Slashdot Mirror


Study Finds Windows More Secure Than Linux

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

25 of 796 comments

  1. Another study by suso · · Score: 5, Funny

    Study finds Slashdot as repetitive as Philip Glass

  2. Integrity? by samtihen · · Score: 5, Informative

    Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.

    http://www.virusbtn.com/magazine/articles/letters/2004/01_01.xml

    Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

    However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

    1. Re:Integrity? by leuk_he · · Score: 5, Insightful

      from the article

      Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


      I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just goes back to counting vulnerabilities.

      --Nothing to see here, move on.

    2. Re:Integrity? by jedidiah · · Score: 5, Insightful

      This study appears to be a clear example of redefining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

      I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

      Given the history of malware, they clearly are not.

      This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Integrity? by LurkerXXX · · Score: 5, Insightful

      Unfortunately they don't tell you the real server that is more secure.

      The correct answer is the one with the better administrator. You can have a Linux box locked down tight, and a Windows box wide open. You can also have the inverse. Probe around, and you will find boxes of all those flavors out there. It all depends on the competence of the guys running it. The competence of the administrator at running the system he is running has a much larger effect on overall security than which OS is chosen.

    4. Re:Integrity? by Bastian · · Score: 5, Insightful

      I, too, would like to see a more involved, academic analysis of the security of each platform. But even as a quick quantitative analysis, this technique for deciding how secure a system is falls on its face. Instead of counting vulnerabilities, I would be interested in counting number of viruses and script kiddie tools that take advantage of those vulnerabilities. Just counting known vulnerabilities and number of patches, etc, has a few issues. One is that I honestly believe that a Windows vulnerability is much less likely to be announced once it is discovered than a Linux vulnerability - it's a question of culture.

      Another is that just counting vulnerabilities gives you a worst-case scenario. However, my practical experience suggests that if there aren't any script kiddie tools or viruses out there that take advantage of said vulnerability, your chances of getting compromised through it are exceedingly small.

      I'd also like to see some weighting for the likelihood of an attack succeeding through a given vulnerability. I'm going to be a lot more scared of the exploit that works every time than I am the buffer-overflow that lets you run arbitrary code, but only works once in a blue moon.

      Granted, these studies will never have that info; they aren't meant to mean anything, they are just mindcandy for the PHBs put together by industry pundits looking for a quick paycheck or some attention. If I were really looking for a security analysis or comparison that included an open source server that ran on x86 hardware, I would expect OpenBSD to be one of the operating systems tested.

  3. These studies are pointless. Both can be secure by Mustang+Matt · · Score: 5, Insightful

    I don't get it. I guess I need to read the article.

    A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

    Where's the news?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  4. Not again... by PoprocksCk · · Score: 5, Insightful

    "Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

    So Windows is more secure than Red Hat because Microsoft chooses to report fewer vulnerabilities and release fewer patches? Hmmm...

    (Move along, nothing new to see here.)

  5. The security of a server... by jmcmunn · · Score: 5, Insightful

    ...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

    Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)

  6. Self-Evident by Wvyern · · Score: 5, Insightful

    "...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?

    --
    "Sheep just follow the easiest path and run from scary noises and intimidating creatures." - Me
  7. I'm no zealot by InfallibleLies · · Score: 5, Insightful

    of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

    No matter how fast a patch is issued, you still have to install it for it to work.

  8. A lot more could certainly be done... by emil · · Score: 5, Insightful

    OpenBSD runs chroot() Apache. Does IIS have similar capability?

    The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

    I would be disinclined to run any other way at this point.

    1. Re:A lot more could certainly be done... by n0-0p · · Score: 5, Interesting

      It's pretty easy to make Apache chrooted under linux. With Apache2 you still need to allow dynamic libraries though, which often bothers people. Having hardened both Windows and Linux servers on a regular basis, I'd pick Linux every time. It can be locked down much more than Windows. I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.

  9. Not only that, but I find this quote odd.. by schon · · Score: 5, Insightful

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    Umm, so MS showed him their source code? I find that a little hard to believe.

    If he can't see the source, how can he make any determination at all?

  10. "Days of Risk" vs. Full Disclosure by Daedala · · Score: 5, Insightful

    Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

    Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
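    The definitional problem raised in this comment (where the "days of risk" clock starts, and whether severity is weighted) can be made concrete with a small calculation. The following is an added example, not part of the thread or of the study it discusses; the vendor names, dates, severities and severity weights are all constructed for illustration and are not real advisory data:

```python
# Constructed illustration of the "days of risk" metric: the same set of
# vulnerabilities scored two ways (clock starts at public disclosure vs. at the
# earliest private report) and with/without severity weighting.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed weights, chosen for illustration; the study's own weighting is unknown.
SEVERITY_WEIGHT = {"critical": 4.0, "important": 3.0, "moderate": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Vuln:
    name: str
    severity: str
    vendor_notified: Optional[date]  # private report to vendor; None if first seen in public
    published: date                  # first public disclosure
    patched: Optional[date]          # None if still unpatched at the cutoff date


def days_of_risk(v: Vuln, clock: str = "public", cutoff: Optional[date] = None) -> int:
    """Days from the chosen start of exposure to the fix (or to the cutoff if unpatched).

    clock="public":  count from public disclosure (what the articles seem to describe).
    clock="private": count from the earliest known report, private or public.
    """
    if clock == "public":
        start = v.published
    elif clock == "private":
        start = v.vendor_notified or v.published
    else:
        raise ValueError(f"unknown clock {clock!r}")
    end = v.patched if v.patched is not None else cutoff
    if end is None:
        raise ValueError(f"{v.name} is unpatched and no cutoff date was given")
    return max((end - start).days, 0)


def summarize(vulns: List[Vuln], clock: str, cutoff: Optional[date] = None) -> Dict[str, float]:
    """Plain and severity-weighted mean days of risk, plus how many are still unpatched."""
    days = [days_of_risk(v, clock, cutoff) for v in vulns]
    weights = [SEVERITY_WEIGHT[v.severity] for v in vulns]
    return {
        "count": len(vulns),
        "unpatched": sum(1 for v in vulns if v.patched is None),
        "mean_days": sum(days) / len(days),
        "weighted_mean_days": sum(d * w for d, w in zip(days, weights)) / sum(weights),
    }


# Constructed sample: "Vendor A" hears about most issues privately and publishes the
# advisory on the same day as the patch; "Vendor B" publishes as soon as it is told.
VENDOR_A = [
    Vuln("A-1", "critical", date(2004, 7, 1), date(2004, 8, 10), date(2004, 8, 10)),
    Vuln("A-2", "moderate", date(2004, 6, 15), date(2004, 8, 10), date(2004, 8, 10)),
    Vuln("A-3", "critical", None, date(2004, 7, 20), date(2004, 8, 10)),
    Vuln("A-4", "moderate", None, date(2004, 5, 1), None),  # still unpatched at cutoff
]
VENDOR_B = [
    Vuln("B-1", "moderate", date(2004, 7, 1), date(2004, 7, 1), date(2004, 7, 5)),
    Vuln("B-2", "low", date(2004, 7, 3), date(2004, 7, 3), date(2004, 7, 20)),
    Vuln("B-3", "important", None, date(2004, 7, 10), date(2004, 7, 12)),
    Vuln("B-4", "moderate", None, date(2004, 7, 15), date(2004, 8, 1)),
]
CUTOFF = date(2004, 9, 1)  # constructed end of the observation window


def compare(vulns: List[Vuln], cutoff: date) -> Dict[str, Dict[str, float]]:
    """Score one vendor's list under both clock definitions."""
    return {clock: summarize(vulns, clock, cutoff) for clock in ("public", "private")}


if __name__ == "__main__":
    for label, vulns in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        for clock, s in compare(vulns, CUTOFF).items():
            print(f"{label} [{clock:7}] n={s['count']} unpatched={s['unpatched']} "
                  f"mean={s['mean_days']:.1f} weighted={s['weighted_mean_days']:.1f}")
```

    Under the public-disclosure clock Vendor A's coordinated releases score zero days for A-1 and A-2, so the two vendors look similar; under the private-report clock Vendor A's mean roughly doubles. The unpatched entry only counts at all because a cutoff date is supplied, which is the other choice a study of this kind has to state.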
  11. Knock Knock Joke by R2.0 · · Score: 5, Funny

    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?

    Phillip Glass

    My 8 year old daughter, a great aficionado of knock knock jokes, didn't appreciate it.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  12. Re:Newsflash... ONE Linux Fan.. by bonch · · Score: 5, Insightful

    No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

    I'm getting a little disturbed at the way all pro-Linux studies are being accepted and all other studies are being dismissed here. Critical thinking should always be welcome. And, yes, Linux is NOT perfect, it is NOT flawless, and it IS full of security holes like anything else. Nobody should take their operating systems so personally that they feel attacked when Linux is criticized.

    Note that this doesn't go for everybody. But there are a lot of zealots in the community who need to learn to see outside their own perspective.

  13. Linux thrives on criticism by Paradox · · Score: 5, Insightful

    I wish I could mod you up, bonch. I've experienced the head-in-the-sand Linux mentality too, and it is scary. It misses the whole point of linux.

    Linux is awesome, this study doesn't change that but we always need to work to make it better and easier to secure. Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.

    The best thing about linux is that when people have a legitimate complaint, it's well within our power to fix it! If Linux is temporarily less secure, so what? After reading this, everyone will adapt their linux distros to render the complaints moot.

    This is part of why we love open source, right?

    --
    Slashdot. It's Not For Common Sense
  14. The Real Truth... by eno2001 · · Score: 5, Insightful

    ...is too hard to handle for most:

    An OS is only as secure as its admin is competent. This will NEVER change no matter what platform you are dealing with.

    If you give some RedHat CDs to a complete goof off and have them install it on a system that is going to be directly exposed to the internet, that box is going to get rooted eventually. It might take longer to get rooted than a Windows box, but it will be cracked.

    If you give Windows 2003 Server to a knowledgeable admin, he will secure the box and make certain that the likelihood of it getting cracked is fairly low. He will know not to put the box on the internet until he's applied all SPs and critical updates. He will know to use an internal SUS or WUS to make sure that the box is updated without exposure to the internet.

    If you give a complete moron who *thinks* he knows all about [insert platform] any installation media, you're going to have an insecure box.

    It's been my experience that the best people to set up an internet exposed box using any OS are people who are most familiar with all OSes and have a good understanding of how to secure each one. It's not that hard to hit the main security points and still keep on top of all OSes. However, since egos are so intrinsically tied to how secure a box is, people point the finger at the OS distributor. Sure, they are to blame in many cases, but the implementor is usually far more guilty of being lax. That's the hard truth and it cannot be refuted.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:The Real Truth... by mark-t · · Score: 5, Insightful

      Your point is valid, however...

      Windows isn't "just another OS"... it has the rather unique position of being on a substantial number of desktops in people's homes. In and of itself this is not a problem and requires no greater security, however, a significant percentage of _THOSE_ systems are also on the Internet. And of course, the problem is that most people are simply not qualified to do a respectable job of administering and securing their home computer. Which brings us to the point you mention. The security problems with Windows are primarily caused by the inescapable fact that most of its users *ARE* ignorant when it comes to security, and the fact that MS chooses to continue to market its products at this demographic while at the same time ignoring security issues or sweeping them under the rug is why people may be inclined to blame the operating system or Microsoft for the problems.

      Although, interestingly enough, if Darwinism really works, Windows users may ultimately adapt to having to always struggle to keep their boxes secure, and perhaps even end up being better than most Unix gurus at home computer security. Time will tell.

    2. Re:The Real Truth... by einhverfr · · Score: 5, Insightful

      You have a valid point. Furthermore I never talk about a "secure" OS. Personally I don't think Linux is a "secure OS" anymore than Windows is.

      The primary questions include:

      1) How *securable* is the OS?

      2) How gracefully do services respond to failures?

      Secondary questions (addressed in this study) include:

      1) How secure is the OS *by default.*

      2) What constitutes a typical setup?

      Now, personally I don't care much about these secondary questions from a secure server perspective. Linux security is easier than Windows security, and Linux is more securable than Windows. A lot of this is because Windows depends on things like RPC which does not fail gracefully.

      On the other hand, you can mitigate a lot of this risk by proper security practices. A skilled admin is going to be trying to balance usability and security and will do it well if given the appropriate tools.

      Again the question should be "how securable" rather than "how secure" for exactly the reason you mention.

      --

      LedgerSMB: Open source Accounting/ERP
  15. Knocking music by starwed · · Score: 5, Funny

    Hmm:
    Who's there?
    Knock Knock.
    Who's there?
    nock Knock.K
    Who's there?
    ock Knock.Kn
    Who's there?
    ck Knock.Kno
    Who's there?
    kKnock. Knoc
    Who's there?
    Knock. Knock
    Who's there?
    Steve Reich

    She probably wouldn't like that one any better. :(

  16. Bruce Schneier on Linux security by frozenray · · Score: 5, Informative

    Which is more secure, Windows or Linux? It depends on whom you ask. Here's what Bruce Schneier, a reputable security researcher and author of "Applied Cryptography" and other computer-security related books has to say on the matter:

    Linux Security

    I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

    They just released a report about the security of Linux:

    Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.

    This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

    It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

    Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows -- more bang for the buck.

    Bruce Schneier
    Posted on January 06, 2005 at 01:45 PM
    ------------
    Different methodology, different results. My money's on Schneier.
    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  17. Once again, RTFA! by khasim · · Score: 5, Insightful

    A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how asinine or inconsequential.
    You left off the part where comments such as yours are mod'ed up even though they contain zero content.

    From TFA:
    They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).
    That sounds good. A real comparison of real services running on real servers.

    But wait!
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    They aren't real setups.

    And it gets worse.
    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.
    Hmmmm, I wonder if they included the info from www.eeye.com http://www.eeye.com/html/research/advisories/AD20050208.html 190 days is a long time.
    On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
    That's amazing. Particularly with that single 190 day vulnerability I referenced. And those kinds of "studies" have been completely discredited.

    So, a "study" that doesn't test any real world criteria is somehow valid?

    Oh, it's not that the study is not valid, it's that pointing out the flaws in the study shows the groupthink on /.

    And pointing out that perceived groupthink gets you mod'ed up as "insightful".
  18. Re:More FUD by LnxAddct · · Score: 5, Insightful

    Their analysis was based on number of patches and time it took to get patched from the time it was publicly released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last July. This didn't make the report because it's a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary (over 2000 programs, judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).

    Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. It's a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that linux is doing something right if they are updating several times more programs with only twice the delay (which I really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you.
    Regards,
    Steve