Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Critical Microsoft Hole

Posted by michael on from the your-daily-dose dept.

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

48 of 597 comments (clear)

  1. Re:He's right about the fonts by Rebel+Patriot · · Score: 5, Funny

    Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)

    --
    Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
  2. This bodes well by evilpenguin · · Score: 5, Insightful

    Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

    I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

    1. Re:This bodes well by kmellis · · Score: 5, Funny
      "There is no such thing as implicit trust, and if you think there is, please send me a blank check." - aphor
      Sure, just give me your address, and it'll be on its way.
  3. Re: Another critical Microsoft hole by T1girl · · Score: 5, Funny

    Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.

    Difficult to read this post is, hmmm?

  4. More Bias by OpCode42 · · Score: 5, Insightful

    Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

    *flame retardent jacket on*

    That is all.

    1. Re:More Bias by Seahawk · · Score: 5, Insightful

      Well - I see your point, an I am oppesed to needless MS bashing as well! The difference between the OSS vulnaribilities and this IE is that the OSS vulnaribilities is fixed rather easy, and Microsofts solution to the problem(Dont trust MS activex controls) just wont help the average user as he has no idea how to not trust Microsoft

      As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

    2. Re:More Bias by warrior_on_the_edge_ · · Score: 5, Funny

      It just makes us look like insecure teenagers

      Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

    3. Re:More Bias by platypus · · Score: 5, Insightful

      Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

      Because samba et.al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from microsoft corp.".

      This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.

      Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.

    4. Re:More Bias by Blkdeath · · Score: 5, Insightful
      Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?
      Yes, Slashdot announced a recent KDE vulnerability, and security holes affecting a popular open-source RAW TCP stream library as well as recent BIND 4 and 8 security vulnerabilities, and the trojan'ing of a Sendmail distribution, not to mention the privacy leak in the poster-boy browser for OSS - Mozilla, and how could we forget the Linux Worm that created an "attack network"?

      Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed-up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).

      The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability" is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft makes it more than hilarious; it's downright embarassing for them. When something embarasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us imense amounts of pleasure.

      Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  5. Question by zero-one · · Score: 5, Insightful

    Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?

    1. Re:Question by gmoschin · · Score: 5, Informative

      Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

      Create a shortcut to Internet Explorer.

      Right-click the shortcut, choose "Run As.."

      The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

      Click OK to run Internet Explorer in "secure mode".

      Caveats to running in this mode:
      Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
      Other web-based programs may not run correctly.

      You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.

  6. This is big by ceswiedler · · Score: 5, Insightful

    Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

    The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?

  7. Re:Sound Advice by nougatmachine · · Score: 5, Funny

    I removed Microsoft from my "trusted publishers" list a long time ago ; )

  8. The admission is in the faq section. by terradyn · · Score: 5, Informative

    Reproduced for your enjoyment:

    What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    1. In Internet Explorer, choose Tools, then Internet Options.
    2. Select the Content tab. In the Certificates section of the page, click on Publishers.
    3. In the Certificates dialog, click on the Trusted Publishers tab.
    4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
    5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

  9. DOJ reaction by MosesJones · · Score: 5, Funny


    Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.

    "Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  10. Re:why? by jandrese · · Score: 5, Informative

    Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.

    --

    I read the internet for the articles.
  11. why the kill bit does not work. by leuk_he · · Score: 5, Insightful

    According to the MSTECH bulletin:
    Why isn't it feasible to set the Kill Bit in this case?

    The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


    Conclusion:
    -Microsoft refuses to kill itself.

    how does this relate to: the story Microsoft on Security: We'll Break Your Apps

    Hey... linus refused to change the behaviour of kill -9 -1 also

  12. Re:why? by NecroPuppy · · Score: 5, Interesting

    Because there are still quite a few of us
    who still use Windows...

    I've got half a dozen software packages that
    are currently only available for Windows or
    Mac, and as I don't like Macs, I'm stuck
    with Windows for the time being.

    This kind of story is "News for Nerds", and
    as such, is, IMO, much more valid a story than
    most that get posted here.

    And as far as the Open Source comment; yes,
    Open Source systems have bugs. However, I
    don't know of a single one that will have a
    website pop-up ask you to download a major
    security hole under the name of trusted
    computing.

    Do you?

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
  13. I found it ammusing... by oconnorcjo · · Score: 5, Interesting

    but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.

    --
    I miss the Karma Whores.
  14. I find it amusing... by analog_line · · Score: 5, Funny

    ...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.

  15. WTF ? by FauxPasIII · · Score: 5, Insightful

    How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
    1. Re:WTF ? by dbarclay10 · · Score: 5, Insightful

      They did. The reason why they refuse to revoke this control is that many sites hard-code the object ID, thus they would stop working.

      While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.

      Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
  16. Why don't people use something else? by Mr_Silver · · Score: 5, Insightful
    See this comment followed by my response.

    People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

    Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

    Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  17. Re:Typical slashdot crap by evilpenguin · · Score: 5, Insightful

    The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

    To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

  18. Does no one realize its a TROJAN PR MOVE by peculiarmethod · · Score: 5, Insightful

    Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph

    or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

    pm

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
  19. Re:Aaahhhh! by andrew_0812 · · Score: 5, Funny

    Wait a minute. You mean I can't trust Microsoft?

  20. Use separate certificates for each control? by virtcert · · Score: 5, Interesting

    According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

    Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

    It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...

