Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux/Unix Tops Charts for Vulnerabilities in 2005

Posted by samzenpus on from the better-safe-than-sorry dept.

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

2 of 438 comments (clear)

  1. Here's a quick answer: by khasim · · Score: 5, Interesting
    TFA says that there were 2,328 reported vulnerabilities for *nix.

    I counted the lines and there are 2,329 lines.

    Here's an example of 10 of them:
    # BZip2 File Permission Modification
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)

    Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
    A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.


    And then they list 10 different distributions. Hmmmmm ..... it looks like the old "multiple reporting" problem.

    So, one problem in BZip2 == 10 counts of "problems".
    1. Re:Here's a quick answer: by OdieWan · · Score: 5, Interesting

      Removing the duplicate lines is enlightening;
      cat usoft.txt| sed -e 's/(U|updated)//g' | sort | uniq | wc
          747 lines
      cat unix.txt| sed -e 's/ *(Updated) *//g' | sort | uniq | wc
          1050 lines

      That brings them almost in line with each other. Of course, we could do a half-assed job of cutting things down to just the OS to remove concerns about all the bundled apps;

      cat usoft.txt| grep Microsoft | sed -e 's/(U|updated)//g' | sort | uniq | wc
          160 lines
      cat unix.txt| egrep '((K|k)ernel)|(GNU)|(XFree86)' | sed -e 's/ *(Updated) *//g' | sort | uniq | wc # GNU/Linux, not Linux!
          167 lines

      Of course, any of this would be far too much work for the author of the article.