Linux/Unix Tops Charts for Vulnerabilities in 2005

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

"OS Vulnerability" vs "Application Vulnerability"

[javaxman]

There are more than one problem here, but something which must not be ignored is that a large number of the listed 'vulnerabilities' are very application-specific.

Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?

And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.

So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...

Here's a quick answer:

[khasim]

TFA says that there were 2,328 reported vulnerabilities for *nix.

I counted the lines and there are 2,329 lines.

Here's an example of 10 of them:
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)

Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:

A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.

And then they list 10 different distributions. Hmmmmm ..... it looks like the old "multiple reporting" problem.

So, one problem in BZip2 == 10 counts of "problems".

Re:Here's a quick answer:

[OdieWan]

Removing the duplicate lines is enlightening;
cat usoft.txt| sed -e 's/(U|updated)//g' | sort | uniq | wc
    747 lines
cat unix.txt| sed -e 's/ *(Updated) *//g' | sort | uniq | wc
    1050 lines

That brings them almost in line with each other. Of course, we could do a half-assed job of cutting things down to just the OS to remove concerns about all the bundled apps;

cat usoft.txt| grep Microsoft | sed -e 's/(U|updated)//g' | sort | uniq | wc
    160 lines
cat unix.txt| egrep '((K|k)ernel)|(GNU)|(XFree86)' | sed -e 's/ *(Updated) *//g' | sort | uniq | wc # GNU/Linux, not Linux!
    167 lines

Of course, any of this would be far too much work for the author of the article.

Re:Yes, indeed.

[ajs318]

While I don't doubt that many desktop and laptop Linux / unix systems may well be running libpng, these systems most probably will be on the wrong side of a NAT box for anyone to get at them. Servers most probably won't be running X at all -- and therefore will have no need of libpng.

On a unix system, if you find something, anything, with serious enough flaws, often you can just rm it or chmod -x it until a new version is available. It'll break some things, for sure; but you have to weigh up whether the ability to display PNG images is worth more than the inability for third parties to run arbitrary code on your box {and the answer to that most probably depends on whether the system is a desktop or server}.

Anyway, the figures hardly surprise me. Everyone has access to the source code for Linux and BSD, so there are more people in a position to spot problems there {and good guys by definition outnumber bad guys}; and nobody has anything to lose from the existence of a vulnerability as long as it gets patched. But only a select few have access to the source code for Windows, and Microsoft have their own reasons for not wanting vulnerabilities to be disclosed to the public. Also, unix users seem generally to be more interested in what goes on beneath the bonnet -- and therefore more likely to apply patches in a timely fashion.

OFF TOPIC -- Good suggestion here, CowboyNeal!

[Dystopian+Rebel]

I wish I could mod submissions.

Why not make this one of a subscriber's privileges?

Re:OFF TOPIC -- Good suggestion here, CowboyNeal!

[DrMorris]

What about modding the editors? I would especially like a button [decrease karma for posting a dupe... again] :-)