Slashdot Mirror


Linux/Unix Tops Charts for Vulnerabilities in 2005

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

21 of 438 comments

  1. Dupe by A beautiful mind · · Score: 2, Informative

    Sigh. The statistics were flawed the first time they were posted to /., no need to repeat that bag of bad science.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  2. Already hashed over in depth on GrokLaw by jmac880n · · Score: 5, Informative

    This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.

  3. Cause it's a dupe? by goombah99 · · Score: 3, Informative

    Nothing new here that was not reported on Slashdot four days ago. Move along, or repost your inciteful or insightful comment, or someone else's if you karma whore.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  4. the thing about the list.... by User 956 · · Score: 2, Informative

    If you read the actual list, a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".

    --
    The theory of relativity doesn't work right in Arkansas.
  5. Pretty Damn Good! by Anonymous Coward · · Score: 1, Informative

    I think 3-1 is pretty damn good when you consider that the "Unix/Linux" category contains more than 5 Operating Systems!

    Just breezing through the list I see:

    • Linux
    • HP-UX
    • AIX
    • OSX
    • SCO OpenServer and UnixWare
    • Solaris

    And I'd imagine there are probably more. I'd take those odds over Windows any day.

  6. Groklaw comments by Phragmen-Lindelof · · Score: 2, Informative

    Groklaw has comments about this like:
    Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
    Kind of makes a numerical count of reported security problems pointless. (BEGIN SARCASM) Of course, the Linux/Unix security holes are much more serious than are Windows security holes because automated worms, viruses, etc. attack Linux/Unix machines but not Windows computers. (END SARCASM)

  7. Re:Along with the total numbers... by LnxAddct · · Score: 5, Informative

    Not only do they not take into account severity, a large portion of the vulnerabilities in the Linux list are tagged with "update" meaning that a large portion are just updates to previously filed bugs, but worst of all, their lists are just plain wrong. A huge chunk of the open source projects listed under *nix are not listed under Windows, yet they run on Windows and the vulnerabilities affected Windows. There are Apache, Gaim, PHP, Zope, Clam AV, Vim, Emacs, Perl, MySQL and many more vulnerabilities listed just under *nix, yet equally affect Windows. Even worse, Windows has 1 Firefox vulnerability listed, yet *nix has 153 Firefox vulnerabilities listed (including the couple of tens of updates) but every vulnerability I saw listed equally affected Windows. This list is separating vulnerabilities by pretty much whether it's open source or not (for the most part, say 90%), not by what platform it runs on, yet the latter is how they are categorized. This whole list is a big giant piece of misinformation and someone needs to correct it.

    It's also not intelligent to group together all Unix derived operating systems, as they all follow completely different security structures, development paradigms, and grouping them is simply serving to inflate already misleading numbers. The fact is that the only thing this list clearly shows is that open source projects are much better at following up on security problems (noting all of the updates), and that there are far more applications that run under *nix than under Windows once you account for all of the at least semi-popular open source projects.
    Regards,
    Steve

  8. Re:How about pointing out... by Anonymous Coward · · Score: 1, Informative

    Safari runs on WebKit, which itself is from KHTML and the KDE project. If the bug in Safari is WebKit specific, then it belongs with KDE, and thus should get counted.

    If it's just a bug, that's plain stupid to count it...

  9. Worse than that by Lifewish · · Score: 2, Informative

    If I recall correctly, they're actually double-counting some vulnerabilities in common software - once for Linux, once for OS/X, once for Sun Solaris etc (I think that was right - can anyone confirm?). None of this was malicious - this survey was never intended to be rigorous and the people doing the counting made that quite clear. However, it does mean that any attempts to judge the relative merits of the various operating systems are somewhat fruitless.

    --
    For the love of God, please learn to spell "ridiculous"!!!
  10. Re:Yes, indeed. by Anonymous Coward · · Score: 1, Informative

    Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before Microsoft ACKNOWLEDGED that they had similar flaws.

    Like, oh, the libpng vulnerability fixed in August less than two years ago?

    "On 4 August 2004 a new jumbo security patch was released to address several potential vulnerabilities in libpng, at least one of which is quite serious." link

    And by "quite serious," they mean "remotely exploitable vulnerability, which could lead to arbitrary code execution on an affected system." link

    Remind me how many *nix distros use libpng?

  11. Re:How about pointing out... by miyako · · Score: 2, Informative

    It may be impossible for the various kernels, but I would bet that it's actually easier to patch a lot of things in *nix than in Windows because the *nix kernels don't throw things like a web browser or a window manager into the kernel.
    If there is a security hole with Konqueror browsing files on KDE then KDE issues a patch and it should mostly work on all of the various systems it runs on.

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  12. More than half of these are dupes or updates by Anonymous Coward · · Score: 2, Informative

    I copied the list to a file, ran 'uniq' and 'grep -v "(Updated)"' on it to remove any duplicates and rows containing the string 'Updated'.

    Only turned up 813 lines.

    This article in a TLA: WTF?

  13. Re:How about pointing out... by Pollardito · · Score: 4, Informative

    It's even worse than that, here's some of the UNIX vulnerabilities:

    • Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
    • Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
    • Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
    • Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
    • Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
    • Adobe Reader For Unix Local File Disclosure
    • Andrew Church IRC Services LISTLINKS Information Disclosure

    This isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS.

  14. Re:How about pointing out... by Dolda2000 · · Score: 4, Informative

    Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that were counted for Windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in Windows + Windows apps alone! This result is much more unfavorable for Microsoft than for any Unix/Linux OS!

    Actually, it's far worse than that. If you filter out the "Updated" entries for each vulnerability, it lands on 672 for Windows and 892 for the so-called "Unix/Linux" category, which means a mere 32% more vulnerabilities for 12 systems + 10x more apps than in Windows + Windows apps alone!

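The de-duplication that comments 12 and 14 describe (strip the "(Updated)" re-issues, drop repeated titles, count what is left) is easy to get subtly wrong: plain `uniq` only collapses adjacent duplicates, and `grep -v "(Updated)"` throws away any vulnerability whose only listing carries the suffix. The script below is an added example, not code from any poster or from US-CERT; the sample list is constructed from titles quoted in comment 13 and the Groklaw excerpt, with one extra non-adjacent duplicate appended to show the `uniq` pitfall.

```shell
#!/bin/sh
# Added example (not from the thread): count distinct vulnerabilities in a
# US-CERT style title list, comparing the naive one-liner from the thread
# with a corrected normalise-then-dedupe pipeline.

# Constructed sample list, modelled on entries quoted in the thread.
# The final line is a deliberate non-adjacent duplicate of line 3.
SAMPLE_LIST='Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
Andrew Church IRC Services LISTLINKS Information Disclosure
Andrew Church IRC Services LISTLINKS Information Disclosure
Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow'

# Naive approach from comment 12: uniq, then drop every "(Updated)" row.
# Problems: uniq misses the non-adjacent repeat, and entries that were
# only ever listed with the "(Updated)" suffix vanish entirely.
count_naive() {
    printf '%s\n' "$SAMPLE_LIST" | uniq | grep -v '(Updated)' | wc -l | tr -d ' '
}

# Corrected approach: strip the "(Updated)" suffix and trailing whitespace
# so re-issues fold into their base title, then sort before uniq so that
# duplicates anywhere in the list collapse.
normalise() {
    sed -e 's/ *(Updated)$//' -e 's/[[:space:]]*$//' | sort | uniq
}

count_distinct() {
    printf '%s\n' "$SAMPLE_LIST" | normalise | wc -l | tr -d ' '
}

# Vulnerabilities whose only listings carried "(Updated)": exactly the
# ones the naive filter silently discards.
count_updated_only() {
    all=$(mktemp)
    base=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" | normalise > "$all"
    printf '%s\n' "$SAMPLE_LIST" | grep -v '(Updated)' | normalise > "$base"
    comm -23 "$all" "$base" | wc -l | tr -d ' '
    rm -f "$all" "$base"
}

echo "naive count (uniq + grep -v):     $(count_naive)"
echo "distinct vulnerabilities:         $(count_distinct)"
echo "lost by the naive filter:         $(count_updated_only)"
```

On the sample the naive pipeline reports 3 (it keeps the non-adjacent duplicate and loses the two Fetchmail/mailListIsPdf entries), while the normalised count is 4. Neither figure says anything about severity or about which platform a bug actually affects, which is the larger objection raised elsewhere in the thread; the script only fixes the counting.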
  15. Re:Suuuuure by dsci · · Score: 4, Informative

    What percentage of discovered bugs do you think are actually found by looking at the source code of a program?

    All of them?

    I know your point: that the INITIAL discovery and exploit is not typically found by looking at the code. But to fix vulnerable code, one must FIND and edit it. The point is, once an exploit is discovered, there are many people who can locate the faulty code and fix it fast.

    Open Source is a good thing. Really, what is the down side of source code availability?

    --
    Computational Chemistry products and services.
  16. Rubbish by Brandybuck · · Score: 2, Informative

    Utter rubbish! This is comparing one operating system with two varieties to a dozen different Unix and Unix-like operating systems with hundreds of variants, distributions and versions.

    How about comparing just ONE operating system to ONE other operating system? Like Windows XP to Solaris/SPARC? Or Windows Server to FreeBSD 5.x branch?

    --
    Don't blame me, I didn't vote for either of them!
  17. Even worse, the way the stats are grouped!!!! by Fallen Kell · · Score: 2, Informative

    At first glance it looks like the groupings have MS as a better OS in terms of CERT warnings, but not even that, look at how the bins are made which group the numbers together.

    Basically UNIX (BSD, Solaris, AIX, IRIX, SCO, OS X), and ALL LINUX distributions are counted as ONE (1) bin, against MS Windows!!! So, you have basically EVERY popular mainstream operating system other than Windows in one bin and Windows in another, and you are trying to tout THAT as a stat that Windows has fewer flaws than Unix/Linux? Sure, it does when you count ALL VERSIONS OF UNIX AND LINUX TOGETHER AND ADD UP ALL THE VULNERABILITIES FOUND IN ALL THE DIFFERENT VERSIONS!!!!!

    THEN there is the fact that different CERT warnings appear multiple times! For instance, Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated) is counted at least 4 times under the SAME NAME, and at least 1 more time under a different name, but it is still the same vulnerability!!!

    See http://www.groklaw.net/article.php?story=20051231142317870 for more details.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  18. Vulnerability vs Exploit by yeOldeSkeptic · · Score: 3, Informative

    There is a difference between a vulnerability and an exploit. A vulnerability is just a potential weakness, a chink in the armor so to speak, but potential weaknesses cannot be taken advantage of unless they are exploited. It is thus the number of exploits that is the primary consideration when speaking of security.

    Of course, Linux will have a large number of visible vulnerabilities! It is open source and anybody with two eyes and a passing knowledge of C should be able to find vulnerabilities almost everywhere. However, are those vulnerabilities actually exploitable? In most cases, Linux security alerts consist entirely of possible vulnerabilities and in most cases also, those vulnerabilities are quickly patched up and repaired; well before any practical exploits are written for it.

    The case is not the same with Microsoft Windows. Because Windows is closed-source, the only way to demonstrate a vulnerability in Windows is to actually write an exploit for it! Thus, whenever a vulnerability has been discovered for Windows, you can bet your Momma's last penny that there is a very good chance of the existence of a working exploit for it.

    How many vulnerabilities are there in Windows we do not know of because we cannot examine the source? Judging from the number of exploits (written by people without access to Windows source code, by the way) we can infer with good accuracy that the total number of vulnerabilities in Windows should be several times that of the number of exploits. I am too lazy to make a count but perhaps someone with the inclination can create a matrix showing vulnerabilities vs. exploits vis-à-vis Windows vs. Linux. If we assume that the ratio of exploits to vulnerabilities is the same for both operating systems, what would be the estimate of the number of vulnerabilities in Windows? If we further include the fact that Linux is open source while Windows is not, what would be the estimated number of exploits in Windows?

    That would make an interesting study.

    It is Linux's open-source nature that gives it the disadvantage when a simple-minded count of the security alerts for Windows versus the number of security alerts for Linux is made. But keep in mind that almost all security alerts for Windows are not of vulnerabilities but of practical, demonstrably working, and potentially already widespread exploits. Most security alerts for Linux are of vulnerabilities.

    In any discussion of security between Linux and Windows, the crucial distinction between vulnerability and exploit should be clearly enunciated.

    1. Re:Vulnerability vs Exploit by Anonymous Coward · · Score: 1, Informative

      Ahh yes, the old myth that a vulnerability is only theoretical until it is exploited. I believe MS used to use that bullshit line too, and when they used it everyone shot them down as it being bullshit. So why does it now qualify as justification when it comes to OSS?

  19. Re:How about pointing out... by Ohreally_factor · · Score: 2, Informative

    Not probably. The same vulnerabilities were counted multiple times.

    See this story over at Groklaw

    --
    It's not offtopic, dumbass. It's orthogonal.
  20. Re:Suuuuure by stevey · · Score: 4, Informative

    All the bugs I find and report which result in Advisories are as a result of source code auditing.

    It looks like I made the CERT list a couple of times, e.g. uw-imapproxy.

    But these bugs are trivial things in applications which are either "extra", or not typically installed.

    Fixing bugs in programs is important, but having a list of 500 simple buffer overflows in rarely used games (for example) on Linux says nothing about the relative security of Linux vs. Windows.

    The worlds are too different; comparing every application included in Debian, say, against Windows would only make sense if you installed every single shareware/freeware/optional piece of software on the Windows machine - and that clearly isn't a real world scenario.