Linux/Unix Tops Charts for Vulnerabilities in 2005
BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."
Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.
I take this sort of revelation with a grain of salt and give it as much weight.
many eyes only make for strong code when the code can be seen
A feeling of having made the same mistake before: Deja Foobar
It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?
Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!
Look for answers to:
I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.
In other words, these findings are absolutely useless.
Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.
As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
That they listed a few PHP apps that work on all 3 OS's as only on Linux. Hmmm
...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.
Silly rabbit
In the Microsoft section there could be an entire block for : "Clueless user -- installed malware X which caused the propagation of virus Y"
In the Linux section there would be a similar block for : "Clueless user -- caused hard drive format"
Yeah. That was wanton. Sure, okay. I agree. It's probably true that most OSS vulns are reported to public forums while most MS vulns probably get identified in house and rolled into a patch. Maybe. In 6 months or so after the devs have had fun with it for a while.
fast as fast can be. you'll never catch me.
It would be interesting to compare the number of different versions of software and applications this covers. Windows XP has not evolved tremendously in the last several years. Certainly Microsoft has shown a renewed (if not a completely successful) focus on security lately. But I think Microsoft benefits in this survey from a more stately release cycle.
Author of Enyo: Up and Running from O'Reilly Media
Let me put this into context.
Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.
--------------
What does it take for open source (being open to all) to report a flaw?
Finding it of course.
What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).
Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).
--------------
And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.
~D
" What luck for rulers that men do not think" - Adolf Hitler
They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...
I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.
The title: Linux/Unix Tops Charts for Vulnerabilities in 2005
This is beyond any doubt, very very true. But before you call me a Microsoft Shill (I'm not, I use Debian myself), allow me to explain:
If one goes to www.linux.org, and searches for all GNU/Linux distros without a filter, they will see that there are 370 distributions. If that includes unmaintained ones, that number grows to 417. And that does not include all of the other Unixes, such as the BSD group, and, like the article pointed out, Mac OSX.
Now compare that to the Microsoft Windows operating system. Let's see, Windows 98 (I doubt people use anything worse than this), ME, 2000, XP, and even Vista. 5 operating systems. 370 / 5 = 74. Now the article claims that there were 3 times as many vulnerabilities. 74/3 = 24 and 2/3.
Unix/Linux is approximately 25 times better than Windows!
Well, the "windows" ones are "Windows Operating Systems"
And the "linux" and "osx" ones are "Unix/ Linux Operating Systems"
Seeing as "windows" ones are Windows and "linux" and "osx" are Linux, OS X, Solaris, IRIX, AIX, HPUX, Tru64, *BSD, SCO, etc., etc., I think 3x is not too bad as there are more than 3x the number of distinct operating systems.
That's without even looking at what might be classified as "application" versus "os" vulnerabilities in each category.
It is worth discussing OS security in terms of exploitable holes found. And before the detractors start coming out in droves saying "the real question is how many days a vulnerability remains unpatched," that's not the real question. That's a question, and it's certainly an important one. But it's not the only important criterion in determining the quality of an OS.
Even if a vulnerability is reported and then fixed quickly, the fact remains that it could've been used for dozens or hundreds (or more) exploits *before* it was reported.
It's not just a matter of "see, look how quickly we can bail water out of the boat." There's also the question of how many holes were in the hull to begin with.
I'm not saying that any particular platform is put together better than any other, just that it is a topic worth discussing.
I currently have no clever signature witticism to add here.
Another issue is that most Linux distros ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distorted numbers like this.
Crispin
Volatile is an understatement.
Anyway, I've used a number of different operating systems and I've realized something. Computer security isn't so much the operating system you select, it's how diligent you are in keeping it secure. If you keep the system patched, behind a decent firewall, are careful with the software you run, and don't use the root/Administrator account for normal usage, you'll probably not have any issues with your computer. Granted, there are plenty of examples otherwise, but I'm referring to the standard user or sysadmin.
The problem comes in for users that don't understand that they need to keep their system protected more than it is out of the box. Some linux distros and Windows get it right by having automatic updates (if you need to disable these, you can easily enough).
Overall, there ARE good things and bad things about each operating system, but not much matters if the user isn't going to take some type of responsibility to keep their own system updated and protected.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
This is all out of context unless you look at the impact of the vulnerability, and how it is exploited. I didn't RTFA, admittedly, but I do know that the main reason for the exploit of vulnerabilities (both technology speaking, as well as the handling of these topics by the media) is largely because of the volume of Windows users in the world.
These articles only make the majority of the public even dumber.
It makes me think of the line from Billy Madison where the teacher proclaims "...At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it..."
Now PJ is a security expert?
No. But she has access to a lot of people who are very informed.
It's amazing what the community can do when organized by a good leader.
Since this is a dupe debate (it happens ALL the time) why not just link to the previous list of comments? I'm not even going to read TFA, because these useless debates have gotten to be a waste of time. There's no winning this debate - we're all losers for having editors who think that this is "news".
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
In effect: This information is completely useless for comparing operating systems.
Only to idiots, are orders laws.
-- Henning von Tresckow
so let the debate begin again over which OS is really more secure.
I hear this junk all the time and can't believe people can say an OS is secure / insecure by the "applications" running on it. How is "Adobe Acrobat Reader" a reflection of how "insecure" Linux is? Or a problem with "Apache mod_install"? These are all applications which run on top of Linux. They are NOT the Linux OS by any means. The same goes for Windows with "Adobe Acrobat Reader" and "IBM Websphere". I would argue this is a garbage comparison.
Now compare what IS inside the OS. Windows cannot function without IE (according to Bill Gates). It's been incorporated deeply into the OS. Security problems with IE would qualify as a problem with the OS (for example). If it's something part of the OS then I would buy it as a security problem. Linux issues IMO would include problems such as say iptables, Linux Kernel Race Condition / Buffer Overflow and maybe Gnome/KDE (to name a few).
I understand I may be just a little picky about this but I think I've demonstrated my argument.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.
Points not mentioned :
-amount of risk caused by vulnerability
-percentage of high-risk vulnerabilities per OS
-time taken to patch vulnerability
-whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE)
... etc. etc.
Statistics aren't so useful with such lack of completeness.
Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...
This isn't about making numbers meaningful. This is about discussing the topic.
The proper thing to do if someone wants to argue about whether or not the inaccuracies are technically balanced is to categorize them (multiple listings, updates, more than one OS in Linux, 3rd party apps) and then ask them to be moot or, if that's denied, cede them outright.
Then you can move on to the real topics... if there are any left.
fast as fast can be. you'll never catch me.
The only intelligence there is in regards to windows is that of marketing... market it no matter what condition it is in. If "Intelligent Design" was more popular you can be sure MS would market Windows in a manner to ride off that, as they do everything else they can. I mean Hey, they got the singularity OS....(rolls eyes)
I think everyone knows how out of context the article is, which only shows the deceitful intent of those responsible for it being written.
Taking things out of context is a known action of those having intent to deceive.
Now if there were laws against such that applied to marketing.... We'd all have better things in life, cept for the deceptive.
But for those of us who do know to see past the BS... we are better off, depending on how deep the BS goes, and sometimes it gets rather deep.
Anyone with half a clue and experience with both OSes in a production environment already knows the truth, but there's some points for those who actually believe some of the shit that seems to be deemed newsworthy...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.
The idea of a security score card is good but the way they did it is meaningless. The ranking should be more like:
Number of bugs +
Number of bugs with known exploits x 5 +
Number of bugs with known exploits x the number of days the exploit was in the wild before the bug was patched.
Then multiply the whole thing by a risk factor (1-5) based on how much harm it can do.
No lumping multiple OSs. Each one should get its own card. Lumping applications bundled with the OS is reasonable but skews things too. For an accurate comparison, only bugs in features common to all platforms and bugs in non-optional components should be counted.
The way the current ranking works, you could have 50 non-exploitable, local-user-only, file-permission-modifying bugs in 100 different Lunix distributions and it would count as 5,000 bugs. Similarly you could have one remote attack that completely takes over a Windows box with known exploits which remained unpatched for 100 days and it would count as 1 bug. The score would be 5,000 to 1 in favor of Windows which is about opposite from what it should be in this example. These are completely meaningless numbers.
I don't know how the OSs would stack up given an accurate reporting but I would be interested to see.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
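The score card proposed in the comment above, worked through as an added example (this is not code from the thread or from US-CERT). It scores one card per OS, as the comment asks, from constructed records of the form `<bug-name> <exploited 0|1> <days-exploit-in-wild-before-patch> <risk 1..5>`, and assumes the risk factor is applied per bug rather than once to the whole card. The two scenarios are the comment's own: 50 local-only, non-exploitable bugs per distro across 100 distros, versus one remote takeover with a public exploit left unpatched for 100 days.

```shell
#!/bin/sh
# Added example: the thread's proposed vulnerability score card, one card per OS.
# Record format (constructed for this example):
#   <bug-name> <exploited 0|1> <days-exploit-in-wild-before-patch> <risk 1..5>
# Assumption: the risk factor (1-5) is applied per bug, since each bug does a different amount of harm.

# Build a card of N local-only, non-exploitable, file-permission bugs (risk 1) for one distro.
make_distro_card() {
    awk -v n="$1" 'BEGIN { for (i = 1; i <= n; i++) printf "local-perm-bug-%d 0 0 1\n", i }'
}

# The comment's single remote takeover: exploit in the wild, unpatched for 100 days, maximum risk.
WINDOWS_CARD='remote-takeover-bug 1 100 5'

# score = sum over bugs of (1 + exploited*5 + exploited*days_unpatched) * risk
# Rejects malformed records or a risk factor outside 1..5 instead of silently scoring them.
score_card() {
    awk '
        NF != 4 || $4 < 1 || $4 > 5 { bad = 1; exit 1 }
        { e = $2; per_bug = 1 + e * 5 + e * $3; total += per_bug * $4 }
        END { if (bad) exit 1; print total + 0 }
    '
}

# What the current count does: every listing is one "bug", lumped across 100 distros (100 x 50).
naive_lumped_count() {
    make_distro_card 5000 | wc -l | tr -d ' '
}

score_distro()  { make_distro_card 50 | score_card; }
score_windows() { printf '%s\n' "$WINDOWS_CARD" | score_card; }

echo "naive lumped count, 100 distros x 50 local bugs: $(naive_lumped_count)"   # 5000
echo "naive count, one Windows remote takeover:        1"
echo "proposed score, one distro's own card:           $(score_distro)"         # 50
echo "proposed score, Windows card:                    $(score_windows)"        # 530
```

With the comment's weights the raw count reads 5,000 to 1 while the per-OS score reads 50 to 530, which is the reversal the comment is arguing for. Note that the 100 days term dominates: under this formula a long exploit window outweighs dozens of low-risk bugs, so the "days unpatched" figure that several posters say is missing from the US-CERT list is exactly the input this score cannot do without.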
I never said open source was a bad thing, or there was a downside. Just that that particular 'benefit' is overrated. Firefox bugs are certainly fixed faster than IE bugs - but according to my logs half of firefox users who hit my website still run vulnerable versions.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The sed lines are removing the "updated" string from each processed line. Sort is grouping lines, uniq is removing all duplicated entries.
:) There are much better places to start, mind you.
sed -e(expression) 's(search)/(U|updated)(search regex)/(empty replacement text)/g(global)'
So:
1
2
1 (Updated)
1 (updated)
2 (Updated)
Becomes: (through sed)
1
2
1
1
2
Becomes: (through sort)
1
1
1
2
2
Would drop to simply: (through uniq)
1
2
And then "wc" counts the lines.
In this case, the GP compressed it to 747 unique Microsoft flaws, and 1050 unique unix flaws.
And yes, learn regex! It is extremely useful, and can help manipulate massive data sets easily and quickly. "man 7 regex" is a good place to start.
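The sed | sort | uniq | wc pipeline walked through above, as an added runnable example (this is not the GP's actual command). The advisory titles in the sample are constructed for the walk-through, mirroring the 1 / 2 / "1 (Updated)" sequence in the comment; the sed expression uses a basic regex, where "(" is a literal, so it runs unchanged on GNU and BSD sed.

```shell
#!/bin/sh
# Added example: de-duplicating "(Updated)" re-listings before counting, as the thread describes.
# SAMPLE is a constructed list of advisory titles; the real input would be the US-CERT summary lines.
SAMPLE='Linux Kernel Race Condition
Microsoft Internet Explorer Buffer Overflow
Linux Kernel Race Condition (Updated)
Linux Kernel Race Condition (updated)
Microsoft Internet Explorer Buffer Overflow (Updated)
Mac OS X Multiple Vulnerabilities'

# Strip the " (Updated)" / " (updated)" suffix, group identical lines, drop repeats, count.
# Basic regex: "(" and ")" are literal, "[Uu]" covers both capitalisations, " *" eats the leading space.
count_unique() {
    printf '%s\n' "$1" \
      | sed -e 's/ *([Uu]pdated)//g' \
      | sort \
      | uniq \
      | wc -l \
      | tr -d ' '      # BSD wc pads the number with spaces
}

# The same input counted line by line, which is what the raw listing reports.
count_raw() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

echo "raw listings:  $(count_raw "$SAMPLE")"      # 6
echo "unique flaws:  $(count_unique "$SAMPLE")"   # 3
```

`sort | uniq` is the same as `sort -u`; the long form is kept because that is how the thread explains it. The caveat raised earlier in the discussion still applies after this step: a single line such as "Mac OS X Multiple Vulnerabilities" counts as one flaw however many bugs the advisory covers, so the pipeline corrects the over-count from re-listings but not the under-count from bundled advisories.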