Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux/Unix Tops Charts for Vulnerabilities in 2005

Posted by samzenpus on from the better-safe-than-sorry dept.

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

5 of 438 comments (clear)

  1. "OS Vulnerability" vs "Application Vulnerability" by javaxman · · Score: 4, Interesting
    There are more than one problem here, but something which must not be ignored is that a large number of the listed 'vulnerabilities' are very application-specific.

    Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?

    And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.

    So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...

  2. Here's a quick answer: by khasim · · Score: 5, Interesting
    TFA says that there were 2,328 reported vulnerabilities for *nix.

    I counted the lines and there are 2,329 lines.

    Here's an example of 10 of them:
    # BZip2 File Permission Modification
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)

    Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
    A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.


    And then they list 10 different distributions. Hmmmmm ..... it looks like the old "multiple reporting" problem.

    So, one problem in BZip2 == 10 counts of "problems".
    1. Re:Here's a quick answer: by OdieWan · · Score: 5, Interesting

      Removing the duplicate lines is enlightening;
      cat usoft.txt| sed -e 's/(U|updated)//g' | sort | uniq | wc
          747 lines
      cat unix.txt| sed -e 's/ *(Updated) *//g' | sort | uniq | wc
          1050 lines

      That brings them almost in line with each other. Of course, we could do a half-assed job of cutting things down to just the OS to remove concerns about all the bundled apps;

      cat usoft.txt| grep Microsoft | sed -e 's/(U|updated)//g' | sort | uniq | wc
          160 lines
      cat unix.txt| egrep '((K|k)ernel)|(GNU)|(XFree86)' | sed -e 's/ *(Updated) *//g' | sort | uniq | wc # GNU/Linux, not Linux!
          167 lines

      Of course, any of this would be far too much work for the author of the article.

  3. OFF TOPIC -- Good suggestion here, CowboyNeal! by Dystopian+Rebel · · Score: 4, Interesting
    I wish I could mod submissions.


    Why not make this one of a subscriber's privileges?
    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
    1. Re:OFF TOPIC -- Good suggestion here, CowboyNeal! by DrMorris · · Score: 4, Interesting

      What about modding the editors? I would especially like a button [decrease karma for posting a dupe... again] :-)