Linux/Unix Tops Charts for Vulnerabilities in 2005
BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."
Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.
I take this sort of revelation with a grain of salt and give it as much weight.
many eyes only make for strong code when the code can be seen
A feeling of having made the same mistake before: Deja Foobar
I tried to hack it with a First Post and all I got was "Nothing for you to see here. Please move along."!
liqbase
It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?
Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!
Look for answers to:
I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.
In other words, these findings are absolutely useless.
Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.
As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
There is one Microsoft Windoze and how many different Eunuchs?
There was Cowboy Neal at the wheel of a bus to never-ever land.
Anything new compared to the earlier article in the Washington Post?
That they listed a few PHP apps that work on all 3 OS's as only on Linux. Hmmm
...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.
Silly rabbit
Sigh. The statistics were flawed the first time they were posted to /., no need to repeat that bag of bad science.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.
Nothing new here that was not reported on slashdot four days ago.. Move along. or repost your inciteful or insightful comment. or someone else's if you karma whore.
Some drink at the fountain of knowledge. Others just gargle.
In the Microsoft section there could be an entire block for : "Clueless user -- installed malware X which caused the propagation of virus Y"
In the Linux section there would be a similar block for : "Clueless user -- caused hard drive format"
Yeah. That was wanton. Sure, okay. I agree. It's probably true that most OSS vulns are reported to public forums while most MS vulns probably get identified in house and rolled into a patch. Maybe. In 6 months or so after the devs have had fun with it for a while.
fast as fast can be. you'll never catch me.
So Linux, Unix, and MacOS X are all lumped together? Doesn't quite seem ... fair.
My beliefs do not require that you agree with them.
in case one of the links goes down, http://www.betanews.com/article/5198_Linux_Windows_OS_Flaws_in_2005/1136328858 there is where I read the story yesterday, amazing that slashdot found it this fast... usually takes several days.
If you read the actual list, a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".
The theory of relativity doesn't work right in Arkansas.
Don't become a regular here, you will become retarded. -- Yoda the Retard
It would be interesting to compare the number of different versions of software and applications this covers. Windows XP has not evolved tremendously in the last several years. Certainly Microsoft has shown a renewed (if not a completely successful) focus on security lately. But I think Microsoft benefits in this survey from a more stately release cycle.
Author of Enyo: Up and Running from O'Reilly Media
Let me put this into context.
Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.
--------------
What does it take for open source (being open to all) to report a flaw?
Finding it of course.
What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).
Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).
--------------
And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.
~D
" What luck for rulers that men do not think" - Adolf Hitler
They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...
I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.
"so let the debate begin again over which OS is really more secure."
How about we don't and just say we did, better yet, whichever side you agree with, it won the debate.
Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, dont let our history die!
I will put my bare naked linux box on a raw web feed any day of the week. Try that with your XP boxen. The number of 'vulnerabilities' does not directly translate into problems for the user.
If you read TFA, it also mentioned not to put too much into the data recorded about the vulnerabilities: as not all of the vulnerabilities reported were distinct incidents (and some were 1 vulnerability for multiple bugs).
.. how can you say that *ix is more / less safe than Windows, especially considering that not all vulnerabilities affected all platforms.
Also, with as many DIFFERENCES as there are between, say Apple, Sun, SCO, Linux
If you wanted to be more specific, then add up vulnerabilities for EACH os (not just *ix all in one lump sum), and compare them to Windows (and to be fair, put all versions separately).
The thing we all need to realize is this: No computer hooked to a network (including the Internet) is safe. Period.
= Grow a brain...
so let the debate begin again over which OS is really more secure.
&lt;/sarcasm&gt;
Ha... Don't you mean "let the debate continue?"
Is it really then a good water mark? Windows seems to suffer far more attacks. Mac seems one of the safest in practice and Linux seems to suffer few attacks. Is the real reason numbers, as in there are more users so more attacks? Or is it the type of flaws? Or are the attackers more inclined to attack Windows for personal reasons? There's obviously a reason and simple numbers aren't proving to be an accurate measure. Does anyone in the know go with Windows for security?
or kernel patches? Because Linux is a damned kernel and Redhat/Suse/whatever's patches for say curl, wget, apache, etc are not OS level patches.
This guy is way out there
The *nix vulnerabilities listed are more numerous because there are more programs for *nix, more kernel-level and library developers for *nix, and generally more eyes looking at the code. However, the high and critical severity vulnerabilities are extremely rare, for these same reasons. And also, because the *nix users are miles and miles ahead of Windows users in being aware of the security issues that affect what they are doing.
I think 3-1 is pretty damn good when you consider that the "Unix/Linux" category contains more than 5 Operating Systems!
Just breezing through the list I see:
And i'd imagine there are probably more. I'd take those odds over Windows any day.
The title: Linux/Unix Tops Charts for Vulnerabilities in 2005
This is beyond any doubt, very very true. But before you call me a Microsoft Shill (I'm not, I use Debian myself), allow me to explain:
If one goes to www.linux.org, and searches for all GNU/Linux distros without a filter, they will see that there are 370 distributions. If that includes unmaintained ones, that number grows to 417. And that does not include all of the other Unixes, such as the BSD group, and, like the article pointed out, Mac OSX.
Now compare that to the Microsoft Windows operating system. Let's see, Windows 98 (I doubt people use anything worse than this), ME, 2000, XP, and even Vista. 5 operating systems. 370 / 5 = 74. Now the article claims that there were 3 times as many vulnerabilities. 74/3 = 24 and 2/3.
Unix/Linux is approximately 25 times better than Windows!
Well, the "windows" ones are "Windows Operating Systems"
And the "linux" and "osx" ones are "Unix/ Linux Operating Systems"
Seeing as "windows" ones are Windows and "linux" and "osx" are Linux, OS X, Solaris, IRIX, AIX, HPUX, Tru64, *BSD, SCO, etc., etc., I think 3x is not too bad as there are more than 3x the number of distinct operating systems.
That's without even looking at what might be classified as "application" versus "os" vulnerabilities in each category.
Sure, I love my free operating systems. But I'm going to take this as confirmation that Microsoft really has started to take security seriously. I can't see a downside to companies producing better software.
It's also worthwhile to acknowledge that Linux has issues. Since it's not a single suite of software but a collection from multiple sources, that's no great wonder. A computer populated with software from many different sources, with most of it developed by unrelated teams, is going to have a hard time competing on the security front with a computer populated by software that came from a single source, with all of the developers working fairly closely. That's why the BSD operating systems show up with fewer security vulnerabilities than Linux in all its forms.
Besides, the fact that people are actively targeting security problems in UNIX based systems means that people are taking the stuff seriously. That's got to be a good thing.
Easy Online Role Playing Campaign Management
It is worth discussing OS security in terms of exploitable holes found. And before the detractors start coming out in droves saying "the real question is how many days a vulnerability remains unpatched," that's not the real question. That's a question, and it's certainly an important one. But it's not the only important criteria in determining the quality of an OS.
Even if a vulnerability is reported and then fixed quickly, the fact remains that it could've been used for dozens or hundreds (or more) exploits *before* it was reported.
It's not just a matter of "see, look how quickly we can bail water out of the boat." There's also the question of how many holes were in the hull to begin with.
I'm not saying that any particular platform is put together better than any other, just that it is a topic worth discussing.
I currently have no clever signature witticism to add here.
I'm not going to spend the hours it would take to check all the "Updated" entries in the list, but I picked one at random and looked at the original and two of the updates, and the only changes between was the addition of links to distribution-specific patches. Looks like they're counting individual exploits multiple times.
Sheesh, evil *and* a jerk. -- Jade
"so let the debate begin again over which OS is really more secure."
EROS.
I'm offended by the latest comparison of and . The linked article offers no measurable insight, and is exactly the kind of flamebait that bores the
Please change your editorial practices to fit my tastes better.
ComplaintGen (R) - 2006
I would agree with this.
Most companies are in the habit of finding security flaws in their products. Some even fix them. But most don't make a substantial effort to share what isn't already public. (Some do!)
Linux, on the otherhand, has only the public mechanism for identifying and resolving security issues. So any flaw that is identified is likely to be public.
And, these numbers don't tell the whole story... you need to take in account severity too.
What does it take for open source (being open to all) to report a flaw?
***Finding it of course.
What does it take for a huge software house with stock to shill... errrr.. sell?
***Exploits running about in the wild do not a good reason make, as we can see from this latest XP exploit this last week.
" What luck for rulers that men do not think" - Adolf Hitler
If you had read the article you would assume that the exploits mentioned were for the actual operating system (and indeed there were some OS exploits). However many of the bugs were to do with end user system software that wasn't developed by microsoft or by the Unix kernel maintainers/developers.
So blaming, say, microsoft or linus for third party software is quite deceptive.
Another issue is that most Linux distro's ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distorted numbers like this.
Crispin
Volatile is an understatement.
Anyway, I've used a number of different operating systems and I've realized something. Computer security isn't so much the operating system you select, it's how diligent you are in keeping it secure. If you keep the system patched, behind a decent firewall, are careful with the software you run, and don't use the root/Administrator account for normal usage, you'll probably not have any issues with your computer. Granted, there are plenty of examples otherwise, but I'm referring to the standard user or sysadmin.
The problem comes in for users that don't understand that they need to keep their system protected more than it is out of the box. Some linux distros and Windows get it right by having automatic updates (if you need to disable these, you can easily enough).
Overall, there ARE good things and bad things about each operating system, but not much matters if the user isn't going to take some type of responsibility to keep their own system updated and protected.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
Several operating systems have 3 times the number of vulns as Windows? Since this is that same unfortunate CERT report that counts 3rd party software as "system" vulns and since the majority of 3rd party unix software can be built on Windows... I call big piles of smelly shit. CERT have been a fucking joke in the security community for years so it's about time they displayed a sense of humour.
I opened up the page and the first thing I notice is that both show vulnerabilities of not only the OS but the applications that run on it. Its really not fair to say that an iTunes vulnerabilities makes Windows less secure since Microsoft has no control over it. It also seems that the say this is done is Windows v All(Linux, Mac, all *nix OSs). Not to mention that there are still numerous vulnerabilities on windows that are going unpatched(wmf anyone?).
1. More *nix problems have been fixed than with windows this year. Windows still has the large amount of bugs it had last year, while linux and other open source software projects have much less than ever before.
2. Windows is even more insecure than *nix now than ever before by virtue of these *nix bugs being reported, fixed, and the software further secured.
3. Windows bugs are not reported like linux bugs. They are more public thus there will be more to add to this list, as it would be impossible for them to add internal Microsoft bugs to this list in full.
4. People in the linux camp can not *add* security problems to Microsoft internal code, while Microsoft People have the motive (job security and company loyalty), Ability (They would not be working for Microsoft if they did not know at least basic programming), and Freedom (As per the GPL) to sabotage Open Source Software projects. And it would not be illegal to do so, since there are no restrictions against it in the GPL that would make it a crime for Microsoft-friendly and Anti-Linux parties to do such evil deeds.
- d
The statistics referenced do not seem operating system specific. For instance, an "Apache mod_include Buffer Overflow" may be severe but it hardly seems fair to count this as a mark against the *nix operating systems. Likewise there are several exploits on the windows list specific to software vendors.
Additionally, I would add that there are fundamental differences between open and commercial software:
*In commercial development it is reasonable to release software after several phases of development and testing have been completed. Also, as another user stated, closed source makes it harder to discover vulnerabilities.
*In open software the resources and time of an individual are greatly limited compared to commercial development. Releases are made frequently so that patches can quickly follow as a result of community support.
This article attempts to ignite the hackneyed flame war of windows vs. Linux. However the underlying fact here is that as software and operating systems become more complex it becomes impossible to develop exploit free code.
-Lanimilbus
than ALL unix/linux operating systems combined.
This proves nothing.
And why are Mozilla vulnerabilities listed under unix/linux but not under Microsoft Windows? Last I checked, Mozilla ran on Windows too.
Groklaw has comments about this like:
Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
Kind of makes a numerical count of reported security problems pointless. (BEGIN SARCASM) Of course, the Linux/Unix security holes are much more serious than are Windows security holes because automated worms, viruses, etc. attack Linux/Unix machines but not Windows computers. (END SARCASM)
Probably stated above already - but that number is meaningless unless you look at the percentage of those vulnerabilities that were fixed within the same year! I'm sure more of these were patched within let's say a month of them being announced. Also, just because more are announced doesn't mean there are more - just that more were found... Open Source has more eyes looking for vulnerabilities, which some may say would make it more secure to begin with!
========
77 77 77 2e 6d 65 6c 76 69 6e 73 2e 63 6f 6d
"so let the debate begin again over which OS is really more secure."
Let's not and say we did?
This is all out of context unless you look at the impact of the vulnerability, and how it is exploited. I didn't RTFA, admittedly, but I do know that the main reason for the exploit of vulnerabilities (both technology speaking, as well as the handling of these topics by the media) is largely because of the volume of Windows users in the world.
These articles only make the majority of the public even dumber.
It makes me think of the line from Billy Madison where the teacher proclaims "...At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it..."
I think I just heard the sound of flood gates opening in the distance, followed by the rushing and roaring of what is surely a massive volume of water.
Or maybe that was the sound of thousands of Slashdotter keyboards blazing...
At any rate, this is interesting because it once again prompts the lot of us to dig up the tired old argument, "Just because more vulnerabilities are being found doesn't mean the system is less secure." As I'm certain others before me have already stated countless millions upon billions of times, the fact that the vulnerabilities are being found and repaired in a timely manner and in a much higher number is probably the reason UNIX and Linux are more secure, not less. Windows, on the other hand... vulnerabilities are slowly found, but nobody can fix them except for - you guessed it - Microsoft. (Or, in some rare cases like the recent unofficial patch for the latest Windows security hole, or should I say chasm, by some concerned programmer out there who thinks the problem is serious enough to warrant them going out of their way to figure out how to fix it without having source code on hand.)
I personally feel a lot better knowing people are actually finding security holes in software I use, and fixing them on the spot. More holes doesn't mean worse software, it means better oversight. Depending upon how successfully the vulnerabilities in an operating system or application are repaired and how quickly that is accomplished, more holes found just might equate into better security overall.
That won't, however, save us from the hordes of pro-proprietary blowhards boasting that closed source commercialware is always more secure, waving these numbers like a flag. Brace yourselves for the bullshit.
You mean like how Microsoft product before and after Service Pack 2 are lumped together (firewall, security, etc)? Or how Microsoft product, Microsoft product, and Microsoft product are lumped together (system stability, BSOD)?
The difference is that those versions of Windows are all products of one company: Microsoft Corporation. In addition, Microsoft aims for binary compatibility across its line of Windows operating systems, which collapses them into two products at most (Windows 95/98/ME and Windows 2000/XP/2003).
On the other hand, GNU/Linux, Solaris, and Mac OS X are completely separate product lines published by different companies: FSF/OSDL, Sun, and Apple. Just because all three systems make more than a token effort to implement POSIX, a source code compatibility layer, doesn't make them the same product.
Seems there was something about Microsoft and bugtraq a couple years back. The flurry of bugs reported was uncomplimentary, to say the least. Damning to say the most. Microsoft pulled out of any involvement in the venture.
A feeling of having made the same mistake before: Deja Foobar
Not to mention that the majority of those vulnerabilities only affect a limited number of installations, sometimes so small as to make virus-style transmission difficult.
And of course there's the issue that for the average computer user who don't have any blackhats after them, Linux, BSD or OS X is going to a lot more secure in a practical sense just because they aren't the main target. I'm the first to admit that the most popular OS is going to get a lot more security scrutiny, but I don't really care which OS is more secure in theory. I only care that I'm not getting infected on a regular basis.
Anyway, believe whatever source you want. All I know is that while IT departments across the country raced through their holiday "vacations" to roll out unofficial patches to fix the WMF vulnerability, I sat at home drinking egg nog and watching South Park.
By the way, we need a better lexicon. "Vulnerability" sounds too bad and too good at the same time. A DoS that crashes gtk-gnutella is one thing, and needs a much softer word to describe it - perhaps "imperfection". A design flaw that gives remote root to anyone who shows you an image through any program needs something harsher. How about "sucking death wound"?
I'll take 2500 imperfections over 800 sucking death wounds any time.
Dewey, what part of this looks like authorities should be involved?
All your bases are belong to us, which is, as you may have once known, an ancient Chinese secret. You are ALREADY owned, you don't know it -- you're too busy talking about MS this and MS that, that you have neglected to realize, all your bases are belong to us!
This is somewhat like any multiple step self help program, all of them say you need to identify the problem first before you can solve it. At least *ix systems know they have the problems and are willing to fix them. However in Windows they will (most of the time) tap dance around the subject before finally admitting and then fixing the problem. The problem with big corporations is that any bad news will cause their stocks to take a hit so they get their PR people to do a spin before they get the fix in.
microsoft was intelligently designed from above by a corporate structure. linux evolved from many disparate cooperating independent parties. so of course microsoft is superior, it is ordained By god
meanwhile linux is an nihilistic meaningless ramble. do you think god plays dice with operating systems? i for one do not
one day armageddon will come and flood the internet with worms and virii and kill the babel of linux nodes. vista will record two copies of every software package, beta and release, and release it upon the world when the sea of worms and virii recede, so that win32 packages may propagate the internet again, cleansed of the faithless emptiness of the linux babel
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I'm not particularly surprised to hear that Linux and Unix have more vulnerabilities, but because they're not yet mainstream OSs, they likely get significantly less attention from "teh 1337 h4x0rz" and such and therefore, despite having more reported vulnerabilities, experience less exploitation of those vulnerabilities.
Since this is a dupe debate (it happens ALL the time) why not just link to the previous list of comments? I'm not even going to read TFA, because these useless debates have gotten to be a waste of time. There's no winning this debate - we're all losers for having editors who think that this is "news".
And this has been argued to death. Oh well. Put on your asbestos underwear and let the flames roar.
Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?
And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.
So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...
Move along.
Human being (n.): A genetically human, genetically distinct, functioning organism.
If you want a secure environment you should be running Atari 2600's
How come is a PHP hole only a Unix hole? ... This "Vulnerability Summary" is bullsh*t.
We suffer more in our imagination than in reality. - Seneca
I counted the lines and there are 2,329 lines.
Here's an example of 10 of them:
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
And then they list 10 different distributions. Hmmmmm
So, one problem in BZip2 == 10 counts of "problems".
>Strangely, negative Windows articles don't get questioned.
That's because they are true.
my password really is 'stinkypants'
Look for apache. The only entry is *nix. They imply that Apache is not vulnerable on MS. You know that Apache on Windows had the same errors. Basically, they are trying to equate the Windows OS flaws to all the flaws in a *nix distro.
I almost think that *nix should do the windows approach and come with multiple "sets"; the base OS CD and then one or more types of apps CD (as a different thing).
Sadly, I think that posts from groups like CERT like this do as much damage to cert's reputation as they do to security overall.
I prefer the "u" in honour as it seems to be missing these days.
*nix had the most total number of vulnerabilities, however I believe that if you look at the severity of windows vulnerabilities, you will find them to be more severe and longer lived in nature...
Plus, when the hell are people going to stop grouping ALL distributions of Linux into one category... how many major distributions by different vendors are out there? 18 or something like that, and hundreds of smaller distros... There is only ONE Microsoft. Compare Windows to any single distribution... and then we will see what kind of leg it has to stand on...
*This post written by an avid Microsoft Windows user who does not even know or understand Linux, yet wishes he did*
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
it's open source? Everyone can look at the Linux source and report a new bug, whereas they cannot with Windows. This doesn't mean *nix actually has more than Windows, it means more were found, reported, and fixed.
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
In effect: This information is completely useless for comparing operating systems.
Only to idiots, are orders laws.
-- Henning von Tresckow
Take, for instance, the wget vulnerabilities listed in TFA. There's eight of them. Open them up, and you'll see that they're all the same pair of CVEs (CAN-2004-1487 and CAN-2004-1488) -- just updated every time a new distro releases a patch. That's a lot of redundancy -- the equivalent of reporting a bug in Windows Media Player separately for Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003, etc.
I have to wonder about the purpose of this article, as it ought to be fairly easy to run "grep -vi update" on the list and get more accurate numbers.
There is one (1) operating system with only one (1) local vulnerability (in older releases) and only one (1) denial of service (all releases): VMS. Certainly outstanding! But, I bet the media will not notice.
That means the "UNIX/Linux" category is at least 10 OSes. On top of that, there is this gem:
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
Yep. Another bullshit number designed only to spread FUD.
___
If you think big enough, you'll never have to do it.
Because as they've shown time and time again, they know everything and you know nothing.
Others have said this better in this thread: This study is garbage.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
From what I have seen, the Unix/Linux list contains security pertaining to:
FreeBSD
Debian
OS X
Apache
Adobe Acrobat
Freeciv (???????)
Gentoo
Gnome
Emacs
xine
Together with AIX, HP-UX, KDE, Mozilla, and a whole bunch of others.
Tell me, what is the point of this list if it shoves AIX, HP-UX, OS X, Solaris and a number of variants of Linux together? Just this short list contains 4+ operating systems developed by separate companies. Not to mention all the applications as well.
So a single, closed-source OS had fewer vulnerabilities publicised than a -class- of who-knows-how-many open-source OS's. Any given individual probably makes fewer mistakes than all the other people in the world combined, too. Like, *shock*!
Unpleasantries.
so let the debate begin again over which OS is really more secure.
I hear this junk all the time and can't believe people can say an OS is secure / insecure by the "applications" running on it. How is "Adobe Acrobat Reader" a reflection of how "insecure" Linux is? Or a problem with "Apache mod_install"? These are all applications which run on top of Linux. They are NOT the Linux OS by any means. The same goes for Windows with "Adobe Acrobat Reader" and "IBM Websphere". I would argue this is a garbage comparison.
Now compare what IS inside the OS. Windows cannot function without IE (according to Bill Gates). It's been incorporated deeply into the OS. Security problems with IE would qualify as a problem with the OS (for example). If it's something part of the OS then I would buy it as a security problem. Linux issues IMO would include problems such as say iptables, Linux Kernel Race Condition / Buffer Overflow and maybe Gnome/KDE (to name a few)
I understand I may be just a little picky about this but I think I've demonstrated my argument.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
I mean c'mon, like this one:
Windows:
A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example.
Risk: LOW
link
It's also easy to notice that most of the unix/linux (say, why not throw a few others in that bunch as well, huh?) are marked as high risk.
Is there any file format that you can't infect or use to otherwise totally break/hang the system on Windows?
TXT files don't count.
Here's one simple example: MySQL and PostgreSQL account for 26 different listings under UNIX/Linux, but they are alternative products, not complementary. Why do they list both? What percentage of non-experimental Linux machines have both PostgreSQL and MySQL installed?
Here's another: Notice that a big chunk of the vulnerabilities listed have a platform by their name; Debian, OpenServer, Solaris, Apple. Why do those get counted multiple times as "*nix" but a vulnerability on Windows XP Home, Windows XP Office, and Windows 2003 only gets counted once?
Here's another: Notice the number of apps like SpamAssassin, Sylpheed, and Squid that are counted for *nix. I haven't done the numbers, but I'll bet there are a ton more freaky little apps like that listed for *nix than for Windows. Why? Because there's a lot more freaky little applications like that available for *nix. Does that mean *nix is less secure? Of course not.
And that isn't even delving into the questions of severity and windows of vulnerability.
Compile a list of the vulnerabilities related to the core operating system, compare them on severity and time to patch, then maybe there's something to talk about. Attempting to infer something by blindly counting this hodge-podge is stupid.
Stop-Prism.org: Opt Out of Surveillance
2,328 is a whole lot more than 812. That means that *nix et al are 1,516 fixes ahead of the competition.
You may be overly critical guy, but you don't seem capable of critically considering the article. As others have pointed out:
> "The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings)"
1) Linux/Unix is not a single operating system. BSD and Linux are two different operating systems. Solaris is a different OS. MacOS is a different operating system.
2) from TFA
Do either of these sound like contrived excuses to you or random conjecture? If so, please explain how.
On point #1 alone this comparison is completely useless. When I run Suse, I'm not running Unix/Linux, I'm running Suse Linux. This "report" is absolutely useless when trying to determine whether Suse had more vulnerability than Windows last year. And if you think otherwise, step up to the mike and splain it.
and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.
The Slashdot story indicates that unix vulnerabilities accounted for 3 times as many as windows.
krappie:~/tmp$ cat winvulns.txt | wc -l
812
krappie:~/tmp$ cat unixvulns.txt | wc -l
2330
Even without taking into account how these numbers are completely meaningless, this is even completely wrong. If you look, almost every title has "(Updated)" after it under unix.
krappie:~/tmp$ cat winvulns.txt | sed 's/ *(updated\?)\?//i' | uniq | wc -l
679
krappie:~/tmp$ cat unixvulns.txt | sed 's/ *(updated\?)\?//i' | uniq | wc -l
1046
And don't forget this counts all flavors of unix and even Mac OS.
Seriously, is there some way to mark the posted article as flamebait?
US-CERT is virtually worthless. Hell, they still consider Mac OSX to be part of Unix. What's worse is that they list the **same freakin vulnerabilities numerous times**. I'm not going to say much more... anything I would say would be a repeat of the OSVDB blog at http://www.osvdb.org/blog/?p=79 which addresses this issue.
My hovercraft is full of eels. All your base are belong to us. And he had made a trumpet of his arse.
Fair and balanced does not equal fairly retarded. If you do not question the methods by which these statistics were arranged to favor an OS renowned for its flaws over a whole group that have a great reputation for security then you are fairly judged as being retarded.
Distributions ship with a hell of a lot more than just a kernel and basic command-line tools. Windows, on the other hand, has quite a few. The data shown is really unclear on how an OS is defined. It would be much more interesting taking a standard Windows desktop installation as a base and pairing that with an open source OS that meets the same level of functionality - then doing the test.
And people tend to forget during a security debate that with proprietary products you're working on the assumption that the source code is never released. I think that's a rather dangerous assumption, given the history of this occurring.
Significantly less than the number of Windows vulnerabilities that were exploited? Thought so.
It doesn't matter how many vulnerabilities there were, all that matters is how many of them actually get exploited.
I make my living supporting Macs. If there was an exploit in the wild for any of the vulnerabilities Apple patched in 2005, I would have heard about it. But there wasn't. Just like always, this week I got to sit back and watch my Windows-supporting colleagues running around like headless chickens trying to mitigate the effects of the recent (and STILL officially unpatched) WMF exploit.
So yeah, this whole article is flamebait.
Dear Slashdot,
Your recent article on
[ ] Popularized science
[ ] Wikipedia
[ ] MS security lapses
[ ] Blu-ray vs. HD DVD
[ ] DRM
[ ] BSD
[x] Linux vs. Windows
[ ] More things to do with Legos
is
[ ] Blatant advertising.
[ ] MS FUD.
[ ] Two years old.
[ ] Incorrectly titled.
[x] Flamebait.
[x] Misleading.
[ ] Full of spelling errors and bad grammar.
[x] A dupe.
Therefore I
[ ] Want my money back,
[x] Demand better articles,
[x] Demand more editorial control,
[ ] Have a terrible sense of deja vu,
[ ] Have decided to become a Slashdot troll,
[x] Just like to complain,
You
[x] Insensitive Clods.
[ ] CowboyNeal.
The careful reader will note that one problem is that both "tcp dump"[sic] and "TCPDump"[sic] have a "BGP Decoding Routines Denial of Service". Of course, WinDump isn't listed there, even though it has the same decoder, although, as it doesn't come with Windows, perhaps it isn't counted as a Windows vulnerability.
It would also be worth checking to see whether, as noted, any of the updates really deserve to be treated as separate vulnerabilities (regardless of whether they're UN*X vulnerabilities or Windows vulnerabilities). As far as I can tell, the updates for the tcpdump BGP decoding DOS just either say "oh, this OS also has it" or "oh, this OS also has a fix" - there are a small number of those you can get for Windows, but a larger number for "Unix/Linux" vulnerabilities, given that there are several major Linux distributions, four major BSD/386 descendants, and several "commercial UNIXes".
sold itself to m$. keep see'n damn windoz factoz every day now. nice. feel sad though to see / compromised this way. will also sell my / account for just $.02 and be off
This happens every time a fucked up article hits Slashdot. I'm not even sure why this is news either. All the article does is say that for all *nix operating systems there are more vulnerabilities than for Windows, and these numbers aren't definitive because it counts repeated submissions the same as the first report.
Linux is *Only The Kernel*, everything is the distro!
By saying everything in a distro that has a reported bug is a flaw in Linux is like saying every piece of Freeware, Shareware, Commercial software for Windows that has a reported bug is a bug with Windows.
Remember as well: "There are Lies, Damn Lies, and then Statistics!"
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Points not mentioned:
-amount of risk caused by vulnerability
-percentage of high-risk vulnerabilities per OS
-time taken to patch vulnerability
-whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE)
... etc. etc.
Statistics aren't so useful with such lack of completeness.
Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...
... the sizes of the lists are nearly identical. I copied and pasted the two lists into two separate text files, unix and windows:
dice@entropy ~/test $ cat unix | grep -v Updated | wc -l
887
dice@entropy ~/test $ cat windows | grep -v Updated | wc -l
672
887 vulnerabilities vs. 672. Now account for the fact that the "Unix" camp includes a dozen OS's and a much wider scope of software than the Windows list does and I think you can draw your own conclusions.
There is no such thing as a completely secure OS. As well, whether this is full of hot air or not, Micro$oft will never get a fair hearing in this place.
The thing is, I see most people here actually analyzing the data and seeing the flaws within it. But many many computer users will simply see the headlines and start telling everyone that there are these things called "Linux" and "Mac" that are really insecure, so everyone should use Windows.
Semper Fi
There is also the issue of how many of these incidents are actually 3rd-party incidents and not part of the core OS. And then, from the incidents that are actually part of the OS, the severity of them (exposures on Windows are usually catastrophic).
The only intelligence there is in regards to windows is that of marketing... market it no matter what condition it is in. If "Intelligent Design" was more popular you can be sure MS would market Windows in a manner to ride off that, as they do everything else they can. I mean Hey, they got the singularity OS....(rolls eyes)
I think everyone knows how out of context the article is, which only shows the deceitful intent of those responsible for it being written.
Taking things out of context is a known action of those having intent to deceive.
Now if there were laws against such that applied to marketing.... We'd all have better things in life, cept for the deceptive.
But for those of us who do know to see past the BS... we are better off, depending on how deep the BS goes, and sometimes it gets rather deep.
Read isc.sans.org--not to mention Groklaw--they pretty much rubbish any attempt to draw too many comparisons from merely the number of reports of flaws for each OS. Even ignoring the fact that the number of reports is in no way an accurate way to count--several concern multiple, independent flaws, whereas others are merely updates of old bugs--one thing still stands out:
...
The number of bugs is completely insignificant when scored in that way.
A more practical measurement is something I will call herein the vulnerability window and define as: assuming that you patch your computer immediately after an official patch is posted, compare the amount of time over which you are vulnerable to known attacks vs. the time which you are fully patched.
So, say, there were 50 days this year in which there were publicly known, unpatched exploits, that would be your vulnerability window. This measurement is more meaningful. Right now, for example, GDI32 is completely vulnerable on pretty much all Windows systems[1], and so their exploit window is growing pretty rapidly for this year.
Granted, this isn't perfect: the flaws, obviously, exist even without anyone to exploit them. But this model focuses attention on where most of the problems occur most of the time: known holes that are actively being exploited.
[1] Older systems like Win 95 & 98 lack any easy, remote vector for exploitation, having nothing to process the WMFs and trigger the vulnerable Escape() function in GDI32, even though they are vulnerable. Even browsing with IE isn't enough according to reports that have been posted.
[2] Slashdot captchas are weirdly relevant sometimes. I'm not sure if this is a psychological effect or something in the code, but I just got "adequacy"
Perhaps someday they'll get me, but I have never had to re-install, or fix my Linux system because of a virus or other malware. I do know of six Windows users that have told me their particular virus woes (so reported to me anyway.. who knows about those too ashamed to admit it).. So I conclude from this, that Windows is at least six times more likely to have a virus..
waiting for ad.doubleclick.net
Windows CE ME NT.
It's not the 'quantity' of security vulnerabilities that counts, it's the 'quality'. I mean, some obscure buffer overflow that _might_ enable a short string of random code to be run as 'user apache' when you combine apache with 7 modules (6 of which are common) is not the same thing as an 'integrated file browser/web browser' that will auto execute any exe that has the right wmf 'play assist' headers on it, and will run that executable at 'administrator' level privileges...
https://www.gnu.org/philosophy/free-sw.html
If I recall correctly, they're actually double-counting some vulnerabilities in common software - once for Linux, once for OS/X, once for Sun Solaris etc (I think that was right - can anyone confirm?). None of this was malicious - this survey was never intended to be rigorous and the people doing the counting made that quite clear. However, it does mean that any attempts to judge the relative merits of the various operating systems are somewhat fruitless.
For the love of God, please learn to spell "ridiculous"!!!
While I am a big fan of Linux and open-source in general, I think it is safe to say that if a vulnerability is never found then it doesn't matter that it is there or how severe it is. Now, if it's found by one evil hacker and no one else, then it is a problem, but if nobody ever finds it, then good for it.
Stop Global Warming!
Just say no to irreversible processes!
1. Windows is ONE OS. Unix mentioned is more than one, there's SuSE, RH, Debian, *BSD... it's not fair to compare one OS to many.
2. It's not just how MANY vulnerabilities there are, also how much chaos they cause and how much money they cost.
3. With OSS, finding problems is not as bad a deal, that just means someone will come up with a patch soon enough. With windows that means someone will come out with an exploit soon enough. It therefore means different things on different systems.
Given enough eyes all systems become perfected. The difference with Windows and Unix is the path to that perfection. Windows is obviously a longer painful path.
I love humanity, it is people I hate
So 3 OS's, at least, so BSD, Linux and OSX have more vulnerabilities than one single operating system?
Do the math.
BS.
Anyone with half a clue and experience with both OSes in a production environment already knows the truth, but there's some points for those who actually believe some of the shit that seems to be deemed newsworthy...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I copied the list to a file and ran 'uniq' and 'grep -v "(Updated)"' on it to remove any duplicates and rows containing the string 'Updated'.
Only turned up 813 lines.
This article in a TLA : WTF ?..
Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.
"Linux and Unix, including the Mac, had 2,328 vulnerabilities last year, compared with 812 vulnerabilities for Microsoft Windows" hmm there are at least 10 well known versions of Linux and I don't know much about Unix but there is at least one and then there are 4 versions of OS X out there so that puts us at 15 and up so 2328 / 15 = 155.2 .... that's way less than 812 .... so we are looking at a substantial amount less in comparison (given there are a lot more versions of Linux and Unix out there and I didn't count the server versions of OS X)....
(yes I know I suck at spelling, feel free to correct my grammar and/or spelling, I don't care, I'm still not going to change
Why are people putting so much thought into these numbers? I know my opinion has probably already been made above, but I just had to add to the millions that logically understand the meaning of these numbers. I know someone already said, who the hell knows how many M$ security threats exist that aren't made public. This is true. They only release the information when an exploit or worm is making use of them, or they release the information once a month to say they are "working hard on patches". Two hundred minor security flaws are less of a threat to me than one M$ flaw that is EXTREMELY DANGEROUS to my system or network. M$ may have fewer, but am I wrong in saying that the majority of their flaws are WAY MORE dangerous??? And these are just what we find out publicly. Isn't fast, publicly made reporting of flaws, bugs and vulnerabilities the best part about Linux security? In that those flaws can be quickly dissected by the community and patched quickly? This isn't a competition to see who can make a product with the perfect security record. Only OpenBSD is capable of that! (snicker) This is a competition to see who has the best response and is open to the public. As well as the capability for the IT world to do their own investigations into the source code of their systems that run their mission critical services and applications.
...Dupe posting tops the SlashDot vulnerability list for the 8th year in a row.
When are we going to hear from the people responsible about getting this vulnerability fixed?
This space for rent. Call 1-800-STEAK4U
Funny!
Windows shows fewer bugs than Linux/Unix! I was always sure that Micro$oft is the best.
No Office suite exploits... It should be secure, now!
And, however, even kids know that "A known bug is a dead bug"!
(the same kids know that "Bugs enter from open Windows")
What? WMF? Still unpatched after 3 months? But it's a bug related to a feature dating from 1990, it's not a real bug...
What? It's a *deadly* bug?
But a company that depicts its logo on my keyboard can't be wrong!
Let's get the religion out of this ok?
For several years now Linux has had more security flaws than Windows.
Last year the stats were crunched that showed that Windows fixes on average came out faster than Linux fixes. And lord knows they are easier to install, thus more effective.
HOWEVER, a locked BMW parked in the city is less secure than a Lexus with the windows down parked in the desert.
While servers can be affected Windows is targeted for two reasons:
More desktop users make viruses etc easy to spread.
There is a large jerk contingent that also thinks crashing Windows somehow helps Linux and other Opensource.
Finally Linux servers were just as likely to be compromised by targeted attacks as Windows. There are lots of sites hacked each year running pretty standard Linux configurations.
IF you run servers, you need to lock down both beyond the defaults and update your software.
If you run desktops Macs and Linux are safer because they are not targets, not because the OS's were written by humans able to write perfect code or some other BS.
Read it:
I totally find this hard to believe. I've been using Linux for 10 years. At any point in time I can install Windows on one of my computers and get infected by spyware, viruses, or hackers. I've run my Linux box on the net without a firewall for months at a time with all the services turned off. No security breach. I'm wondering who funded that study.
Also just because there are more security holes found doesn't mean anything. It's easier to find security holes when you have the code available to you. But that's as much a strength as it is a weakness.
I guess that if I compile gzip natively on windows, any vulnerabilities that plague the linux / unix version just magically disappear, right?
Who the hell's running the show, anyway?
Coderz 4 Life
If you believe your Windows security best practices are up to snuff, you may paste this link into your browser to initiate a self test:
tinyurl.com/b8oqu
Disclaimer: Do not under any circumstances do that from a computer that's running any version of Windows, no matter what your precautions are. Unpleasantness will occur. You were warned.
Help stamp out iliturcy.
Vulnerabilities in KDE are counted as vulnerabilities. Vulnerabilities in GNOME are counted as vulnerabilities. Separate vulnerabilities in Gentoo, Red Hat, and all other distros are counted as separate vulnerabilities. Even MacOSX vulnerabilities are considered Linux/Unix vulnerabilities. That doesn't seem like a fair comparison. After all, you can't run Linux on both KDE and GNOME at the same time...
Here's what I find most interesting...
It's nearly unanimous among this community that MS OS's (whatever flavor) are by far inferior to Unix (whatever flavor) and that not a one will apparently consider that there is any validity to the story or statistics.
Now I am not saying that I agree with the article, but I will say that our community is severely biased. To believe that there is not a shred of truth to the article is absurd.
-STankyG
People are always blaming their circumstances for what they are. I don't believe in circumstances...
HP-UX, AIX, Solaris, Mac OSX, OpenBSD, FreeBSD, NetBSD and the 4 score and 7 variants of Linux, even, dare I say it, some SCO stuff added into the mix.
Hmmm - somewhere in the neighborhood of, let's pick a good round number, say 20 *nix variants, versus 1 OS.
Multiple versions of course, yet one OS.
20 to 1, and only 3 times the number of vulnerabilities - that's approximately
.15 vulnerabilities for the average *nix distro for every 1 vulnerability in Windows. That changes the numbers dramatically. Showing a 6.66 to 1 (Oh, my - the number of the beast - how'd that get in there - could it be Bill Satan perhaps?) ratio of Windows vulnerabilities to 1 *nix variant.
Interesting how numbers can be skewed now, isn't it.
Who is general failure, and why is he reading my hard drive?
The article is correct - I am quite certain *Nix's may have more OS vulnerabilities than Windows. Possibly many more OS vulnerabilities.
What the article doesn't bother mentioning, hooray for bad journalism everywhere, is that Microsoft's Internet Explorer is completely riddled with vulnerabilities. And it's integrated with the OS in such a way that the IE vulnerabilities can really mess up the whole OS. And the browser cannot be uninstalled or removed completely.
Furthermore, Linux and UNIX and company still enjoy very strong security through obscurity. Scriptkiddies are simply not interested in these systems and so very few vulnerabilities are actively exploited.
I am government man, come from the government. The government has sent me. -- G.I.R.
Huh? What does this mean? I don't understand.
Furthermore, is this where they got all their information? Where did the Windows vulnerabilities come from? Open source? Can't be!
Of course you can find the vulnerabilities in the source, if it's open. Is this how they found the Windows vulnerabilities, or in some report? Looking at the source? I'd like to view the source myself. Maybe Linus would like to see it too.
This is our government!!!
bob@media:~/projects/ryu/software/build$ cat ~/nixvuln.txt | egrep -vi 'Updated|Apple|FreeBSD|Gentoo|HP-UX|IBM AIX|OpenBSD|Red ?Hat|SCO |SGI IRIX|Solaris|SuSE' | wc
737 5484 41307
bob@media:~/projects/ryu/software/build$ cat ~/winvuln.txt | egrep -vi 'Updated|Apple|FreeBSD|Gentoo|HP-UX|IBM AIX|OpenBSD|Red ?Hat|SCO |SGI IRIX|Solaris|SuSE' | wc
668 4985 39090
Updates don't imply increased vulnerability. I removed all but one distro (Debian, the one I use). That gets it down to 737 versus 668.
That's without removing competing software like MySQL/PostgreSQL and KDE/Gnome, without removing platform specific software that isn't listed by OS, without accounting for the higher disclosure rate of *nix, and without considering time-to-patch and severity. 737 versus 668 is still a meaningless comparison without looking at those factors, but at least the blatant stupidity of multiple counting is largely mitigated.
Stop-Prism.org: Opt Out of Surveillance
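The counting pipelines in this post, dice's and krappie's above all strip "(Updated)" and then lean on uniq or grep -v. Here is the same count done as an added example (not any poster's code) with a set, so non-adjacent repeats also merge, plus an optional strip of the OS/vendor prefix instead of discarding those lines; the bulletin titles and the prefix list are constructed for illustration.

```python
"""Count distinct vulnerabilities in a pasted US-CERT style list.

Added example (not code from any of the posters above). Input lines are
constructed to resemble the bulletin titles people pasted into text files:
a title, an optional "(Updated)" suffix, and sometimes an OS/vendor prefix
marking a re-issue of the same bulletin for one platform.
"""
import re
from itertools import groupby

# Constructed sample "Unix/Linux" list. Line 12 repeats line 1 non-adjacently.
UNIX_SAMPLE = """\
Eric Raymond Fetchmail POP3 Client Buffer Overflow
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
wget Directory Traversal
Debian wget Directory Traversal (Updated)
Red Hat wget Directory Traversal (Updated)
tcpdump BGP Decoding Routines Denial of Service
TCPDump BGP Decoding Routines Denial of Service (Updated)
MySQL Multiple Vulnerabilities
PostgreSQL Multiple Vulnerabilities
Linux Kernel Race Condition
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
"""

# Constructed sample "Windows" list.
WINDOWS_SAMPLE = """\
Microsoft Windows ANI File Denial of Service
Microsoft Windows ANI File Denial of Service (Updated)
Microsoft Internet Explorer Remote Code Execution
"""

# OS/vendor prefixes that mark a per-platform re-issue (the same names the
# egrep in the post above drops outright; here the prefix is stripped instead,
# so the underlying bulletin is still counted once).
PLATFORM_PREFIX = re.compile(
    r"^(apple|debian|freebsd|gentoo|hp-ux|ibm aix|openbsd|red ?hat|sco|sgi irix|solaris|suse)\b\s*",
    re.IGNORECASE,
)
UPDATED_SUFFIX = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)


def normalize(title: str, strip_platform: bool = True) -> str:
    """Canonical form of a bulletin title so re-issues compare equal."""
    t = UPDATED_SUFFIX.sub("", title.strip())
    if strip_platform:
        t = PLATFORM_PREFIX.sub("", t)
    return re.sub(r"\s+", " ", t).casefold()


def titles(text: str):
    """Non-empty lines of a pasted list."""
    return [line for line in text.splitlines() if line.strip()]


def count_raw(text: str) -> int:
    """What `wc -l` reports: every line, updates included."""
    return len(titles(text))


def count_adjacent_uniq(text: str) -> int:
    """What `sed 's/(Updated)//' | uniq | wc -l` reports: only runs of
    identical neighbours collapse, so a repeat further down still counts."""
    keys = [normalize(t, strip_platform=False) for t in titles(text)]
    return sum(1 for _ in groupby(keys))


def count_unique(text: str, strip_platform: bool = True) -> int:
    """Distinct bulletins regardless of their position in the list."""
    return len({normalize(t, strip_platform) for t in titles(text)})


if __name__ == "__main__":
    for name, text in (("Unix/Linux", UNIX_SAMPLE), ("Windows", WINDOWS_SAMPLE)):
        print(name, count_raw(text), count_adjacent_uniq(text),
              count_unique(text, False), count_unique(text))
```

On the constructed sample the four numbers for the Unix/Linux list are 12, 9, 8 and 6, which is the same progression the posters saw on the real lists.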
The idea of a security score card is good but the way they did it is meaningless. The ranking should be more like:
Number of bugs +
Number of bugs with known exploits x 5 +
Number of bugs with known exploits x the number of days the exploit was in the wild before the bug was patched.
Then multiply the whole thing by a risk factor (1-5) based on how much harm it can do.
No lumping multiple OSs. Each one should get its own card. Lumping applications bundled with the OS is reasonable but skews things too. For an accurate comparison, only bugs in features common to all platforms and bugs in non-optional components should be counted.
The way the current ranking they use works you could have 50 non-exploitable, local user only, file permission modifying bugs in 100 different Lunix distributions and it would count as 5,000 bugs. Similarly you could have one remote attack that completely takes over a Windows box with known exploits which remained unpatched for 100 days and it would count as 1 bug. The score would be 5,000 to 1 in favor of Windows which is about opposite from what it should be in this example. These are completely meaningless numbers.
I don't know how the OSs would stack up given an accurate reporting but I would be interested to see.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
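The score card above, worked through on the post's own two hypothetical cases as an added example (not the poster's code); applying the 1-5 risk factor per bug rather than per OS is my assumption, since the post does not say which, and the bucketing function that reproduces the article's Linux/Unix-versus-Windows lump is mine as well.

```python
"""Weighted vulnerability score card from the post above.

Added example, not the poster's code. Per bug the score is
    1 + 5 * exploited + days_in_wild
multiplied by a risk factor 1..5 (assumption: the factor applies per bug).
The records are constructed to match the post's two hypothetical cases.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Bug:
    os: str                  # operating system or distribution name
    risk: int                # 1 = local nuisance .. 5 = remote full compromise
    exploited: bool = False  # a public exploit existed
    days_in_wild: int = 0    # days the exploit circulated before a patch


def bug_score(b: Bug) -> int:
    """1 for the bug, +5 if exploited, +1 per unpatched day, times risk."""
    if not 1 <= b.risk <= 5:
        raise ValueError("risk factor must be 1..5")
    base = 1 + (5 + b.days_in_wild if b.exploited else 0)
    return base * b.risk


def score_card(bugs: Iterable[Bug],
               bucket: Callable[[Bug], str] = lambda b: b.os) -> Dict[str, Tuple[int, int]]:
    """Map bucket name -> (raw bug count, weighted score).

    `bucket` decides the grouping: one card per OS by default, or a function
    that lumps every non-Windows OS together the way the US-CERT list does.
    """
    raw: Dict[str, int] = defaultdict(int)
    weighted: Dict[str, int] = defaultdict(int)
    for b in bugs:
        key = bucket(b)
        raw[key] += 1
        weighted[key] += bug_score(b)
    return {k: (raw[k], weighted[k]) for k in raw}


def uscert_style(b: Bug) -> str:
    """Reproduce the article's two bins (hypothetical bucketing)."""
    return "Windows" if b.os.startswith("Windows") else "Linux/Unix"


# Constructed data: 50 local-only, non-exploitable file-permission bugs in
# each of 100 distributions, versus one remote Windows takeover with a public
# exploit left unpatched for 100 days.
SAMPLE = [Bug(os=f"distro-{i:03d}", risk=1) for i in range(100) for _ in range(50)]
SAMPLE.append(Bug(os="Windows XP", risk=5, exploited=True, days_in_wild=100))

if __name__ == "__main__":
    print(score_card(SAMPLE, uscert_style))   # lumped: raw 5000 vs 1
    print(score_card(SAMPLE)["distro-000"])   # one distro on its own card
```

Lumped, the raw count is 5,000 to 1 as the post says; weighted it is 5,000 to 530, and only when each distribution gets its own card (50 to 530) does the score point the way the post argues it should.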
I don't buy that argument for a second. What percentage of discovered bugs do you think are actually found by looking at the source code of a program?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
And lord knows [Windows fixes] are easier to install, thus more effective.
If they're so easy to install, how come so many people don't install them and end up getting pwned by exploits that Microsoft has fixed months before? Like Slammer, Blaster, Sasser, etc?
There is a large jerk contingent that also thinks crashing Windows somehow helps Linux and other Opensource.
Uh huh. And there's an even larger jerk contingent who hates Apple/Macs, so please explain why in five years there hasn't been a single sighting of an OS X-specific worm or virus. There are plenty of people who'd love to take Apple and Apple zealots down a peg, so why hasn't anyone tried? You know if OS X malware was spotted in the wild it would be a huge story on all the techie sites-- yet none seems to exist.
...how many vulns would be found if anywhere near the number of people used (i.e., cared) about OSX as they do Windows.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I check isc.sans.org daily and I can't remember the last time I saw a Linux/UNIX vulnerability mentioned (of course they occasionally pop up). On the other hand there are *serious* problems with Windows daily. They've been on Yellow alert for days because of a current VERY serious Windows vulnerability that Microsoft says they'll have a patch for next week:
http://isc.sans.org/
Hello, McFly, is there anybody in there?
Void Main
Utter rubbish! This is comparing one operating system with two varieties to a dozen different Unix and Unix-like operating systems with hundreds of variants, distributions and versions.
How about comparing just ONE operating system to ONE other operating system? Like Windows XP to Solaris/SPARC? Or Windows Server to FreeBSD 5.x branch?
Don't blame me, I didn't vote for either of them!
If GNU/Linux with 3rd party software bugs be counted as whole Linux/Unix bug, then cygwin with same 3rd party softwares on Windows should be counted as "Windows bug" + "Linux/Unix bug".
Therefore Windows should carry over its own bugs and Linux/Unix bugs. It's not only logical, but it's factual.
To me it seems US-CERT just collected data and published junk stats. Perhaps it's time for US-CERT to raise the bar a bit more than half the critical thinking skill level of a baboon for employee/employer.
"Don't let fools fool you. They are the clever ones."
Basically UNIX (BSD, Solaris, AIX, IRIX, SCO, OS X) and ALL LINUX distributions are counted as ONE (1) bin, against MS Windows!!! So, you have basically EVERY popular mainstream operating system other than Windows in one bin and Windows in another, and you are trying to tout THAT as a stat that Windows has fewer flaws than Unix/Linux? Sure, it does when you count ALL VERSIONS OF UNIX AND LINUX TOGETHER AND ADD UP ALL THE VULNERABILITIES FOUND IN ALL THE DIFFERENT VERSIONS!!!!!
THEN there is the fact that different CERT warnings appear multiple times! For instance, Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated) is counted at least 4 times under the SAME NAME, and at least 1 more time under a different name, but it is still the same vulnerability!!!
See http://www.groklaw.net/article.php?story=20051231142317870 for more details.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It's interesting that they lumped the information that way. Actually, it makes the Linux/Unix side look pretty good that they ADDED together all Linux, MacOS, various BSDs, Solaris, Irix, AIX, gods know what, etc. including every Linux distro big or small, together and only found 3 times as many vulnerabilities as Windows.
Of course it's all worthless even if split out per OS since they also lumped in (on both sides of the equation) 3rd party apps. I don't use Windows, so I can't comment there, but on the Linux/Unix side they included things like Acrobat Reader (does anyone with Linux actually use that?), some backup software I've never heard of (I use rsync myself), IRC clients galore (Is anything on IRC secure? Never IRC as root, boys and girls!), shar utils (I remember shar! I think I used it a couple times in the '90s), Opera, etc. These (other than IRC clients) are not apps you'll find in most Linux distros (if any). Certainly the many 3rd party apps for Windows don't come on the Windows install disk. So, even when split out, the worthwhile figure is drowning in noise.
Of course, RT-11 is superior to all of those because there were no vulnerabilities found in it at all last year. :-)
While Windows hadn't brought out anything new for the OS except security patches and bug fixes, *nixes have had numerous new versions of almost every single part of the OS. Think of it as a percentage; it would probably be Unix 5%, Windows 90%.
How many of these Linux/UNIX vulnerabilities allowed remote execution of arbitrary code as a superuser...
Also, note that PER-vendor Microsoft far outweighed the competition.
These aggregate numbers are meaningless. That being said, US-CERT made pretty clear that this was simply a list of reported vulnerabilities, not any sort of analysis, so I blame the news sites with taking the meaningless numbers and trying to create a news story that will get Windows and Linux/UNIX/MacOS X fans all excited to read and post (and generate ad revenue).
:-)
Of course, people have pointed these problems out about these CERT reports for many years. Still, since we have these same pointless discussions every year, CERT should make some basic changes to make these reports somewhat meaningful. Their previous years' list (http://www.us-cert.gov/cas/bulletins/SB2004.html) was more useful, because they at least made it clear which issues were high risk, and which application or OS each vulnerability was associated with, and they avoided the misleading totals. Let's hope that next year they at least go back to the 2004 report format, even if they don't bother to do any meaningful analysis.
Why do I say that the aggregate numbers are meaningless?
1) They count "updates" to vulnerability reports as vulnerabilities, so there are many vulnerabilities that appear to be counted 5-10 times in the "UNIX" list, and 2 times in the "Windows" list. My guess is that these "updates" are individual OS reports, meaning that a single vulnerability in a cross-platform application would be reported as 2 Windows vulnerabilities and 10 UNIX vulnerabilities. CERT should break out each OS into its own counts in order to correct for this. Eliminating duplicate reports isn't good enough, because there are many OS-specific reports, and it doesn't make much sense to count vulnerabilities specific to Solaris AND Mac OS X AND Linux AND HPUX etc., in a single number, since you run only one OS at a time.
2) They count reports of multiple vulnerabilities as a single vulnerability, which means that OS's that release fewer updates, each of which patches multiple vulnerabilities (e.g. Apple, Microsoft), appear to have far fewer vulnerabilities than OS's that release specific patches for each vulnerability. Strangely, this punishes OS vendors that rapidly address and release patches for vulnerabilities, and rewards vendors that are less responsive. CERT should count a single announcement that covers multiple vulnerabilities as if each vulnerability were reported individually.
3) They include third-party application vulnerabilities in the counts, and the number of those reports dwarfs the number of actual OS vulnerabilities (90-95% of the vulnerabilities listed aren't in the OS's). CERT should separate bugs in the OS's from optional third-party application bugs. Many of the vulnerabilities are in extremely obscure applications, and while users of those applications might want to know about these issues, it's hardly a reflection on the OS's security if there's a 'Wojtek Kaniewski EKG Insecure Temporary File Creation & SQL Injection' in some project's "contrib" directory, which is hardly comparable to 'Sun Solaris ARP Handling Remote Denial of Service' or 'Microsoft DirectX DirectShow Arbitrary Code Execution'.
4) Their OS coverage is quite spotty. For example, if an application runs on all OS's (e.g. Mozilla, bzip) and has a vulnerability that applies to all OS's, sometimes they're reported only for Windows, sometimes only for UNIX, sometimes for both, sometimes with many repetitions and sometimes only once. While this would require CERT to do some analysis (i.e. actually read the reports), they should consistently recognize cross-OS issues and remove them from the OS-specific lists and report them in the multiple operating system list.
Since each of these issues appears to introduce error rates that are an order of magnitude larger than the useful data, there's no meaningful data left.
Enable 3D printed prosthetics!
There is a difference between a vulnerability and an exploit. A vulnerability is just a potential weakness, a chink in the armor so to speak, but potential weaknesses cannot be taken advantage of unless it is exploited. It is thus the number of exploits that is the primary consideration when speaking of security.
Of course, Linux will have a large number of visible vulnerabilities! It is open source and anybody with two eyes and a passing knowledge of C should be able to find vulnerabilities almost everywhere. However, are those vulnerabilities actually exploitable? In most cases, Linux security alerts consist entirely of possible vulnerabilities and in most cases also, those vulnerabilities are quickly patched up and repaired; well before any practical exploits are written for it.
The case is not the same with Microsoft Windows. Because Windows is closed-source, the only way to demonstrate a vulnerability in Windows is to actually write an exploit for it! Thus, whenever a vulnerability has been discovered for windows, you can bet your Momma's last penny that there is a very good chance of the existence of a working exploit for it.
How many vulnerabilities are there in Windows we do not know of because we cannot examine the source? Judging from the number of exploits (written by people without access to Windows source code, by the way) we can infer with good accuracy that the total number of vulnerabilities in windows should be several times that of the number of exploits. I am too lazy to make a count but perhaps someone with the inclination can create a matrix showing Vulnerabilities vs exploit vis a vis Windows vs Linux. If we assume that the ratio of exploits to vulnerabilities is the same for both operating systems, what would be the estimate of the number of vulnerabilities in windows? If we further include the fact that Linux is open source while Windows is not, what would be the estimated number of exploits in Windows?
That would make an interesting study.
It is Linux's open-source nature that gives it the disadvantage when a simple-minded count of the security alerts for Windows versus the number of security alerts for Linux is made. But keep in mind that almost all security alerts for windows are not of vulnerabilities but of practical, demonstrably working, and potentially already widespread exploits. Most security alerts for Linux are of vulnerabilities.
In any discussion of security between Linux and Windows, the crucial distinction between vulnerability and exploit should be clearly enunciated.
Unless you've been living in a cave, the WMF exploit pretty much affects every Windows out there and it is being exploited. Don't even think it is only people who visit weird porn sites. The most harmless forum which allows those avatar images is vulnerable. Yes, even those that only allow the jpg/gif extensions, since MS in its infinite wisdom allows WMF images to properly load even when the extension is wrong because of content guessing.
A nice trick but as it turns out a rather dangerous one.
I don't remember any exploits like this for all the Linux, Unix, BSD, even Mac OSes out there. Ever, in fact. Not in my lifetime anyway.
And that is, I am afraid, what counts. Not how many bugs are reported but how many bugs go unfixed or unnoticed and become exploited.
On a side note, am I the only one to find it hilarious how all the MS apologists say the WMF exploit is easy to avoid by going to the command line and putting in a super complex command? Isn't Linux/Unix bad because it is CLI orientated?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
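The comment above makes the point that an extension allow-list on avatar uploads does not help when the client's image loader decides the format from the file contents rather than the extension. The defensive counterpart is to do the same content sniffing on the server and reject any file whose magic bytes disagree with its extension. The block below is an added example written for this thread, not code from any forum software; the JPEG, GIF, PNG and WMF magic numbers come from the respective format headers, and the sample uploads are constructed.

```python
import struct

# Magic bytes for the formats a forum avatar upload is likely to carry.
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # Aldus placeable metafile key


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes open with a placeable or standard WMF header.

    A standard (non-placeable) WMF starts with a METAHEADER: mtType is 1
    (memory) or 2 (disk), mtHeaderSize is 9 (in 16-bit words) and
    mtVersion is 0x0100 or 0x0300, all little-endian.
    """
    if data.startswith(WMF_PLACEABLE_MAGIC):
        return True
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack("<HHH", data[:6])
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_image(data: bytes) -> str:
    """Classify an upload by its leading bytes, ignoring the file name entirely."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PNG_MAGIC):
        return "png"
    if looks_like_wmf(data):
        return "wmf"
    return "unknown"


def accept_upload(filename: str, data: bytes, allowed=("jpeg", "gif", "png")) -> bool:
    """Accept only when extension and sniffed content agree and both are allowed.

    A WMF body under a .jpg name, or any allowed name over unknown bytes,
    is rejected; so is a correctly named .wmf, because wmf is not allowed.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    return ext in allowed and sniff_image(data) == ext


# Constructed sample uploads (not real files): a JFIF JPEG prefix, a
# placeable WMF renamed to .jpg, and a standard WMF header renamed to .gif.
SAMPLES = {
    "avatar.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "avatar2.jpg": WMF_PLACEABLE_MAGIC + b"\x00" * 20,
    "avatar3.gif": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: sniffed={sniff_image(body)} accepted={accept_upload(name, body)}")
```

Rejecting on disagreement rather than trusting either signal alone is the point: the renamed WMF samples pass an extension check and would be served to every visitor's viewer, but fail the content check.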
What do Adobe Acrobat Reader bugs have to do with 'Linux'.
Perhaps the best measure of security would include the number of vulnerabilities, their priority, and the average time to fix them once discovered. That might get us a nice measure for open source OSes where the vulnerabilities can be found by inspection, but it wouldn't help much with Windows.
It also might be good to take into consideration the number of users affected. Because of its market dominance, every Windows vulnerability affects a far greater population than a vulnerability in any other OS, thus all those vulnerabilities have a higher overall cost to the computing population.
-All that is gold does not glitter - Tolkien
Windows is more secure than Mac OSX, all of UNIX and all of Linux combined. But Windows is not more secure than any of those individual operating systems, only when you add them together does math work out.
So, there ya have it folks. I think we can all agree now, Windows truly is the most secure and trusted computing OS available. It has the best TCO, everyone knows this, and is virtually open source. So just buy Windows. I mean, what choice have ya got?
If they are lumping all the *nix OS's together, why do they bother distinguishing between UNIX and Linux? Even when they are fucking something up they can't get it right.
The Admin and the Engineer
Tabulate the data on how many of them were critical and the whole argument against *nix breaks down.
My last sig was ridiculed
Yeah! Using Wine, Linux can have all of Windows' vulnerabilities too! Wahoo! We're #1, we're #1!
I just spent a long time going through that list and decided to compare Microsoft and Debian. To be fair I included all GNU reports under Debian. I counted the first instance of any vulnerability, for anything with "Microsoft", "Debian" or "Gnu" or "GNU".
The total for Gnu/Debian is 51.
The total for Microsoft is 128.
So Debian Gnu/Linux is 2.5 times safer than Microsoft, based on ZD-net logic!
I also found it interesting that there's 2 Mozilla reports under Windows, yet dozens under Unix. I thought Moz was cross-platform....
compare only os vulnerabilities.
release the source code so thousands of people can review for vulnerabilities.
If that is all that was found on the *nix OSes and apps, with the number of people reviewing the code, in the whole year of 2005, who can complain that it's insecure?
And that list is across all releases.
I wonder what would happen if MS and just about every vendor of MS platform software released their sources to the world for review.
Personally, I will never ever run any Win* on any of my systems ever again. However, I think we need to keep in mind "expansion = problems".
I think the argument that there are more Win* vulnerabilities than there are *nix vulnerabilities because Win* runs on 99% of desktops is valid. It only makes sense. Why would a malicious author write something that affects 1% versus 99%?
With the rise in popularity, and in my estimation, the continued winning of desktops by linux, I think the *nix community should stop whining about unfair comparisons/studies and really take a serious look at the actual basis of the comparisons.
In order to maintain momentum in winning desktop space from Win*, *nix developers/distros/companies need to continue the good work fixing vulnerabilities or eliminating them prior to releases of distros/apps/updates etc...
Statistics can say anything you want them to say. However, since perception is reality for most people, the *nix community has to be impressive and secure in the minds of consumers.
Only then will the momentum remain sustainable.
Just my 2 cents
"Given enough eyes, all bugs are shallow"
Didn't Infoweek read the (long) list at all ?
Part of the list:
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
There are MANY vulnerabilities with updates counted as different, and there are many containing the words "multiple vulnerabilities" in their name.
I cleaned the list removing the updates and the correct amount for Windowses is 672 (not 812) and for Unixes and all the rest of the OSes 1034 (not 2328).
It's still stupid and misleading to combine all Windows OSes in one pile and the rest in the other. And even more stupid is to count patched and unpatched vulnerabilities together!
See the http://secunia.com/product/ for clearly categorized advisories.
The amounts are "Unpatched" / "Total advisories" / Product:
25 / 109 / Microsoft Windows XP Home Edition
29 / 124 / Microsoft Windows XP Professional
14 / 63 / Linux Kernel 2.6.x
0 / 2 / Ubuntu Linux 5.10
1 / 182 / Debian GNU/Linux 3.1
0 / 84 / Fedora Core 4
0 / 230 / Mandrakelinux 10.1
0 / 63 / Apple Macintosh OS X
Notice that some OS-versions are older than others. (The total count should be divided with the time.)
Of course the criticality should be counted too.
I checked the Linux Kernel 2.6 unpatched vulnerabilities and none of them can be used remotely; 7 (of 14) were DoS and 7 were ones where a local user could potentially escalate privileges or get sensitive information.
Of the Windows XP Home Edition unpatched vulnerabilities, 11 (of 25 total unpatched) could be remotely exploited.
Based on the above I come to the conclusion that Brian Krebs is either spreading FUD intentionally or out of plain stupidity. But what is the reason for Slashdot to do it?
BTW The story is duplicate:
http://it.slashdot.org/article.pl?sid=05/12/31/08
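The comment above and the earlier four-point critique both describe the same cleanup: collapse the repeated "(Updated)" re-issues of one advisory into a single entry, and note how many entries hide several bugs behind a "Multiple Vulnerabilities" title. The block below is an added example of that normalization written for this thread, not a tool from US-CERT or from either commenter; the titles it runs on are a constructed sample in the bulletin's naming style, not the real 2005 list, so the counts it produces illustrate the method only.

```python
import re
from collections import Counter

# Constructed sample of bulletin titles (not the real US-CERT list): one
# advisory re-issued several times with an "(Updated)" suffix, and one
# bundled entry whose title hides an unknown number of individual bugs.
SAMPLE_TITLES = [
    "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass",
    "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)",
    "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)",
    "GNU Gzip File Permission Modification",
    "GNU Gzip File Permission Modification  (updated)",
    "Example Browser Multiple Vulnerabilities",
    "Example Kernel Local Privilege Escalation",
]

# Trailing "(Updated)" marker, any case, with surrounding whitespace.
UPDATED_RE = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)


def normalize(title: str) -> str:
    """Key under which re-issues of one advisory compare equal.

    Strips the "(Updated)" suffix, collapses internal whitespace and
    lower-cases, so cosmetic differences between re-issues do not
    create extra entries.
    """
    base = UPDATED_RE.sub("", title)
    return " ".join(base.split()).lower()


def count_advisories(titles):
    """Summarize a list of bulletin titles.

    Returns (raw, unique, bundled, reissues) where raw is the naive line
    count, unique is the count after folding "(Updated)" re-issues,
    bundled is how many unique titles say "multiple vulnerabilities"
    (each an undercount of unknown size), and reissues maps each folded
    title that appeared more than once to its number of appearances.
    """
    counts = Counter(normalize(t) for t in titles)
    bundled = sum(1 for t in counts if "multiple vulnerabilities" in t)
    reissues = {t: n for t, n in counts.items() if n > 1}
    return len(titles), len(counts), bundled, reissues


if __name__ == "__main__":
    raw, unique, bundled, reissues = count_advisories(SAMPLE_TITLES)
    print(f"raw lines: {raw}, unique advisories: {unique}, bundled: {bundled}")
    for title, n in sorted(reissues.items()):
        print(f"  {n}x  {title}")
```

The two numbers it cannot produce are exactly the ones the thread says are missing: how many bugs a bundled entry really contains, and which OS each re-issue was for, since the "(Updated)" line carries neither.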
There's bound to be a major fuckup in the ratio. I'll be willing to bet that those that run *nix and are getting virii are either deliberately doing it, or are Class-A noobs that don't know you NEVER run as root, thus giving you the full privileges as Windows would give you to the OS while running as Administrator. How much you wanna bet they didn't fully include that fuckup factor into their equation/statistic?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The guy who wrote the infoweek article in question got PAID for such an obvious distortion. It's clear the article has nothing but flaws and really illogical assumptions and associations as people have pointed out. I wonder what his motivation was; the conspiracy theory says m$ partially funds or is in some way associated with infoweek.. the humorous theory is that one of our beloved slashdot trolls finally got a REAL JOB and is now trolling and getting paid for it.
Anyhow I sent out an email that basically pointed out all the flaws that have been mentioned here and "accidentally" cc'd most of the listed editorial staff. It would be nice if morons like that got fired for stupidity.. but he'll probably just get a bonus for actually driving some traffic to that POS site.
Ah well.
Um, that's really great news, isn't it? These geezers had to start countin' Several Separately Maintained Linux Distributions AND Several Classic Unixes AND Several Releases of Mac OS X to get a 3 to 1 ratio compared to just One Version of Microsoft Windows.
People, the wind is certainly blowin' in the right direction here !
free dom(inion) - free energy - free your mind - whee!
There are several other issues here that are important to note: how many of the vulnerabilities can be remotely exploited, taking that on board how many of them have exploits in the wild, and then how many of those vulnerabilities are operating system specific. When I read down the list I see several web applications that are reported as vulnerable, but they are not platform specific. For example, I can install phpBB on a Windows or Linux system with little to no difference.
This survey lumps "UNIX" in together, meaning solaris, linux, *BSD, AIX, IRIX, Tru64, OSX and whatever else.. Some of these OS's are abandoned by their vendors (IRIX, Tru64) and aren't undergoing much active development..
A much fairer comparison would be between actual off-the-shelf distributions of a given OS, instead of lumping everything together.. And it should also take into account the amount of bundled software (more bundled software, more chance of a vulnerability) and possibly do a comparison between each OS with all the optional components removed (baseline vulnerabilities)
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
M$ may have 1000 times more bugs, but they are not always reported
When all is said and done, nothing changes...
The question is not what vulnerabilities are found. The question is what happens.
No security system = no vulnerabilities. Of course all systems need a proper security review. Here also a role of the governments can be observed: Review code.
In the field of Open source a formal documentation of security reviews leaves a lot of room for improvements. The situation improved over the use of profiling tools but automatic detection of vulnerabilities and problems can still be improved. Test cases for code reviews, safer programming styles and languages, and time and review are key to ultimate security. Software does not get worse.
It has been my observation that Microsoft takes security vulnerability to a whole new level. Microsoft Internet Explorer has had the most extremely serious vulnerabilities of any software I've seen.
Below is something I wrote for customers about this week's astounding Microsoft vulnerability. Microsoft customers of any version of Microsoft Windows after Windows 3.1 can lose control over their computers just by visiting a web page. Security experts are saying it is the worst security vulnerability they have ever seen.
It's been there for 7 years. How many countries have secret police or espionage departments that have used this vulnerability?
Microsoft is taking a leisurely approach to fixing the problem. The company plans to release a patch on January 10. Part of the problem is that there is an ENORMOUS conflict of interest. Many customers, when they discover that their computer has become slow, don't realize that it is infected. They buy another computer. They don't want to spend the money to learn another operating system, so the new computer has another copy of Windows. So Microsoft profits from security vulnerabilities. Corporations are usually a group of generally moral people, but it has somehow been established that the corporation can be allowed to be immoral.
I wrote the instructions below for those of my customers who are interested in protecting their home computers, and have the minimal technical ability required. These instructions and the explanation will help them understand the importance of the work we do for them, and the problems we face in helping them.
________________
New, Very Severe Security Vulnerability In Windows
There are big problems now with a new, very severe security vulnerability In Windows. You can become infected even if you merely visit a malicious web site. See the articles linked below.
The vulnerability exists in all versions of Microsoft Windows, including Windows 98, except Windows NT. Macintosh and Linux computers are not affected.
NEVER follow instructions like those here unless you verify they are correct by reading an official source! In this case, you can see the instructions in the Microsoft article linked below. To see the instructions, load the article in a browser, click on "Suggested Actions", click on "Workarounds", and click on "Un-register the Windows Picture and Fax Viewer".
Temporary Fix -- Here is the temporary, incomplete fix given in the Microsoft article linked below. This adjustment does not make a computer secure, it just makes it more secure:
regsvr32 -u %windir%\system32\shimgvw.dll
This command, un-installation, will disable the automatic loading of graphics files in Microsoft Picture and Fax Viewer. That is better than risking infection of your computer with viruses, spyware, and other malware.
After un-installation, you will need to open a graphics program to view photos and other graphics. You can use Microsoft Paint, for example: Start/ Programs/ Accessories/ Paint. However, be careful to open only image files from trusted sources. If you view an infected graphic with Microsoft Paint, your computer will be infected.
Graphics in email programs like Mozilla and Thunderbird and Opera will display normally after un-installation.
Before the un-install, if your computer is about to be infected, you will see a pop-up message from those three em
because 'Linux/Unix' represents a large number of different operating systems. What might be more interesting (yes, I know all vulnerabilities are not born equal) is a comparison with a particular Linux distro, or a particular flavour of Unix. What are the numbers then?
Why not make this one of a subscriber's privileges?
Rich And Stupid is not so bad as Working For Rich And Stupid.
I was interested in what that (Updated) was, so I took a look. And what can you see? Every (Updated) means another distribution discovered that same bug. So, because of that you have, for example, "GNU Gzip file permission modification" counted 12 times. Odd? :)
That just might be because they are comparing a group of systems (the entire Unix world) with one system (windos, though there are several flavours, one might count it as actually two systems - those NT based and those win32 based).
Then there's the whole issue of assigning issues, especially with applications. Yadayada.
Then there's the whole issue of configuration. It's a well-known fact that windos systems can be made reliable and secure, if you can find one of the rare really good windos admins. Unix admins, on the other hand, are better on average, though the real pros are just as hard to find. But it's easier to set up well, so with better admins and better default settings it tends to be more secure on average, but that's due to secondary factors, not higher code quality.
In the end, you arrive at one conclusion: These things are sufficiently different that they are hard to compare. Whatever you do, you have to make some assumptions, and if your assumptions are wrong, your results are worthless.
Speaking strictly for me personally: I'd much rather entrust data worth $1 mio. to a Unix system - any unix system - than data worth $100,000 to a windos box. Call it prejudice or experience, I don't care, I've been proven right often enough to know that's a good rule-of-thumb.
Assorted stuff I do sometimes: Lemuria.org
Using Linux or BSD (I use both, Debian serving Apple) I can plug into the internet without getting infected, serve web pages, receive email from strangers, browse the internet and view WMF pictures without even being Owned!
I used to think my old Win98 box was pretty funny, being immune to last year's rash of debilitating viruses, but Microsoft has simply left too many doors hanging open - for decades..
Windows was safer before Microsoft discovered TCP/IP, we should have hidden it from them better..
True for most cases, however I would like to make one exception:
If an application error allows an attacker to gain root (Admin on windos) on the vulnerable system, the problem becomes an OS vulnerability.
In other words: It very well is the job of the OS to ensure that applications can not hurt the system. Both windos and most Unixes do a pretty shabby job at that, though stuff like privilege separation has pushed Unix ahead in the game.
The real solution to this, SELinux, Trusted Solaris, etc. - the whole RBAC/MAC area, is currently still too much in development and too complex for the average admin to get mainstream acceptance.
Sometimes I think /.'ers are all sadomasochists.
When they're not watching HENTAI porn of girls they'll never have, they're repeating dead yet painful discussions to keep the juices flowing. It's like masturbation with barbed wire. We all KNOW what this debate is all about. My penis IS bigger than yours. And my dad kicks your dad's ass.
Defining Statistics and Social Research
But many linux distributions blur the distinction between third party and core OS...
Linux distributions come with a large wealth of software, while windows comes with a comparatively minimal set. How would a linux distribution fare when stripped down to the same level as windows? and not to mention the fact that virtually anything can be removed from a given linux distro, whereas windows has lots of components which can't be removed/replaced.
Infoweek:
"The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings)."
Ya gotta love CYA jargon and short disclaimers, the white wash for troll reporting.
Some days it's just not worth
chewing through my restraints.
Using the somewhat specious metric of the number of vulnerability notices listed, we find....
FreeBSD-specific vulnerabilities: 16
OpenBSD-specific vulnerabilities: 6
NetBSD-specific vulnerabilities: 2
Now, which one is supposed to be the "secure" BSD?
(I won't even bother comparing those numbers with the Linux-specific vulnerabilities - I lost count of those
So many Linux distros are out there. The Gentoo developers, for example, have not even fixed a blocking bug (marked as minor) for mplayer for weeks.... although it is extremely obvious how to do that...
...they're all derivatives of SCO Unixware, right?
The view was horrible and the smell was even worse; Julie severely regretted becoming a proctologist.
Having worked as a maintenance coder in a past life, I can tell you that on review of code to add some new functionality or to tweak some bit of code, bugs and flaws are discovered that (almost) never would have been discovered by users ... while not a daily occurrence, I suspect that every maintenance coder has found flaws in just this manner...
If you think imaginary property and real property are the same, when does your house become public domain?
I read this list and I was shocked at the ridiculousness of the categories. First, a lot of the vulnerabilities listed are due to third-party software, so you can hardly attribute those flaws to the platform itself. (If I install an add-on to my car that makes it easier for people to break in, is Honda responsible?) Second, the Linux/Unix category is beyond absurd. In addition to covering many different Linux distributions, it also includes multiple flavors of BSD, HP-UX, AIX, and OS X among others. To make it even worse, the Linux/Unix category includes software which should definitely go under the multiple operating systems category. SquirrelMail? Apache? Come on.
This list makes about as much sense as saying: "This Ford car has fewer flaws than this Honda, Toyota, Kia, and this microwave oven combined! Great job Ford!" I suppose someone over at CERT is on the Microsoft payroll. And Slashdot bought into it. Silly.
Join Tor today!
One day Windows has vulnerabilities from zero to none and Linux is so insecure that nobody has courage to use it. Why?
Programming techniques! While the Linux party is favouring good ol' C, the competition has switched completely to more advanced languages that make buffer overflows, memory leaks, etc, impossible. Usage of C should be rated as a highly critical security issue when software becomes complex.
If you bare your ass to the world (linux) everyone is able to count the pimples. If you keep it covered, how does anyone ever really know?
Join the Slashcott! Feb 10 thru Feb 17!
You guys are all analyzing this as though this list is trying to make Linux look bad but this list isn't supposed to be used to determine core OS bugs.
You are supposed to use this list to say "I have a Linux machine. Let me check this list to make sure the Linux version of my Acrobat Reader doesn't have a bug in it."
This list just means that a bug was found in some piece of code that runs on that particular operating system. They are saying right from the start that this list has NOTHING to do with the core OS. If a bug was found in Linux Acrobat Reader it just means one bug was found on a piece of code designed to run on Linux. They are not trying to say that the Linux core is less secure, just that SOME piece of insecure code was found that was designed to run on that particular OS. The reason *nix is lumped together is because much of the SOFTWARE found in that list can run on many different distributions.
...to the point where finding them while attending is almost a Hallowed Tradition now.
Got time? Spend some of it coding or testing
Vulnerabilities on the *nix platform aren't going down. Regardless of how easy it is to retrieve and install patches/updates, one is seemingly bombarded with the need to update. One hears the Linux zealots, for example, brag how fast the response to bug/exploit reports is and how quickly (this varies from vendor to vendor) the bugs/exploits are fixed. Great. While the response and ability to band-aid is admirable (very much so!), where is the quick response to improving software processes to help prevent all these potential exploits? Where is the quick response to fix the root causes?
Every time these articles get posted there always seems to be a great deal of deflection of discussion from the root cause. I wish articles like these fostered discussion of possible paths to solution and/or how people can help protect themselves in light of all these vulnerable, bundled, applications.
We all know how responsive the *nix community is, in particular the GNU/Linux platform, what a lot of us don't know is how we can stop this problem or at least more significantly mitigate the effects.
All this list means is that more are reported. It doesn't mean that Unix is less secure, and by saying that let me qualify it by saying 'when used correctly'. There are many Windows admins who can make a Windows machine more secure than a bad Unix guy, and there are Unix guys who will make a machine impregnable next to a well-patched Windows machine. It's all about difficulty and severity. Let me qualify that:
I think the real question is two fold:
#1 - If you get compromised, how bad is the damage?
#2 - How much of the exploit is really your fault and not the developer?
-- As a Unix admin, if you install a copy of a program, leave it for a few years and then turn on a bunch of useless protocols that were beta to begin with, you didn't read the manual -- who is at fault? The development team or the admin who didn't take the risk into effect? In this case, a default install on Windows might actually end up being more secure than your dumb self.
-- Now as a Windows admin, all you can do is wait and feed off the Microsoft trough. If something breaks, you can't exactly go debug the code and fix it. You're only lucky if someone writes a workaround, such as this recent WMF exploit. But in general, the tools aren't usually bad for working, and if you're really good you can probably find a workaround, or go delve into the registry for that particularly sticky key some developer left in there for you to find. Obviously for the smart Unix admin, finding settings is a 'man' call away even for a mediocre admin.
SO:
And Like so many have mentioned, this is all about reported bugs. And the difference is, when you report a bug to an open source team, they take it personally and complete it at any cost. When you report a bug to Microsoft, they look at it and figure out how much it'll cost them before they even acknowledge it. They are a company, that's just how it works. I would say don't get pissed about it, just realize the consequences and do the best you can.
And for God's sake, pick a good d4mn root/Administrator password.
- Brett
A chap named Chris MacDonald at the University of WA does it routinely.
But he's the only one I know.
The bits and pieces in MS-Windows are all heavily tied together not so much for technical as for marketing reasons. If everything is one great hairball, it's easier to argue that it can't be split. If you still have MSIE lurking even after you "uninstall" it, it will eventually work its way back to being used as a browser again. If MSIE "cheats" and uses little-known APIs to speed its operation, then other browsers look slow and clumsy on the same system. But most importantly, everything on the system is a kind of sales link to everything else on the system. As soon as one gets a foot in the door, the others get dragged in as dependencies.
Developers, developers, developers my ass. It's all about sales, sales, sales.
Come on, does anybody even report MS vulnerabilities anymore? Wouldn't that be like the meteorologists reporting that tomorrow the sky will be blue?
Does anyone else find it pretty absurd that the list of vulnerabilities is that long anyway? All statistical concerns (and as a student of that discipline, I have many) and OS opinions (I run Gentoo) aside, I think it's rather telling about the state of the industry, and consequently rather depressing, that there are literally thousands of reasonably major holes in the machines we've imbued with as much trust as the sum of all the Linux/UNIX and Windows boxes out there. Being a programmer, I know expecting perfect code out of the box is irrational, but maybe it's time for some paradigm shift.
"My heart is in the work." - Andrew Carnegie
Quality vs. Quantity: a thousand little issues that are context-specific do not mean as much as just one huge universal hole in an OS.
The WMF problem is public now, but has been with us since 1990; if anyone has known about this flaw for all those years, Windows users may have been totally owned for ages.
The nature of the WMF bug is such that it is not blocked well by generic security measures. Many of the small *nix issues are stopped by good security practices and generic measures.
Why don't people get it?
Some users here are forgetting that Windows by itself is not an OS. I cannot go to the store and buy the Windows operating system. There is Media Center (basically XP), XP Home, XP Pro, XP 64, 2000 Pro, NT, CE, and so on. The same goes with the various distros of *nix. I like to use Fedora, Red Hat 9 and Win XP. I say use whatever works for you. I do believe that since you have a company (Microsoft) with such a huge OS market share, more people are writing malicious code to screw with Microsoft. It's also easy for malicious code to take advantage of a system where most users are working on their personal PC as the administrator. Every owner of a new Microsoft OS is the admin of their PC. You never see instructions included with a Dell PC with XP stating that users should work with the least amount of privileges. I also believe that you have more computer-intelligent users using a *nix system. Given enough time, any OS can be exploited.
Windows *may* have fewer vulnerabilities than all other existing OSes together, but it sure is trying to keep up...
Maybe Vista will turn the tide.
Look at the actual list. As each different Linux or Unix vendor released a patch, an update was released to the notice. A single Unix vulnerability would spawn many updated notices for a single flaw, and each one gets counted in this stupid statistic.
Personally though, I think Linux has the more important edge: I can always download some kludge of a .patch file and recompile the broken component. Although, it has been demonstrated with the current WMF hole that once a binary vulnerability has been discovered in Windows, unofficial kludge fixes and workarounds can be put out, however rare these may be.
....
I think there must be some sort of a scam going on with the responses here.
I can't believe that you don't all know that riding a box that will not automatically load all the cookies that God and the NSA sends is itself a massive security flaw!
Hmmmm.... I wonder if they know?
Course they do. Just being flippant. God knows everything.
So why does his agency need
Ah, never mind.
Pollardito (781263) sez: "this isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS"
From CERT: "Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information."
Meaning, of course, that the statement in the parent "According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows" is complete FUDcrap.
The difference between bias and ignorance is you treat one with the wide side of a clue by four, and the other with the narrow side, but it doesn't matter which is which. Corrective phrenology is not an exact science.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
Comparing how many patches or even how fast they are fixed, for any given OS, tends to be a useless comparison. Every OS will have them occasionally, and any vendor can inevitably twist the numbers to say what they want. And it only takes one to hurt you.
The true long term difference is whether the flaw is a design flaw or a coding bug, and if exploited, how damaging it is. A coding bug like a buffer overflow or missed exception can be fixed, because it is an unintended result of how the program functions. In contrast, a design flaw cannot necessarily be fixed, because the program was intentionally coded this way, and fixing it means breaking the intended functionality of the program.
With a design flaw, the product was intentionally written to do something that turns out to be a bad idea. It's things that may be trumpeted as great features of a product, that people may use for valid business reasons, but that because they were not thought out with security in mind, are easily exploited by attackers. Because they are intentional functionality, you can't create a fix that prevents the attacks while leaving the product intact and working as it did before.
Microsoft's biggest problems are not the unintentional bugs (which ever OS has) - they are the design flaws that are all so common in MS software. Some of the more common examples of this are:
Windows OS itself
Every user is, by default, superuser/administrator/root on Windows. You can change this if you know how, but most people don't bother, or even know it's an issue. As a result, users can accidentally destroy their OS, and any program they run has the potential to do so, either by accident or design (i.e. viruses and trojans). The OS can't really protect itself from the average user (or processes the user runs - intentionally or otherwise). And if you do know enough to create non-admin users, there are lots of programs out there that break when you do so, because they expect the default wide open access.
Consider a flaw in a program like IIS or Exchange - The whole point of them is to expose them to the Internet. If there is a bug in these programs (i.e. an unintentional, fixable issue), the fact that they cannot be jailed by the OS means that if an attacker exploits a bug and gets in, the entire machine is suspect (i.e. if IIS or Exchange is compromised, so is the OS). Contrast that to a typical unix web or mail server, where they often can be put in a chroot jail (completely isolated from the majority of the OS), or at least run as a user with limited access. By design, MS has a very thin shell that, once broken, leaves the entire OS wide open. Unix variants, including Linux and MacOS, have many layers of protection that Windows simply lacks.
One only has to point to Code Red and its many variants to prove this point.
MS Office macros
MS Word/Excel contains macros that allow you to do just about anything in the OS - including writing to system files, etc. And it allows this wide-open access by default. OpenOffice and others don't allow this, so you don't get macro viruses. It used to be that we had things like boot sector viruses or exe infectors, and these were easy to catch and get rid of. They took a certain level of skill to write (typically assembly or C), and were very sensitive to OS changes, so there were relatively few of them. Now we have thousands of macro viruses, they are easy to write, and people readily accept them into their system (via social engineering - viruses can say "here's that doc I promised you", and too many people will open it to see what it was they "forgot they asked for").
Microsoft can't truly fix this issue without completely breaking MS Office. Add to that the fact that MS Office (which because all users are superuser by default) has full access to the entire OS, and you're in a lot of trouble. Contrast that to, say, Linux: By default anyone with a lick of sense does not run normal user processes like word processing as root. If you run MS Office on Linux (say, in cr
When you group all OS-specific vulnerabilities against Unix-like operating systems into one large non-OS-specific category, they outnumber the still OS-specific Windows category.
This is as useless as comparing apples to orange groves
One more time ... This was reported DAYS ago and the conclusion was that windows had about 800 bugs and ALL flavors of unix/linux(including *BSD and all kernels) had about 2200 bugs. There could even be cases where one bug is reported twice or more.
What you are doing is trolling.
Say something bad about Linux?!?!?! Surely you jest. I see that already the apologists and zealots are out in full rationalizing it away. Unfair comparisons, "yeah, but they are fixed faster", etc.... *yawn*
Tell me why samba is *still* broken on x86-64 on SuSE when it has been known about for quite a while...
When I talk to my boss about moving over to Linux for some of the servers, this is the type of article that he will throw in my face. As a matter of fact, before I saw this on slashdot, this article was already printed and sitting on my chair - with a smiley face drawn by my boss. It's hard to argue the obvious when crap like this circulates in the media. There is a reason open source is called open. When 10,000+ coders look at open source code, you find many more security holes that you plug up than if 1000 Microsoft programmers look at their own code. Microsoft programmers also face political issues. Imagine my friend, who works for MS. His partner wrote and released a piece of code. 2 days after it went into production, he discovered a bug. This was right before bonuses were handed out. Of course he held back on the info until after the bonus, and then he submitted the fix.
Intelligent Design
I think, as time progresses, we will hear more of this, that Linux has more vulnerabilities.
Not because it really does, but because Linux is becoming more mainstream, adopted by more people. And as the user base becomes larger, the overall technical expertise of the user base lowers. And since Linux gives the user complete control over the OS, it's much easier for someone not in the know to expose their system and become susceptible to "vulnerabilities"...
hope that makes sense lol...
Ignoring Applications vs OS, and Severity, and speed of fix, let's look at one example:
"Ethereal" is listed 9 times under Linux/Unix and zero under Windows.
Ethereal is an application that runs on both systems and all of the vulnerabilities reported are equally applicable to the Windows version yet amazingly nothing is listed.
This entire list is nonsense!
On the eve of a major attack to the windoze OS you tell us other OS' are 3 times worse, yeah right buddy... http://www.theregister.co.uk/2006/01/05/secfocus_zeroday/
http://www.heise.de/english/newsticker/news/68019
http://www.google.ca/search?hl=en&q=Sober.Z+worm&btnG=Google+Search&meta=
"Of course, as usual this vulnerability only affects Unix computers."
or when hell freezes over, whichever comes later.
For a variety of technical, social and corporate reasons the effects of Windows vulnerabilities are generally magnitudes more damaging than those found in Unix.
A simple bug-count can never give a real picture about what's what.
~ Better a freak than a sheep. ~
Windows had more vulnerabilities listed than Linux.
Then it would have been heralded as proof that Windows sux!
There is only 1 vendor providing Microsoft Windows, and there are several providing Linux and Unix operating systems. So on a per-vendor basis, it's clear that Windows has more vulnerabilities.
This doesn't surprise me. Look at it this way: you're giving away the source code. Yes, the code is changed often and is highly secure for systems like Linux and Darwin, but you're also giving hackers a road map as to how to proceed in compromising a system. Staying proprietary has its merits. There's just no denying it. On the flip side, you also have to remember that Microsoft's system runs on a high percentage of the world's computers. And most of those computers are run by non-technical people who run as root user (Administrator in Windows' case). This gives hackers a much larger and less secure target, so it would appear that Windows has all the security problems (viruses, spyware, etc). Linux users, on the other hand, are more knowledgeable users than their Windows counterparts, and so this, in and of itself, leads to fewer compromises. Linux users "get" the concept of running multiple, non-root accounts which, as we all know, is a much more secure way of running a system.
In 2003, the most stolen car was the 1995 Saturn SL. Now, does this mean a 1995 Saturn SL is an insecure car technically? Or could this mean that it's in car thieves' financial interest to steal this car? It's a Tech vs. Economics question. I think it's all about perception and what people want to believe. All I can say is I've run some very secure Windows systems and never had a problem. As for the mom and dad Windows users, perhaps the next version of Windows will run as a non-root by default, and I bet we'll all see fewer Windows compromises.
What we have from this is the indisputable fact that more *nix vulnerabilities were reported in the year than Windows vulnerabilities. This could mean a wide variety of things though...
For instance, this could just mean that the open source model is working as it was meant to and many eyes are finding more bugs. Windows could still have far more.
Also, consider that this does not go into detail on the severity of the holes. I am far more concerned about one serious vulnerability that would allow someone to readily get my sensitive information and control my PC than a dozen minor ones which may be exploitable only under uncommon circumstances or that allow only less severe exploits.
I find it interesting that they dump Macs, every Linux distro, and Unix into one category and Windows into another. The main point being all of the Linux distributions lumped together. These are ongoing projects with new versions coming out frequently. Counting XP SP2 and 2003 SP1, I believe Windows had 2. This is the same thing as saying Ford, Chevy, and GM combined had higher crash ratings than Toyota last year. The "No Duh!" response leads me to believe this is objective reporting at its best.
What I want to know is a breakdown of how many vulnerabilities each OS, distribution, and version had reported. How many of these were cross-platform, found in every version of an OS, and which were version-specific. Add another column for the number of bugs that were reported by a 3rd-party interest and how fast these bugs were patched. Then add the same column but for self-reported bugs. Lastly, to be fair to MS, give the current estimated market share.
Unix/Linux = Dozens of operating systems and hundreds of distros
Windows = One operating system and a handful of versions
Register the editry.
Here's another example of what I was talking about above: Circumventing Group Policy as a Limited User.
Note the end of the article: "It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team."
That's another example of Microsoft's mindset, in my opinion. It appears to me that Windows is deliberately weak. It's not an accident that Windows has low security.
Looking at the summary I've seen that there are no vulnerabilities of Apache on top of a Windows machine. Moreover, PHP versions showed bug-free last year. So Apache/PHP is a killer web server for Windows; switch to w2k3 + Apache now!
Ridiculous, I don't to say who's behind the scenes ...
wow, either M$ has joined forces with CERT, or has bribed them with some obscene amount of green stuff (which turned out to have cockroaches in it... all you M$ stuff is belong to BUGS) anyways... thought i'd troll some...
M$ is working on "In Soviet Russia, you annoy M$ bug!"
Flame away folks!
Is it just me or are all the open softwares under *nix? Don't ImageMagick vulnerabilities exist on Windows as well?
Atheism is a non-prophet organisation
Never mind that the majority of both lists are third-party applications anyway... yah, so exploited applications on *dos are much more dangerous than *nix - it is still harder to assign specific blame to microshaft, even if they made it easy to corrupt their platform.
Didn't anyone see the "sponsored by Microsoft" link on that site?
I'll agree to that. Privilege escalation should only be possible via system calls, and there shouldn't be holes that allow arbitrary escalation.
I'll still hold that I'm not terribly interested in counting some linux-specific IMAP server's security issues as a 'possible' OS X security issue when nobody is known to even have built that IMAP server on OS X, though, and vice versa. My main point is that the whole concept of grouping "Unix/Linux/MacOS" together stinks, as surely not all of those flaws affect all of those systems.
How many *nix admins have the patch management in place to tackle the updates? In a Windows shop you prepare and expect "ugly patch day" just like you do with every OS. So, I don't care about the OS as long as it does the job when I need it to, and when it breaks I can fix it without too much headache. Seriously, stop crying. I will make a huge assumption that most Slashdotters are computer enthusiasts and that we all know one thing: no matter the product or vendor, at some point you're gonna take it in the ass.
I agree with you - up to a point. If it does the job it's OK for me. If it breaks, I'll fix it - but I will not have a headache over it. And I'm most certainly not crying. I am a computer enthusiast and so like working with them - all of them. I know that all vendors make a mess of it on occasion and have grown accustomed to the idea that I have to clean up after them if I want my little corner of the IT world to continue to work. But "take it in the ass" no! If we get down to that level I rapidly develop "an attitude problem" and quickly demonstrate that I'm part of the "leave blood on the floor and hair on the walls" fraternity. There has to be limits and, if pushed, I'll impose one or two.
How many beans make five, anyhow ?
...but probably patented.
how about this, they found all of the bugs in windows like 2 years ago so they didn't find that many in 2005? :D It doesn't prove anything anyway...