Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux/Unix Tops Charts for Vulnerabilities in 2005

Posted by samzenpus on from the better-safe-than-sorry dept.

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

6 of 438 comments (clear)

  1. Already hashed over in depth on GrokLaw by jmac880n · · Score: 5, Informative

    This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.

  2. Re:Along with the total numbers... by LnxAddct · · Score: 5, Informative

    Not only do they not take into account severity, a large portion of the vulnerabilites in the Linux list are tagged with "update" meaning that a large portion are just updates to previously filed bugs, but worst of all, their lists are just plain wrong. A huge chunk of the open source projects listed under *nix are not listed under Windows, yet they run on Windows and the vulnerabilities affected windows. There are Apache, Gaim, PHP, Zope, Clam AV, Vim, Emacs,Perl, MySql and many more vulnerabilities listed just under *nix, yet equally affect Windows. Even worse, Windows has 1 firefox vulnerability listed, yet *nix has 153 firefox vulnerabilities listed (including the couple of tens of updates) but every vulnerability I saw listed equally affected Windows. This list is separating vulnerabilities by pretty much whether its open source or not (for the most part, say 90%), not by what platform it runs on, yet the latter is how they are categorized. This whole list is a big giant piece of misinformation and someone needs to correct it.

    It's also not intelligent to group together all Unix derived operating systems, as they all follow completely different security structures, development paradigms, and grouping them is simply serving to inflate already misleading numbers. The fact is that the only thing this list clearly shows is that open source projects are much better at following up on security problems(noting all of the updates), and that there are far more applications that run under *nix than under Windows once you account for all of the at least semi-popular open source projects.
    Regards,
    Steve

  3. Re:How about pointing out... by Pollardito · · Score: 4, Informative
    it's even worse than that, here's some of the UNIX vulnerabilities :
    # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
    # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
    # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
    # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
    # Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
    # Adobe Reader For Unix Local File Disclosure
    # Andrew Church IRC Services LISTLINKS Information Disclosure
    this isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS
  4. Re:How about pointing out... by Dolda2000 · · Score: 4, Informative
    Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!
    Actually, it's far worse than that. If you filter out the "Updated" entries for each vulnerability, it lands on 672 for Windows and 892 for the so called "Unix/Linux" category, which means a mere 32% more vulnerabilities for 12 systems + 10x more apps than in Windows + Windows apps alone!
  5. Re:Suuuuure by dsci · · Score: 4, Informative

    What percentage of discovered bugs do you think are actually found by looking at the source code of a program?

    All of them?

    I know your point: that the INITIAL discovery and exploit is not typically found by looking at the code. But to fix vulnerable code, one must FIND and edit it. The point is, once an exploit is discovered, there are many people who can locate the faulty code and fix it fast.

    Open Source is a good thing. Really, what is the down side of source code availability?

    --
    Computational Chemistry products and services.
  6. Re:Suuuuure by stevey · · Score: 4, Informative

    All the bugs I find and report which result in Advisories are as a result of source code auditing.

    It looks like I made the CERT list a couple of times, e.g. uw-imapproxy.

    But these bugs are trivial things in applications which are either "extra", or not typically installed.

    Fixing bugs in programs is important, but having a list of 500 simple buffer overflows in rarely used games (for example) on Linux says nothing about the relative security of Linux vs. Windows.

    The worlds are too different, comparing every application included in Debian, say, against Windows would only make sense if you installed every single shareware/freeware/optional piece of software on the windows machine - and that clearly isn't a real world scenario.