WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
Perhaps Linux has a greater number of security flaws, but Windows' security flaws, while fewer in number, are much more serious, drastic and more devastating in terms of network infrastructure.
Using a number to rate things like this is absurd.
Let's make this perfectly clear, shall we?
Look at all the security issues that have come to light for Windows over the past year or two. I'd bet my newly purchased house that over 90% of them are APPLICATIONS that are insecure, NOT the OS.
How many security problems are a result of Outlook alone? 70%? Wouldn't surprise me a bit.
How many are direct results of VBA? 80% or more? Yeah, I'd think so (and I happen to love VBA but there's no arguing the danger that is opened up when you allow that level of integration and automation in software).
I don't think there were a massive number of problems that arise from protocol-level problems, security subsystem abuses or kernel hacks. Sure, there is always the occasional buffer overflow and things of that nature, but I'd bet the number is about equal with what you get on any other OS out there.
It's the apps folks, not the OS. Compare the Linux kernel with the NT kernel and I bet they are both secure as hell. It's what's on top of them that's a problem sometimes.
If a pion (n-) collides with a proton in the woods & no one is there to hear it, does lambda decay into the source pa
The *nix junkies are going to make this thread 1000 posts long but the numbers are there. I can heartily believe that Windows has fewer security holes, it's just that with Linux not having a viable market share no one really bothers to take the time to exploit those vulnerabilities. It's security by obscurity. Let's say two auto makers each make a truck and company A sells 100,000 units of truck A and company B sells 1,000 units of Truck B. Truck A explodes into a fire ball 20 times and Truck B does the same 2 times. The popular conclusion is that Truck A must be unsafe because it exploded so much but the truth of the matter is that Truck B is actually 100 times more dangerous... but it only blew up twice so nobody will believe the facts. That's my .02 cents
-- I am baseball in Minnesota.
Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Furthermore, many Linux distributions come with lots of bundled software that not all sys admins install.
This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.
It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.
But yeah, it is pretty disgusting that Linux in general has this many security holes.
First of all, there's no weighting in the charts. So in other words, an attacker can break into a Win2000 box and control everything about it, or he can telnet into a Linux box but has no access to change anything or even browse the root directory, yet both attacks are chalked up as a "1."
Also, read this from their "about us" section:
The company has approximately 50 employees and is privately held, backed by venture funding from SOFTBANK and E*Trade Ventures.
Funny, I seem to remember a story not too long ago about E*Trade joining .NET, and there's that one about 6 months ago when the E*Trade mutual funds started to tank and they moved towards more MS stock... draw your own conclusions.
~ now you know
Does "Ramen" ring a bell?
(/.'s 20 seconds min to reply is the lamest thing I've ever seen... I'm typing this to slow down my submit clicking because I can actually read and type faster than a 1st grader... stupid...)
You are correct, but this opinion will be drowned in the sea of "No way! M$ sucks!" replies (and when Slashdot posts a troll like "Windows is better", it gets about 400 replies). It's funny how people back SecurityFocus when it talks about MS vulnerabilities, but once it mentions Linux, they are "Uninformed" or a variety of other things (just read from any other thread to see what I mean).
What's the definition of a Zealot??
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
When I was in tech support, everybody thought USRobotics modems sucked. We spent a lot of time dealing with USRobotics problems, much more than any other modem. Then we realized that USRobotics modems were in 70-80% of the PCs on the market. That meant that if USR modems caused 60% of our problems, they were actually better than the average modem!
I can't get to the article, but if they are talking about desktops, then anything less than 90% of the security problems coming from Windows actually means that Windows is better than average. For servers that number would have to be what, 30%?
There are other statistics involved here too. For example, Linux people always point out that Linux bugs get fixed faster than Windows bugs. True, but if the Windows patch gets released after 2 weeks, you are still running clean more than 90% of the time--it just doesn't make that big a statistical difference.
Then of course there is the difference between "bugs found" and "bugs exploited". I imagine fewer "hackers" exploit Linux bugs because of sheer hate for "M$". If they ever let an AOLinux loose on the market, it might become a hate-target, and then all of a sudden Linux looks a lot less secure.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?