Slashdot Mirror


WinInformant Says Windows More Secure Than Linux

nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.

9 of 876 comments

  1. but which were more severe? by Brandon+T. · · Score: 4, Interesting

    Perhaps Windows has had fewer overall security vulnerabilities, but the ones it has had have completely ruined systems and clogged up the Internet (e.g. Code Red, Nimda, etc.).

  2. The more accurate question by Gothmog · · Score: 5, Interesting

    Pure quantity of security holes really is not the most important question. To me there are two factors:

    1. How severe is the hole if exploited.

    Are we talking a DoS, a root compromise, the ability to take over a domain controller? The effect of a compromise needs to be taken into account.

    2. How easy to exploit is the hole.

    Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem?

    These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.

  3. Some explanations??? by Zwack · · Score: 5, Interesting

    Greetings,
    I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
    Does anyone know if they used any weighting on the types of exploits/bugs? I would consider a remotely exploitable bug to be much worse than a locally exploitable bug, as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.

    So, given a weighting scheme of:
    Remote Root = 4
    Remote Denial of Service = 3
    Local Root = 2
    Local Denial of Service = 1
    How would the different OSes stack up?

    My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.

    Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?

    Z.

    --
    -- Under/Overrated is meta-moderation, and therefore is Redundant.
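
Zwack's weighting scheme from the comment above, carried through as an added example (not part of the original thread) over a small constructed list of vulnerability records, to show how a weighted tally can rank systems differently from the raw count the article relied on. The record format and every sample entry are made up for illustration; none correspond to real advisories.

```python
from collections import defaultdict

# Zwack's proposed weights, keyed by (access vector, impact).
WEIGHTS = {
    ("remote", "root"): 4,
    ("remote", "dos"): 3,
    ("local", "root"): 2,
    ("local", "dos"): 1,
}

# Constructed sample records: (os, access, impact). Not real advisories;
# chosen so the raw count and the weighted score disagree on ranking.
SAMPLE_VULNS = [
    ("linux", "local", "dos"),
    ("linux", "local", "dos"),
    ("linux", "local", "root"),
    ("linux", "local", "root"),
    ("linux", "remote", "dos"),
    ("windows", "remote", "root"),
    ("windows", "remote", "root"),
    ("windows", "remote", "dos"),
]


def raw_counts(vulns):
    """The article's metric: one point per reported hole, regardless of class."""
    counts = defaultdict(int)
    for os_name, _, _ in vulns:
        counts[os_name] += 1
    return dict(counts)


def weighted_scores(vulns, weights=WEIGHTS):
    """Zwack's metric: each hole contributes its (access, impact) weight."""
    scores = defaultdict(int)
    for os_name, access, impact in vulns:
        key = (access, impact)
        if key not in weights:
            raise ValueError(f"record class {key!r} has no weight assigned")
        scores[os_name] += weights[key]
    return dict(scores)


def rank(scores):
    """Order systems from worst (highest score) to best; ties break by name."""
    return sorted(scores, key=lambda name: (-scores[name], name))


if __name__ == "__main__":
    print("raw count ranking:   ", rank(raw_counts(SAMPLE_VULNS)))
    print("weighted ranking:    ", rank(weighted_scores(SAMPLE_VULNS)))
```

With this constructed data the raw count puts Linux first (5 holes to 3) while the weighted score puts Windows first (11 to 9), which is exactly the kind of inversion the comment suggests looking for.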
  4. Wait a sec... by saberworks · · Score: 5, Interesting

    1. How many of the Linux vulnerabilities are in services that aren't Linux? I.e. sendmail, apache, ftp servers, and whatnot? Just because something is packaged with Linux doesn't make it Linux. Do the Windows bugs count IE bugs and every other MS software running on the system? What about other packaged software such as AOL and whatever other links they provide?

    2. Sheer numbers of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?

    3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?

    4. If there are comparable numbers of Linux vs. Win2k servers out there, which actually had more break-ins? (This question is not valid if there is a wide gap in numbers, since then the lower of the two probably benefits from that "security through obscurity".)

    5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).

  5. Re:Actually, to be fair... by Drestin · · Score: 5, Interesting

    Actually, IIS hasn't had a hole since last August and IIS 5.1 hasn't had one, period. XP has only had the UPnP hole (new technology, consider it a version 1.00 bug).

    There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tightened up a great deal.

    People need to understand something: we know MS almost never gets it right the first time (see version 1.00 bug) and may not the second, but eventually they do. OK, they sucked at security to begin with, but with all those resources and the pressure from the top and from outside - did you really think they'd sit still or get worse? Nope - ask Netscape what happens when you become their focus of attention. Tux comes out and smokes IIS 5 and everyone laughs... according to the results of my beta tests with IIS6, we'll see who's laughing when it's publicly benched.

    Your lesson is: MS learns. It's almost never right the first time but... it learns.

  6. Re:Not being a Windows apologist by prisoner-of-enigma · · Score: 5, Interesting

    Microsoft certainly does little to help those of us trying to secure their systems. The knowledgebase is confusing when it comes to system hardening, and MS loves to ship their products with absolutely every feature and doo-dad turned on. It makes setting up a Win2k webserver such a pain in the ass, but over time we've compiled a checklist that makes things much easier. Much like Linux, we made the checklist with the input and experience of many others.

    Contrast this with a typical RedHat install. Sure, you can elect to not install a ton of stuff, but the dependencies can and will drive you nuts if you need widget-1.12-i386.rpm, which conflicts with Perl, glibc, and about ten thousand other things you don't want to fool with. Then couple that with the overwhelmingly nonexistent or conflicting/out-of-date documentation that is (isn't?) available for some Linux modules, and you're reduced to playing Sherlock Holmes again. And what do you do when the HOWTO doesn't answer your question? Posting in a newsgroup results in about 50% of the responses being "read the HOWTO you fucking l00ser", 40% being wrong/misinformed/don't-know-either responses, and only 10% being useful and helpful.

    What both Windows and Linux need is a "Secure" install option that by default has nearly everything turned OFF, and then a simple way to add/enable functionality as needed. Templates for webservers, DNS, FTP, mail servers, and such would be great, and they should keep pace with patches and updates for the OS and related applications. Why no one has bothered to do this is beyond me, but I think this laziness has resulted in 90% of the exploits seen in ALL OSes on the web.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  7. This ignores so much... by uucpbrain · · Score: 4, Interesting

    The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.

    Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.

    The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.

    I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.

  8. Glass half full... by gnovos · · Score: 5, Interesting

    They are looking at this from the wrong perspective. Instead of saying "Linux had more bugs than Windows in 2001" it should say "Linux *fixed* more bugs than Windows in 2001". Simply because those Windows bugs haven't been found yet does *NOT* mean that they are not there waiting to be exploited (or are already being exploited).

    --
    "Your superior intellect is no match for our puny weapons!"
  9. It's Paul Thurrot. Don't expect logic. by Nailer · · Score: 4, Interesting

    I'm not really surprised by this. Following the recent long Microsoft DNS outage, when it was revealed that quite a few of Microsoft's own DNS servers were running Linux (not to mention they use Akamai for their downloads), Paul Thurrot came out with the classic report that although this might be true, 'it proves Open Source zealots wrong, as Linux wasn't being used for anything mission critical'.

    What the fuck? According to WHAT kind of logic is DNS not mission critical? If it's not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrot lasts.