Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux/Unix Tops Charts for Vulnerabilities in 2005

Posted by samzenpus on from the better-safe-than-sorry dept.

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

7 of 438 comments (clear)

  1. One Take by ackthpt · · Score: 5, Insightful
    It's because most *ix vulnerabilities are reported (and usually fixed rather quickly, particularly in the case of Linux distros.)

    Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.

    I take this sort of revelation with a grain of salt and give it as much weight.

    many eyes only make for strong code when the code can be seen

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. Yes, indeed. by DaedalusHKX · · Score: 5, Insightful

    Let me put this into context.

    Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.

    --------------

    What does it take for open source (being open to all) to report a flaw?

    Finding it of course.

    What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).

    Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).

    --------------

    And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.

    ~D

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  3. How about pointing out... by Anonymous Coward · · Score: 5, Insightful

    They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...

    I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.

    1. Re:How about pointing out... by molnarcs · · Score: 5, Insightful
      Yeah, I agree.

      In other words:

      There are at least 12 distinct operating systems in their list - Solaris, Cisco, SCO Unixware, OpenBSD, FreeBSD, NetBSD, HP-UX, AIX, HP Tru64, MacOS X, Linux variants like SuSE, Debian, Gentoo, RedHat (I counted Linux as one, even though most of the vulns. are found in their specific configuration/management tools). Add an arbitrary number of applications: KDE and GNOME, that in itself has more apps that are counted for Windows, every free SQL database server, mail server, (LotusDomino for Christ's sake!), imap client, ftp client, ftp server, etc...

      Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

      Of course, the fallacy of the comparison is that it suggests that Linux or Unix is an Operating System. For someone who does not look at the details, it might seem that installing a specific Linux or Unix operating system is more risky - hey, there are more bugs found in Linux/Unix, that's what the article says! In fact, the opposite is true, if you look at the details.

      Not that the comparison is useful in any way - why are Safari bugs counted at all? Safari runs on OS X only, so you can't just dump safari bugs into linux/unix bugs category (how retarded is that?). Why are bugs found in SuSE YAST counted as Linux bugs? They have nothing to do with linux or unix - they are specific to one operating system: SuSE linux (the same applies for all the bugs counted in Debian, RedHat, Gentoo, etc.) Not to mention the duplications: Eric Raymonds "Fetchmail POP3 Client Buffer Overflow" is counted 5 times for linux and BSDs. There are duplications for windows as well though. In other words, this list or comparison is pretty much unusable.

    2. Re:How about pointing out... by LnxAddct · · Score: 5, Insightful

      So out of curiosity, I removed all (Updated) lines from the results,and all blatantly duplicate exploits, and also any non-linux exploits, just to see how they matched up. Keep in mind that I kept alot of the php, apache , and other exploits in the list but did not add them to windows despite that these also affect windows and should be included. The numbers I got were 784 to 672, Linux to Windows. Then, because in the windows list they strictly kept to vulnerabilities that only affected windows and not multiple platforms, I took out any vulnerabilties from the linux list that would 100% for certain be cross-platform and affect Windows as well. The list reduced to 669, which is right on par with Windows (keeping in mind that I left some exploits in the list because I was only say 80% or 90% sure and so I gave Windows the benefit of the doubt). Just out of curiosity, I then tookout any linux vulnerabilities that were specific to one vendor(i.e. Red Hat, Suse, Gentoo, Debian) for a number of reasons which I won't get into. This brought it down to 639. That last number doesn't really represent anything other than a curiosity of mine.

      I was originally going to have a disclaimer stating that these numbers are accurate probably to within +-30, but since they were so close, I don't think it's necessary. One observation I've noted is that the Linux vulnerabilities are spread over a far greater variety of applications. Another thing worth noting is that it looks like Windows can not easily be effectively secured as long as security updates are done as they are currently. Most linux distros (Red Hat/Fedora, Suse, Debian, Gentoo, etc.. off the top of my head) provide a central repository that will update everything on your system for you. This appears to be a much more optimal method of applying updates. If nothing else, these results show that not just core functionality, but also supporting functionalities must be kept up to date and are just as much of a security problem, if not more so. Linux distributions support such update methodolgies natively, Windows does not.

      It appears that Linux is the winner here no matter how you look at it, and we didn't even begin to look at severity or the time from disclosure to time patched (which isn't available using the information in the report, but my inclination is to say that open source wins hands down here, call me biased if you will). For the files that I referenced and modified to get these numbers, you can get the windows list here and the first linux list here (the one with 784 exploits, not 669). These lists are not 100% accurate as I'm sure the regexs I used missed some things, or were too greedy in other cases. I also did some manual pruning that wasnt appropriate to be done with regexs, which I'm sure wasn't 100% accurate either, but these lists are close.
      Regards,
      Steve

  4. BeanBunny is a known troll by Anonymous Coward · · Score: 5, Insightful

    and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.

    1. Re:BeanBunny is a known troll by MECC · · Score: 5, Insightful

      Actually, it wasen't BeanBunny that lumped the various 'Nixes and 'Nix-like OSes into one catageory - it was CERT. Also, the CERT list include all vulnerabilities for all software running on an OS, not just the os themselves. Also , its only a list - no mention of how severe a given vulnerability is.

      To really get a picture of how the OSes themselves stack up in comparison to one another with respect to vulnerabilities, try Secunia. They list vulnerabilities, and how severe a vulneraiblity is, and why a given vulnerability is a problem, along with other interesting and relavent info about vulnerabilities.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran