WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Furthermore, many Linux distributions come with lots of bundled software that not all sys admins install.
This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.
It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.
But yeah, it is pretty disgusting that Linux in general has this many security holes.
First of all, there's no weighting in the charts. So in other words, an attacker can break into a Win2000 box and control everything about it, or he can telnet into a Linux box but has no access to change anything or even browse the root directory, yet both attacks are chalked up as a "1."
Also, read this from their "about us" section:
The company has approximately 50 employees and is privately held, backed by venture funding from SOFTBANK and E*Trade Ventures.
Funny, I seem to remember a story not too long ago about E*Trade joining .NET, and there's that one about 6 months ago when the E*Trade mutual funds started to tank and they moved towards more MS stock... draw your own conclusions.
~ now you know
You are correct, but this opinion will be drowned in the sea of "No way! M$ sucks!" replies (and when slashdot posts a troll like "Windows is better", it gets about 400 replies). It's funny how people back SecurityFocus when it talks about MS vulnerabilities, but once it mentions Linux, they are "Uninformed" or a variety of other things (just read from any other thread to see what I mean).
What's the definition of a Zealot??
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
When I was in tech support, everybody thought USRobotics modems sucked. We spent a lot of time dealing with USRobotics problems, much more than any other modem. Then we realized that USRobotics modems were in 70-80% of the PCs on the market. That meant that if USR modems caused 60% of our problems, they were actually better than the average modem!
I can't get to the article, but if they are talking about desktops, then anything less than 90% of the security problems coming from Windows actually means that Windows is better than average. For servers that number would have to be what, 30%?
There are other statistics involved here too. For example, Linux people always point out that Linux bugs get fixed faster than Windows bugs. True, but if the Windows patch gets released after 2 weeks, you are still running clean more than 90% of the time--it just doesn't make that big a statistical difference.
Then of course there is the difference between "bugs found" and "bugs exploited". I imagine fewer "hackers" exploit Linux bugs because of sheer hate for "M$". If they ever let an AOLinux loose on the market, it might become a hate-target, and then all of a sudden Linux looks a lot less secure.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?