm typing this to slow down my submit clicking because I can actually read and type faster than a 1st grader... stupid...)
However, the conclusion being drawn here is invalid. The SecurityFocus vulnerability survey is interesting, but it is not itself a reasonable methodology to generate security metrics between operating systems.
I could pick nits at this ad hoc study for hours, but the biggest problems are also the most obvious:
First: the study associates third-party software with the operating system, and aggregates all the distributions together into a meaningless "Linux" category. This study is literally just pattern matching against advisories.
Second: there is no notion of "severity" or "impact" in the study. This is a shame, because SecurityFocus has actually put some real effort into deriving a taxonomy of vulnerabilities from their (enormous) vulnerability database. There is no way to determine whether the N Linux vulnerabilities were equivalent to the K NT vulnerabilities.
Third: the study compares a kit of open-source software, which has received extensive peer review, to a closed-source product. It should surprise nobody that Linux has more documented problems than Windows: it's actually possible to go find vulnerabilities on Linux. Finding Windows vulnerabilities requires black-box reverse engineering.
Finally, both Linux and Windows do a reasonable job of locking down server configurations out of the box. What IT people need to know is vulnerability breakdown by operating system and by deployed configuration. This study does nothing to inform us of whether a Linux web server is at more risk than a Windows web server, or whether it's safer to expose a Linux print server or a Windows print server. Organizations that deploy homogenous Apache+NFS+ssh server farms don't care about XFree vulnerabilities or Samba problems.
I don't think SecurityFocus is actually trying to make claims about the relative security of Linux and Windows. I think they've been a bit careless with this report though; it's a reasonable thing to try to generate from their database, but more thought should have gone into presentation.
SecurityFocus has the on-staff expertise to publish some real conclusions about the distribution of vulnerabilities between Linux and Windows. Before this database report is misconstrued by the trade press, it would be enormously helpful if they could publish a statement about the conclusions that can be legitimately drawn from it. It'd be good press for them, too.
This same thing happened last year... Some guy wrote a piece claiming similar things, and making the same mistake: adding up all the bug entries against all the distributions, so that many bugs were counted several times over (and somehow not adding up Windows 9x bugs with Windows NT bugs..... ). When will people learn.
sigs are a waste of space
They are making some headway with this, the qchain tool, hfnetchk and a couple of others, but it still takes longer to check, deploy and test these damn things than it does with any other *nix I've worked with.
RANT
/RANT
I think the first thing MS needs to do is get a decent remote shell for Windows servers. There are some okay 3rd party products out there and Terminal Services does help too, but I don't need the full GUI, just a shell that isn't handicapped like their silly telnet server.
It tells us that when Microsoft doesn't try to over-burden their operating systems with silly gizmos and features it's actually pretty damned good. Windows 2000 was only an evolutionary change from NT 4 (many of the changes were supposed to originally come with NT 4), had the history of the NT code base behind it, and it got the job done without too much glitz and glamor.
It wasn't until Microsoft thought up NT 5.1 (aka XP) with all sorts of inane bells and whistles to try to convince us that we need to upgrade that the bottom fell through on their security again.
While this does vindicate my continued use of Windows 2000 in the XP era, I really don't feel this vindicates Microsoft too much. When it comes to operating system releases, Windows 2000 was a bit of a fluke. A fluke because nine times out of ten Microsoft tries to overload a new OS with silly features (think 98 compared to 95), and this time they "messed up."
While Windows 2000 is secure, the underlying philosophy in Microsoft that made them decide to release XP is not.
Windows is really secure; before the welcome screen it is the most secure OS I have seen, but after booting IE, IIS, Outlook, well... better not to boot them... so it is very secure as long as you don't boot anything. *grin* Very secure piece of crap that doesn't do shit.
Sigs are for morons... Wait a minute...
If you think about it, WINDOWS hasn't had any major bugs or security holes lately. It's been Outlook and IIS who've been the victims of the Big Media holes and trojans. It might be a valid claim to say Windows (2K, XP), as an OS, is more secure than Linux, but not as an environment.
Th
I think the figures are probably accurate on the number of bugs. But Linux exploits aren't necessarily exploits. If someone debugs the code and finds something that is written funky that can be taken advantage of, that is not an exploit because he knows right then and there how to fix it. It should be rated on how long known exploits are out before the exploit can be patched or taken care of. That is the real measure of security. When Microsoft wants to wait 3 weeks to release patches, release patches that cause more problems, or denies that the bugs exist, that is more of an issue than anything else. At least with Linux when it's found it's taken care of.
If you're not cheating you're not trying. If you're not trying you're not winning, and if you're not winning why play?
What someone said--a primary security hole (something you drive side-by-side trucks through) are Windows applications. Visual Basic and, by extension, Outlook, are big culprits.
But many of the things that make Windows insecure do extend to the OS level. Here on my Macintosh, my firewall is set to lock out IPs that try a NETBIOS check, as well as various port scans. It's also aware of the Code Red variants.
My Mac OS (9 or X) ignore them. As with Linux, my OS doesn't know or care for NETBIOS.
And OS X, as a better example for all the huff, is a *nix family OS--and still in its infancy compared to the older Linux distros and UNIX itself. A UNIX class OS is only insecure in the magnitude of Windows when we open up all the elements of the OS that are normally closed by default--permissions, certain root access, and so on. Therefore, you have to be a Raving Buffoon(tm) to set Linux or any *nix up for a fall.
Windows' faults are inherent to perpetuate its market share as well as stupid coding. And now MS wants to "fix" it? Give us a break.
/.
Vos teneo officium eram periculosus ut vos recipero is.
Anybody take a whole five seconds to look at the chart? Linux and its bugs are counted by counting Red Hat, SuSE, Mandrake ETC ETC. So if a bug is found in the Linux kernel then that bug is counted X times [once for every distribution]. Hell, they might count it once per release!
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851880 ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
illustrates the art of marketing nicely, a more well written piece of managerial verbage as was ever wrought ... ten for ten
2tek
if windows was a ship, i'd be bailing
Netcraft says that www.wininformant.com, the site which holds this report, which got promptly slashdotted, runs IIS4 on NT4.
I'll refrain from making jokes about Win boxes not being up long enough to be exploited, or something like that.
Linux is a target. When the black hats are sweeping the network, they see a bunch of windows boxes that are easy to break into; whoopty-shit, who cares. No challenge, no glory, and no use. On the other hand, when they find a linux box, it's a gold mine. Linux is the friendly unix which gives its owners a false sense of security. Linux, being easy, tends to install so much, which gives greater opportunities to install security flaws. Linux is also far more useful to a black hat. He's probably also using linux; he can just run his root kit without thinking and then all of his tools are installed and run without a recompile or any fuss. It's easier for black hats to own a linux box and use its network tools than it is for a black hat to do the same with a windoze box. Most linux boxes have a compiler installed (which is a right and good thing); the opposite is true in windoze land.
Conclusion: Linux is still better and more powerful than windoze any day, which makes it a more attractive target. Since the barrier to entry with linux has been deeply lowered, many naive good people are installing a powerful OS for fun, just to find out that with power comes responsibility.
Democrats and Republicans only disagree about how to enslave you
Well, I've never used a computer in my life, so I obviously have no bias whatsoever in this. I don't know the details of why Windows is said to be more secure than linux (slashdotted already, of course) but it seems pretty obvious.
I'm not one to bash Linux, though I prefer a real *nix any day. However, I'm not one to bash Windows either, it's actually a pretty good OS. (Something that I can see a lot more now that I work with a company designing systems dozens of times more bloated and complicated than even XP) The real reason Windows seems so much more insecure is because so many people use it, and it's become such a standard that it makes an easy target for custom made cracking tools. It's just as easy, if not easier, for someone who knows what he's doing to break into a linux system and completely take over. In fact, it's always seemed to me like someone could do more damage with a cracked linux box than with a Windows one.
But of course windows doesn't stand a chance here, it's hard to argue with an "I'm right because I said so" attitude that a lot of the more vocal people seem to have. I honestly thought my monitor was going to burst into flames when I started reading the above comments...
-Space for rent
Typical.
The more a system is up, the more you can break into it. The BSOD (copyright MS) is the security that Linux needs. It's the one secure feature that even the best crackers cannot get past. Show me a room full of BSOD NT Servers, and you'll also see a room of secure data and apps. Linux does win with file security though. If you direct all data to /dev/null, I dare anybody to break in and read that data. We call that Write many, read none.
According to the page OSX-server had only 1 vulnerability in 5 years. I doubt this is very accurate (if it is, feel free to chime in with recommendations that we all switch OS's immediately). I think we need to keep in mind that this whole thing is wildly inaccurate. Rounding errors, double counting, unreported bugs, firewalls. If you're using these numbers to do anything important, you're insane.
Setting aside the accuracy of the results, this is a comparison of a system where the code can be examined by anyone and a system that doesn't allow the public to view the code. Even if the systems had an identical number of bugs (which I am not claiming) the open system would have more bugs reported simply based on the fact that the errors can't hide behind compiled binaries.
Scalable and stable too :)
OOOOOPS the site is gone lol
Maybe since they are reporting that Windows is more secure.
SecurityFocusdotcom is now switching over from Linuxto XP.
Ok, here's what I noticed. The SUM of all Linux's put together had a higher bugcount than windows 2000.
Now, how many people do you know that install redhat, then add to it all the security bugs in Caldera, Conectiva, Mandrake, Slackware, SuSE, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.
Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!
But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
LOL, this so called "scientific" data has been presented in such a way that a Windows marketer would love. First note that Linux has an AGGREGATE column while Windows does not. A better use of the graphs would be to remove the aggregate column. I mean really, does a Linux distribution exists that incorporates ALL other distributions? I don't think so. If the Linux aggregate column cannot be removed, then a more fair representation would be to also aggregate the Windows vulnerabilities, then check to see how the numbers compare. I also wonder how the numbers have changed with the introduction of XP. A side note: Besides...what good is an OS that had less vulnerabilities crop up last year when that system is unstable! (IE Windoze)
Well, now we know what they were really talking about when Microsoft said they were going to place a new focus on security - "SecurityFocus", or focus on Linux security and not Microsoft security.
Of course it's been known for a long time that Linux has more security flaws *REPORTED* simply because it's open source, and people do a lot of intense study of its security. But this does not mean that Linux is less secure, it means that we find and fix security flaws faster than Microsoft can find them.
I was thinking to myself yesterday about how the nature of open-source lends itself to a lack of "talent auditing". Meaning, there **MAY** be a greater chance of bugs being introduced into an open-source project because the programmers are often not hired professionals.
:-P
I would like to see a comparison in bugcounts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. mySQL) and projects supported by weekend programmers.
I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs?
Take another look at the data referenced by the article! It actually shows that Windows 2000 was one of the worst as far as security goes. The linux aggregate score does not resemble any of the individual linux distros mentioned. What I would like to know is, how did the author ever draw the conclusion that Windows 2k was more secure? And what was the point of comparing the score of an OS with an aggregate score? That makes no sense either!
X
These idiots probably counted up security reports by adding each report from each distribution together rather than per package/kernel/etc.
The same report from Debian, Redhat, Slackware, and Mandrake doesn't frickin mean that there are 4 holes! It means that there is 1 hole. When will they get this through their head?
You have to look at each report, match each hole, count it as 1, and move onto the next. I'll bet that in the end, 9x/NT will have about 2x as much security holes, if not more.
Brielle
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).
You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.
However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.
Sig (appended to the end of comments I post, 54 chars)
A system is only as secure as its weakest link...and that includes sysadmins. If this is a security issue, windows and linux can both be as secure or insecure, depending on how it's set up. And there is NO system so secure you can't get into it. The numbers mean diddly in a case like this...
What exactly does the linux aggregate represent? Who would be idiot enough to install all of the major distributions on the same machine? Or even on multiple machines? Why don't they have a windows aggregate that includes all of the different windows variants (not to mention where is XP)? More secure than what? Apples to oranges here (not oranges, they compare one distribution to multiple distributions). Get a clue on your reporting.
Are they referring to the core OS? Regarding kernel vulnerabilities? Regarding Apache vs. IIS? I noticed one of the tables on the SecurityFocus site shows "Top Vulnerable Packages 2001" - what exactly does that mean? Installed packages and running daemons? Or the kernel each OS is packaging?
Look at those tables. How can you refer to Windows NT 4.0 versus Internet Explorer versus IIS versus RedHat Linux 5.2!!!
Those are really huge apples and massive oranges... This is marketing fluff, vague and doesn't do anyone any good! Doesn't matter if you are referring to Windows, Linux, Solaris, QNX, or whatever. These are raw stats, without enough detail to make an informed decision regarding their meaning.
Look deeper into statistics, et al. before flaming one way or the other!
OK, so let's narrow it down: Microsoft IIS servers are more secure than Linux/*NIX/Apache servers? How about the immense propagation of crap that unpatched IIS servers are propagating on the 'net?
I am running a little hobby server at home, running FreeBSD and I have been getting a HUGE number of NIMDA requests, so , is NIMDA resolved? ummm I think not...
Here's the proof, it's a quick and dirty generation of the requests my apache is getting from the clueless IIS dorks on Rogers@Home (an informal traceroute has shown most of the requests coming from within the @Home network).
I like SF , I read SF, but those tables and statistics are completely ridiculous and I'm not even slamming MSFT one way or the other....
When I was in tech support, everybody thought USRobotics modems sucked. We spent a lot of time dealing with USRobotics problems, much more than any other modem. Then we realized that USRobotics modems were in 70-80% of the PCs on the market. That meant that if USR modems caused 60% of our problems, they were actually better than the average modem!
I can't get to the article, but if they are talking about desktops, then anything less than 90% of the security problems coming from Windows actually means that Windows is better than average. For servers that number would have to be what, 30%?
There are other statistics involved here too. For example, Linux people always point out that Linux bugs get fixed faster than Windows bugs. True, but if the Windows patch gets released after 2 weeks, you still are still running clean more than 90% of the time--it just doesn't make that big a statistical difference.
Then of course there is the difference between "bugs found" and "bugs exploited". I imagine fewer "hackers" exploit Linux bugs because of sheer hate for "M$". If they ever let an AOLinux loose on the market, it might become a hate-target, and then all of the sudden Linux looks a lot less secure.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The accounting is wrong... they are counting Mandrake, Red hat, etc... they aren't sorting out common exploits to distributions... e.g., if the snuff_server X.YZ had an exploit bug and that version of snuff_server was present in 6 different distros they are counted as 12 different exploits... it's not correct... if they want to summarize all distros as LINUX, they should account only individual exploits. By the way... I think that flame bait was posted about one year ago... was an article written by some MS-friendly journalist...
Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers.
Musta been hacked.
hahahahahahahaha....
demonic, uncontrollable laughter continues indefinitely....
[figz@figz figz]$ kill -9 `ps -ef | awk '$1=="figz" { print $2 }'`
The moron at wininformant added all exploits for all linux distributions together. Imagine the obvious scenario, where bind8.x.x has a root compromise. This would only count as a single exploit, however the article counts it once for each distribution that acknowledged it.
If you look at the charts yourself, you see that Win2k had 42 exploits in 2001. In comparison, SuSE had 21. Redhat had 54. OpenBSD had 14. The figures also are not focused on a particular release. I would expect that the numbers would be substantially lower if it only took into account the current releases. Surprise, SuSE still publishes security announcements for 6.x in addition to 7.x, and those are counted.
The author of the article needs to look up Aggregate and try writing an article again.
Squash
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
Don't kid yourself. The various free OSes are simply a harder target. They are more diverse, both across OSes and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.
There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the Windows monoculture you simply don't find such diversity. The competing software is simply wiped out.
It's a well known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.
Is this news? We all know that Windows is reliable, secure and easy to use. My MCSE friend told me that, so it must be true!
On a more serious note, there might have been more reported Linux vulnerabilities, but the Windows vulnerabilities were much more serious. Also, you can't compare the number of vulnerabilities discovered in the code of open-source software with the number of vulnerabilities discovered in closed-source, not-allowed-to-be-reverse-engineered software.
aka... It's much harder to find a Windows vulnerability than it is to find a Linux one.
Conectiva has been declared the safest operating system ever with combined vulnerabilities over the last 5 years equalling 0. Everyone in corporate America and those banks too should immediately throw out all other operating systems and switch over to Conectiva.
Warning: Conectiva does not support vulnerabilities and all calls will be redirected to the nearest OS distributor.
The 20 second limit I'm sure is to avoid the "Me too!" type posts that say such trivial things as "I agree!". I hardly think it's some indicator that your brilliant typing skills are so 133t that you are outside of the normal bounds.
In 20 seconds a fairly good typist (60wpm) can type about 20 words. The 20 second limit is sorta saying "If what you have to say is less than 20 words then maybe you shouldn't say it?".
I dont understand.
They compare each Linux distribution individually AND combine them all together? The statistic that WinInformant must be using is comparing Linux (aggregate) aka all Linux distros combined. And when you combine all of the Linux distros together _all_ of them have had more security exploits than Microsoft Windows? Well, uh, duh! You don't have Debian NT, Redhat NT, SuSE NT, et al. You have Microsoft NT. Whoever wrote the summary for that survey is a complete moron. But maybe that's what the article moderators want? Submissions by morons? To not carefully analyze what gets posted so that people can get really pissed, so I'll be here posting this message? The title should _not_ say Security Focus says Windows more secure than Linux. Maybe WinInformant did, but I haven't been able to look at the original article yet. Morons. All of them.
Regards,
Tom
I like the page widening troll. I think he's funny so suck it!
The charts at BugTraq seem to follow the market share and usage rather than actual bug information. In other words they are handling only reported bugs.
One thing I think people often forget to consider is the familiarity the sysadmin has with administering his particular distro. With the exception of a few, even some of the most hardcore Linux zealots cut their teeth on Windows before switching to Linux. Thus, no matter how secure an OS is, it's only as good as the person running it, and the majority of the population is better at running Windows. I think that the open source nature and sheer simplicity (in design, anyways) of Linux lends itself to being a much more capable performer, given an experienced user. It just happens to take a lot more time and effort to patch, recompile, reinstall, and reboot than it does to download and execute the latest patch from Microsoft. And of course, being geeks, we have the burden of upholding one of Larry Wall's three sacred virtues... laziness. ;)
"Software is like sex. It's better when it's free." -Linus Torvalds
Get off my virtual lawn, you damned virtual kids!
Let's just put it this way. More people use Windows, more people want to exploit Windows... and at the very least, from a social perspective, Windows is bound to be less secure.
This last year the Windows community has really taken quite the widespread beating with viri (as usual). The Linux community has not. Fewer people use Linux, fewer people know what to do with Linux, fewer people hate Linux, fewer people wish to exploit it, and therefore fewer people are going to screw with it.
No operating system is perfect and or totally secure, however the more you scrutinize something the more apparent its flaws become. The Windows operating system has a hell of a lot more people looking at it under the microscope...and that's an understatement. This, along with geek loathing and common software variables, is the reason why Windows is less secure. The widespread common viri are just the result of all of this BS, and in my mind they totally prove that Windows is less secure. This is the same argument that us Mac diehards have been spitting out for years.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Another take on this story can be found here: vnunet and here.
Pretty much all DoS attacks come from hacked Linux boxes. 95% maybe? Oh... and the other 5% doesn't come from Windows-based machines either. Script kiddies hijack (l33t word of the week for 'hack') Linux boxes and use them for their own agendas. From using age-old security flaws to exploits which are not even publicly known yet, they take over boxes (most often undetected by their admins) and use them to attack. I know Code Red was very widespread (no pun intended), but in my opinion the problems DoS attacks can cause are far worse than such Windows-based viruses.
Windows security holes typically have exploits in the field, whereas Linux vulnerabilities are commonly released from code review- hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may be of no use to a malicious user.
So even if you keep on top of your Windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...
This is a troll right?
Number of Linux/etc testers/developers = x^n (a lot)
Number of MS testers = *CLASSIFIED* (but less than x^n by a laarrge magnitude).
Likelihood to spread diserturned information.
Linux = 90% (or a lot of them)
MS *CLASSIFIED* (they never spread the information, until forced to)
ERR 411[Max number of witty sigs reached]
I'll keep this study in mind next time I think about running Linux Aggregate Server on my machine.
Morning sir....
I'd like to report that although I still have 38 karma, my +1 bonus no longer works.
I used to be able to post at "0" (-1 with a +1 bonus), but that no longer seems to be the case.
What great things you have to look forward to once you choose to stop crapflooding! -1 posting forever?
-- Anonymous Coward.
Linux (aggr.) has more, but each individual distribution does not. Simply put, if you add up every security issue with every OEM release of Windows (Compaq, Dell, HP, etc.), Windows would aggregate to a much, much higher number. The worst Linux distribution, RedHat, had 95 compared to W2k/NT's 97 (in 2000). And while Redhat was worse in 2001, the Windows numbers don't include XP. (Before you bitch at me about the "single" RedHat vs. the "aggregate" W2k/NT, RedHat had multiple versions out these years.)
What is the Linux (aggr.) anyway? The individual distribution numbers don't add up to that aggregate total. Does bugtraq not even know the Linux distros?
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
The mindset of the user.
Considering Windows has a larger install base and a large portion of those users are average people, security to a large portion of Windows users constitutes less of an issue. It's not that Windows users don't think security is important, but rather they don't care to know the guts of an OS. A large portion of Windows users don't understand the hacker culture or realize hackers do it for the fun. By virtue of the user-base, hackers will see Windows as a more attractive playing field. Therefore any security hole in Windows has a higher risk potential than the *nix counterpart. People who use and administer *nix systems tend to have a better understanding of security and the hacker culture. I have no proof of this, but I would guess Unix users have a higher percentage of security freaks than Windows. Unix users tend to be technologists, therefore vulnerabilities are caught sooner than later and patches are applied more frequently.
The article should have taken these and other issues into consideration when calculating the relative risk of security holes. Lazy writers are a dime a dozen. Perhaps more people in the unix community should write articles and provide objective analysis of OS security issues.
So I suppose that now means that 42 33.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Linux is a relative term... There are many flavors of Linux out there. Slackware, which I use, happens to be much more secure (according to SecurityFocus, that is) than any Windows system. But it is all relative to the size of the holes and the severity of them, as well as the speed at which they are patched. Also, the fact that the stats haven't been updated since August might have some bearing on the totals (Re: the message at the top of the page). As far as OSes go, to each, his or her own.
That is why *I* use FreeBSD.
Since its release, there have been 29 security fixes. So, let's have a look at them:
- 1 fix for syncookie vulnerability (not enabled by default)
- 1 fix for apache-devel where you could trick apache into displaying a directory index
- 1 fix for OpenSSH, must be enabled by admin to be vulnerable
- 1 fix for xchat which would allow other IRC users to execute IRC commands as you - not exactly a root exploit
- 1 fix for uucp - RedHat 7.2 is not vulnerable, down to 28
- 1 fix for at - RedHat 7.2 is not vulnerable, down to 27
Given that 2 have to be enabled to be vulnerable, we're down to 25. All in all, almost all vulnerabilities were from different packages. Only 1 kernel problem. So, you would need to be running ~25 specific packages to be vulnerable. So, any report using the 29 patches on RedHat's site (see above link) without actually reading the descriptions is going to be way off base. Now the same thing may be true for W2K machines, but I haven't looked to see.
Most were not remotely exploitable, and some weren't even local-root exploitable. With some, all you could do was view files!
In any case, at the bottom of SecurityFocus's page should be Slashdot's poll disclaimer: If you're using these numbers to do anything important, you're insane
This is pure bullshit, and it's even old bullshit. SecurityFocus have themselves claimed so. It's been around before.
This always comes up due to several problems with the statistics:
First, they're comparing Linux distributions with everything from several database servers through webservers, through rsh, ssh, telnet, ftp, compilers, etc. to plain Windows. Include IIS, SQL Server, shareware telnet servers for Windows, ftp servers, Outlook, etc. and do it again. It is not quite the same thing, nor will your average Linux machine have those services running any more than your average Windows machine. Still, the vulnerabilities are counted if they ship with the CDs.
Second, the 'aggregate' statistics are completely misleading. Those statistics add up every vulnerability in every program that any Linux distribution vendor has seen fit to put on a cd. That is even more farfetched.
Sigh.
Microshaft might have more money to throw at the problem, but OSS has more people to throw at it!!
And if you do crapflood, you post at -1 forever as well.
Seems like I have nothing to lose, my friend.
-TM5K
The same damn story was posted a year or two ago, with the same misuse of stats and the same knee-jerk reaction from posters here who didn't read the blinkin' story!
There are lies, damn lies, and statistics.
Another for instance: I have a couple boxes that are only used for web servers, with everything else cut off (no telnet, no ftpd, etc.) and one box that is dns only (no other services, except identd, etc.)
You don't see as much of this in the windows world, where you pay for each license, and dedication is expensive. I use older machines (ppro 200, etc) for lesser, smaller tasks, and I know I am not the only one.
So, while the fact may be true that there are more POTENTIAL security holes in Linux, it does not equal lower security. You can't just compare them like "apples to apples" this way.
Tequila: It's not just for breakfast anymore!
I'll tell you what the flawed logic is. You can completely ignore the stats, and you can completely ignore direct comparisons. It all lies in the software. Most of the Linux vulnerabilities were for software that most people don't install, non-standard stuff. Like, bitchx exploits or exim exploits. Not everyone installs that by default. So this aggregated Linux number is basically exploits from the tens of thousands of pieces of software available for Unix systems. This is why it's flawed logic. Most of the Windows vulnerabilities are default install problems. They are standard with the OS. Even under the breakdown by Mandrake, that includes all software you find on the Mandrake CD. Not only software that is installed by default (under all install options even). If you include every piece of software that runs on the Windows platform that was exploitable last year, I think you would get a number that would blow it out of the water. On a side note, that's not even taking into consideration that source is available for most of this Linux software, so it is easier to find more exploits. This is a good thing, not a bad thing. This just means they haven't found all the exploits yet, because they use closed source. Security by obscurity does not mean it's more secure :P
Jeff Knox
have been filed under 'Humor'?
There's an old saying that goes something like this:
There are only three types of lies in the world: Lies, Damned Lies, and Statistics.
It's important not to summarize the meaning of statistics too sharply, or they will tend to obscure the truth rather than highlight it. Here we have a comparison between NT and Linux based on a simple statistic of number of security vulnerabilities reported for each. Hmm... so what's been compared then?
If I take an NT 4.0 CD and install it on a PC, then take a CD (or more likely a set of CDs) from a Linux distribution and install that on the same type of machine, how much software is on each? How many security holes are there? Even forgetting that there are dozens of choices as to which Linux distribution I install, you have the problem of determining in each case, where do OSes end and Applications and Services begin?
NT, when installed has the kernel, some core services and some libraries, a few minimal applications and that's about it. If you want the thing to run various enterprise services, go install the whole Back Office suite. Want a database server? Go add MS SQL Server, or Oracle or whatnot. Need Desktop apps? Add Office in any of its varieties to get the combination of apps you want. What about graphics apps? Any number of other tools, utilities, services, development environments, drivers, libraries, etc... install them.
Are we measuring security holes introduced by these additional software products installed?
With a standard Linux distribution (take your pick which one) you'll get all of these things, in dizzying array, straight out of the box. Measure the security holes now.
My point, of course, is that you're comparing apples to oranges if you don't split the apps from the OS. Or at a minimum make the same types of apps, services and libraries available on both machines regardless of what came on the CD from the OS vendor. If you do that, I'd doubt you'd come to the same conclusion.
Of course, the site is slashdotted at the moment, so I can't read the actual comparison, so if the methodology used took all this into account, then by all means throw my comments out the window. Yet somehow I feel it a safe wager that this wasn't factored into the comparison.
-- Begin thoughtfully, end insensitively.
It has more impact that way.
An interesting Sub-topic would be in reply to the numerous posts about all the software that is included in a Linux Distro.
I thought everyone complains that MSFT bundles too many apps with their OS and that's why they are a monopoly.
People here seem to claim they don't bundle much of anything compared to Linux Distros. So do Slashdotters think MSFT is not a monopoly?
Windows 2000 is a completely secure OS. So is Linux. The problem is all the stuff that runs in them. I've never considered IIS to be a part of Windows, nor do I think Apache is a part of Linux. As long as people who are detached from the core OS security concerns (and indeed the whole QA thing that goes on at the kernel level) continue to write code that answers to marketing more than it does to basic development guidelines we'll continue to see these problems. That goes for all OS's - the problem is Windows is a lot more visible than Linux or Unix for that matter.
It's not "my OS is more secure than yours"... it's "my web server sucks less". Tacking everything on to the OS is short sighted.
...if Linux weren't GPL'ed?
I doubt M$ has the guts to use a half-baked statistical white-wash such as this against another party that could sue them, such as HP.
Nearly fifty percent of all graduates come from the bottom half of the class!
Making a machine secure is a process of very careful testing, updating, and maintaining a machine. From a stock install of a distribution like RedHat, you have to first shut down services you don't want to run, verify that you have shut them down with a portscanner, install updated kernels, daemons, local tools & programs to avoid *local root* exploits, modify MANY default configuration files to make the system more secure, and subscribe to mailing lists at various security sites to test things out.
Quite honestly, you probably need to get cracked a few times to really learn this lesson correctly. Setting up a publicly networked Linux server is not a job to be taken lightly, especially if you don't want to donate your system resources to crackers!
What the article doesn't tell you is that the installation of Windows 2000 that had only 42 security holes runs on a box not connected to the Internet.
And secured in a Class III bank safe.
And launched into Mars.
It's still insecure, though.
Goddamn Martian hackers.
The "raw numbers" have always been a point of contention. What is the phrase? "There are lies, damn lies, and statistics." This is almost certainly a case of adding up the numbers and drawing conclusions from them without seeing what they represent.
The raw number of reported vulnerabilities is not an accurate reflection of the security of an OS. Add to that the fact that many of the "Linux" vulnerabilities are in applications that are common across multiple distros and often (in the case of the numerous bind and sendmail vulnerabilities for example) common to many flavors of UNIX.
I would actually be interested in seeing an apples to apples comparison done here. How many "remote root exploits" (Admin access for Windows boxen) have been reported, vs. "local root" vs. "elevated privilege."
Also, should vendor software exploits that simply RUN under Windows be included in the numbers? In the case of "Linux vulnerabilities" that's often exactly what's happening.
Raw numbers really don't mean jack.
Never attribute to malice what can as easily be the result of incompetence...
I'm sure that XP and NT and 2k are really secure, but everyone and their mom wants to find a bug in the software, trying to make it look bad. I'm sure if everyone worked toward making worms and virii for kmail, it would be considered the worst mail client....EVER. So just look at who the script kiddies are targeting.
Crashx99
Where does this reporter get off comparing Windows to the Linux Aggregate? Looking at the stats he evidently used, you will have less vulnerabilities using all the Linux distros, except Redhat. The reporter makes it sound like if you install Linux you will have more than twice as many vulnerabilities, when in all actuality you will have many fewer, unless you use Redhat and then you only have twelve more.
NT Bugtraq is not associated with Securityfocus.
The 'regular' bugtraq list is a securityfocus site. But NTBugtraq is part of TruSecure if I remember right (and moderated by Russ Cooper).
---- join dshield.org Distributed Intrusion Detec
Well, the guy has a point.
The last bug I saw listed on the linux list on this site was: kicq DoS attack. LOL.
From the newsletter on Friday.
Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.
http://securityfocus.com/vulns/stats.shtml
Since when did NTBugTraq become reputable by anyone's hand OTHER than the moderator, Russ Cooper? Is anyone actually reading NTBugTraq? How does a history of a moderator editing other people's posts, a moderator who uses the list as his own personal battleground, how did NTBugTraq all of a sudden become so reputable?
And Russ Cooper himself? Uhm, what background does he have that makes him reputable? TruSecure, a front organization created by him with little background? What research has Russ contributed to the security community? Where is his experience that proves he knows what he's talking about?
No one can argue with numbers, and I'm not arguing that statistics can be manipulated out of context to prove just about any assertion, but reputable? Give me a break. Russ Cooper is a flaming idiot. Just read his posts about w00w00 to his own list recently, and ask yourself if he doesn't sound like a clown.
--jordan
Anyone who has used linux knows that all the different distros are slightly different and that this is not a fair comparison.
In looking into the data further it would be more plausible to compare the aggregate of Linux vs. the aggregate of BSD. Then you could say that the BSDs have fewer security flaws.
If you compare, let's say, Redhat to WinNT4.0/2k then you have an almost even amount of bugs per year. Okay so neither has fewer security issues.
The real questions then become 1) how serious were the bugs? 2) how long did a fix take? 3) were people who installed the OS and then used NOTHING but what came with the OS to secure it still affected?
In the case of Redhat or BSD you can turn off all your services and thus you are not affected by bugs in the ftp daemon. You can do this on NT as well, but by default NT does not come with an ftp daemon. (NT server maybe?)
In the case of BSD and Linux you can enable the firewall that comes with the distro/OS. Once again NT 4 (maybe 2k does?) does not have one by default install.
Lastly, how many Windows machines were taken over last year by the security flaws vs. Linux? Now rather than do this on a 1 to 1 comparison, a more reasonable level of comparison would be a percent, like % of Linux boxes taken over by a security flaw out of the total Linux server numbers, vs. the % of Windows boxes taken over due to security flaws. I.E. if you have 1000 Windows boxes and 100 Linux boxes but 10 of the Linux boxes were taken over and 50 of the Windows boxes were taken over then you have 50/1000 or .05 and 10/100 or .1 which is 5% and 10% respectively, thus Windows would be better, but these numbers I have made up so real numbers are needed. The same could be done with BSD as well as Sun and the other OSes they mention.
Only 'flamers' flame!
They made this same claim 1 or 2 years ago and did their math the exact same way
That was the infamous Mr. Moody.
I can't read the most recent article (/.ed), but from what I can gather, the old article was much worse..
This one takes the aggregate, the Moody article took the aggregate and added it to the total of the individual linux numbers to arrive at his number..
So this article is wrong because it says "if you add all of the holes of all of the Linux distributions, Linux is worse than NT"
Moody's article is worse because it said "if you add all of the holes in all of the Linux distributions, THEN DOUBLE IT, Linux is worse than NT"
Worms thrive on total volume, not specifically servers. The more systems infected, the more powerful it is. It is much more attractive to write a worm that can:
a) Exist on a platform that has millions of machines running a relatively similar configuration.
b) Get in as a trojan horse to an uneducated user (how many laymens install Linux?).
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Please, tell me: adding the numbers of vulnerabilities of win9x to win2k is fair to you? Or is it more fair to just compare the win2k vulnerabilities with the linux vulnerabilities? I don't know, but I know who will 'win' according to those numbers.
Never underestimate the relief of true separation of Religion and State.
Mandrake 8.1 => 109 Packages
Mandrake 8.0 => 161 Packages
These are the number of updates on the ftp sites, but not all are security updates, but some may include several security updates, so these numbers may be quite close to the real security bugs found in Linux, so what was the number for Windows?????
Let's be fair. Some of the malicious hackers are extremely good. Does source code peer reviews improve security? If the guy reviewing the code is dumber than mr. evil hacker, then he might leave open an exploit for mr. evil hacker to enjoy and abuse.
With closed source, mr. evil hacker will need to spend more time discovering the inner workings of the software than he will with open source.
So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?
Remember - at any moment, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
Stop the brainwash
I think you are right - they run a Linux-bashing piece, that is controversial enough to get put up on Slashdot...and only after it is up do they realize what they have done. So as soon as their servers get some hints of Slashdot, they just shut down and wait for the horde to give up. BTW, I read this article the other day, and came up with the same conclusions as the Slashdot crowd seems to have. I'll see if I can't find it in my Mozilla's cache at home and put up a mirror of some sort. But that will have to wait, I'm in school now.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Exactly right.
... years of it, all in the public record.
These numbers only reflect that GNU/Linux is more open and public in reporting its bugs than Windows, which is not surprising given Bill Gates & Co.'s efforts to suppress information about existing bugs in their operating system (the rightly ridiculed notion of achieving security through obscurity).
There is absolutely no correlation between number of bugs reported and number of bugs existing, be they security related or not. This is doubly true when one party (Microsoft) is actively working to suppress such information about their own products.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?
Indeed, if one wants to draw correlations (always a risky endeavor without corroborating evidence) it would make far more sense to correlate the percentage (vs. installed base) of demonstrably compromised systems running one operating system vs. another. As Code Red, Nimda, etc. have demonstrated, Microsoft's products win this one hands down. Indeed, in this case there is massive corroborating evidence to back up the conclusions of such a correlation.
The Future of Human Evolution: Autonomy
I thought this was probably true, but I could not confirm it until I manually added up the bugs for a given year. Maybe you could explain the terms a little better on the page itself?
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.
That sounds like another piece of advice that should be on the stats page, not buried in a Slashdot comment. It's unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.
-Mike
I wonder if these stats would look the same if a count of the bugs in the fix packages were counted and not just the BugTraq ones..... hummmm.
> This is not an issue of who has more issues, but whose issues get reported and publicized more.
Well said. The best defense to this FUD I've seen so far. Be sure that there are 100's of Microsoft employees whose only job is to figure out holes in the Linux model such that it makes Windows look better. There was the resurgence of communism and the GPL cracks the foundation of our economy to name 2 off the top of my head.
The Microsoft model is to hide the bugs because it makes the product "look" more flawed. Having flown the BSOD flag over Redmond for the last few years shows they NEED to hide the bugs because perception is that the product IS FLAWED. Now the flag is SECURITY and they need to hide the bugs again.... Linux and open source on the other hand, project reliability and security through openness. So like always, Microsoft uses manipulated statistics to ATTEMPT to show Windows is better. Remember in 1995 when NT sould 100% explosive growth of NT?....
Your one-liner blows the thousands of dollars spent on that report right out of the water. IMHO.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
It's not only the NUMBER of security holes that counts. The general stability, the intensity of the security problem caused by the hole (remember CodeRed?), the time of reaction to patch, the general knowledge of NT admins vs. unix/Linux, all of that makes NT a very poor candidate speaking of security history. I'm pretty sure SecurityFocus got a special subsidy since M$ announced new investments in security... for a company that never knew anything about security but snake oil.
Clearly windows is better defended against linux specific virii.
But really, for security, it's CP/M! Dear god is that brilliant.
Microsoft are catching up with the world though, they are only 9 years behind apple now, and about 20 years behind UNIX systems. Fantastic.
Flamebait is served best liquored up.
The limits of my language are the limits of my world. -- Wittgenstein.
0xC3
The argument that "Linux has a smaller installed base, so its security holes are less important" sounds like a paraphrasing of the old "security through obscurity" canard.
After all, aren't you really saying that those security flaws are less critical because script kiddies and crackers are less likely to come across a Linux box than a Windows one?
umm OpenBSD unhacked for last 5 years (http://openbsd.org) ... why was that not in the article?
While the Super Bowl was playing, the Detroit Lions defeated the Carolina Panthers in an exhibition game.
Linux security vs. Windows security. Sounds like a battle for last place.
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).
I thought that too after looking at the SecurityFocus numbers, but then I figured it out. Scroll down the page a bit to the "Top Vulnerable Packages 2001 Packages", and there you'll see the numbers that the article references -- "MandrakeSoft Linux Mandrake 7.2: 33", "RedHat Linux 7.0: 28", etc.
Me too!
...but, I'm bored out of my skull sitting here at work. It is interesting to see how few vulnerabilities exist for the Mac OS. I recently switched from the x86 platform to Apple after exclusively using x86 based machines for the last 12 years.
:)
So far, I'm impressed. And very broke.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?
We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.) Sadly, we have very little editorial control over other people's websites.
The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.
Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.
The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.
I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.
And the game is 2 to 1
OS:Linux
--------------
Virus:Sendmail, Wu-ftpd
OS:Windows
--------------
Virus:Windows
They neglect the 600 OE viruses each year...
forget it.
Screw securityfocus, let's look at bulletins released by manufacturers.
:)
Microsoft security bulletins released in 2002:
MS02-001
Redhat security bulletins released in 2002:
2002-018
2002-015
2002-014
2002-012
2002-011
2002-009
2002-007
2002-004
2002-005
2002-003
2002-002
2001-171
2001-168
2001-165
And if you look at 2001 results you'll see a somewhat similar trend, although not near as pronounced. Something like 80 versus 60.
Are these statistics meaningful? Of course not. If you have read Paul's columns you would know he reported this tongue in cheek. It was a slow news day, he noticed this, had to make fun of it.
What makes this story interesting, and why Paul reported it is because if the numbers had been reversed you would be assured that would be the headline of the day on slashdot, and if anybody questioned it they would be called Microsoftie apologists.
And look at the responses you see here. They're almost comical. Reminds me of the responses to the Mindcraft benchmark. Fear, Uncertainty and Denial.
gah.. i mean, from a server standpoint i'd much rather run linux for reliability reasons, but this data is all garbage.
:)
this must be with a standard install. they're basing the linux numbers on distributions when what they should be doing is reviewing IIS vs. various packages and so forth. it is possible to install and properly configure redhat with no known remote exploits.. just as it is possible to more or less secure a windows box.
the #1 security vulnerability that exists for absolutely EVERY platform is a lazy sysadmin.
however, for my love of video games, nothing replaces windows on the desktop for me.
It gets worse than that. Let's consider:
Most bugs that show up for redhat or any other linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevant to a server system where there is no user access.
Meanwhile, an enormous number of these linux bugs are irrelevant on a firewalled system, never mind the incompetency of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).
Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
What they SHOULD do is look at the percentage that were FIXED. Linux development rolls out more stuff each year, so naturally, there are more security notices. But they get fixed. Micro$oft drops a golden turd every few years, calls it an operating system, and pays people to keep quiet about the exploits.
Invalid statement, Linux is just a kernel. Now if they compared Windows to a distribution then that would be valid. Compare it to say Redhat for a decent comparison, not every damn distribution versus just one windows release (distribution).
Sigh...
I can't read the original article; it's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.
First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)
Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.
Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.
Regardless of anything else, using these numbers to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?
"It's funny. On the outside, I was an honest man. Straight as an arrow. I had to come to prison to be a crook."
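The "aggregate Linux" figure described above counts each unique bug once, while the per-distribution columns count a bug once for every distribution that ships the affected package, so adding the columns overstates the total. This added example (not SecurityFocus code) works through that with a constructed advisory list; the bug ids, packages and distributions are sample data, not the real 2001 figures.

```python
"""Added example: per-distribution vs. aggregate bug counts.

The ADVISORIES list is CONSTRUCTED for illustration, not real SecurityFocus data.
Each record: (bug_id, affected package, set of distros that ship the package).
"""
from collections import defaultdict

ADVISORIES = [
    ("bug-1", "openssh",  {"redhat", "debian", "mandrake"}),
    ("bug-2", "wu-ftpd",  {"redhat", "mandrake"}),
    ("bug-3", "sendmail", {"redhat", "debian"}),
    ("bug-4", "bind",     {"redhat", "debian", "mandrake"}),
    ("bug-5", "xfs",      {"mandrake"}),
    ("bug-6", "kernel",   {"redhat", "debian", "mandrake"}),
    ("bug-7", "apt",      {"debian"}),
]


def per_distro_counts(advisories):
    """Bugs attached to each distro: a bug is attached to every distro that
    ships the affected package, so it shows up once per distro."""
    counts = defaultdict(int)
    for _bug_id, _pkg, distros in advisories:
        for distro in distros:
            counts[distro] += 1
    return dict(counts)


def aggregate_unique(advisories):
    """The 'aggregate Linux' number: unique bugs, however many distros ship them."""
    return len({bug_id for bug_id, _pkg, _distros in advisories})


def naive_sum(advisories):
    """What you get by adding the distro columns: the same bug counted repeatedly."""
    return sum(per_distro_counts(advisories).values())


def times_counted(advisories):
    """How many distro columns each bug lands in (the 'counted up to four times'
    complaint elsewhere in the thread)."""
    return {bug_id: len(distros) for bug_id, _pkg, distros in advisories}


def bugs_for_distro(advisories, distro):
    """The lookup the page is meant for: what might I need to patch on my distro?"""
    return [bug_id for bug_id, _pkg, distros in advisories if distro in distros]


if __name__ == "__main__":
    print("per distro:", per_distro_counts(ADVISORIES))
    print("aggregate (unique):", aggregate_unique(ADVISORIES))
    print("sum of columns:", naive_sum(ADVISORIES))
    print("mandrake needs:", bugs_for_distro(ADVISORIES, "mandrake"))
```

With this sample, the three distros show 5 bugs each (column sum 15) while only 7 distinct bugs exist, the same pattern as 54 + 28 + 36 exceeding the 96 aggregate quoted earlier in the thread.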
man, this whole story is kinda sad. first, the silliness of using these figures without actually doing any analysis on them first. irresponsible, to say the least. second, we have these pissing contests so regularly that i'm beginning to suspect there is a formula capable of predicting when the next one is going to be.
what i really want to see is something very simple. a little application, distro-specific, that downloads data from a central, trustworthy website and then does a check on each of the applications on a computer and certifies it. if the computer does not pass the check, management gets a mail. if you have a non-certified computer, your sysadmin is liable for any damages.
that's what i would do if i was a security dude.
soup
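The firewalled-server argument earlier in the thread (only ssh and apache reachable, most distro bugs irrelevant) and the "certify this box" tool proposed just above amount to the same check: which unpatched advisories can actually be reached on this machine? This added example is not the poster's code or any distribution's tool; the package names, versions, ports and advisory ids are constructed sample data, and the advisory feed is embedded rather than downloaded.

```python
"""Added example: certify a box against an advisory list, counting only
reachable bugs. All inventory, advisory and port data below is CONSTRUCTED.
"""
import re

# Constructed inventory: package -> installed version as a package manager reports it.
INVENTORY = {
    "openssh": "2.9p2",
    "apache": "1.3.20",
    "xfs": "4.1.0",
    "nfs-utils": "0.3.1",
    "bind": "9.1.3",
    "util-linux": "2.10",
}

# Constructed advisory feed (in a real tool: fetched from a trusted site).
# "remote": exploitable over the network; otherwise only by a local user.
ADVISORIES = [
    {"id": "adv-1", "package": "openssh",    "fixed_in": "2.9p2",  "remote": True},
    {"id": "adv-2", "package": "apache",     "fixed_in": "1.3.22", "remote": True},
    {"id": "adv-3", "package": "xfs",        "fixed_in": "4.1.1",  "remote": True},
    {"id": "adv-4", "package": "nfs-utils",  "fixed_in": "0.3.3",  "remote": True},
    {"id": "adv-5", "package": "bind",       "fixed_in": "9.2.0",  "remote": True},
    {"id": "adv-6", "package": "util-linux", "fixed_in": "2.11",   "remote": False},
]

# Constructed mapping of package -> port its daemon listens on.
LISTENING_PORT = {"openssh": 22, "apache": 80, "xfs": 7100, "nfs-utils": 2049, "bind": 53}

# The thread's web-server policy: only ssh and apache pass the firewall.
ALLOWED_PORTS = {22, 80}


def version_key(version):
    """Turn '1.3.20' or '2.9p2' into a comparable tuple of integers.
    Assumption: a simplistic ordering; rpm/dpkg have their own rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def unpatched(inventory, advisories):
    """Advisories whose package is installed at a version below the fix."""
    pending = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # not installed: this bug cannot affect the box
        if version_key(installed) < version_key(adv["fixed_in"]):
            pending.append(adv)
    return pending


def reachable(pending, allowed_ports, local_users=False):
    """Keep only bugs an attacker can get at: remote bugs whose port passes
    the firewall, plus local bugs only if untrusted local users exist."""
    exposed = []
    for adv in pending:
        if adv["remote"]:
            if LISTENING_PORT.get(adv["package"]) in allowed_ports:
                exposed.append(adv)
        elif local_users:
            exposed.append(adv)
    return exposed


def certify(inventory, advisories, allowed_ports, local_users=False):
    """Return (passed, report). Certification fails only on a reachable
    unpatched bug; the report still lists everything pending for later patching."""
    pending = unpatched(inventory, advisories)
    exposed = reachable(pending, allowed_ports, local_users)
    lines = [f"unpatched: {len(pending)}", f"reachable: {len(exposed)}"]
    for adv in pending:
        status = "EXPOSED" if adv in exposed else "blocked or local-only"
        lines.append(f"  {adv['id']} {adv['package']} (fix: {adv['fixed_in']}) [{status}]")
    passed = not exposed
    lines.append("result: " + ("certified" if passed else "NOT certified - notify management"))
    return passed, "\n".join(lines)


if __name__ == "__main__":
    ok, report = certify(INVENTORY, ADVISORIES, ALLOWED_PORTS)
    print(report)
```

On the sample data five advisories are pending but only the apache one is reachable through the firewall; the same box with apache updated passes even though the X font server, nfs and bind bugs remain unpatched behind the firewall.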
none
Viruses or other malicious programs on my other brother's WinME machine in the last year? 1, and it took my brother running the Linux server (who is more knowledgeable than my other brother and myself when it comes to computers) a week to find and isolate the virus to keep it from running itself. Even then, there's nothing that can wipe it out so far except a total HDD reformat. Norton can find it, but won't clean it.
Now you tell me which system is more secure? A buggy system with all kinds of insecure networking options inherently on and a brother too busy to go to WindowsUpdate.com every 2 weeks for the latest security fixes, or a Linux system with very few networking options turned on by default and a brother who knows what he's doing when he turns on a service that could potentially allow viruses in?
It's great that Windows is pretty simple to use, but for goodness sake, why turn on things a typical user won't ever need to use when you could prevent more bugs this way. And another thing. I'm tired of proprietary webpage coding. Those damn 'best viewed in IE4.0+' pages are usually so damn annoyingly not rendered well except in IE that I just won't buy stuff from websites where I have to use IE to use the website. If you ask me, that alone is a malicious virus built into IE that threatens future use of the web for the less fortunate who don't want to pay $399 for "WinowsUltra64! Home Upgrade Edition"
I'm sorry, I just don't understand your argument.
Are you still defending them counting a single bug in the source code up to four times if all distros fixed it? And that it's legitimate to count the same bug fewer times if some distros never issued an advisory for it? (Shades of the usual closed source "it's not a bug until we admit it's a bug!" attitude!)
Or are you using the author's inability to add a few two-digit numbers as some perverse proof that we should trust those numbers? Unless we have a list of the vulnerabilities behind those numbers, that explanation makes as much sense as anything else I've heard.
Ultimately, it's all irrelevant anyway since Microsoft itself has come out strongly against public discussion of vulnerabilities. Some vulnerabilities are undeniable because of exploits, but there's a huge grey area where it's not clear if it's a bug or a vulnerability - and many people defer to the authors on these reports. This policy wasn't as explicitly stated at the time in question, but it's obviously been their policy for some time.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
but wasn't there some issue before about Microsoft hindering how and which bugs are reported to the Bugtraq web site? if so, then there you go. Another thing is the Linux source being open. So bugs may be easier to find. but with windows, most users won't know if they are seeing a bug or not much less where to report it.
The title of this story is "SecurityFocus says windows is more secure than Linux" but that is a clear lie. SecurityFocus said nothing of the sort.
Look at the chart on security focus and count the local root exploits... Oh wait! Windows 98 doesn't have any protection to begin with so how can the protection fail?
It's embarrassing when Linux weenies can't see that they are being trolled.
Securityfocus is the definitive site for security news. To say the numbers are "purely for entertainment" is the most ridiculous thing I've ever heard. You only proved your ignorance later in the post when you said, "the WinInformant site is Slashdotted (they must be running Windows, haha)" when OBVIOUSLY this would have more to do with their BANDWIDTH than their OS. I know I'll get modded down for posting this, but I don't care. I hate to see people discount anything that doesn't agree with their opinions. Oh, and I run Windows NT at work, Windows2000 and Mandrake 8 at home. I love Linux, but I love MS more for some things (games, word processing, etc.)
"Da ist ein Technölüst in mein Unterpanten!"
They are looking at this from the wrong perspective. Instead of saying "Linux had more bugs than Windows in 2001" it should say "Linux *fixed* more bugs than Windows in 2001". Simply because those Windows bugs haven't been found yet does *NOT* mean that they are not there waiting to be exploited (or are already being exploited).
"Your superior intellect is no match for our puny weapons!"
Considering they're running IIS (netcraft lookup), it isn't surprising that the site got /.ed so easily...fine secure OS they're running though apparently.
THAT must explain why the web services are slower...all that "security" checking!
We don't need to get all up in arms over this article. People who believe this at face value obviously smoke crack.
I mean does anyone really think that comparing the sum of all bugs across all Linux distros against the number of bugs M$ acknowledges for WinXX means diddly squat?
Easy.
Because you didn't say so.
We know who SecurityFocus is. It's Alfred Huger and Oliver Friedrichs and Art Wong, the Secure Networks, Inc. crew.
Secure Networks dealt with exactly the same problem we're talking about now: the trade press doesn't know a damn thing about technology and software engineering. Everything in the trade press is based off of newswire press releases and superficial articles. Alf and Art and Oli had to deal with this problem constantly as their competitors made bogus claims about SNI and their products.
Towards the end of their work on the Ballista product, Alf had gotten pretty good about educating the trade press about the issues, or at least at swaying them towards his way of thinking.
Alf and Oli and Elias are scrupulous guys, and they know how the world works. It is simply an embarrassing oversight that there aren't loud disclaimers on the vulnerability report at your site explaining how to interpret the results. You all know how the page is going to be interpreted. You just saw Slashdot interpret it the wrong way. Slashdot is dumb, but InfoWorld is a million times dumber.
You could fix this problem right away, and pre-empt unethical use of your data, by releasing a statement explaining that the numbers on the page aren't a legitimate security metric. It won't cost you anything and it will help (us, and you!).
Or you could act like Russ Cooper and try to use the polarizing effect of the unexplained numbers to generate controversy, page hits, and press.
It's all a question of how much your credibility means to you.
Comparing the two on security issues is tough. With windows-based systems, your 'configurable' options are limited (unless prepared to scour ms knowledge base for occasional registry fixes + patches - of course the patches typically lock you in to a certain behaviour.. not always desired).
With linux, you can make a system as secure or insecure as you wish - with the 'HOWTO's' coming from a wide variety of sources. So..
Limited security configurability and limited knowledge base or massively configurable system in terms of security with large knowledge base? I'll stick to linux (or *bsd
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
Until you start using IE, it doesn't create a vulnerability. You could immediately go get Netscape or Opera and boom, no more need for IE. Even if it is part of the OS, until you go to the internet with it, it's not much of a vulnerability.
Should it be better out of the box? Certainly!! But I consider that a bug of IE rather than a bug in the OS, even if the OS is dependent on it.
"Derp de derp."
Possibly an accurate argument, if the Linux in question is anything but Slackware.
Anonymous Coward
Hey Locutus - I've never seen you trolling this hard before. Have you become an Adequacy editor or something? Add some funny links and your post would fit right in on their front page.
Either that or your tinfoil hat is out of adjustment.
You're talking as if crackers are the only ones checking out source code.
I'm pretty sure there are more white hats than black hats.
proactive?? reactive?? I'll take proactive, thanks.
An idiot with a 2k box is obviously less secure than an idiot with a linux box. Besides, there are fewer idiots on linux than windows. It seems to me that skilled sysadmins would be better off with a system that gets patched as soon as the vulnerability is found, instead of 2 weeks-2 months later. Plus you could make your own patch on Linux.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
I wonder how many buffer overflow errors go unreported in windows. Closed source software may obfuscate many potential security errors that open source software makes blatantly obvious. Although I'm sure it's harder to find those errors in closed source software, with so many windows applications it's hard to believe they are not there.
NTBugtraq is actually part of TruSecure, not SecurityFocus. What SecurityFocus has is a separate list called BugTraq. Very confusing...
Security of the system, in the hands of society is really based on the installation. Sure, a good admin can secure Windows or Linux. The fact is that most people that install either are not good admins. Most people here on /. are.
If linux stopped bundling bind, and other exploit-happy software, or at least didn't install it by default, we would easily be more secure. The default install of Windows usually doesn't include all sorts of fun exploit-happy software (with the exception of IIS).
Plus, what are we talking about here? Are they counting the number of exploits against Windows and trying to compare them to all the different packages in linux? Most people don't install bind and other exploit-happy software by default.
We ought to think about software that goes into default installs, based on their prior exploits, and see if they should be included, or use an alternative.
Sometimes i wonder if they just make up numbers like this to get slashdotted and get some throughput...
I recall a popup somewhere there on that page...
The limits of my language are the limits of my world -- Wittgenstein
0xC3
Try some numbers of Slackware linux vs. windows nt. Redhat is probably the least secure of the linux distributions; however, there have been fewer security flaws in Slackware Linux in its entire history than in Windows nt in its best year.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
What with all of these informed responses, you'd think the original article by wininformant was available or something.
-DB
[ a directive occured while processing this error ]
requires some methods, and since I'm too lazy today to look for the methods they used to compile all that data, I'll create my own.
1- let's establish what's a windows OS and what's a Linux OS (and the nots too)
1.1 Windows 3.1 is NOT an operating system. It is a graphical user interface (GUI) for DOS. let's assume win 95/98/me and NT 3.5/4.0/2000/XP are OSes.
1.2 Linux is NOT an OS. It is a KERNEL. the combination of Linux and the GNU OS makes the operating system we know as GNU/Linux
2 Let's determine the minimum installation of each one that's capable of doing useful work, including user tasks such as reading e-mail and browsing the web and server tasks such as serving web pages, sharing files, routing e-mail, et al.
2.1 Both in Windows and GNU/Linux you'll have to select all the packages necessary to the proposed tasks using the minimum offered by the standard install CD. If the CD doesn't offer some of the functionalities they must be downloaded from the manufacturer's site.
2.2.1 for windows you'll keep only:
- networking drivers;
- the standard MS file sharing;
- Internet Explorer;
- Outlook express/MS mail;
- IIS/personal web server
- Exchange server;
2.2.2 For GNU/Linux:
- Network modules and associated tools;
- NFS or Samba;
- Mutt or pine (remember, in GNU/Linux you can read e-mail/browse from the command line, so XFree is not installed);
- Lynx or Links
- Apache;
- Sendmail;
3 count the number of security holes in the test systems, including:
- vulnerabilities to e-mail virii;
- vulnerabilities to malicious web-pages;
- remote exploits that grant root/administrator access;
- local exploits that grant root/administrator access;
- holes that allow an attacker to successfully launch a DoS attack, freezing the machine;
- unauthorized read and/or write access to files;
- any other vulnerability you can think of;
In a test like this who do you think'll win ? please post your comments.
What ? Me, worry ?
Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted
.. sweet revenge ;)
D.
According to the Netcraft survey, it is 49% WIN and 45% *NIX. That is not a big deal, and we can say that the *nix have about the same server market share as windows. Especially since we don't know the margin of error of this survey. It may be very high, so it may be possible that *nix are more (or fewer) than that.
Open Source projects use the public internet to keep everyone well informed of software weaknesses and we're not afraid to keep doing that because it makes the software stronger.
Besides the fact that it is unfair to count 6 releases of Red Hat as one OS and not count NT and Win2k as one release over the same period, the initial period for a Linux distro is going to bring issues to the surface, that is part of the process.
The linux bug finders are, as a rule, supported, appreciated and recognised in the open source community as pioneers. Their findings are widely shared and listened to -- I'm glad you can find the reports.
The Windows Bug Finders are threatened, hushed, denied information, ignored and actively discouraged. Furthermore any recovery data is typically hoarded till a shiny executable can be sent out in a subdued and 'professional' manner when it won't embarrass Microsoft.
Where would you rather be???
I'll take linux any day.
why can't we stop this linux window whatever bullshit, post some funny CmdrTaco stories, something about aibo or whatever, but we have to face it, some windows people see themselves as geeks, and this is news for geeks. We all know linux and windows zealots exist and both parties are too stubborn to admit their faults. No side wishes to learn from the comment the other side gives. I know, some find it entertaining to read this kind of endless, useless discussions, but please, I don't think it's fun anymore... especially since there seem to be more and more windows zealots (marketing-trained MCSEs) out there. I just mean, aibo-like stuff is cool, for windows and linux users alike. Discussions about which is less worse than the other lead nowhere. they both have their faults, and both sides are too stupid to admit it. And the way most discussions start??? by pointing to a stupid article written by some housemom/dad (not to discriminate anyone) who recently installed nt/linux and thinks he's an nt-admin/linux-root journalist that has the right to spread his cheap talk (as opposed to free speech). Oh please... So like I care if linux would have more bugs, it never failed me, and probably just the same way, a good nt-admin has never been let down by his nt. Crap, with the bullshit and (mostly-)unmotivated arguments I could break down just as easily a linux user as I could break down a windows user... It's not a matter of which one is best, they are both equal. even when it comes to 'the-microsoft-asshole-attitude', I think most linux newbie-zealots are capable of competing with that attitude (linux-zealot-newbie-...-asshole-i-think-i-know-it-all-asshole attitude'?).. it's all just a matter of what you like and what you are best at... personally
No time to track it down now, but I saw an article about two weeks ago about this soon-to-be-released "study", which clearly indicated that the authors of the study had been hired by MS.
I think it may have been linked through Wired or CNet.
As of this morning, however, the dog seems to be dead (www.wininformant.com.) Coincidence? You tell me.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
I agree
For those who are curious I listed the information below from Microsoft's own site. You'll note that Windows 2000 alone had considerably more than one bug that required a patch.
.HTR Vulnerability
.IDA and .IDQ Mappings Restored After You Install Service Pack or Add/Remove a Windows Component
Before anyone criticizes the patches below for including apps like telnet and IIS, many of the bugs that are cited by Bugtraq in Linux distributions also have nothing to do with the OS itself, and everything to do with installed packages that are included with the distribution.
Q252795 MS01-046: Windows 2000 Does Not Support Mapping Virtual COM Ports to Infrared Ports
Q273854 MS00-077: Denial of Service Can Occur with Microsoft NetMeeting
Q276471 MS00-079: Patch for "HyperTerminal Buffer Overflow" Vulnerability In Windows 2000
Q282806 MS01-031: Telnet Service Prevents an Idle Telnet Session from Timing Out
Q285156 MS01-013: Windows 2000 Event Viewer Contains an Unchecked Buffer
Q285851 MS01-007: Patch Available for Network DDE Agent Request Vulnerability
Q285985 MS01-004: Patch Available for New Variant of File Fragment Reading via
Q286043 MS01-051: Patch Available for Telnet Logging Vulnerability
Q287397 MS01-011: Patch Available for Malformed Domain Controller Service Request Vulnerability
Q287912 MS01-031: Predictable Named Pipes Could Enable Privilege Elevation with Telnet
Q288855 MS01-026: FTP Service Allows Login to Domain Guest Account
Q289243 MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000
Q289782 INFO: Post Windows 2000 Service Pack 2 COM+ Rollup Hotfix 8 Is Available
Q292435 MS01-040: Invalid RDP Data Can Cause Memory Leak in Terminal Services
Q293826 MS01-026: Pattern-Matching Function Can Cause Access Violation on FTP Server
Q294370 MS01-026: Updated Patch for Microsoft Security Bulletin MS00-060
Q294379 Addressees Appear in Body of SMTP Message Instead of the Header If You Specify Many Addressees
Q294391 MS01-024: Malformed Request to Domain Controller Can Cause Memory Exhaustion
Q294774 MS01-044: IIS Loads ISAPI Extension In-Process Even When Application Is Marked for High Isolation
Q295534 MS01-026: Superfluous Decoding Operation Can Allow Command Execution Through IIS
Q296185 MS01-025: Patch Available for New Variant of the "Malformed Hit-Highlighting" Vulnerability
Q297860 MS01-044: IIS 5.0 Security and Post-Windows NT 4.0 SP5 IIS 4.0 Patch Rollup
Q298009 Cipher.exe Security Tool for the Encrypting File System
Q298012 MS01-041: Malformed RPC Request Can Cause Service Problems
Q298340 MS01-044: Patch Available for WebDAV Denial of Service
Q299553 MS01-031: Logon Command That Contains a Particular Malformation Causes an Access Violation in the Telnet Service
Q299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed
Q299796 MS00-077: Denial-of-Service Attack on Port 1720 May Cause a Memory Leak in Conf.exe
Q300477 MS01-035: FPSE: Potential Buffer Overrun Vulnerability in Visual Studio RAD (Remote Application Deployment)
Q300855 MS01-031: Windows 2000 Telnet Security Rollup
Q300901 MS01-031: Telnet Service Allows Logging On to Domain Guest Account
Q300905 MS01-031: Handle Leak in Telnet Service Causes a Denial-of-Service Vulnerability
Q300908 MS01-031: Program Running with Normal Privileges Can Terminate a Telnet Session
Q300972 MS01-033: Unchecked Buffer in Index Server ISAPI Extension Can Enable Web Server Compromise
Q301625 MS01-044: Patch Available for SSI Privilege Elevation Vulnerability
Q302755 MS01-037: Authentication Error in SMTP Service Could Allow Mail Relaying
Q303984 MS01-043: NNTP Service in Windows 2000 Contains a Memory Leak
Q304867 MS01-044: Patch Available for MIME Header Denial of Service Vulnerability
Q305601 MS01-060: FIX: CRT String Format Functions May Underwrite Buffer
Q306118 FPSE2000: List of Issues Fixed in FrontPage Server Extensions Service Release 1.3
Q306121 MS01-051: Malformed "Dotless" IP Address Can Cause a Web Page to Be Handled in the Intranet Zone
Q307454 MS01-052: Invalid RDP Data Can Cause Terminal Services Failure
Q308268
Q308414 MS01-051: Patch Available for HTTP Request Encoding Vulnerability
Q311355 MS01-041: The Danish Version of Security Hotfix MS01-041 Is Not Installed
Q311371 Terminal Services Sessions Are Disconnected Because of a Decryption Error
Q315404 MS01-052: Clients with an Expired Temporary License May Be Unable to Connect to Terminal Services
Get off my virtual lawn, you damned virtual kids!
I want to see 1,000,000 COMMENTS by the end of the day! Trolls, crapflooders, Linux zealots! Post, post, post! Post soon, post often! One million comments!!!
It seems from reading the comments here that a very unfair comparison between 'everything Linux' and specific versions of Windows is being made. You have to take into account all of the versions of the modern windows OS (95/98/NT/2000/XP) to begin to compare to the range of uses for Linux, and even then you're not doing Linux's flexibility justice. Although they use the phrase 'Windows' from time to time I am led to believe they are actually comparing any kind of Linux vulnerability to specifically only Win2K and WinNT vulnerabilities. And on top of it, although I'm admittedly not sure, I get the feeling this comparison only took into account perhaps IIS on the Windows side while lumping into Linux the vulnerabilities of a great many more applications.
How about someone produce a more useful article such as a comparison of vulnerabilities between WinXP and Linux kernel 2.4.17, and this time take into account the most important factor of all: how long the vulnerabilities are known in the wild before a fix is available.
----- sXe
Why?
The moronic Winnuts will include vulnerabilities such as, say, ICQ clients, P2P crap, E!.. Shit that we're smart enough to not let near a server... but they'll insist are server vulnerabilities.
Then there's the many other reasons why we can't trust anything out of the mouth of Winnuts.. How many of the bugs are from third party software? How can there be more vulnerabilities for Linux when SecuriTeam keeps shoving Windows bugs in my mailbox?
In the end, bugs or no bugs, a Linux box can be secured appropriately. A Windows box?
"Ha ha ha, that's some funny shit."
...then why did my Win98 box die without me touching it? It got that virus from somewhere
/. gets something wrong, or puts its foot in its mouth, it's just a bunch of geeks pointing at each other.
... THIS IS WHY.
...why am I finding ways to filter out all the Win virus spiders from the apache logs
...was Outlook the cause of millions of dollars in damages for corporate IT security?
ALL of the major viruses that came out this year, and this was a stellar year for security and virus growth, were Windows. We all know that Linux isn't fundamentally virus-proof, but the big security blunders of 2001 were Windows.
This is the real danger of internet reporting. No need for subscribers. At least when
This is just outright FUD, but if people had to pay for the FUD, it wouldn't be around. Ah well, good and the bad I guess. Hopefully the real press has done its job in reporting Windows' security flaws to make this kind of brochure-ware journalism ineffective.
The next time someone asks "Why do you have to point out EVERY Microsoft flaw"
inky
The three names you mentioned are all viruses in APPLICATIONS run on Windows, not the operating system itself.
Nimda was an Outlook virus (...right?)
Code Red was an IIS virus,
and I Love You was an Outlook virus as well.
All of these are not flaws in the operating system, rather they exploit the applications running on Windows. Consider this: is Linux itself insecure because a large majority of Linux computers exploited are running BIND, and BIND runs on Linux?
void women (int money, time_t time);
Linux security vulnerabilities come in two flavors, those remotely exploitable, and those locally exploitable.. The latter of these vulnerabilities shouldn't be considered since Windows doesn't have security for local users.(You can get admin rights pretty easy sitting at the keyboard, and you can't really use a windows system remotely except via external services such as SMB networking)
I think if you compare the externally exploitable holes on linux vs externally exploitable on windows it would come out more favorable..
It's also a fair comparison, on my servers my users only hit the box via POP3, IMAP, SMB, etc. They have no shell access so I don't really have to worry as much about that side of security matters.
Just a few thoughts.
OK.. 2 years ago around april 13th.. A BIG security hole was found within Microsoft IIS/Front Page Where a user could a) cause a buffer overrun in IIS and b) be able to fetch files off of the webserver before being parsed (ie pulling ORIGINAL VBScript ..asp source code) using an encrypt/password of "NetscapeEngineersAreWeenies". The following Day Microsoft sends a press release denying the bug, only saying the buffer overrun exists.. I had downloaded the exploit code from SecurityFocus and tried it out on our servers.. The bug was there.. I even tried changing the "password" and it didn't work.. only when the password was NetscapeEngineersAreWeenies..
Hmm... Microsoft NEVER released a patch..
That password was inside several of the frontpage dlls!!!.. The Microsoft solution to the "buffer overrun" was to remove a few key dlls from FrontPage.. thus disabling Most of the functionality of frontpage but preventing the exploit..
Microsoft plays the game of "deny the bug". They've been going after organizations that find security holes and "making" them NOT release info about security holes in Microsoft products...
And when Code Red came out.. I hunted around their blasted site for like an HOUR trying to find the fix.. it was WELL hidden.. I mean it wasn't even IN the Critical Updates...DUH!!!!
but over time the bugs will be found by the thousands of people who are looking at the code every week. Meanwhile Windows will continue to have a steady stream of bugs that will never begin to taper off.
The amount of code that is being generated by Microsoft is much greater than the amount of lines Windows hackers can disassemble. Therefore the number of bugs is growing, but the number discovered is staying the same. IMO, I have written exploits and done disassembly for both Linux/BSD/Opensource and Solaris/Microsoft/ClosedSource and naturally it takes TONS more time to look over your average daemon in the latter. There are more holes, but they're more difficult to find. Eventually they will be found and the disparity will become more clear.
The story, for what it's worth, is just another FUD troll by a Microsoft supporter, and has nothing to do with real life.
"values of beta will give rise to dom!"
Windows users who jump in without having a single idea what they're doing, who download and run countless virii...
Linux users who jump in without having a single idea what they're doing, who ignore security updates entirely because they live under the myth that Linux is all that is good in the world, and can do no wrong...
In the end, it's user error on both sides that causes the security problems, and the skript kiddiez who exploit them...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
Even if the numbers were counted fairly/correctly, the fact that the Linux numbers were as close to NT as they were says something. After all, the code can be reviewed for vulnerabilities whereas NT bug hunting seems to be more of a 'shot in the dark' effort. And yet the numbers were still comparable. Silly.
e.g. I just downloaded a GNU program and followed the instructions to compile it under Windows. This failed. I guess that's what the distro companies are for...
Unfortunately this credo is also taken up by a large number of PC game writers, so I'll stick with Nintendo for a while yet... their stuff actually works.
Now I get it. Microsoft is actually devoting a month to working on security...both by (yeah right) trying to fix the holes in the code and by trying to rewrite history. You do have to admire their multi-pronged approach.
-Mike-
Like so many, I've been slashdotted out of the article so I'll have to make some guesses about the data. It would be reasonable to assume that more errors are found by the many thousands of eyes poring over open source code than the few looking at closed source code. So, finding more errors in an open source OS is no proof that Windows is more secure. The numbers that I would like to see are: Of the Windows vulnerabilities reported, how many of them actually came from Microsoft and how many of them were first reported by a victim who reports "My Windows box has been hacked! There must be a vulnerability!"
The race isn't always to the swift... but that's the way to bet!
1) yes
2) no
3) depends on admin
4) cow boy neal
"Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers."
I don't mean to complain, but this is an opportunity I can't sit on. Why is it important to update everyone that the site was slashdotted? Doesn't this happen to over 75% of the front page stories? Every time I come to Slashdot to read a few interesting articles, I can't because they always get slashdotted. Isn't it about time to implement some sort of mirror system? Maybe some readers can donate some time and resources to get this started (I would...). What fun is it to keep "wishing" that I could read all these interesting articles, when the whole point is to have stories that people can actually read? Is anyone with me here?
just sick of the crap streaming from Redmond. without their monopoly on the OS, they would be a much smaller application company. MUCH SMALLER. And by reading the dial on the FUD METER, it looks like Linux is THE target. Therefore Bill and Steve are FUD-WRESTLING again and the media is at ringside taking notes. A tinfoil hat is all I need to keep the FUD from getting on me. It's THAT weak these days. ;/
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Did anyone else notice that the listing only goes through August 2001? That would put this before several very nasty Windows vulnerabilities were released or attacked by virii and worms.
I'm confused here. Is IE just an application or "subcomponent" of a MS operating system? That's not what they've been arguing in court. They say they've "integrated" it with the operating system, that it's an "integral part"! They even went on to argue (unsuccessfully) that the operating system cannot function without it.
And why does which ever answer I get smell like an Enron balance sheet?
In the BSD community we pride ourselves on disclosure. Besides, I do not think most administrators take as much issue with windows security as it may seem (although it seems funny at times). Here is a question, on service packs that come out, how many bugs are fixed in those binary patches that could be security flaws that no one knows about?
After disclosure the next issue most people overlook is the level of granularity most UNIX systems patch to, for example, lets say there is a 1 byte overflow in the less pager. If microsoft had less (they do have more though!) would they bother posting that as a security flaw or even a possible security flaw? Most likely not, yet we see these bugs posted all the time with open source software.
Without looking at the difference in granularity and disclosures - there can never be a real comparison between windows and any other system in the world, open source or not.
Exchange Server Hits 100 Million Users
Given that the company announced its 75 millionth seat just this past October, that's a lot of new seats. There's a joke here waiting to happen, but I don't know what it is.
I think it's something along the lines of "Microsoft consider their customers to be assholes". Reading the laughably inaccurate reporting plastered across the site, it would seem they're not far wrong...
Code, Hardware, stuff like that.
And apparently an idiot with Mac OS X Server needn't worry at all. Lets see the debian HURD developers pull that off. All I have to say is long live Apple and Linux.
Haven't we been over this already?
-- Have you ever noticed that at trade shows, Microsoft is always the company that is handing out stress balls?
Satan claims his fires aren't all that hot, come roast some marshmallows with us.
... is when a windows exploit comes out, it affects most windows systems in operation. When a linux exploit comes out (proftpd, apache, etc) it rarely affects all the systems in the field. I know about 90% of the bugs that show up in bugtraq and elsewhere don't apply at ALL to my system because I don't run those daemons. Whereas in windows... how many people DON'T run activex scripting or disable javascript in outlook?
Shadus
a few suggestions i think would be useful:
I believe sex is highly over rated... unless it involves me
I was just at the Security Focus Vulnerabilities page and the page has had the linux aggregate stat removed from the list, sometime between 9am pdt and 12:30pm pdt. I guess some good came out of the article.
first of all, this article was NOT written by security focus.
this article was written by the same idiot that always writes a bunch of misguided FUD about Linux.
I forget his name now, and the site is down.
don't believe me? read all the other stories this author has written. it's all in the wininformant page. and it is ALL FUD and misinformation.
the fact that a slashdot editor posted this drivel on slashdot tells me a LOT about slashdot editors....
www.WinInformant.com came back up a little while ago, the text of the "article" is basically what was quoted for the topic subject. I tried to do a little digging to find out if the author or the company he works for is affiliated/owned by MS, but wasn't able to really turn up a lot. However, I did find this little rant at one site talking about how the credibility of the author is pretty much nil. Can anyone else turn up other info?
This is not the greatest sig in the world, no. This is just a tribute.
Do the names "Nimda", "Code Red" and "I Love You" ring a bell?
Those were FEATURES not security flaws!
Sheesh I wish people would get it right. That's why MS has less bugs. They count half of them as hidden features!
Vote early. Vote often. Vote CowboyNeal.
I think this is totally biased.
Of course every Linux user and their mom is going to go up in arms over a review. Especially when it attacks their OS of choice.
Vice versa man. If you had a windot.org site where people ranted and raved against Linux and an article of the same magnitude came out. Then Windows users will do the exact same thing.
How about we try this. Why don't you just believe in what you know. Follow what you know is right. And for fucks sake, not get a hair up your ass and freak when a simple article says one is better than the other.
I mean I know we are children here but one would think that at some point you can just let go. Stop rolling your eyes and just say fuck it.
~Admrlnxn
"I got your mom in my trunk"
If Microsoft halts all new feature development for a month to fix bugs!
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=23971
Posted by the same author of the misleading bug brief, Paul Thurrott.
Too big to fail? Does that make me to small to succeed?
It is plainly stated that the numbers aren't necessarily accurate...
There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
That's good enough for me.
All the servers infected with a virus hitting my web server requesting http://www/root.exe are UNIX machines, uh huh.
//WORKGROUP/C\$ -I 207.88.220.61
Why not try this.
With any of the following IPs, type 'smbclient -L 207.88.220.61'
If you're more of a cracker than I am, you might then try smbclient
and just hit return when prompted for a password.
this also works with:
203.228.232.188
203.231.119.70
203.231.166.49
203.233.20.86
203.231.216.208
203.199.54.26
203.231.217.5
203.231.122.227
203.244.13.72
and countless others.
These machines (all Win2K) have their entire filesystems exposed over the internet, and are promiscuously advertising their presence because they are infected by a virus that leaves a clear trail in the logs of any web server they attempt to infect.
These machines are engaged in abuse of my web services, and I hold Microsoft at least partly responsible for this situation.
Presumably the virus itself is responsible for opening their shares with guest access, but maybe it's M$'s lame out-of-the-box security.
If your machine's IP is on this (small fragment of my) list of machines banned from accessing my web server due to virus infection, then i suggest you replace your hopelessly insecure OS with a decent one.
I was incredulous when i analysed my web-servers logfiles and found the sheer number of virus-infected hosts, all Windows NT and 2000, and most of which were sharing the entire contents of their hard-drives over the public internet.
I know Windows can be secure as the admin is competent, but the ease with which it's security is breached through Outlook/IE is breathtaking.
The idea that Windows is somehow more secure than Linux/UNIX is laughable to me.
I gots ta ding a ding dang my dang a long ling long
I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professionals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reasonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
<<RON>>
Let us know when you're mature enough to come out of your playpen, put away your toy computers, and use the real thing!
I'm not really surprised by this. Following the recent long Microsoft DNS outage when it was revealed that quite a few of Microsoft's own DNS servers were running Linux (not to mention they use akamai for their downloads), Paul Thurrot came out with the classic report that although this might be true 'it proves Open Source zealots wrong as Linux wasn't being used for anything mission critical'
What the fuck? According to WHAT kind of logic is DNS not mission critical? If it's not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrot last.
Many NT shops won't apply a service pack since they will break more things than they fix. Or you have to be very careful and verify that things still work. Hot fixes have similar problems.
Linux/GNU/sendmail/BSD/etc. vulnerabilities tend to affect one item which is fixed without bothering anything else.
The other statistic which isn't mentioned is how many sites ARE STILL VULNERABLE to all the common exploits.
If the result of Mr. Bill's focus on trustworthiness is a series of huge service packs that break everything yet again it will only be good for Linux. Robustness and compatibility are not in focus right now but probably will be about 48 hours after super service pack is released.
Oh, and will they do that for NT or will they force everyone to upgrade to 2K or XP to fix all the vulnerabilities?
BIND is a horrible project. It is such a piece of dewdew, I can't believe it hasn't been replaced yet. There are alternatives to BIND on Unix, (DJDNS for one) but they are new and as yet not as flexible.
Satan has bought a ski lift.
In a press conference held earlier today, he stated, "Slashdot needed an excuse to post something good about Windows."
Y2K Compliant since the late 1890s
If you notice he mentions Redhat and mandrake, the two RH based distributions. "Linux" is not Redhat, nor any other distribution. If you look at Slackware for instance, he fails to mention the fact that it has less than 1/4 of the exploits of windows NT. The reason; Slackware pimps NT, not to mention (I bet I'm gonna get a ton of people calling me a troll for this, but it's the truth) RH is not really a "serving" OS, it's more of a workstation setup without being tweaked a good bit. I'm not even speaking of SuSE, connectiva, OpenLinux, deb or TurboLinux, all of which have a better average security record than Windows NT or RH, which I believe still has Wu-FTPd installed by default, the script kiddie's best friend. and I am through.
Don't call my crazy, that's what they called me back in the home!
[Here's what I posted to the comments section of wininformant.com. Doubtful they'll display it.]
Excellent satire.
One only needs to look at the SecurityFocus stats referenced to find holes in most (if not all) statements made by Paul's article. An example:
"A look at the previous 5 years [there were only four previous years reported on - tsmith]--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux..."
Let's take a look at the previous "five" years, starting with 2000. Redhat Linux 6.2 i386, listed as the most vulnerable of the linux flavors with 65 vulns, is bested outright by MS Windows NT with a whopping 71 vulnerabilities. To compare apples to apples requires adding in MS IIS 4.0, with 29 reported vulns, for a total of 100 vulns, or over 50% more vulnerabilities than the _buggiest_ distribution of linux. Even the combination of the lowly, four-years-on-the-market, mature Windows95 with IIS (if such a combination were possible - it matters not, because if not then W95 cannot honestly be compared to RHL) results in 64 vulns. Note that Win95 had the least vulns reported (at 35) of all the Wins. Also note that despite it being out a solid 3 years longer than RHL, it can only best the mark by 1 vuln. Not quite what I'd describe as "far fewer".
Paul's statement is even more humorous in light of the data from 1999. In that year, Microsoft's products fill the top of the list almost exclusively, with the exception of Solaris 7.0 having slightly more vulnerabilities than IIS and NT4.0SP5. That's right folks, IIS _alone_ had more vulns than any flavor of Linux and most of the Solari. NT4.0 without a service pack? 75 vulns.
1998 is the only year during which Paul may have a contention regarding NT besting Linux. 8 vulns vs RHL's 10. Note, however, that this is not including bugs from IIS, and is akin to comparing apples to oranges. In any case a difference of two is not what I would consider "far fewer". The comparison of RHL to Win95 is laughable in this case - what does a count of security vulnerabilities show in a system which has virtually no security?
Once again in 1997, RHL's 6 bests WinNT's 10.
Paul, how exactly are we to interpret the phrases "five", "each year", and "far fewer"? Perhaps as "four", "maybe one year", and "a little bit"? I suppose your wording was close enough though - I mean, it _is_ just your journalistic integrity on the line, right?
"Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2"
Note that neither BO nor IIS are reported on in the 2001 tables, thus no conclusion may be drawn.
"...despite the fact that Windows is deployed on a far wider basis than any version of Linux"
Excellent hearsay. Well unsupported by reliable references. After reading the prior claims in your article, I'll be sure to give this little tidbit all the credit it deserves (incidentally, none).
Thanks again for the good laugh Paul! What's next week? "WinXP Embedded Has Smaller Footprint Than vxWork? Yepppp!" I can almost imagine you shaking your pom-poms in the air.
There are 11 types of people in the world: those who understand unary, and those who don't.
Sure, more security flaws are discovered in Linux than in Windows... which is precisely the reason Linux is more secure.
Because Linux is open source, millions of eyes scan the code on a daily basis. This is where the old rule of QA applies: the number of bugs found in any piece of software is directly proportional to the amount of testing (or scrutiny) applied to that software. In other words, there is no such thing as bug-free software, and you will continue to find bugs with asymptotic frequency as long as you continue looking for bugs. You find the easy, obvious ones first, followed by ever-more-rare bugs.
Because Linux has been scrutinized so heavily, it follows that many more bugs will be found than with Windows products. That doesn't mean Windows has fewer bugs than Linux, it just means they haven't yet been discovered. Microsoft, despite the fact that they are a behemoth, has a finite number of engineers and testers. My guess is that a relatively small percentage of them spend any time whatsoever looking for security flaws. That leaves the bulk of the job to the security community, which doesn't have the luxury of being able to scrutinize the Windows source code. No source code makes finding security flaws significantly harder. That, in combination with the fact that there are far fewer people investigating security flaws means Windows cannot possibly be as secure as Linux or any other open-source OS.
I think the claim that MS products are more secure than Linux is just more MS propaganda.
From the article:
A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux
Win2K had zero reported security vulnerabilities before it was released....
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Actually, I think leonbev was referring to the psychology of the script kiddie/script kiddie tool writer. They tend to target MS targets out of political/cultural affiliation w/ Free Software, Open Source, anarchist, whatever.
This would be the same thing as not wearing red or blue back when the Bloods and Crips targeted people wearing the other color.
"One man can change the world with a bullet in the right place."
- Mick Travis, "If..."
So it's just like any other informant - willing to say anything for a price.
Finally some analysis of the figures!
I wonder if anybody can still remember how Microsoft threatened several security companies telling them not to publish the flaws discovered in Windows? Maybe that had something to do with the "less bugs" picture painted by Microsoft?
I had no idea it was that bad for RedHat - MS only had 51 in all of 2001 (and not all for the OS itself or even a particular version - that's 51 across all MS products).
Why don't people look at these stuff and make the obvious connection?
I stole this from someone else's post:
Microsoft security bulletins released in 2002:
MS02-001
Redhat security bulletins released in 2002:
2002-018
2002-015
2002-014
2002-012
2002-011
2002-009
2002-007
2002-004
2002-005
2002-003
2002-002
2001-171
2001-168
2001-165
Hmm... you like them apples now?
Please change the way in which stats are reported. IIS, IE, Index Server, and the like all ship now with Windows 2000/XP just like Apache, WuFTP ship with most Linux Distros. Since this is the case, those security flaws are also security flaws in Windows 2000/XP in much the same way that Apache, WuFTP and other packages' security flaws are being reported with Linux Distros.
Thank You.
ha ha ha ha ha ahaha ah ha hah ah (tears running down face) ha ha ha ha ha aha ah
Could it be that RedHat is more diligent and open in acting on security flaws than its slower-moving competitor?
From my own personal experience I've had numerous break ins on various Linux boxes, where the hacker had root (uid0) privileges. Thankfully they never did too much damage.
I've never had a break in on my FreeBSD box, nor on my WinNT/2k boxes.
You all seem to forget that the first Internet worm spread on UNIX boxes.
Don't blame the OS for all of these security breaches, blame the language C/C++. Thanks for a shitty implementation of an array.
I don't need caffeine anymore!
And when I see 734 comments I'm just in heaven!
Thank you Slashdot! :)
~shiny
WILL HACK FOR $$$
Evil is better than good, dark is brighter than light, less is more, and the Earth is flat. Fnord.
I can't believe there are people that actually stand up for Microsoft garbage!
Don't kid yourself - everything microsoft has done/will do is indeed garbage.
That my friends, is a fact.
Our Apache web server keeps on logging attempts to execute cmd.exe and files like that. We are logging about 100.000 records a day. We already counted like 7 GB of those logs...
:-) together with a huge discount.
One time, our colocation provider asked us to monitor our system because someone on the subnet was abusing the link. They couldn't find the problem until I asked "are there any NT servers on the subnet?". 1 hour later apologies were in my mailbox
unfinished: (adj.)
Lots of misinformation going on around here.
It seems that the site(s) are back up, I've appended the meat of both in case they go down again. A good deal of the posts I'm reading state the stats are invalid because it is an aggregate of all linux distros in comparison to windows 2k. This is not true, the stats make a clear distinction between distros and count them separately, for example Redhat 7.2 had 28 exploits in 2001 where Win2k had 24.
Which is what this article was attempting to exploit itself. It's very clear that the original article (as shown below) is a blatant attempt to drum up a flame war between linux and windows supporters. With a headline like 'Windows More Secure Than Linux? Yep!' it doesn't try to hide that fact either. The entire basis of the article is a 4 "exploit" difference between Redhat linux and win2k within the last year. Of course the severity of these exploits is not detailed.
Considering that windows has dramatically improved its numbers from the previous years I think a more accurate headline would have been "Windows security much improved from previous years"
As many people have said far more eloquently than myself, these statistics do nothing to prove or disprove a superiority between linux and windows security, as there are so many problems with even trying to prove such a thing.
-Jon
below is the full text of the article and the stats from Security Focus.
------------------- WinInfo article ------------------
Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.
-------------------SecurityFocus Stats -------------
Number of OS Vulnerabilities by Year
OS 1997 1998 1999 2000 2001
AIX 21 38 10 15 6
BSD/OS 7 5 4 1 3
BeOS 0 0 0 5 1
Caldera 4 3 14 28 27
Connectiva 0 0 0 0 0
Debian 3 2 31 55 28
FreeBSD 5 2 17 36 17
HP-UX 9 5 11 26 16
IRIX 28 15 9 14 7
MacOS 0 1 5 1 4
MacOS X Server 0 0 1 0 0
Mandrake 0 0 2 46 36
NetBSD 2 4 10 20 9
Netware 1 0 4 3 1
OpenBSD 1 2 4 17 14
RedHat 6 10 47 95 54
SCO Unix 3 3 10 2 21
Slackware 4 8 11 11 10
Solaris 24 33 34 22 33
SuSE 0 1 23 31 21
TurboLinux 0 0 2 20 2
Unixware 2 3 14 4 9
Windows 3.1x/95/98 3 1 46 40 14
Windows NT/2000 10 8 78 97 42
Top Vulnerable Packages 2001
Packages # Vulns
MandrakeSoft Linux Mandrake 7.2 33
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 27
Debian Linux 2.2 26
Sun Solaris 8.0 24
Sun Solaris 7.0 24
Microsoft Windows 2000 24
MandrakeSoft Linux Mandrake 7.0 22
SCO Open Server 5.0.6 21
RedHat Linux 6.2 i386 20
MandrakeSoft Linux Mandrake 6.1 20
MandrakeSoft Linux Mandrake 6.0 20
Wirex Immunix OS 7.0-Beta 19
Sun Solaris 2.6 19
RedHat Linux 6.2 sparc 18
RedHat Linux 6.2 alpha 18
Debian Linux 2.2 sparc 18
Debian Linux 2.2 arm 18
Debian Linux 2.2 alpha 18
Debian Linux 2.2 68k 18
Top Vulnerable Packages 2000
Packages # Vulns
Microsoft Windows NT 4.0 71
RedHat Linux 6.2 i386 65
RedHat Linux 6.2 sparc 53
RedHat Linux 6.2 alpha 53
Microsoft Windows 2000 52
Debian Linux 2.2 48
RedHat Linux 6.1 i386 47
Microsoft Windows 98 40
RedHat Linux 6.1 sparc 39
RedHat Linux 6.1 alpha 39
MandrakeSoft Linux Mandrake 7.0 37
Microsoft Windows 95 35
RedHat Linux 6.0 i386 33
Microsoft IIS 4.0 29
Microsoft BackOffice 4.5 29
Microsoft BackOffice 4.0 29
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 26
RedHat Linux 6.0 alpha 25
Conectiva Linux 5.1 25
Top Vulnerable Packages 1999
Packages # Vulns
Microsoft Windows NT 4.0 75
Microsoft Windows 98 44
Microsoft Windows 95 40
Microsoft Windows NT 4.0SP3 33
Microsoft Windows NT 4.0SP1 32
Microsoft Windows NT 4.0SP2 31
Microsoft Windows NT 4.0SP4 30
Microsoft Internet Explorer 5.0 for Windows 98 29
Microsoft Internet Explorer 5.0 for Windows NT 4.0 28
Microsoft Internet Explorer 5.0 for Windows 95 28
Microsoft BackOffice 4.0 28
Microsoft BackOffice 4.5 27
Sun Solaris 7.0 26
Microsoft IIS 4.0 25
Microsoft Windows NT 4.0SP5 23
RedHat Linux 5.2 i386 22
Sun Solaris 7.0_x86 21
Sun Solaris 2.6_x86 21
Sun Solaris 2.6 21
RedHat Linux 6.0 i386 21
Top Vulnerable Packages 1998
Packages # Vulns
IBM AIX 4.3 36
IBM AIX 4.2.1 29
IBM AIX 4.2 29
Sun Solaris 2.6 28
Sun Solaris 2.6_x86 25
IBM AIX 4.1 25
IBM AIX 4.1.5 24
IBM AIX 4.1.4 24
IBM AIX 4.1.3 24
IBM AIX 4.1.2 24
IBM AIX 4.1.1 24
Sun Solaris 2.5.1_x86 23
Sun Solaris 2.5.1 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5 21
Sun Solaris 2.4 18
Sun Solaris 2.4_x86 17
Sun Solaris 2.3 13
Sun Solaris 2.5.1_ppc 10
SGI IRIX 6.4 10
Top Vulnerable Packages 1997
Packages # Vulns
SGI IRIX 6.2 25
Sun Solaris 2.5.1 23
Sun Solaris 2.5 23
SGI IRIX 5.3 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5.1_x86 22
Sun Solaris 2.4 22
Sun Solaris 2.4_x86 21
SGI IRIX 6.3 20
IBM AIX 4.1 19
Sun Solaris 2.3 18
SGI IRIX 6.1 18
IBM AIX 4.2 17
SGI IRIX 5.2 15
SGI IRIX 6.4 14
IBM AIX 4.1.5 14
IBM AIX 4.1.4 14
IBM AIX 4.1.3 14
IBM AIX 4.1.1 14
Sun Solaris 2.5.1_ppc 13
Copyright © 1999-2001 SecurityFocus
this is my sig.
"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."
To me, this just shows that you should always take into account WHO you get your information from as well as the information itself.
--I don't mind the school of hard knocks, it's those darned refresher courses I hate. =)
The trouble with comparing Linux distros to Windows lies in the fact that Linux distros include so many different applications. I just did a count of installed packages on a RedHat box I am using, and I got 780 installed packages. I'd like to see a comparison of the number of exploits between the RedHat distro and Windows installed with 700 of the most common applications for it. That might be a more useful comparison. Also, I will readily acknowledge the weakness and lack of true usefulness of the numbers below, so no need to flame me for the lack of usability...I'm only posting the info I found, so no need to stone the messenger.
Windows
4336 Windows NT
1070 Windows 2000
2 Windows 95
5408 Windows total
All UNIX and Like
1185 Linux Red Hat
999 Linux unknown distributions
36 Linux Connectiva
23 Linux Debian
17 Linux Cobalt
17 Linux SuSE
13 Linux ALZZA
12 Linux Mandrake
1 Linux Slackware
2304 Linux total
485 Solaris & Sun OS (1)
267 IRIX
163 FreeBSD
121 BSDI
44 SCO
28 Generic UNIX
18 Compaq Tru64 UNIX
9 AIX
7 HPUX HP
4 Digital UNIX DG
3 OpenBSD
2 NetBSD
1 PowerBSD
1 Digital OSF1
1153 UNIX & Like total
3457 UNIXs & Linux
8865 Total Windows and all UNIX
Other
2 Mac OS
1 Netware
63 unidentified
--It's Pimptastic!--
I agree with most of what you said, but while more people run Windows, there is probably more intelligent scrutiny on Linux because people have access to the source code.
Of course, it may be more valuable to developers to have more mindless bug reporters than fewer knowledgeable ones.
Bugs aren't fun. But which is cheaper to license and maintain? You paid good money for windows software and should be receiving a secure product.
While linux is free with free bug fixes or you can fix the bug yourself. In the end it's just cheaper to run linux.
When I read the title of the article, I wondered: is windows more secure than the linux kernel? Or maybe is it more secure than a specific distro? Or is it more secure than certain applications? You know, it makes a whole lot of difference when we know what we are talking about.
Would you still say that if it were the other way around? Or would it still be proof that "M$ suX0rz"?
...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
I have a few points to make.
1: Linux is a kernel. Name the last security hole in the kernel.
2: There are TONS of Linux distributions. Hundreds. There's also gobs of software included in your standard Windows distribution. If you count ALL of their security vulnerabilities from ALL DISTRIBUTIONS and ALL SOFTWARE PACKAGES, I'm not surprised it's a bit higher than the number of holes in the *core Windows OS*.
3: The rate of release of Linux is much faster.
4: Linux distributors are still relying on the wrong software (sendmail/bind/inetd).
It's like they say, "Liars figure and figures lie"
OpenBSD - Four years without a remote hole in the default install! Linux is nice but BSD is the future. Just ask Steve Jobs.
First of all, let's put this in perspective. Take a look at the top right corner of that site: "Windows Network & .NET Magazine".
This spin is almost as amusing as the Redmond claim that "we're not coding anything new for a month so we can concentrate on 'security'". One whole month? Wow.
SecurityFocus now warns that the data upon which these assumptions are based "should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made." Yet I don't see an update on the WinInformant site acknowledging this, disputing it, or ANYthing.
If one actually READS the data, Windows came in at #1 for the year 2000, and Microsoft products grab 14 of the top 15 vulnerabilities for 1999.
Could it be that these vulnerabilities were found from people looking at the code, and then emailing someone "hey, there's an error", and then fixing it? I mean how many holes would there be in windows if we could see the code. Finally, microsoft doesn't admit there's a hole until someone finds it; they're not going to volunteer it like someone writing a program
Mr. W and Mr. L each have a spouse and 3 kids.
Mr. W has been moderately sick this past year, and had to make 3 trips to the doctor. He really had to go - his boss was going to fire him if he didn't do something about the grapefruit-size abscess festering on the back of his head and the odour from the gangrene in his left foot was getting unbearable. We suspect he has an undiagnosed brain tumour, but since nobody can smell that he hasn't had it checked out. His kids have had to make 3 trips to the doctor as well: 1 required an MRI, one has cystic fibrosis, and one of the poor dears needs a liver transplant. His wife Explora has been very ill and had to make emergency trips to the hospital 7 times.
Mr. L and his family each made two trips to the doctor. The whole family got the flu, plus they each had their yearly checkup.
STATISTICS SAY:
Q: Mr. W, how many trips to the doctor have you had this year?
A: 3 trips.
Q: Mr. L, how many trips to the doctor have you had this year?
A: 10 trips, but that includes my family.
CONCLUSION:
(drumroll please)
Mr. W is healthier than Mr. L.
Let's give him health insurance.
I happened to be using a Mac running OS X and Classic (OS9).
I wanted to comment on the article (I still think it's some sort of joke) and use of I.E. (X), Mozilla (X), iCab (X), WannaBe (9), Mozilla (9), and iCab (9) all crashed on the "add comment link."
Well, at least it was a good exercise in net-non-compatibility and the non-coder who wrote the html for that pop up window you get clearly knows what he's doing.....coding html exclusively for a Windoze world.
It's time for MS and their thralls to put up or shut up, and stop trying to bullshit their way out of Code Red and SirCam and their hordes of incestuous cousins. Have them demo one security hole as kick-me-I'm-stupid as the holes those exploited, by writing their own.
As always, all IMO. Insert "I think" everywhere grammatically possible.
I moderate this story -1, Troll.
VOS/Interreality project: www.interreality.org
but mod this up because some people still, sadly miss the point :-(
:-)
An OS is hardly "secure" or "insecure".
To illustrate my point, lets just imagine that the default install of my Win2K server is more "secure" than the default install of my debian box.
Neither of them are connected straight to DSL!
Your whole environment (firewall, router, switch, servers etc) can be secure or insecure, that's true, but one component can't rate the whole environment.
"I'm better than you because my Win2k box is tighter than your debian box" won't cut it here either, for the simple fact that you just can't get to my debian box so it doesn't matter if it has a hole that you can throw a cat through (which it doesn't)
So if we believe the stats, it could read more things than OS security anyway because it's about which holes are known (M$FT doesn't always feel the same openness as the rest on this topic, remember)
Anyway, don't let me get in the way of the flames
how about the fact that there are people all around the world who find the bugs in linux, and make fixes for them. I've found that a bug in linux is fixed almost right away as opposed to waiting for microsoft to decide that there is a security hole, hold a meeting about it, prepare statements for the world about it, fix it, then release a patch.
Possible scenario
------------------
Problem: We have a large group of linux users, we need them to use windows, or at least stop developing linux and making other people not use windows.
Solution: We use a manufactured and obviously inflammatory story, posted to a shrine of the linux-worshippers, to cause the (generally) obese linux crowd's blood pressure to blow. Problem Solved!
:)
-raph
Excellent. Mod parent up.
Bush's education improvements were
Has anyone else noticed that winformant.com is running Linux? Apparently they don't think it is all that insecure. The site winformant.com is running Apache/1.3.3 Cobalt (Unix) (Red Hat/Linux) on Linux. I also like the notice on securityfocus.com in BOLD type. The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.
26 days to go. We are now finding out what Bill means when he said that February will be focussed on security.
Derek
Linux has more reported security problems because there is a community working to uncover problems in order to get them corrected. While Microsoft, on the other hand, gets mad if people make bugs/vulnerabilities known to the public and tries to prevent it (I have heard that they want it to be illegal to spread info on security vulnerabilities, although I don't see how this wouldn't violate the 1st amendment).
The real difference in the statistics is that they just don't deal with their software in the same way.
They say that it talks about all distributions. Distribution security flaws then would not be related to linux itself but the applications that each distribution includes.
This has a couple of problems then:
1. Wininformant would then include all sendmail, etc, security holes as linux bugs. I don't think that they would include extra Microsoft products that a user may/may not choose to install - they are probably talking about the machine after installation. As such, IIS, Sendmail, Outlook, etc, on a windows installation would not be counted towards the number of bugs.
2. The increased number of security holes reported for linux may actually not be representative of the number of holes present, but instead be a measurement of the amount of exposure that linux receives, therefore eliminating more bugs. Following this logic you could conclude that linux was more secure for that 8 months. Of course, you could probably never measure this, making it pure hypotheses.
If Microsoft weren't actively advocating non-disclosure of vulnerabilities, then sure -- I'd say it the other way around as well. The point is, RedHat seems eager to fix and disclose their own vulnerabilities (to the point of accidentally jumping the gun), and Microsoft seems eager to squelch discussion on theirs.
Given their stances, who would you trust to release advisories in a timely manner?
--JoeProgram Intellivision!
Both Linux and NT have plenty of security holes to go around. But Linux is also clearly far preferable from a security point of view: it is much easier to run only the software/servers you actually need on Linux, it comes with full sources, and serious security holes are fixed usually within hours of being reported.
Claims like those on WinFormant mainly demonstrate the incompetence and inexperience of their authors.
Boy oh boy, and Aids didn't happen from sleeping around with monkeys. What next? Bill Gates gives away millions. The idiot troll that posted this and the idiot troll editor that accepted it -- /. focused on
do you know how many MS-is-better-than-Linux articles I can find in a day? If I wanted to read this crap I'd go on google and search for it.
If you can't keep stealing someone else's "decent" stories instead of the fermented hogwash that you post just close shop and go try to understand Zorn's lemma again! For the 3350th time!
What was contained in each bulletin, how was it resolved? Numerical titles sans text is pointless.
Enronian (en-RAHN-ee-an) adj.
1 : Presenting misleading numbers for purposes of aggrandizement.
ex.: The microserf resorted to an Enronian argument to back up his false implications.
Acquiescence leads to obliteration
a redhat 6.2 install is plenty secure if you use the right tools. http://victim.cylant.com
yeah, i work there.
Like the electoral college uses.. heh. Or claiming that a processor with a higher clock speed means it can process faster. Blah.
So am I to understand that WinXX has had fewer reported vulnerabilities over the last 5 years? I believe that. MS believes in security thru obscurity, and god only knows how many hidden security flaws there are in say, Win9x that have never even been discovered.
However, that doesn't mean they won't be. Anyone who's got a clue (the meager minority, I'm afraid) seems to understand that reporting and fixing bugs is kinda how open-source works. I'd be MUCH more concerned if Linux (distros) _didn't_ have more reported security problems, for an unreported security flaw is the one that goes unfixed. Microsoft can probably tell you all about it.
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
Just what was that 'Site Migration' Mentioned on the Security Focus page?
- Security Focus migrated TO Linux!
I wonder why?!?
While the citing of the many viruses to which Windows alone is vulnerable may not be sufficient, as a programming and computer security professional I can state with confidence that Microsoft's corporate position on security has indeed contributed to a less secure product. Further, the underlying system design (complete reliance on DLLs that any SW provider can replace) has been, and continues to be, basically insecure. I am not an MS basher, but one must be a realist when it comes to computer security. Hopefully MS's new security-first development strategy will eventually yield a secure MS product.
The numerical titles are merely references to the bulletins posted at www.redhat.com. There ye shall find the text and become enlightened.
I checked my dictionary and there is no such word as enronian. The only reference I could find to it on the web was in discussing President Bush's deficit spending package.
Later I upgraded Kenny to a recent Redhat release, either 7.1 or maybe 7.2, running in a medium-security configuration. I didn't notice any problems after that - whatever the popular security holes were had been patched or they were in services I hadn't turned on. I had some other serious problems with those distributions - basically they're not made to be installed on small machines unless you do one big partition or a lot of hand-tuning, and you can't netinstall from a single CDROM drive any more, so you'd better have at least one machine with a lot of disk space. But the security was much improved.
By the way, a couple of the intrusion detection techniques I used were:
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
% wide I would bet that linux has more systems unpatched than MS does. Face it, the patching of linux in general is horrible. I want patches not. hmm bug in cvs...better go upgrade cvs, yeah right...no I want a patch...add patch...done. And I want it tested.
Besides, most of the linux software that comes out is crap for the first couple years. Far less than what MS puts out the first run. Let's see, it took Sendmail 10 years to be developed so it worked without major flaws...It took MS 3 years to get exchange perfected, and now exchange can handle and do more than sendmail does.
mysql, it's nice but small and it still has bugs...sql server first run was bad but from then on it screams.
Come on folks get off your high horse, linux is a nice toy and a niche here and there, but it has a LOT!!!! farther to go than MS does.
What this thread needs is an appropriate Mark Twain quote:
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
The numbers are relevant. They are simply completely misinterpreted by WinDesInformant.
They compare accumulated bugs of all Linux Distributions to those of NT/2000 or 3.1/95/98.
Even Redhat, with the largest number of reported bugs of all compared Linux distributions, breaks even with NT/2000.
But that's not all. SecurityFocus themselves admit that application related bugs are likely to be left out of the count of Windows bugs but not of the Linux bugs count.
Have you ever *seen* these lists of bugs found in Linux and published publicly? While the occasional real bad humdinger is found, most are of the form, "I read the source and found out that someone could in theory do such-and-such, but I don't know if anyone has actually done this yet."
In linux, the white-hat hackers and the black-hat hackers operate on equal footing with regards to access to the information. That's the key difference.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
It's a Flemish expression which means something like not knowing if you should cry or laugh.
Face it, this article is the ultimate proof most Windows related magazines and websites are full of bogus information.
1. They are pointing to a website (securityfocus) which itself claims the figures are highly disputable and incomplete.
2. WHO! in his right mind would consider using UNreliable data to make a statement as such.
3. I cannot believe they are adding up every distro to point out Linux is less secure ! It's like counting all versions of windows to accumulate a number illustrating its robustness.
4. Really not very long ago (a day or two) Microsoft released a 17MB patch with security updates for Windows 2000.
I'd start a flamewar on that website if I could but their servers don't seem to be able to keep up with the load for now.
...run an HTTP server on it. Don't tell anyone that it's there. What will you see?
In my case it was a few hundred Code Red requests from a few tens of hosts per day.
Contrary to the popular belief, there indeed is no God.
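The two posts above (the Apache server logging cmd.exe requests, and the hidden HTTP server collecting Code Red probes) describe the same thing: worm traffic aimed at IIS landing on a non-IIS server. This is an added example, not any poster's code, of how a defender would triage such a log: it parses Apache Common Log Format, tags requests that match the default.ida (Code Red) and cmd.exe/root.exe (Nimda-style) probe paths, and reports counts per signature and per source host. The log lines are constructed for the example, with addresses from the documentation ranges.

```python
"""Triage IIS-worm probes found in an Apache access log (added example).

The SAMPLE_LOG below is CONSTRUCTED for this example; it is not the poster's
real log. Hosts use RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures for the worms the thread mentions: Code Red requests
# /default.ida; Nimda-style probes ask the web server for cmd.exe or root.exe.
# On a non-IIS server every one of these is a 404 and pure noise.
SIGNATURES = {
    "code_red": re.compile(r"/default\.ida", re.I),
    "nimda": re.compile(r"/(?:cmd|root)\.exe", re.I),
}

SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2002:10:01:12 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [03/Feb/2002:10:01:13 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [03/Feb/2002:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [03/Feb/2002:10:02:41 +0000] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [03/Feb/2002:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048
this line is not CLF and must be skipped
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # request is "METHOD PATH PROTOCOL"; a malformed request yields an empty path
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(path):
    """Return the signature name that matches the request path, else None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def triage(log_text):
    """Count probe hits by signature and by source host over a whole log.

    Returns total parsed requests, probe count, the two breakdowns, and the
    share of requests that were worm probes (the poster's 7 GB complaint).
    """
    by_sig, by_host = Counter(), Counter()
    total = probes = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage / non-CLF lines rather than crash
        total += 1
        sig = classify(rec["path"])
        if sig:
            probes += 1
            by_sig[sig] += 1
            by_host[rec["host"]] += 1
    return {
        "requests": total,
        "probes": probes,
        "by_signature": dict(by_sig),
        "by_host": dict(by_host),
        "probe_share": probes / total if total else 0.0,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['probes']} of {result['requests']} requests were worm probes")
    for host, n in sorted(result["by_host"].items(), key=lambda kv: -kv[1]):
        print(f"  {host}: {n}")
```

The per-host counts are what you would hand to the colocation provider; the probe share is what tells you how much of the log volume the worm traffic is costing.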
The tally of Linux security issues, in addition to remotely exploitable ones, includes each and every buffer overflow bug which could allow a non-privileged local user to get root access, even ones not known to have been exploited. For Windows, the number indicates only remotely exploitable security holes, and only the ones publicly known. Ever seen Microsoft admit there is a security problem before it has been heavily exploited?
"And you are dying so slowly, you believe to be living" - Bertrand Besigye
Sadly? Well, pull out that bug list. I'm sure you could have plenty of control over other people's web sites :^)
bwaahahahahahaha !!!
Another question that should be addressed, but can't be quantified, is how many times an individual bug has been exploited to compromise the security of a system.
The summation of the time a bug was exploitable, as well as the quantified exploitation would be revealing figures (heh heh...figuratively).
For each OS, the exploitation figures would have to be divided by the number of machines running the OS.
If you patch a mess, you get a patched mess.
What do the numbers really represent?
From what little I know of Linux (I will be going over after 20+ years with Microsoft) it's rather hard to break security or get a virus to do anything. I understand it depends on the 'state' of Linux at the time (who's logged in, etc).
I would rather run Linux with more security holes than Windows if those holes are hard to find and even harder to exploit.
'A charging bull will fly thru an open door but won't get very far going thru a cheese grater.'
The GEEK shall inherit the earth...
Administrative Contact, Billing Contact:
/etc/hosts
Hostmaster (HO7948-ORG) billgates@microsoft.com
Penton Media, Inc.
1300 E. 9th St.
Cleveland, OH 44114-1503
USA
(216) 931-9350
Fax- (216) 931-9149
vi
i
www.wininformant.com 127.0.0.1
^:wq
Just to cut through the FUD on both sides here:
/. a tabloid now?
Paul: Fuck You. You don't know shit. How's the page views today? That's what I thought.
CmdTaco: Stop feeding the trolls. This guy just made $x money because you decided to link to his crappy site. Now everyone is here literally frothing at the mouth. If this was real life someone would've been stoned to death by now or branded a witch. Is
Everyone:
Lies and statistics. August 2001 huh? So the stats were last compiled just after Code Red, but not since Code Red II, not since the UPnP fiasco, not since the most secure Windows OS ever? Nice to see "journalists" grouping distros together on the basis of which *kernel* they use. If you want to assess the security of *linux* then only focus on exploits that compromise the kernel. If it's just another BIND or wuFTP vulnerability, count it just once for "OSes that use that GPL'd kernel*" *note: packages included with each distro are not uniform across platforms. Not all Linux distros are alike.
But that is rational and fair, and we can't have that can we? No. We need to increase page views and banner hits, we need to convince so-and-so in management that *OS-not-right-for-the-job* is the right tool for the job.
Windows on the desktop and *nix in the server room; the Buddha smiled and farted. And God said "It is Good".
I would say the same about windows and its many variants and device drivers and service packs. If I buy an application for Windows there is a chance it may work, or it may not (for instance my sound sequencer Cubasis VST does not like Windows XP). If I buy a game for the Gameboy Advance, plug it into the machine and turn the machine on, it works. (Of course you may say I cheated by choosing the GBA because other consoles have horrible regional coding schemes :-)
If you have just begun reading this discussion, maybe you shouldn't waste your time. Basically, the original article is a troll, or a paid MS public relations stunt, and Slashdot fell for it.
If you must read this discussion, just browse at +5.
Bush's education improvements were
Offtopic I know, but:
If the friend/foe system worked as I think it
should, then I could still browse at -1 but
have all my foes disappear because I've given them a -6 bias.
Why doesn't it work like this?
Jeff
stty erase ^H
According to the beginning Bugtrack statements, the WinInfo article is completely backwards. I quote:
There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
This means that all of the Outlook and Internet Explorer vulnerabilities are not included in the Win 2000 numbers, but apparently, any Sendmail, Apache, or Mozilla numbers are included with Linux.
Unless I am reading this wrong, the article is not comparing apples to apples, and shows that there are about as many bugs in the Win 2000 kernel as there are in all of Linuxdom!
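The counting difference quoted above, and the earlier suggestion to count a BIND or wuFTP bug once per kernel family rather than once per distro, can be made concrete. This added example (not SecurityFocus's data or any poster's code) runs three counting rules over a small set of constructed advisory records: the headline per-product tally, a once-per-OS-family tally that folds Windows application packages back into Windows, and a core-components-only tally. The advisory ids, components and product lists are invented for illustration.

```python
"""Three ways to count the same advisories (added example).

ADVISORIES, FAMILY and CORE are CONSTRUCTED for this illustration; they are
not SecurityFocus records.
"""
from collections import Counter, defaultdict

# One constructed advisory: a vulnerability id, the component it lives in,
# and the tracker "products" it is filed under. Linux application bugs are
# filed under every distro that ships the package; Windows application bugs
# are filed under their own package, not under the OS.
ADVISORIES = [
    {"id": "V-001", "component": "bind", "products": ["RedHat 7.0", "Mandrake 7.2", "Debian 2.2"]},
    {"id": "V-002", "component": "wu-ftpd", "products": ["RedHat 7.0", "Mandrake 7.2"]},
    {"id": "V-003", "component": "apache", "products": ["RedHat 7.0", "Debian 2.2"]},
    {"id": "V-004", "component": "kernel", "products": ["RedHat 7.0", "Mandrake 7.2", "Debian 2.2"]},
    {"id": "V-005", "component": "sendmail", "products": ["RedHat 7.0"]},
    {"id": "V-006", "component": "iis", "products": ["IIS 5.0"]},
    {"id": "V-007", "component": "ie", "products": ["Internet Explorer 5.5"]},
    {"id": "V-008", "component": "ntkernel", "products": ["Windows 2000"]},
    {"id": "V-009", "component": "ntkernel", "products": ["Windows 2000"]},
]

# Constructed mapping from tracker product to OS family.
FAMILY = {
    "RedHat 7.0": "linux", "Mandrake 7.2": "linux", "Debian 2.2": "linux",
    "Windows 2000": "windows", "IIS 5.0": "windows", "Internet Explorer 5.5": "windows",
}

# Components treated as "core OS" for an apples-to-apples comparison.
CORE = {"kernel", "glibc", "ntkernel"}


def count_per_product(advisories):
    """Headline rule: every product an advisory is filed under gets +1."""
    tally = Counter()
    for adv in advisories:
        for product in adv["products"]:
            tally[product] += 1
    return dict(tally)


def count_unique_per_family(advisories, family=FAMILY):
    """Count each advisory once per OS family, however many distros ship it.

    This also folds Windows application packages back into Windows, which is
    the symmetric treatment the quoted SecurityFocus caveat says is missing.
    """
    seen = defaultdict(set)
    for adv in advisories:
        for product in adv["products"]:
            seen[family[product]].add(adv["id"])
    return {fam: len(ids) for fam, ids in seen.items()}


def count_core_only(advisories, core=CORE, family=FAMILY):
    """Count only advisories in core components, once per OS family."""
    seen = defaultdict(set)
    for adv in advisories:
        if adv["component"] not in core:
            continue
        for product in adv["products"]:
            seen[family[product]].add(adv["id"])
    return {fam: len(ids) for fam, ids in seen.items()}


if __name__ == "__main__":
    print("per product :", count_per_product(ADVISORIES))
    print("per family  :", count_unique_per_family(ADVISORIES))
    print("core only   :", count_core_only(ADVISORIES))
```

On the constructed data the headline rule gives RedHat 7.0 five entries against two for Windows 2000, the per-family rule narrows that to five against four, and the core-only rule reverses it to one against two; which rule you pick decides the headline.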
MS really only cares about the bottom line and obviously security issues are about to bite them financially. Right now, Bill can't do much except blow smoke. The distraction is really needed right now. Especially when you consider:
That the effort to squelch bug reporting is a tacit admission that none of the products in the current development cycle are likely to be secure
Prestigious and influential groups like the National Academy of Sciences are calling for punishment of software firms that skimp on security.
MS products will be magically secure and stable after February.
They've been found guilty of illegally maintaining a monopoly and the punishment is under discussion.
Several U.S. states and some European governments and commissions are pursuing / considering their own legal action.
The MS legal counsel is stepping down
MS-Passport, their new cash cow, can't even be made secure (thus their hop to Kerberos)
Revenue from upgrades is nil and given that Intel is not expecting to do well either the next few quarters will be for MS also.
Simply put, Bill is on so many people's shit list with no easy way off. A few decades ago, IBM used to have most computing centers by the short-n-curlies, but pushed it too far and more or less disappeared. MS is in a prime position to do the same.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Security is relative, Windows just like any other operating system can be made to be fairly secure, however I have to disagree with your comments in your article about it being impossible for Linux to be more secure than Windows. Windows as an operating system is flawed when it comes to security. Sure Windows eventually added slightly better filesystem security, but Microsoft have always made security an afterthought to features. The reason your article received a knee-jerk reaction from the slashdot crowd is that you are comparing apples to oranges. If you look at the majority of Windows related security problems, they have not been blown out of proportion because Windows is used more, they are fairly serious security issues that affect the operating system itself (eg. stuff you cannot NOT install). On the other hand, if you look at the security problems that are logged under Linux, they are for applications and tools that distribution companies add into the distribution. Comparing most of the security problems in Linux distributions would be like adding up all the application problems that might get installed on Windows. If you did that, there would be hundreds if not thousands of security problems under Windows, but half of them wouldn't be an issue because not everyone has or installed that application. So to do a fair comparison, you would need to compare OS level problems, so you would compare security problems with the Linux kernel itself, core libraries such as glibc, and components needed for networking. I think if you did that you'd see that Windows has far too many security problems.
:)
On this continued stance about Windows having more users: sure it does, why? Well, it helps if your operating system is sold on the majority of PCs and servers that have been sold in the past 10+ years. However, look at the expense one has to go to to "make" Windows secure. You need to purchase firewall software (yes, let's be realistic here, XP firewalling doesn't cut it), that's about $4k+ for Checkpoint FW-1; you need anti-virus software to make sure your server doesn't get trashed, that's at least $50+, depending on your choice; then you have licensing fees. But here is the thing that I don't understand: all of that stuff eats up system resources. You have the GUI eating resources, you have the AV software eating resources, you have the firewall software eating resources, you'll probably have something like PC Anywhere to remote-control the server eating resources. Why do people think this is a viable server system? Take Linux or BSD, or even Solaris: you can install Debian down to take up about 50MB of disk space, have your firewall protection, and slim down the kernel since you have the source code, eliminating support for stuff you don't need. If it's done properly you can get hundreds more users on a server, whether it's pop3/smtp users, more web traffic, etc.
Windows just doesn't make business sense: it costs more money, it's less secure, it's less scalable and it provides less capacity than something that's, well, free. The only thing that is keeping Windows in places is IT managers who aren't smart enough (or don't have the time) to learn Linux, who have the trust of the executives of companies. Windows is there because the people who should be experts aren't experts. Sooner or later, that is going to catch up to the Windows folks, and when business people see that they are paying $200k a year for someone who has been making very poor IT decisions, let's just say there might be a couple more MCSEs working in the fast food industry.
What is the problem with the moderators?
... especially if your first language is not English.
When I posted my comment there were no comments at all on this story. You know, it takes time to write a message longer than 2 lines, preview, correct and send.
And then I see no other previous post with the same ideas. Maybe there are some in the answers to previous comments, but sent way after mine.
What's all this "redundant" thing?
Please, check the timestamp of the comment before being ridiculous.
We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.)
The /. link did make it look like your article to the casual glance (though the /. effect did preclude many of the banners, etc. from ever loading, and a more precise look at the URL does reveal it to be hosted elsewhere).
I'm curious why you would link to an article without reviewing it. If this is to be believed, you linked to an article without even reading it. While I expect that sort of looseness with Slashdot to some degree, I confess I'd always held Security Focus in a little higher regard, and consequently expected more selectivity in what articles they choose to headline and link to.
Unfortunately this thread is already ancient history and probably no longer being followed, but if you see this I would very much like some clarification on exactly how articles like this are selected for inclusion in SecurityFocus' headlines. Following the
The Future of Human Evolution: Autonomy
With that many vulnerabilities and that much press, I would say that Linux has arrived! (All the *BSD folks are green with envy and wish they had such attention)
You could say that old distros and less experienced sysadmins are facing a hacker culture that probably is more adept with open source tools than they are shooting bullets into Windows and IIS for BO's.
So, then, how much monetary loss is attributed to Windows insecurities vs Linux insecurities, eh?
"Provided by the management for your protection."
Another Microsoft public relations employee. Look at the name: LinSux.
Bush's education improvements were
I'm curious why you would link to an article without reviewing it. If this is to be believed, you linked to an article without even reading it. While I expect that sort of looseness with Slashdot to some degree, I confess I'd always held Security Focus in a little higher regard, and consequently expected more selectivity in what articles they choose to headline and link to.
What makes you think that we linked to it? We didn't, they linked to us. We run a little stats page because people were asking us for the numbers all the time. These other people wrote a short blurb and claimed, based on their misunderstanding of the numbers, that SecurityFocus was claiming that Windows was more secure than Linux. We make no such claim, that's their conclusion.
The article in question was not linked to by us, was not in our headlines, was not endorsed by us, wasn't even known to us until the Slashdot story.
"WinInformant" lol! What an ironic name.
I disagree about that 99%. There are bad programmers everywhere! Not just in open source; I am sure MS has their share of bad programmers as well. I have worked at many companies, and have seen my share of bad programmers on company payrolls. Just because they get a paycheck does not make them better programmers. In fact, in my experience, people who code for the love of coding (of which I am one, and so are many other OSS developers) tend to take better care of their code than those who only code for the love of money. I certainly cannot speak for other OSS programmers, I only know my own motivations, but I develop software for the love of programming, and when I undertake a project, my goal is to make the best program I can. None of my programs have ever had serious flaws, because I took the time to test them thoroughly before letting anybody else have them. I am not saying there were no bugs, but there were none that caused a serious impediment to the use of the program. Certainly they never crashed! Just like me, I am sure there are many other OSS developers who also care about their work, and I am just as sure that there are some who do not. And that goes for programmers on company payrolls as well; the good and bad are there too! In the case of MS products that have been bad (in my opinion, due to crashes), I am sure it is not totally the fault of the programmers, but of marketing, who insist on shipping products when they are not ready. MS seems to me to be far more interested in taking as much money as they can from their customers at every opportunity rather than seriously stabilizing their code. This is not just a problem with MS, but with nearly every large software company, or even OSS projects. The need to be constantly rushing to market is the problem that needs to be dealt with, not the methodology of how software is produced (whether open or closed source).
The article in question was not linked to by us, was not in our headlines, was not endorsed by us, wasn't even known to us until the Slashdot story.
... I'm usually better at attributions, and I shouldn't have gotten that one wrong.
I went back and looked at the article more thoroughly (now that it isn't slashdotted, and the graphics, etc. come up, i.e. it is no longer filled with blank spaces). Amazing how much more obvious these relationships become once you can see the whole thing without 10-minute lags (and once someone has pounded you over the head with a clue stick).
You are absolutely right, I was absolutely mistaken, and my comments misaimed. My sincere apologies. The diatribe to which you replied should have been directed at WinInformant, not Security Focus which, as you clearly point out, remained above reproach in this fiasco. Sorry about that.
Thanks for your reply, and pointing out what should have been obvious (but apparently wasn't, to me at least, on that day).