    1. Re:Use separate certificates for each control? by zbuffered · · Score: 5, Insightful

      I say they revoke the certificate anyway, and re-issue the other controls with new certificates. Inconvenient? Yes. But it would fix the problem, and that's job #1 for them. If, as others have said, heads are rolling over this one, I think revoking the certificate is the least they could do.

      --
      Synergy is your friend
  21. Re:Sound Advice by RyoSaeba · · Score: 5, Funny

    Well yes, but now you run in the horrible paradoxal loop !!
    Suppose MS say that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't trusted... And so on & on !
    Finally their claim is just another way to make your system / brain crash due to stack overflow...

    --
    Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
  22. While it's fun to pile on his Majesty Satanic... by smittyoneeach · · Score: 5, Insightful

    I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
    Security and utility are two contestants in a zero-sum game.
    Which is not to say that <insert browser here> isn't a technically superior product...

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  23. Feeding this to port 25... by KjetilK · · Score: 5, Insightful
    Oh well....

    From MS02-065:

    After emptying the Trusted Publishers list, if I do see a warning saying that a web site or an HTML mail wants to download a control, how can I decide whether to let it proceed?

    The best criterion to use is whether you trust the web site or the sender of the HTML mail. If you don't trust the web site offering the control, cancel the download.

    So, who want to bet that the e-mails we will soon see circulating will have something like:

    From: billg@microsoft.com
    Subject: You can safely trust me

    <html><body> Please read this e-mail carefully and make sure you download the provided control.

    Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...

    Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  24. Re:So what.. by richie2000 · · Score: 5, Interesting
    If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

    Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?

    I don't think so.

    --
    Money for nothing, pix for free
  25. Re:why? by GnomeKing · · Score: 5, Informative

    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    I guess the same reason that...
    Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
    Trojan Found in libpcap and tcpdump
    Bind 4 and 8 Vulnerabilities
    and
    Vulnerability In Linksys Cable/DSL Router

    were posted?

    i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widly used" system

  26. Re:why? by gosand · · Score: 5, Insightful
    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.

    2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?

    --

    My beliefs do not require that you agree with them.

  27. why remove *ALL* certificates? by oktaya · · Score: 5, Insightful

    "The simplest way is to make sure you have no trusted publishers, including Microsoft."

    So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?

    It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?

    Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?

    Oh, if we can't run anything we want on your system, nobody else should either. pfft.

    oktay

    --
    ---------------
    Founder of the The Free Linux CD Project
  28. Re:why? by _bug_ · · Score: 5, Informative

    Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.

    Nearly half of /. users use Windows.

    This would seem to validate the need to have stories about Microsoft software bugs, especially those as grevious as this, on /.

  29. More design flaws by SgtChaireBourne · · Score: 5, Insightful
    Actually, the bias seems to be pro-Microsoft. If any other project had the same severity and quantity of compromises as MSIE, it would be history.

    What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.

    Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  30. I realize most /.ers use IE, but... by autopr0n · · Score: 5, Interesting

    Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.

    --
    autopr0n is like, down and stuff.
  31. Re:Oooo! He card read good! by gl4ss · · Score: 5, Funny

    beowulf cluster of yoda there are.

    karmasuicide2k2

    --
    world was created 5 seconds before this post as it is.
  32. RTFM : lol... Try Runas.. by bored · · Score: 5, Informative

    Re enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privledge. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

  33. Click...refresh...huh? by CodeShark · · Score: 5, Funny
    'xcuse me -- thought I'd pulled a Rip Van Winkle and woke up just in time for a Malda & Co. April Fools Joke.....Microsoft admitting that that content from Microsoft can't be trusted?

    --note to self--

    Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  34. Unsafe at any release? by geoff+lane · · Score: 5, Informative
    For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

    So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

  35. In other news... by pixelated77 · · Score: 5, Funny

    Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.

  36. Great solution, what about SPAM? by insac · · Score: 5, Funny

    (...)
    "The simplest way is to make sure you have no
    trusted publishers, including Microsoft. If you do
    that, any attempt by either a web page or an HTML
    mail to download an ActiveX control will generate a warning message."
    (...)

     We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!

    This message doesn't need a signature

    --
    This message doesn't need a sig
  37. Score one against DRM !!! by Anonymous+Custard · · Score: 5, Informative

    From the MS Technet article:

    Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

    A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

    Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.

    --
    $8.95/mo web hosting
  38. Re:Sound Advice by DarrylM · · Score: 5, Funny

    Ahh, It's all coming clear... Microsoft is using A.L.I.C.E. now!

    Microsoft1: All things you need to trust are from Microsoft.
    Microsoft2: But all things are not always me need to trust are from Microsoft.
    Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
    Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
    Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
    Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
    Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
    Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
    Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.

    etc.

    :-)

  39. Re:Why MS bugs so publicised?... by foniksonik · · Score: 5, Insightful

    Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).

    1. Get an idea for useful softwaree
    2. Write a lot of working but buggy code
    3. ??????
    4. Profit

    Then later when you can rest assured that the investors or collectors are happy...

    5. Fix bugs

    And if you're a monopoly...

    6. Release bug-free "Upgrade" and charge more money.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  40. Re:Don't trust Linux either... by derF024 · · Score: 5, Insightful

    Kind of a silly statement, since they're comparing every piece of software that runs on a linux platform to only microsoft applications. what would happen if you compared the "Linux security flaws" to flaws in every single piece of software that ever ran on Windows..

    in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.

    a third point is that this study counts advisories from each vendor regarding the same application as seprate advisories. so you have the following situation:

    1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone then there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid, this study is turning 1 bug into many and comparing apples to oranges.