Linux/Unix Tops Charts for Vulnerabilities in 2005
BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."
Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.
I take this sort of revelation with a grain of salt and give it as much weight.
many eyes only make for strong code when the code can be seen
A feeling of having made the same mistake before: Deja Foobar
It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?
Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!
Look for answers to:
I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.
In other words, these findings are absolutely useless.
Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.
As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Anything new compared to the earlier article in the Washington Post?
That they listed a few PHP apps that work on all 3 OS's as only on Linux. Hmmm
...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.
Silly rabbit
Sigh. The statistics were flawed the first time they were posted to /., no need to repeat that bag of bad science.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.
Nothing new here that was not reported on slashdot four days ago. Move along, or repost your inciteful or insightful comment, or someone else's if you karma whore.
Some drink at the fountain of knowledge. Others just gargle.
In the Microsoft section there could be an entire block for : "Clueless user -- installed malware X which caused the propagation of virus Y"
In the Linux section there would be a similar block for : "Clueless user -- caused hard drive format"
Yeah. That was wanton. Sure, okay. I agree. It's probably true that most OSS vulns are reported to public forums while most MS vulns probably get identified in house and rolled into a patch. Maybe. In 6 months or so after the devs have had fun with it for a while.
fast as fast can be. you'll never catch me.
If you read the actual list, a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".
The theory of relativity doesn't work right in Arkansas.
Don't become a regular here, you will become retarded. -- Yoda the Retard
It would be interesting to compare the number of different versions of software and applications this covers. Windows XP has not evolved tremendously in the last several years. Certainly Microsoft has shown a renewed (if not a completely successful) focus on security lately. But I think Microsoft benefits in this survey from a more stately release cycle.
Author of Enyo: Up and Running from O'Reilly Media
Let me put this into context.
Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.
--------------
What does it take for open source (being open to all) to report a flaw?
Finding it of course.
What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).
Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).
--------------
And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.
~D
" What luck for rulers that men do not think" - Adolf Hitler
They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...
I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.
"so let the debate begin again over which OS is really more secure."
How about we don't and just say we did, better yet, whichever side you agree with, it won the debate.
Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, dont let our history die!
If you read TFA, it also mentioned not to put too much into the data recorded about the vulnerabilities: as not all of the vulnerabilities reported were distinct incidents (and some were 1 vulnerability for multiple bugs).
Also, with as many DIFFERENCES as there are between, say, Apple, Sun, SCO, Linux... how can you say that *ix is more / less safe than Windows, especially considering that not all vulnerabilities affected all platforms.
If you wanted to be more specific, then add up vulnerabilities for EACH OS (not just *ix all in one lump sum), and compare them to Windows (and to be fair, put all versions separately).
The thing we all need to realize is this: No computer hooked to a network (including the Internet) is safe. Period.
= Grow a brain...
so let the debate begin again over which OS is really more secure.
</sarcasm>
Ha... Don't you mean "let the debate continue?"
Is it really then a good watermark? Windows seems to suffer far more attacks. Mac seems one of the safest in practice and Linux seems to suffer few attacks. Is the real reason numbers, as in there are more users so more attacks? Or is it the type of flaws? Or are the attackers more inclined to attack Windows for personal reasons? There's obviously a reason and simple numbers aren't proving to be an accurate measure. Does anyone in the know go with Windows for security?
or kernel patches? Because Linux is a damned kernel and Redhat/Suse/whatever's patches for say curl, wget, apache, etc are not OS level patches.
This guy is way out there
The *nix vulnerabilities listed are more numerous because there are more programs for *nix, more kernel-level and library developers for *nix, and generally more eyes looking at the code. However, the high and critical severity vulnerabilities are extremely rare, for these same reasons. And also, because the *nix users are miles and miles ahead of Windows users in being aware of the security issues that affect what they are doing.
I think 3-1 is pretty damn good when you consider that the "Unix/Linux" category contains more than 5 Operating Systems!
Just breezing through the list I see:
And I'd imagine there are probably more. I'd take those odds over Windows any day.
The title: Linux/Unix Tops Charts for Vulnerabilities in 2005
This is beyond any doubt, very very true. But before you call me a Microsoft Shill (I'm not, I use Debian myself), allow me to explain:
If one goes to www.linux.org, and searches for all GNU/Linux distros without a filter, they will see that there are 370 distributions. If that includes unmaintained ones, that number grows to 417. And that does not include all of the other Unixes, such as the BSD group, and, like the article pointed out, Mac OSX.
Now compare that to the Microsoft Windows operating system. Let's see, Windows 98 (I doubt people use anything worse than this), ME, 2000, XP, and even Vista. 5 operating systems. 370 / 5 = 74. Now the article claims that there were 3 times as many vulnerabilities. 74/3 = 24 and 2/3.
Unix/Linux is approximately 25 times better than Windows!
Well, the "windows" ones are "Windows Operating Systems"
And the "linux" and "osx" ones are "Unix/ Linux Operating Systems"
Seeing as "windows" ones are Windows and "linux" and "osx" are Linux, OS X, Solaris, IRIX, AIX, HPUX, Tru64, *BSD, SCO, etc., etc., I think 3x is not too bad as there are more than 3x the number of distinct operating systems.
That's without even looking at what might be classified as "application" versus "os" vulnerabilities in each category.
Sure, I love my free operating systems. But I'm going to take this as confirmation that Microsoft really has started to take security seriously. I can't see a downside to companies producing better software.
It's also worthwhile to acknowledge that Linux has issues. Since it's not a single suite of software but a collection from multiple sources, that's no great wonder. A computer populated with software from many different sources, with most of it developed by unrelated teams, is going to have a hard time competing on the security front with a computer populated by software that came from a single source, with all of the developers working fairly closely. That's why the BSD operating systems show up with fewer security vulnerabilities than Linux in all its forms.
Besides, the fact that people are actively targeting security problems in UNIX based systems means that people are taking the stuff seriously. That's got to be a good thing.
Easy Online Role Playing Campaign Management
It is worth discussing OS security in terms of exploitable holes found. And before the detractors start coming out in droves saying "the real question is how many days a vulnerability remains unpatched," that's not the real question. That's a question, and it's certainly an important one. But it's not the only important criteria in determining the quality of an OS.
Even if a vulnerability is reported and then fixed quickly, the fact remains that it could've been used for dozens or hundreds (or more) exploits *before* it was reported.
It's not just a matter of "see, look how quickly we can bail water out of the boat." There's also the question of how many holes were in the hull to begin with.
I'm not saying that any particular platform is put together better than any other, just that it is a topic worth discussing.
I currently have no clever signature witticism to add here.
I'm not going to spend the hours it would take to check all the "Updated" entries in the list, but I picked one at random and looked at the original and two of the updates, and the only change between them was the addition of links to distribution-specific patches. Looks like they're counting individual exploits multiple times.
Sheesh, evil *and* a jerk. -- Jade
You mean like how Windows XP before and after Service Pack 2 are lumped together (firewall, security, etc)? Or how Windows 95, 98, and XP are lumped together (system stability, BSOD)?
I'm no Microsoft apologist, but it takes a certain combination of arrogance and ignorance to assume that your side is absolutely right, and the other side is absolutely wrong (both in terms of opinions, and how the opinions are presented). Everyone has a valid point to make. All that matters is how the points are interpreted.
UNIX: A computer user is defined as a programmer. WINDOWS: A computer user is defined as a consumer.
I'm offended by the latest comparison of and . The linked article offers no measurable insight, and is exactly the kind of flamebait that bores the
Please change your editorial practices to fit my tastes better.
ComplaintGen (R) - 2006
I would agree with this.
Most companies are in the habit of finding security flaws in their products. Some even fix them. But most don't make a substantial effort to share what isn't already public. (Some do!)
Linux, on the other hand, has only the public mechanism for identifying and resolving security issues. So any flaw that is identified is likely to be public.
And, these numbers don't tell the whole story... you need to take in account severity too.
If you had read the article you would assume that the exploits mentioned were for the actual operating system (and indeed some of them were OS exploits). However many of the bugs were to do with end user system software that wasn't developed by Microsoft or by the Unix kernel maintainers/developers.
So blaming, say, Microsoft or Linus for third party software is quite deceptive.
Another issue is that most Linux distro's ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distorted numbers like this.
Crispin
Volatile is an understatement.
Anyway, I've used a number of different operating systems and I've realized something. Computer security isn't so much the operating system you select, it's how diligent you are in keeping it secure. If you keep the system patched, behind a decent firewall, are careful with the software you run, and don't use the root/Administrator account for normal usage, you'll probably not have any issues with your computer. Granted, there are plenty of examples otherwise, but I'm referring to the standard user or sysadmin.
The problem comes in for users that don't understand that they need to keep their system protected more than it is out of the box. Some Linux distros and Windows get it right by having automatic updates (if you need to disable these, you can easily enough).
Overall, there ARE good things and bad things about each operating system, but not much matters if the user isn't going to take some type of responsibility to keep their own system updated and protected.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
I opened up the page and the first thing I notice is that both show vulnerabilities of not only the OS but the applications that run on it. It's really not fair to say that an iTunes vulnerability makes Windows less secure since Microsoft has no control over it. It also seems that the way this is done is Windows v All (Linux, Mac, all *nix OSs). Not to mention that there are still numerous vulnerabilities on Windows that are going unpatched (WMF anyone?).
1. More *nix problems have been fixed than with Windows this year. Windows still has the large amount of bugs it had last year, while Linux and other open source software projects have much less than ever before.
2. Windows is even more insecure than *nix now than ever before by virtue of these *nix bugs being reported, fixed, and the software further secured.
3. Windows bugs are not reported like Linux bugs. They are more public thus there will be more to add to this list, as it would be impossible for them to add internal Microsoft bugs to this list in full.
4. People in the Linux camp cannot *add* security problems to Microsoft internal code, while Microsoft people have the motive (job security and company loyalty), ability (they would not be working for Microsoft if they did not know at least basic programming), and freedom (as per the GPL) to sabotage Open Source Software projects. And it would not be illegal to do so, since there are no restrictions against it in the GPL that would make it a crime for Microsoft-friendly and Anti-Linux parties to do such evil deeds.
- d
The statistics referenced do not seem operating system specific. For instance, an "Apache mod_include Buffer Overflow" may be severe but it hardly seems fair to count this as a mark against the *nix operating systems. Likewise there are several exploits on the windows list specific to software vendors.
Additionally, I would add that there are fundamental differences between open and commercial software:
*In commercial development it is reasonable to release software after several phases of development and testing have been completed. Also, as another user stated, closed source makes it harder to discover vulnerabilities.
*In open software the resources and time of an individual are greatly limited compared to commercial development. Releases are made frequently so that patches can quickly follow as a result of community support.
This article attempts to ignite the hackneyed flame war of windows vs. Linux. However the underlying fact here is that as software and operating systems become more complex it becomes impossible to develop exploit free code.
-Lanimilbus
than ALL unix/linux operating systems combined.
This proves nothing.
And why are Mozilla vulnerabilities listed under unix/linux but not under Microsoft Windows? Last I checked, Mozilla ran on Windows too.
Groklaw has comments about this like:
Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
Kind of makes a numerical count of reported security problems pointless. (BEGIN SARCASM) Of course, the Linux/Unix security holes are much more serious than are Windows security holes because automated worms, viruses, etc. attack Linux/Unix machines but not Windows computers. (END SARCASM)
Probably stated above already - but that number is meaningless unless you look at the percentage of those vulnerabilities that were fixed within the same year! I'm sure more of these were patched within let's say a month of them being announced. Also, just because more are announced doesn't mean there are more - just that more were found... Open Source has more eyes looking for vulnerabilities, which some may say would make it more secure to begin with!
========
77 77 77 2e 6d 65 6c 76 69 6e 73 2e 63 6f 6d
This is all out of context unless you look at the impact of the vulnerability, and how it is exploited. I didn't RTFA, admittedly, but I do know that the main reason for the exploit of vulnerabilities (both technology speaking, as well as the handling of these topics by the media) is largely because of the volume of Windows users in the world.
These articles only make the majority of the public even dumber.
It makes me think of the line from Billy Madison where the teacher proclaims "...At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it..."
I think I just heard the sound of flood gates opening in the distance, followed by the rushing and roaring of what is surely a massive volume of water.
Or maybe that was the sound of thousands of Slashdotter keyboards blazing...
At any rate, this is interesting because it once again prompts the lot of us to dig up the tired old argument, "Just because more vulnerabilities are being found doesn't mean the system is less secure." As I'm certain others before me have already stated countless millions upon billions of times, the fact that the vulnerabilities are being found and repaired in a timely manner and in a much higher number is probably the reason UNIX and Linux are more secure, not less. Windows, on the other hand... vulnerabilities are slowly found, but nobody can fix them except for - you guessed it - Microsoft. (Or, in some rare cases like the recent unofficial patch for the latest Windows security hole, or should I say chasm, by some concerned programmer out there who thinks the problem is serious enough to warrant them going out of their way to figure out how to fix it without having source code on hand.)
I personally feel a lot better knowing people are actually finding security holes in software I use, and fixing them on the spot. More holes doesn't mean worse software, it means better oversight. Depending upon how successfully the vulnerabilities in an operating system or application are repaired and how quickly that is accomplished, more holes found just might equate into better security overall.
That won't, however, save us from the hordes of pro-proprietary blowhards boasting that closed source commercialware is always more secure, waving these numbers like a flag. Brace yourselves for the bullshit.
You mean like how Microsoft product before and after Service Pack 2 are lumped together (firewall, security, etc)? Or how Microsoft product, Microsoft product, and Microsoft product are lumped together (system stability, BSOD)?
The difference is that those versions of Windows are all products of one company: Microsoft Corporation. In addition, Microsoft aims for binary compatibility across its line of Windows operating systems, which collapses them into two products at most (Windows 95/98/ME and Windows 2000/XP/2003).
On the other hand, GNU/Linux, Solaris, and Mac OS X are completely separate product lines published by different companies: FSF/OSDL, Sun, and Apple. Just because all three systems make more than a token effort to implement POSIX, a source code compatibility layer, doesn't make them the same product.
Seems there was something about Microsoft and bugtraq a couple years back. The flurry of bugs reported was uncomplimentary, to say the least. Damning to say the most. Microsoft pulled out of any involvement in the venture.
A feeling of having made the same mistake before: Deja Foobar
Not to mention that the majority of those vulnerabilities only affect a limited number of installations, sometimes so small as to make virus-style transmission difficult.
And of course there's the issue that for the average computer user who doesn't have any blackhats after them, Linux, BSD or OS X is going to be a lot more secure in a practical sense just because they aren't the main target. I'm the first to admit that the most popular OS is going to get a lot more security scrutiny, but I don't really care which OS is more secure in theory. I only care that I'm not getting infected on a regular basis.
Anyway, believe whatever source you want. All I know is that while IT departments across the country raced through their holiday "vacations" to roll out unofficial patches to fix the WMF vulnerability, I sat at home drinking egg nog and watching South Park.
By the way, we need a better lexicon. "Vulnerability" sounds too bad and too good at the same time. A DoS that crashes gtk-gnutella is one thing, and needs a much softer word to describe it - perhaps "imperfection". A design flaw that gives remote root to anyone who shows you an image through any program needs something harsher. How about "sucking death wound"?
I'll take 2500 imperfections over 800 sucking death wounds any time.
Dewey, what part of this looks like authorities should be involved?
microsoft was intelligently designed from above by a corporate structure. linux evolved from many disparate cooperating independent parties. so of course microsoft is superior, it is ordained by god
meanwhile linux is an nihilistic meaningless ramble. do you think god plays dice with operating systems? i for one do not
one day armageddon will come and flood the internet with worms and virii and kill the babel of linux nodes. vista will record two copies of every software package, beta and release, and release it upon the world when the sea of worms and virii recede, so that win32 packages may propagate the internet again, cleansed of the faithless emptiness of the linux babel
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Since this is a dupe debate (it happens ALL the time) why not just link to the previous list of comments? I'm not even going to read TFA, because these useless debates have gotten to be a waste of time. There's no winning this debate - we're all losers for having editors who think that this is "news".
Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?
And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.
So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...
Move along.
Human being (n.): A genetically human, genetically distinct, functioning organism.
If you want a secure environment you should be running Atari 2600s
How come is a PHP hole only a Unix hole? ... This "Vulnerability Summary" is bullsh*t.
We suffer more in our imagination than in reality. - Seneca
I counted the lines and there are 2,329 lines.
Here's an example of 10 of them:
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
And then they list 10 different distributions. Hmmmmm
So, one problem in BZip2 == 10 counts of "problems".
>Strangely, negative Windows articles don't get questioned.
That's because they are true.
my password really is 'stinkypants'
Look for apache. The only entry is *nix. They imply that Apache is not vulnerable on MS. You know that Apache on Windows had the same errors. Basically, they are trying to equate the Windows OS flaws to all the flaws in a *nix distro.
I almost think that *nix should do the Windows approach and come with multiple "sets": the base OS CD and then one or more types of apps CD (as a different thing).
Sadly, I think that posts like this from groups like CERT do as much damage to CERT's reputation as they do to security overall.
I prefer the "u" in honour as it seems to be missing these days.
*nix had the most total number of vulnerabilities, however I believe that if you look at the severity of Windows vulnerabilities, you will find them to be more severe and longer lived in nature...
Plus, when the hell are people going to stop grouping ALL distributions of Linux into one category... how many major distributions by different vendors are out there? 18 or something like that, and hundreds of smaller distros... There is only ONE Microsoft. Compare Windows to any single distribution... and then we will see what kind of leg it has to stand on...
*This post written by an avid Microsoft Windows user who does not even know or understand Linux, yet wishes he did*
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
At least one if you include yourself.
it's open source? Everyone can look at the Linux source and report a new bug, whereas they cannot with Windows. This doesn't mean *nix actually has more than Windows, it means more were found, reported, and fixed.
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
In effect: This information is completely useless for comparing operating systems.
Only to idiots, are orders laws.
-- Henning von Tresckow
Take, for instance, the wget vulnerabilities listed in TFA. There's eight of them. Open them up, and you'll see that they're all the same pair of CVEs (CAN-2004-1487 and CAN-2004-1488) -- just updated every time a new distro releases a patch. That's a lot of redundancy -- the equivalent of reporting a bug in Windows Media Player separately for Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003, etc.
I have to wonder about the purpose of this article, as it ought to be fairly easy to run "grep -vi update" on the list and get more accurate numbers.
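As an added illustration of the double counting the posts above describe (the ten BZip2 lines, the fetchmail entry listed under two titles, and the `grep -vi update` suggestion), here is a small Python script that is not from this thread or from US-CERT. It runs over a constructed sample of list entries; the two wget CAN ids are the ones quoted above, and every other id is a placeholder.

```python
import re
from collections import defaultdict

# Matches a trailing "(Updated)" marker on a summary title.
UPDATED_RE = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)
# Matches CVE/CAN identifiers in an entry's reference text.
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")

# Constructed sample modelled on entries quoted in the thread (not the real
# US-CERT list). Each entry is (title as listed, text of its references).
# Only the two wget ids come from the thread; CAN-0000-* are placeholders.
SAMPLE_ENTRIES = [
    ("BZip2 File Permission Modification", "Red Hat advisory, CAN-0000-0001"),
    ("BZip2 File Permission Modification (Updated)", "Debian advisory, CAN-0000-0001"),
    ("BZip2 File Permission Modification (Updated)", "Gentoo advisory, CAN-0000-0001"),
    ("Eric Raymond Fetchmail POP3 Client Buffer Overflow", "CAN-0000-0002"),
    ("Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CAN-0000-0002"),
    ("Fetchmail POP3 Client Buffer Overflow", "CAN-0000-0002"),
    ("wget Multiple Vulnerabilities", "CAN-2004-1487, CAN-2004-1488"),
    ("wget Multiple Vulnerabilities (Updated)", "CAN-2004-1487, CAN-2004-1488"),
    ("Freeciv Denial of Service", "vendor bug report, no id assigned"),
    ("Freeciv Denial of Service (Updated)", "vendor bug report, no id assigned"),
]


def grep_vi_update(entries):
    """The thread's 'grep -vi update' approach: drop every line whose title
    mentions 'update'. Quick, but it cannot merge one vulnerability that is
    listed under two different titles, and it would drop a vulnerability
    whose only listing happened to carry the '(Updated)' marker."""
    return [e for e in entries if "update" not in e[0].lower()]


def dedupe_key(title, refs):
    """Key identifying the underlying vulnerability: the set of CVE/CAN ids
    in the references when there are any, otherwise the title with the
    '(Updated)' suffix stripped and case folded."""
    ids = tuple(sorted(set(CVE_RE.findall(refs))))
    if ids:
        return ("cve", ids)
    return ("title", UPDATED_RE.sub("", title).strip().lower())


def distinct_vulnerabilities(entries):
    """Group listings by dedupe_key; returns {key: [titles as listed]}."""
    groups = defaultdict(list)
    for title, refs in entries:
        groups[dedupe_key(title, refs)].append(title)
    return dict(groups)


def summarize(entries):
    """Raw line count versus the two deduplication strategies."""
    groups = distinct_vulnerabilities(entries)
    return {
        "raw_lines": len(entries),
        "grep_vi_update": len(grep_vi_update(entries)),
        "distinct": len(groups),
        "max_listings_for_one_vuln": max(len(v) for v in groups.values()),
    }


if __name__ == "__main__":
    # Ten raw lines shrink to five with grep, and to four distinct
    # vulnerabilities once the two fetchmail titles are merged by id.
    for name, value in sorted(summarize(SAMPLE_ENTRIES).items()):
        print(f"{name}: {value}")
```

The gap between the grep count and the id-based count is exactly the Groklaw case: the same fetchmail bug under two titles survives `grep -vi update` as two entries.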
There is one (1) operating system with only one (1) local vulnerability (in older releases) and only one (1) denial of service (all releases): VMS. Certainly outstanding! But, I bet the media will not notice.
That means the "UNIX/Linux" category is at least 10 OSes. On top of that, there is this gem:
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
Yep. Another bullshit number designed only to spread FUD.
___
If you think big enough, you'll never have to do it.
Because as they've shown time and time again, they know everything and you know nothing.
Others have said this better in this thread: This study is garbage.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
From what I have seen, the Unix/Linux list contains security pertaining to:
FreeBSD
Debian
OS X
Apache
Adobe Acrobat
Freeciv (???????)
Gentoo
Gnome
Emacs
xine
Together with AIX, HP-UX, KDE, Mozilla, and a whole bunch of others.
Tell me, what is the point of this list if it shoves AIX, HP-UX, OS X, Solaris and a number of variants of Linux together? Just this short list contains 4+ operating systems developed by separate companies. Not to mention all the applications as well.
So a single, closed-source OS had fewer vulnerabilities publicised than a -class- of who-knows-how-many open-source OS's. Any given individual probably makes fewer mistakes than all the other people in the world combined, too. Like, *shock*!
Unpleasantries.
so let the debate begin again over which OS is really more secure.
I hear this junk all the time and can't believe people can say an OS is secure / insecure by the "applications" running on it. How is "Adobe Acrobat Reader" a reflection of how "insecure" Linux is? Or a problem with "Apache mod_install"? These are all applications which run on top of Linux. They are NOT the Linux OS by any means. The same goes for Windows with "Adobe Acrobat Reader" and "IBM Websphere". I would argue this is a garbage comparison.
Now compare what IS inside the OS. Windows cannot function without IE (according to Bill Gates). It's been incorporated deeply into the OS. Security problems with IE would qualify as a problem with the OS (for example). If it's something part of the OS then I would buy it as a security problem. Linux issues IMO would include problems such as say iptables, Linux Kernel Race Condition / Buffer Overflow and maybe Gnome/KDE (to name a few)
I understand I may be just a little picky about this but I think I've demonstrated my argument.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
I mean c'mon, like this one:
Windows:
A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example.
Risk: LOW
link
It's also easy to notice that most of the unix/linux (say, why not throw a few others in that bunch as well, huh ?) are marked as high risk.
Is there any file format that you can't infect or use to otherwise totally break/hang the system on windows ?
TXT files don't count.
Here's one simple example: MySQL and PostgreSQL account for 26 different listings under UNIX/Linux, but they are alternative products, not complementary. Why do they list both? What percentage of non-experimental Linux machines have both PostgreSQL and MySQL installed?
Here's another: Notice that a big chunk of the vulnerabilities listed have a platform by their name; Debian, OpenServer, Solaris, Apple. Why do those get counted multiple times as "*nix" but a vulnerability on Windows XP Home, Windows XP Office, and Windows 2003 only gets counted once?
Here's another: Notice the number of apps like SpamAssassin, Sylpheed, and Squid that are counted for *nix. I haven't done the numbers, but I'll bet there are a ton more freaky little apps like that listed for *nix than for Windows. Why? Because there's a lot more freaky little applications like that available for *nix. Does that mean *nix is less secure? Of course not.
And that isn't even delving into the questions of severity and windows of vulnerability.
Compile a list of the vulnerabilities related to the core operating system, compare them on severity and time to patch, then maybe there's something to talk about. Attempting to infer something by blindly counting this hodge-podge is stupid.
Stop-Prism.org: Opt Out of Surveillance
2,328 is a whole lot more than 812. that means that *nix et al are 1,516 fixes ahead of the competition.
and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.
The slashdot story indicates that unix vulnerabilities accounted for 3 times as many as windows.
krappie:~/tmp$ cat winvulns.txt | wc -l
812
krappie:~/tmp$ cat unixvulns.txt | wc -l
2330
Even without taking into account how these numbers are completely meaningless, this is even completely wrong. If you look, most every title has "(Updated)" after it under unix.
krappie:~/tmp$ cat winvulns.txt | sed 's/ *(updated\?)\?//i' | uniq | wc -l
679
krappie:~/tmp$ cat unixvulns.txt | sed 's/ *(updated\?)\?//i' | uniq | wc -l
1046
And don't forget this counts all flavors of unix and even mac os.
Seriously, is there some way to mark the posted article as flamebait?
US-CERT is virtually worthless. Hell, they still consider Mac OSX to be part of Unix. What's worse is that they list the **same freakin vulnerabilities numerous times**. I'm not going to say much more... anything I would say would be a repeat of the OSVDB blog at http://www.osvdb.org/blog/?p=79 which addresses this issue.
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
Fair and balanced does not equal fairly retarded. If you do not question the methods by which these statistics were arranged to favor an OS renowned for its flaws over a whole group that have a great reputation for security then you are fairly judged as being retarded.
Distributions ship with a hell of a lot more than just a kernel and basic command-line tools. Windows, on the other hand, has quite a few. The data shown is really unclear on how an OS is defined. It would be much more interesting taking a standard Windows desktop installation as a base and pairing that with an open source OS that meets the same level of functionality - then doing the test.
And people tend to forget during a security debate that with proprietary products you're working on the assumption that the source code is never released. I think that's a rather dangerous assumption, given the history of this occurring.
The careful reader will note that one problem is that both "tcp dump"[sic] and "TCPDump"[sic] have a "BGP Decoding Routines Denial of Service". Of course, WinDump isn't listed there, even though it has the same decoder, although, as it doesn't come with Windows, perhaps it isn't counted as a Windows vulnerability.
It would also be worth checking to see whether, as noted, any of the updates really deserve to be treated as separate vulnerabilities (regardless of whether they're UN*X vulnerabilities or Windows vulnerabilities). As far as I can tell, the updates for the tcpdump BGP decoding DOS just either say "oh, this OS also has it" or "oh, this OS also has a fix" - there are a small number of those you can get for Windows, but a larger number for "Unix/Linux" vulnerabilities, given that there are several major Linux distributions, four major BSD/386 descendants, and several "commercial UNIXes".
This happens every time a fucked up article hits slashdot. I'm not even sure why this is news either. All the article does is say that for all *nix operating systems there are more vulnerabilities than for windows, and these numbers aren't definitive because it counts repeated submissions the same as the first report.
Linux is *Only The Kernel*, everything is the distro!
Saying that everything in a distro that has a reported bug is a flaw in Linux is like saying every piece of Freeware, Shareware, Commercial software for Windows that has a reported bug is a bug with Windows.
Remember as well: "There are Lies, Damn Lies, and then Statistics!"
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Points not mentioned:
-amount of risk caused by vulnerability
-percentage of high-risk vulnerabilities per OS
-time taken to patch vulnerability
-whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE)
... etc. etc.
Statistics aren't so useful with such lack of completeness.
Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...
There is no such thing as a completely secure OS. As well, whether this is full of hot air or not, Micro$oft will never get a fair hearing in this place.
The thing is, I see most people here actually analyzing the data and seeing the flaws within it. But many many computer users will simply see the headlines and start telling everyone that there are these things called "Linux" and "Mac" that are really insecure, so everyone should use Windows.
Semper Fi
The only intelligence there is in regards to windows is that of marketing... market it no matter what condition it is in. If "Intelligent Design" was more popular you can be sure MS would market Windows in a manner to ride off that, as they do everything else they can. I mean Hey, they got the singularity OS....(rolls eyes)
I think everyone knows how out of context the article is, which only shows the deceitful intent of those responsible for it being written.
Taking things out of context is a known action of those having intent to deceive.
Now if there were laws against such that applied to marketing.... We'd all have better things in life, cept for the deceptive.
But for those of us who do know to see past the BS... we are better off, depending on how deep the BS goes, and sometimes its gets rather deep.
Perhaps someday they'll get me, but I have never had to re-install, or fix my Linux system because of a virus or other malware. I do know of six Windows users that have told me their particular virus woes (so reported to me anyway.. who knows about those too ashamed to admit it).. So I conclude from this, that Windows is at least six times more likely to have a virus..
waiting for ad.doubleclick.net
Windows CE ME NT.
It's not the 'quantity' of security vulnerabilities that counts, it's the 'quality'. I mean, some obscure buffer overflow that _might_ enable a short string of random code to be run as 'user apache' when you combine apache with 7 modules (6 of which are common) is not the same thing as an 'integrated file browser/web browser' that will auto execute any exe that has the right wmf 'play assist' headers on it, and will run that executable with 'administrator' level privileges...
https://www.gnu.org/philosophy/free-sw.html
If I recall correctly, they're actually double-counting some vulnerabilities in common software - once for Linux, once for OS/X, once for Sun Solaris etc (I think that was right - can anyone confirm?). None of this was malicious - this survey was never intended to be rigorous and the people doing the counting made that quite clear. However, it does mean that any attempts to judge the relative merits of the various operating systems are somewhat fruitless.
For the love of God, please learn to spell "ridiculous"!!!
While I am a big fan of Linux and open-source in general, I think it is safe to say that if a vulnerability is never found then it doesn't matter that it is there or how severe it is. Now, if it's found by one evil hacker and no one else, then it is a problem, but if nobody ever finds it, then good for it.
Stop Global Warming!
Just say no to irreversible processes!
1. Windows is ONE OS. Unix mentioned is more than one, there's SuSE, RH, Debian, *BSD... it's not fair to compare one OS to many.
2. It's not just how MANY vulnerabilities there are, also how much chaos they cause and how much money they cost.
3. With OSS, finding problems is not as bad a deal, that just means someone will come up with a patch soon enough. With windows that means someone will come out with an exploit soon enough. It therefore means different things on different systems.
Given enough eyes all systems become perfected. The difference with Windows and Unix is the path to that perfection. Windows is obviously a longer painful path.
I love humanity, it is people I hate
So 3 os's, at least, so BSD, Linux and OSX have more vulnerabilities than one single operating system?
Do the math.
BS.
Anyone with half a clue and experience with both OSes in a production environment already knows the truth, but there's some points for those who actually believe some of the shit that seems to be deemed newsworthy...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I copied the list to a file, ran 'uniq' and 'grep -v "(Updated)"' on it to remove any duplicates and rows containing the string 'Updated'.
Only turned up 813 lines.
This article in a TLA : WTF ?..
Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.
Why are people putting so much thought into these numbers? I know my opinion has probably already been made above, but I just had to add to the millions that logically understand the meaning of these numbers. I know someone already said, who the hell knows how many M$ security threats exist that aren't made public. This is true. They only release the information when an exploit or worm is making use of them, or they release the information once a month to say they are "working hard on patches". Two hundred minor security flaws are less of a threat to me than one M$ flaw that is EXTREMELY DANGEROUS to my system or network. M$ may have less, but am I wrong in saying that the majority of their flaws are WAY MORE dangerous??? And these are just what we find out publicly. Isn't fast, publicly made reporting of flaws, bugs and vulnerabilities the best part about Linux security? In that those flaws can be quickly dissected by the community and patched quickly? This isn't a competition to see who can make a product with the perfect security record. Only OpenBSD is capable of that! (snicker) This is a competition to see who has the best response and is open to the public. As well as the capability for the IT world to do their own investigations into the source code of their systems that run their mission critical services and applications.
...Dupe posting tops the SlashDot vulnerability list for the 8th year in a row.
When are we going to hear from the people responsible about getting this vulnerability fixed?
This space for rent. Call 1-800-STEAK4U
Funny!
Windows shows fewer bugs than Linux/Unix! I was always sure that Micro$osft is the best.
No Office suite exploits... It should be secure, now!
And, however, even kids know that "A known bug is a dead bug"!
(the same kids know that "Bugs enter from open Windows")
What? WMF? Still unpatched after 3 months? But it is a bug related to a feature coming from 1990, it's not a real bug...
What? Is it a *deadly* bug?
But a company that depicts its logo on my keyboard can't be wrong!
Please provide direct evidence to support your claim - that they can Tap dance in the first place.
Read it:
I totally find this hard to believe. I've been using Linux for 10 years. At any point in time I can install windows on one of my computers and get infected by spyware, viruses, or hackers. I've run my Linux box on the net without a firewall for months at a time with all the services turned off. No security breach. I'm wondering who funded that study.
Also just because there are more security holes found doesn't mean anything. It's easier to find security holes when you have the code available to you. But that's as much a strength as it is a weakness.
I guess that if I compile gzip natively on windows, any vulnerabilities that plague the linux / unix version just magically disappear, right?
Who the hell's running the show, anyway?
Coderz 4 Life
If you believe your Windows security best practices are up to snuff, you may paste this link into your browser to initiate a self test:
tinyurl.com/b8oqu
Disclaimer: Do not under any circumstances do that from a computer that's running any version of Windows, no matter what your precautions are. Unpleasantness will occur. You were warned.
Help stamp out iliturcy.
Vulnerabilities in KDE are counted as vulnerabilities. Vulnerabilities in GNOME are counted as vulnerabilities. Separate vulnerabilities in Gentoo, Red Hat, and all other distros are counted as separate vulnerabilities. Even MacOSX vulnerabilities are considered Linux/Unix vulnerabilities. That doesn't seem like a fair comparison. After all, you can't run Linux on both KDE and GNOME at the same time...
Here's what I find most interesting...
It's nearly unanimous among this community that MS OS's (whatever flavor) are by far inferior to Unix (whatever flavor) and that not a one will apparently consider that there is any validity to the story or statistics.
Now I am not saying that I agree with the article, but I will say that our community is severely biased. To believe that there is not a shred of truth to the article is absurd.
-STankyG
People are always blaming their circumstances for what they are. I don't believe in circumstances...
Multiple versions of course, yet one OS.
.15 vulnerabilities for the average *nix distro for every 1 vulnerability in Windows. That changes the numbers dramatically. Showing a 6.66 to 1 (Oh, my - the number of the beast - how'd that get in there - could it by Bill Satan perhaps?) ratio of Windows vulnerabilities to 1 *nix variant.
HP-UX, AIX, Solaris, Mac OSX, OpenBSD, FreeBSD, NetBSD and the 4 score and 7 variants of Linux, even, dare I say it, some SCO stuff added into the mix.
Hmmm - somewhere in the neighborhood of let's pick a good round number, say 20 *nix variants, versus 1 os.
20 to 1, and only 3 times the number of vulnerabilities - that's approximately
Interesting how numbers can be skewed now, isn't it.
Who is general failure, and why is he reading my hard drive?
The article is correct - I am quite certain *Nix's may have more OS vulnerabilities than Windows. Possibly many more OS vulnerabilities.
What the article doesn't bother mentioning, hooray for bad journalism everywhere, is that Microsoft's Internet Explorer is completely riddled with vulnerabilities. And it's integrated with the OS in such a way that the IE vulnerabilities can really mess up the whole OS. And the browser cannot be uninstalled or removed completely.
Furthermore, Linux and UNIX and company still enjoy very strong security through obscurity. Scriptkiddies are simply not interested in these systems and so very few vulnerabilities are actively exploited.
I am government man, come from the government. The government has sent me. -- G.I.R.
Huh? What does this mean? I don't understand.
Furthermore, is this where they got all their information? Where did the Windows vulnerabilities come from? Open source? Can't be!
Of course you can find the vulnerabilities in the source, if it's open. Is this how they found the Windows vulnerabilities, or in some report? Looking at the source? I'd like to view the source myself. Maybe Linus would like to see it too.
This is our government!!!
bob@media:~/projects/ryu/software/build$ cat ~/nixvuln.txt | egrep -vi 'Updated|Apple|FreeBSD|Gentoo|HP-UX|IBM AIX|OpenBSD|Red ?Hat|SCO |SGI IRIX|Solaris|SuSE' | wc
737 5484 41307
bob@media:~/projects/ryu/software/build$ cat ~/winvuln.txt | egrep -vi 'Updated|Apple|FreeBSD|Gentoo|HP-UX|IBM AIX|OpenBSD|Red ?Hat|SCO |SGI IRIX|Solaris|SuSE' | wc
668 4985 39090
Updates don't imply increased vulnerability. I removed all but one distro (Debian, the one I use). That gets it down to 737 versus 668.
That's without removing competing software like MySQL/PostgreSQL and KDE/Gnome, without removing platform specific software that isn't listed by OS, without accounting for the higher disclosure rate of *nix, and without considering time-to-patch and severity. 737 versus 668 is still a meaningless comparison without looking at those factors, but at least the blatant stupidity of multiple counting is largely mitigated.
Stop-Prism.org: Opt Out of Surveillance
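The de-duplication that several posts above do by hand (the eight wget listings that are really one pair of CAN ids, krappie's sed/uniq pipeline, the "tcp dump"/"TCPDump" double entry, and bob's egrep filtering) can be done in one place. The following is an added example written for this page, not any poster's script or US-CERT's data; the listing is constructed in the shape of the bulletin titles quoted in the thread, the two wget CAN ids are the ones cited above, and the other identifiers are made-up placeholders. It shows why counting by identifier set, rather than by title, is the only count that survives a re-issued bulletin with a differently spelled title.

```python
import re

# Constructed sample listing (not real US-CERT data): one entry per line,
# "title<TAB>comma-separated identifiers". The wget identifiers are the two
# CAN ids cited in the thread; the other identifiers are placeholders.
SAMPLE_LISTING = """\
GNU wget Multiple Vulnerabilities\tCAN-2004-1487,CAN-2004-1488
GNU wget Multiple Vulnerabilities (Updated)\tCAN-2004-1487,CAN-2004-1488
GNU wget Multiple Vulnerabilities (Updated)\tCAN-2004-1487,CAN-2004-1488
Debian wget Multiple Vulnerabilities (updated)\tCAN-2004-1488,CAN-2004-1487
tcp dump BGP Decoding Routines Denial of Service\tID-PLACEHOLDER-TCPDUMP-BGP
TCPDump BGP Decoding Routines Denial of Service (Updated)\tID-PLACEHOLDER-TCPDUMP-BGP
Linux Kernel Race Condition\tID-PLACEHOLDER-KERNEL-RACE
"""

# The trailing "(Updated)" marker that the sed expression in the thread strips.
UPDATED_SUFFIX = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)


def parse_listing(text):
    """Return a list of (title, frozenset of identifiers) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        title, ids = line.split("\t", 1)
        entries.append((title.strip(), frozenset(i.strip() for i in ids.split(","))))
    return entries


def normalise_title(title):
    """Drop '(Updated)', lowercase and collapse whitespace so a re-issued
    bulletin compares equal to the original. 'tcp dump' and 'TCPDump' still
    differ, which is exactly the collision noted in the thread."""
    return " ".join(UPDATED_SUFFIX.sub("", title).lower().split())


def count_raw(entries):
    """What the year-end summary did: every listing line is a 'vulnerability'."""
    return len(entries)


def count_unique_titles(entries):
    """The sed/uniq approach from the thread, but set-based rather than
    adjacent-only, so non-adjacent repeats are collapsed too."""
    return len({normalise_title(title) for title, _ in entries})


def count_unique_ids(entries):
    """Count distinct identifier sets: the only count that merges a bulletin
    re-issued under a differently spelled title."""
    return len({ids for _, ids in entries})


def redundancy(entries):
    """Map each identifier set to the number of listing lines that carried it."""
    seen = {}
    for _, ids in entries:
        seen[ids] = seen.get(ids, 0) + 1
    return seen


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("raw lines:      ", count_raw(entries))            # 7
    print("unique titles:  ", count_unique_titles(entries))  # 5
    print("unique id sets: ", count_unique_ids(entries))     # 3
    for ids, n in sorted(redundancy(entries).items(), key=lambda kv: -kv[1]):
        print(f"{n}x  {', '.join(sorted(ids))}")
```

On the constructed sample the three counts are 7, 5 and 3: the raw line count is what the summary reports, title normalisation removes the "(Updated)" re-issues but still double-counts the tcpdump entry, and only the identifier-set count gets to one entry per actual bug. The same pattern applied to the real list would need the identifiers that each bulletin links to, which the thread notes are present in the individual entries.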
The idea of a security score card is good but the way they did it is meaningless. The ranking should be more like:
Number of bugs +
Number of bugs with known exploits x 5 +
Number of bugs with known exploits x the number of days the exploit was in the wild before the bug was patched.
Then multiply the whole thing by a risk factor (1-5) based on how much harm it can do.
No lumping multiple OSs. Each one should get its own card. Lumping applications bundled with the OS is reasonable but skews things too. For an accurate comparison, only bugs in features common to all platforms and bugs in non-optional components should be counted.
The way the current ranking they use works you could have 50 non-exploitable, local user only, file permission modifying bugs in 100 different Lunix distributions and it would count as 5,000 bugs. Similarly you could have one remote attack that completely takes over a Windows box with known exploits which remained unpatched for 100 days and it would count as 1 bug. The score would be 5,000 to 1 in favor of Windows which is about opposite from what it should be in this example. These are completely meaningless numbers.
I don't know how the OSs would stack up given an accurate reporting but I would be interested to see.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
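The score card proposed in the post above, carried through on its own 50-bugs-in-100-distros versus one-Windows-bug scenario. This is an added example written for this page, not the poster's code; it assumes the risk factor is applied per bug (the post says "multiply the whole thing", which could also be read as per card), and the distribution names are placeholders.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Bug:
    os_name: str                      # each OS gets its own card, no lumping
    exploit_known: bool = False
    days_unpatched_in_wild: int = 0   # days the exploit circulated before a patch
    risk: int = 1                     # harm factor 1 (low) .. 5 (severe)


def bug_weight(bug):
    """Score one bug following the post's formula: 1 for the bug, +5 if an
    exploit is known, +1 per day the exploit was in the wild before the patch,
    all multiplied by the risk factor (assumption: applied per bug)."""
    if not 1 <= bug.risk <= 5:
        raise ValueError(f"risk factor must be 1..5, got {bug.risk}")
    weight = 1
    if bug.exploit_known:
        weight += 5 + bug.days_unpatched_in_wild
    return weight * bug.risk


def raw_counts(bugs):
    """The US-CERT style count: one point per listing line, per OS."""
    return Counter(bug.os_name for bug in bugs)


def score_cards(bugs):
    """Weighted per-OS score cards."""
    cards = Counter()
    for bug in bugs:
        cards[bug.os_name] += bug_weight(bug)
    return dict(cards)


def lump(counts, os_names):
    """Add several cards together, as the year-end summary did for *nix."""
    return sum(counts.get(name, 0) for name in os_names)


def post_example():
    """Constructed data for the post's scenario: 100 hypothetical distributions
    (placeholder names), each with 50 local, non-exploitable, low-risk
    file-permission bugs; Windows with one remote takeover bug whose exploit
    was in the wild for 100 days before the patch."""
    distros = [f"distro-{i:03d}" for i in range(1, 101)]
    bugs = [Bug(os_name=d, risk=1) for d in distros for _ in range(50)]
    bugs.append(Bug(os_name="Windows", exploit_known=True,
                    days_unpatched_in_wild=100, risk=5))
    return distros, bugs


if __name__ == "__main__":
    distros, bugs = post_example()
    raw, cards = raw_counts(bugs), score_cards(bugs)
    print("raw, lumped *nix vs Windows:", lump(raw, distros), "vs", raw["Windows"])   # 5000 vs 1
    print("card, one distro vs Windows:", cards[distros[0]], "vs", cards["Windows"])  # 50 vs 530
```

With the raw count and lumping, the scenario comes out 5,000 to 1 against *nix, as the post says. With one card per OS and the weighting applied, each distribution scores 50 while the single Windows bug scores (1 + 5 + 100) x 5 = 530, which is the ordering the post argues the numbers should show. Changing the assumption to a per-card risk factor would scale whole cards, not change that ordering.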
I don't buy that argument for a second. What percentage of discovered bugs do you think are actually found by looking at the source code of a program?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
...how many vulns would be found if anywhere near the number of people used (i.e., cared) about OSX as they do Windows.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Utter rubbish! This is comparing one operating system with two varieties to a dozen different Unix and Unix-like operating systems with hundreds of variants, distributions and versions.
How about comparing just ONE operating system to ONE other operating system? Like Windows XP to Solaris/SPARC? Or Windows Server to FreeBSD 5.x branch?
Don't blame me, I didn't vote for either of them!
If GNU/Linux with 3rd party software bugs is counted as a whole Linux/Unix bug, then cygwin with the same 3rd party software on Windows should be counted as "Windows bug" + "Linux/Unix bug".
Therefore Windows should carry over its own bugs and Linux/Unix bugs. It's not only logical, but it's factual.
To me it seems, US-CERT just collected data and published junk stat. Perhaps it's time for US-CERT to raise the bar a bit more than half critical thinking skill level of a baboon for employee/employer.
"Don't let fools fool you. They are the clever ones."
Basically UNIX (BSD, Solaris, AIX, IRIX, SCO, OS X), and ALL LINUX distributions are counted as ONE (1) bin, against MS Windows!!! So, you have basically EVERY popular mainstream operating system other than Windows in one bin and windows in another, and you are trying to tout THAT as a stat that Windows has fewer flaws than Unix/Linux? Sure, it does when you count ALL VERSIONS OF UNIX AND LINUX TOGETHER AND ADD UP ALL THE VULNERABILITIES FOUND IN ALL THE DIFFERENT VERSIONS!!!!!
THEN there is the fact that different CERT warnings appear multiple times! For instance, Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated) is counted at least 4 times under the SAME NAME, and at least 1 more time under a different name, but it is still the same vulnerability!!!
See http://www.groklaw.net/article.php?story=20051231142317870 for more details.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It's interesting that they lumped the information that way. Actually, it makes the Linux/Unix side look pretty good that they ADDED together all Linux, MacOS, various BSDs, Solaris, Irix, AIX, gods know what, etc. including every Linux distro big or small, together and only found 3 times as many vulnerabilities as Windows.
Of course it's all worthless even if split out per OS since they also lumped in (on both sides of the equation) 3rd party apps. I don't use windows, so I can't comment there, but on the Linux/Unix side they included things like Acrobat reader (does anyone with Linux actually use that?), some backup software I've never heard of (I use rsync myself), IRC clients galore (Is anything on IRC secure? Never IRC as root boys and girls!), shar utils (I remember shar! I think I used it a couple times in the '90s), Opera, etc. These (other than IRC clients) are not apps you'll find in most Linux distros (if any). Certainly the many 3rd party apps for Windows don't come on the Windows install disk. So, even when split out, the worthwhile figure is drowning in noise.
Of course, rt-11 is superior to all of those because there were no vulnerabilities found in it at all last year. :-)
While Windows hasn't brought out anything new for the OS except security patches and bug fixes, *nix's have had numerous new versions of almost every single part of the OS; think of it as a percentage and it would probably be Unix 5%, Windows 90%.
How many of these Linux/UNIX vulnerabilities allowed remote execution of arbitrary code as a superuser...
Also, note that PER-vendor Microsoft far outweighed the competition.
These aggregate numbers are meaningless. That being said, US-CERT made pretty clear that this was simply a list of reported vulnerabilities, not any sort of analysis, so I blame the news sites for taking the meaningless numbers and trying to create a news story that will get Windows and Linux/UNIX/MacOS X fans all excited to read and post (and generate ad revenue).
:-)
Why do I say that the aggregate numbers are meaningless?
1) They count "updates" to vulnerability reports as vulnerabilities, so there are many vulnerabilities that appear to be counted 5-10 times in the "UNIX" list, and 2 times in the "Windows" list. My guess is that these "updates" are individual OS reports, meaning that a single vulnerability in a cross-platform application would be reported as 2 Windows vulnerabilities and 10 UNIX vulnerabilities. CERT should break out each OS into its own counts in order to correct for this. Eliminating duplicate reports isn't good enough, because there are many OS-specific reports, and it doesn't make much sense to count vulnerabilities specific to Solaris AND Mac OS X AND Linux AND HPUX etc., in a single number, since you run only one OS at a time.
2) They count reports of multiple vulnerabilities as a single vulnerability, which means that OS's that release fewer updates, each of which patches multiple vulnerabilities (e.g. Apple, Microsoft), are counted as having far fewer vulnerabilities than OS's that release specific patches for each vulnerability. Strangely, this punishes OS vendors that rapidly address and release patches for vulnerabilities, and rewards vendors that are less responsive. CERT should count a single announcement that covers multiple vulnerabilities as if each vulnerability were reported individually.
3) They include third-party application vulnerabilities in the counts, and the number of those reports dwarfs the number of actual OS vulnerabilities (90-95% of the vulnerabilities listed aren't in the OS's). CERT should separate bugs in the OS's from optional third-party application bugs. Many of the vulnerabilities are in extremely obscure applications, and while users of those applications might want to know about these issues, it's hardly a reflection on the OS' security if there's a 'Wojtek Kaniewski EKG Insecure Temporary File Creation & SQL Injection' in some project's "contrib" directory, which is hardly comparable to 'Sun Solaris ARP Handling Remote Denial of Service' or 'Microsoft DirectX DirectShow Arbitrary Code Execution'.
4) Their OS coverage is quite spotty. For example, if an application runs on all OS's (e.g. Mozilla, bzip) and has a vulnerability that applies to all OS's, sometimes they're reported only for Windows, sometimes only for UNIX, sometimes for both, sometimes with many repetitions and sometimes only once. While this would require CERT to do some analysis (i.e. actually read the reports), they should consistently recognize cross-OS issues and remove them from the OS-specific lists and report them in the multiple operating system list.
Since each of these issues appears to introduce error rates that are an order of magnitude larger than the useful data, there's no meaningful data left.
Of course, people have pointed these problems out about these CERT reports for many years. Still, since we have these same pointless discussions every year, CERT should make some basic changes to make these reports somewhat meaningful. Their previous years' lists (http://www.us-cert.gov/cas/bulletins/SB2004.html) were more useful, because they at least made it clear which issues were high risk, and which application or OS each vulnerability was associated with, and they avoided the misleading totals. Let's hope that next year they at least go back to the 2004 report format, even if they don't bother to do any meaningful analysis.
Enable 3D printed prosthetics!
There is a difference between a vulnerability and an exploit. A vulnerability is just a potential weakness, a chink in the armor so to speak, but potential weaknesses cannot be taken advantage of unless it is exploited. It is thus the number of exploits that is the primary consideration when speaking of security.
Of course, Linux will have a large number of visible vulnerabilities! It is open source and anybody with two eyes and a passing knowledge of C should be able to find vulnerabilities almost everywhere. However, are those vulnerabilities actually exploitable? In most cases, Linux security alerts consist entirely of possible vulnerabilities and in most cases also, those vulnerabilities are quickly patched up and repaired; well before any practical exploits are written for it.
The case is not the same with Microsoft Windows. Because Windows is closed-source, the only way to demonstrate a vulnerability in Windows is to actually write an exploit for it! Thus, whenever a vulnerability has been discovered for windows, you can bet your Momma's last penny that there is a very good chance of the existence of a working exploit for it.
How many vulnerabilities are there in Windows we do not know of because we cannot examine the source? Judging from the number of exploits (written by people without access to Windows source code, by the way) we can infer with good accuracy that the total number of vulnerabilities in windows should be several times that of the number of exploits. I am too lazy to make a count but perhaps someone with the inclination can create a matrix showing Vulnerabilities vs exploit vis a vis Windows vs Linux. If we assume that the ratio of exploits to vulnerabilities is the same for both operating systems, what would be the estimate of the number of vulnerabilities in windows? If we further include the fact that Linux is open source while Windows is not, what would be the estimated number of exploits in Windows?
That would make an interesting study.
It is Linux's open-source nature that gives it the disadvantage when a simple-minded count of the security alerts for Windows versus the number of security alerts for Linux is made. But keep in mind that almost all security alerts for windows are not of vulnerabilities but of practical, demonstrably working, and potentially already widespread exploits. Most security alerts for Linux are of vulnerabilities.
In any discussion of security between Linux and Windows, the crucial distinction between vulnerability and exploit should be clearly enunciated.
What do Adobe Acrobat Reader bugs have to do with 'Linux'.
Perhaps the best measure of security would include the number of vulnerabilities, their priority, and the avg time to fix them once discovered. That might get us a nice measure for open source OSes where the vulnerabilities can be found by inspection, but it wouldn't help much with Windows.
It also might be good to take into consideration the number of users affected. Because of its market dominance, every Windows vulnerability affects a far greater population than a vulnerability in any other OS, thus all those vulnerabilities have a higher overall cost to the computing population.
-All that is gold does not glitter - Tolkien
www.ra
Windows is more secure than Mac OSX, all of UNIX and all of Linux combined. But Windows is not more secure than any of those individual operating systems; only when you add them together does the math work out.
So, there ya have it folks. I think we can all agree now, Windows truly is the most secure and trusted computing OS available. It has the best TCO, everyone knows this, and is virtually open source. So just buy Windows. I mean, what choice have ya got?
If they are lumping all the *nix OS's together, why do they bother distinguishing between UNIX and Linux? Even when they are fucking something up they can't get it right.
The Admin and the Engineer
Tabulate the data on how many of them were critical and the whole argument against *nix breaks down.
My last sig was ridiculed
Compare only OS vulnerabilities.
Release the source code so thousands of people can review for vulnerabilities.
If that is all that was found on the nix OSes and apps with the number of people reviewing the code, in the whole year of 2005, who can complain that it's insecure?
And that list is across all releases.
I wonder what would happen if MS and just about every vendor of MS platform software released their sources to the world for review.
Personally, I will never ever run any Win* on any of my systems ever again. However, I think we need to keep in mind "expansion = problems".
I think the argument that there are more Win* vulnerabilities than there are *nix vulnerabilities because Win* runs on 99% of desktops is valid. It only makes sense. Why would a malicious author write something that affects 1% versus 99%?
With the rise in popularity, and in my estimation, the continued winning of desktops by linux, I think the *nix community should stop whining about unfair comparisons/studies and really take a serious look at the actual basis of the comparisons.
In order to maintain momentum in winning desktop space from Win*, *nix developers/distros/companies need to continue the good work fixing vulnerabilities or eliminating them prior to releases of distros/apps/updates etc...
Statistics can say anything you want them to say. However, since perception is reality for most people, the *nix community has to be impressive and secure in the minds of consumers.
Only then will the momentum remain sustainable.
Just my 2 cents
"Given enough eyes, all bugs are shallow"
Didn't Infoweek read the (long) list at all?
Part of the list:
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
There are MANY vulnerabilities with updates counted as different, and there are many containing the words "multiple vulnerabilities" in their name.
I cleaned the list removing the updates, and the correct amount for Windowses is 672 (not 812) and Unixes and all the rest of the OSes 1034 (not 2328).
It's still stupid and misleading to combine all Windows OSes in one pile and the rest in the other. And even more stupid is to count patched and unpatched vulnerabilities together!
See the http://secunia.com/product/ for clearly categorized advisories.
The amounts of "Unpatched" and "Total advisories":
Unpatched  Total advisories  Product
25         109               Microsoft Windows XP Home Edition
29         124               Microsoft Windows XP Professional
14         63                Linux Kernel 2.6.x
0          2                 Ubuntu Linux 5.10
1          182               Debian GNU/Linux 3.1
0          84                Fedora Core 4
0          230               Mandrakelinux 10.1
0          63                Apple Macintosh OS X
Notice that some OS versions are older than others. (The total count should be divided by the time.)
Of course the criticality should be counted too.
I checked Linux Kernel 2.6 unpatched vulnerabilities and none of them can be used remotely; 7 (of 14) were DoS and 7 were ones where the local user could potentially escalate privileges or get sensitive information.
Of the Win XP Home Edition unpatched vulnerabilities, 11 (of 25 total unpatched) could be remotely exploited.
Based on the above I come to the conclusion that Brian Krebs is either spreading FUD intentionally or plain stupidity. But what is the reason for Slashdot to do it?
BTW The story is duplicate:
http://it.slashdot.org/article.pl?sid=05/12/31/08
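The cleanup the comment above describes (collapsing "(Updated)" re-issues onto the original advisory, flagging "multiple vulnerabilities" bundles that undercount, and dividing a product's total by how long it has been out) is easy to make repeatable. The following is an added example, not code from the original thread or from US-CERT; the entry list is constructed for illustration (the Apache line is the one quoted above, the other titles are hypothetical), and the category labels are assumptions about how a raw list might be tagged.

```python
import re
from collections import Counter

# Constructed sample in the shape of the US-CERT year-end list quoted above:
# one advisory re-issued several times as "(Updated)", and one entry that
# bundles several issues under "Multiple Vulnerabilities".
# Only the Apache title is taken from the thread; the rest are hypothetical.
SAMPLE_ENTRIES = [
    ("Unix", "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass"),
    ("Unix", "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)"),
    ("Unix", "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)"),
    ("Unix", "Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)"),
    ("Unix", "Example Mailer Multiple Vulnerabilities"),
    ("Windows", "Example Viewer Buffer Overflow"),
    ("Windows", "Example Viewer Buffer Overflow (Updated)"),
    ("Windows", "Example Service Denial of Service"),
]

# Matches a trailing "(Updated)" marker, case-insensitively.
UPDATED_RE = re.compile(r"\s*\((?:updated|update)\)\s*$", re.IGNORECASE)


def normalize_title(title):
    """Strip trailing '(Updated)' markers (possibly stacked) and collapse
    whitespace and case, so re-issued entries map onto the original."""
    t = title.strip()
    while True:
        stripped = UPDATED_RE.sub("", t)
        if stripped == t:
            break
        t = stripped
    return re.sub(r"\s+", " ", t).casefold()


def count_raw(entries):
    """Naive per-category count, the way the headline figure was produced."""
    return dict(Counter(category for category, _ in entries))


def count_distinct(entries):
    """Per-category count after de-duplicating re-issued advisories."""
    seen = {}
    for category, title in entries:
        seen.setdefault(category, set()).add(normalize_title(title))
    return {category: len(titles) for category, titles in seen.items()}


def bundled_entries(entries):
    """Entries that cover several issues in one line; these make the
    de-duplicated count a lower bound rather than an exact figure."""
    return [title for _, title in entries
            if "multiple vulnerabilities" in title.casefold()]


def per_year(total, months_public):
    """Normalize an advisory total by product age, as the comment suggests,
    so a six-month-old release is not compared directly with a two-year-old one."""
    if months_public <= 0:
        raise ValueError("months_public must be positive")
    return total * 12.0 / months_public


if __name__ == "__main__":
    print("raw:     ", count_raw(SAMPLE_ENTRIES))
    print("distinct:", count_distinct(SAMPLE_ENTRIES))
    print("bundled: ", bundled_entries(SAMPLE_ENTRIES))
    print("Linux Kernel 2.6.x advisories/year if 6 months old:", per_year(63, 6))
```

On the constructed sample the raw count is 5 Unix / 3 Windows, the de-duplicated count is 2 / 2, and one Unix entry is a bundle, which is exactly the double-counting and lumping effect the comment is pointing at; the real list would be fed in as (category, title) pairs in place of the sample.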
There's bound to be a major fuckup in the ratio. I'll be willing to bet that those that run *nix and are getting virii are either deliberately doing it, or are Class-A noobs that don't know you NEVER run as root, thus giving you the full privileges to the OS as Windows would give you while running as Administrator. How much you wanna bet they didn't fully include that fuckup factor into their equation/statistic?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The guy who wrote the infoweek article in question got PAID for such an obvious distortion. It's clear the article has nothing but flaws and really illogical assumptions and associations as people have pointed out. I wonder what his motivation was; the conspiracy theory says m$ partially funds or is in some way associated with infoweek.. the humorous theory is that one of our beloved slashdot trolls finally got a REAL JOB and is now trolling and getting paid for it.
Anyhow I sent out an email that basically pointed out all the flaws that have been mentioned here and "accidentally" cc'd most of the listed editorial staff. It would be nice if morons like that got fired for stupidity.. but he'll probably just get a bonus for actually driving some traffic to that POS site.
Ah well.
Um, that's really great news isn't it? These geezers had to start countin' Several Separately Maintained Linux Distributions AND Several Classic Unixes AND Several Releases of Mac OS X to get a 3 to 1 ratio compared to just One Version of Microsoft Windows.
People, the wind is certainly blowin' in the right direction here!
free dom(inion) - free energy - free your mind - whee!
There are several other issues here that are important to note: how many of the vulnerabilities can be remotely exploited, taking that on board how many of them have exploits in the wild, and then how many of those vulnerabilities are operating system specific. When I read down the list I see several web applications that are reported as vulnerable. But they are not platform specific. For example, I can install phpBB on a Windows or Linux system with little to no difference.
This survey lumps "UNIX" in together, meaning Solaris, Linux, *BSD, AIX, IRIX, Tru64, OS X and whatever else. Some of these OSes are abandoned by their vendors (IRIX, Tru64) and aren't undergoing much active development.
A much fairer comparison would be between actual off-the-shelf distributions of a given OS, instead of lumping everything together. And it should also take into account the amount of bundled software (more bundled software, more chance of a vulnerability) and possibly do a comparison between each OS with all the optional components removed (baseline vulnerabilities).
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
We need more eunuch programmers.
I think you mean "UNIX" programmers.
Oh. *pause*. If the company nurse comes around, tell her I said 'Never mind'.
M$ may have 1000 times more bugs, but they are not always reported.
When all is said and done, nothing changes...
The question is not what vulnerabilities are found. The question is what happens.
No security system = no vulnerabilities. Of course all systems need a proper security review. Here also a role of the governments can be observed: Review code.
In the field of open source, formal documentation of security reviews leaves a lot of room for improvement. The situation has improved with the use of profiling tools, but automatic detection of vulnerabilities and problems can still be improved. Test cases for code reviews, safer programming styles and languages, and time and review are key to ultimate security. Software does not get worse.
It has been my observation that Microsoft takes security vulnerability to a whole new level. Microsoft Internet Explorer has had the most extremely serious vulnerabilities of any software I've seen.
Below is something I wrote for customers about this week's astounding Microsoft vulnerability. Microsoft customers of any version of Microsoft Windows after Windows 3.1 can lose control over their computers just by visiting a web page. Security experts are saying it is the worst security vulnerability they have ever seen.
It's been there for 7 years. How many countries have secret police or espionage departments that have used this vulnerability?
Microsoft is taking a leisurely approach to fixing the problem. The company plans to release a patch on January 10. Part of the problem is that there is an ENORMOUS conflict of interest. Many customers, when they discover that their computer has become slow, don't realize that it is infected. They buy another computer. They don't want to spend the money to learn another operating system, so the new computer has another copy of Windows. So Microsoft profits from security vulnerabilities. Corporations are usually a group of generally moral people, but it has somehow been established that the corporation can be allowed to be immoral.
I wrote the instructions below for those of my customers who are interested in protecting their home computers, and have the minimal technical ability required. These instructions and the explanation will help them understand the importance of the work we do for them, and the problems we face in helping them.
________________
New, Very Severe Security Vulnerability In Windows
There are big problems now with a new, very severe security vulnerability in Windows. You can become infected even if you merely visit a malicious web site. See the articles linked below.
The vulnerability exists in all versions of Microsoft Windows, including Windows 98, except Windows NT. Macintosh and Linux computers are not affected.
NEVER follow instructions like those here unless you verify they are correct by reading an official source! In this case, you can see the instructions in the Microsoft article linked below. To see the instructions, load the article in a browser, click on "Suggested Actions", click on "Workarounds", and click on "Un-register the Windows Picture and Fax Viewer".
Temporary Fix -- Here is the temporary, incomplete fix given in the Microsoft article linked below. This adjustment does not make a computer secure, it just makes it more secure:
regsvr32 -u %windir%\system32\shimgvw.dll
This command, an un-registration, will disable the automatic loading of graphics files in Microsoft Picture and Fax Viewer. That is better than risking infection of your computer with viruses, spyware, and other malware.
After un-installation, you will need to open a graphics program to view photos and other graphics. You can use Microsoft Paint, for example: Start/ Programs/ Accessories/ Paint. However, be careful to open only image files from trusted sources. If you view an infected graphic with Microsoft Paint, your computer will be infected.
Graphics in email programs like Mozilla and Thunderbird and Opera will display normally after un-installation.
Before the un-install, if your computer is about to be infected, you will see a pop-up message from those three em
Why not make this one of a subscriber's privileges?
Rich And Stupid is not so bad as Working For Rich And Stupid.
That just might be because they are comparing a group of systems (the entire Unix world) with one system (windos, though there are several flavours, one might count it as actually two systems - those NT based and those win32 based).
Then there's the whole issue of assigning issues, especially with applications. Yadayada.
Then there's the whole issue of configuration. It's a well-known fact that windos systems can be made reliable and secure, if you can find one of the rare really good windos admins. Unix admins, on the other hand, are better on average, though the real pros are just as hard to find. But it's easier to set up well, so with better admins and better default settings it tends to be more secure on average, but that's due to secondary factors, not higher code quality.
In the end, you arrive at one conclusion: These things are sufficiently different that they are hard to compare. Whatever you do, you have to make some assumptions, and if your assumptions are wrong, your results are worthless.
Speaking strictly for me personally: I'd much rather entrust data worth $1 mio. to a Unix system - any unix system - than data worth $100,000 to a windos box. Call it prejudice or experience, I don't care, I've been proven right often enough to know that's a good rule-of-thumb.
Assorted stuff I do sometimes: Lemuria.org
True for most cases, however I would like to make one exception:
If an application error allows an attacker to gain root (Admin on windos) on the vulnerable system, the problem becomes an OS vulnerability.
In other words: it very well is the job of the OS to ensure that applications can not hurt the system. Both windos and most Unixes do a pretty shabby job at that, though stuff like privilege separation has pushed Unix ahead in the game.
The real solution to this, SELinux, Trusted Solaris, etc. - the whole RBAC/MAC area, is currently still too much in development and too complex for the average admin to get mainstream acceptance.
Assorted stuff I do sometimes: Lemuria.org
But many Linux distributions blur the distinction between third party and core OS...
Linux distributions come with a large wealth of software, while Windows comes with a comparatively minimal set. How would a Linux distribution fare when stripped down to the same level as Windows? And not to mention the fact that virtually anything can be removed from a given Linux distro, whereas Windows has lots of components which can't be removed/replaced.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Infoweek:
"The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings)."
Ya gotta love CYA jargon and short disclaimers, the white wash for troll reporting.
Some days it's just not worth
chewing through my restraints.
So many Linux distros are out there. The Gentoo developers, for example, have not even fixed a blocking bug (marked as minor) for mplayer for weeks.... although it is extremely obvious how to do that...
Having worked as a maintenance coder in a past life, I can tell you that on review of code to add some new functionality or to tweak some bit of code, bugs and flaws are discovered that (almost) never would have been discovered by users ... while not a daily occurrence, I suspect that every maintenance coder has found flaws in just this manner...
If you think imaginary property and real property are the same, when does your house become public domain?
I read this list and I was shocked at the ridiculousness of the categories. First, a lot of the vulnerabilities listed are due to third-party software, so you can hardly attribute those flaws to the platform itself. (If I install an add-on to my car that makes it easier for people to break in, is Honda responsible?) Second, the Linux/Unix category is beyond absurd. In addition to covering many different Linux distributions, it also includes multiple flavors of BSD, HP-UX, AIX, and OS X among others. To make it even worse, the Linux/Unix category includes software which should definitely go under the multiple operating systems category. SquirrelMail? Apache? Come on.
This list makes about as much sense as saying: "This Ford car has fewer flaws than this Honda, Toyota, Kia, and this microwave oven combined! Great job Ford!" I suppose someone over at CERN is on the Microsoft payroll. And Slashdot bought into it. Silly.
Join Tor today!
If you bare your ass to the world (linux) everyone is able to count the pimples. If you keep it covered, how does anyone ever really know?
Join the Slashcott! Feb 10 thru Feb 17!
...to the point where finding them while attending is almost a Hallowed Tradition now.
Got time? Spend some of it coding or testing
Vulnerabilities on the *nix platform aren't going down. Regardless of how easy it is to retrieve and install patches/updates, one is seemingly bombarded with the need to update. One hears the Linux zealots, for example, brag how fast the response to bug/exploit reports is and how quickly (this varies from vendor to vendor) the bugs/exploits are fixed. Great. While the response and ability to band-aid is admirable (very much so!), where is the quick response to improving software processes to help prevent all these potential exploits? Where is the quick response to fix the root causes?
Every time these articles get posted there always seems to be a great deal of deflection of discussion from the root cause. I wish articles like these fostered discussion of possible paths to solution and/or how people can help protect themselves in light of all these vulnerable, bundled applications.
We all know how responsive the *nix community is, in particular the GNU/Linux platform; what a lot of us don't know is how we can stop this problem or at least more significantly mitigate the effects.
All this list means is that more are reported. It doesn't mean that Unix is less secure, and by saying that let me qualify it by saying 'when used correctly'. There are many Windows admins who can make a Windows machine more secure than a bad Unix guy, and there are Unix guys who will make a machine impregnable next to a well patched Windows machine. It's all about difficulty and severity. Let me qualify that:
I think the real question is two fold:
#1 - If you get compromised, how bad is the damage?
#2 - How much of the exploit is really your fault and not the developer's?
-- As a Unix admin, if you install a copy of a program, leave it for a few years and then turn on a bunch of useless protocols that were beta to begin with, and you didn't read the manual -- who is at fault? The development team or the admin who didn't take the risk into account? In this case, a default install on Windows might actually end up being more secure than your dumb self.
-- Now as a Windows admin, all you can do is wait and feed off the Microsoft trough. If something breaks, you can't exactly go debug the code and fix it. You're only lucky if someone writes a workaround, such as for this recent WMF exploit. But in general, the tools aren't usually bad for working, and if you're really good you can probably find a workaround, or go delve into the registry for that particularly sticky key some developer left in there for you to find. Obviously for the smart Unix admin, finding settings is a 'man' call away, even for a mediocre admin.
SO:
And Like so many have mentioned, this is all about reported bugs. And the difference is, when you report a bug to an open source team, they take it personally and complete it at any cost. When you report a bug to Microsoft, they look at it and figure out how much it'll cost them before they even acknowledge it. They are a company, that's just how it works. I would say don't get pissed about it, just realize the consequences and do the best you can.
And for God's sake, pick a good d4mn root/Administrator password.
- Brett
A chap named Chris MacDonald at the University of WA does it routinely.
But he's the only one I know.
The bits and pieces in MS-Windows are all heavily tied together not so much for technical as for marketing reasons. If everything is one great hairball, it's easier to argue that it can't be split. If you still have MSIE lurking even after you "uninstall" it, it will eventually work its way back to being used as a browser again. If MSIE "cheats" and uses little-known APIs to speed its operation, then other browsers look slow and clumsy on the same system. But most importantly, everything on the system is a kind of sales link to everything else on the system. As soon as one gets a foot in the door, the others get dragged in as dependencies.
Developers, developers, developers my ass. It's all about sales, sales, sales.
Got time? Spend some of it coding or testing
Come on, does anybody even report MS vulnerabilities anymore? Wouldn't that be like the meteorologists reporting that tomorrow the sky will be blue?
Does anyone else find it pretty absurd that the list of vulnerabilities is that long anyway? All statistical concerns (and as a student of that discipline, I have many) and OS opinions (I run Gentoo) aside, I think it's rather telling about the state of the industry, and consequently rather depressing, that there are literally thousands of reasonably major holes in the machines we've imbued with as much trust as the sum of all the Linux/UNIX and Windows boxes out there. Being a programmer, I know expecting perfect code out of the box is irrational, but maybe it's time for some paradigm shift.
"My heart is in the work." - Andrew Carnegie
Quality vs. quantity: a thousand little issues that are context specific do not mean as much as just one huge universal hole in an OS.
The WMF problem is public now, but has been with us since 1990; if anyone has known about this flaw for all those years, Windows users may have been totally owned for ages.
The nature of the WMF bug is such that it is not blocked well by generic security measures. Many of the small *nix issues are stopped by good security practices and generic measures.
Why don't people get it?
Some users here are forgetting that Windows by itself is not an OS. I can not go to the store and buy the Windows operating system. There is Media Center (basically XP), XP Home, XP Pro, XP 64, 2000 Pro, NT, CE, and so on. Same goes with the various distros of *nix. I like to use Fedora, Redhat 9 and Win XP. I say use whatever works for you. I do believe that since you have a company (Microsoft) with such a huge OS market share, more people are writing malicious code to screw with Microsoft. It's also easy for malicious code to take advantage of a system where most users are working on their personal PC as the administrator. Every owner of a new Microsoft OS is the admin of their PC. You never see instructions included with a Dell PC with XP stating that users should work with the least amount of privileges. I also believe that you have more computer-intelligent users using a *nix system. Given enough time, any OS can be exploited.
Pollardito (781263) sez: "this isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS"
From CERT: "Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information."
Meaning, of course, that the statement in the parent "According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows" is complete FUDcrap.
The difference between bias and ignorance is you treat one with the wide side of a clue by four, and the other with the narrow side, but it doesn't matter which is which. Corrective phrenology is not an exact science.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
When you group all OS-specific vulnerabilities against Unix-like operating systems into one large non-OS-specific category, they outnumber the still OS-specific Windows category.
This is as useless as comparing apples to orange groves.
When I talk to my boss about moving over to Linux for some of the servers, this is the type of article that he will throw in my face. As a matter of fact, before I saw this on slashdot, this article was already printed and sitting on my chair - with a smiley face drawn by my boss. It's hard to argue the obvious when crap like this circulates in the media. There is a reason open source is called open. When 10,000+ coders look at open source code, you find many more security holes that you plug up than if 1000 Microsoft programmers look at their own code. Microsoft programmers also face political issues. Imagine my friend, who works for MS. His partner wrote and released a piece of code. 2 days after it went into production, he discovered a bug. This was right before bonuses were handed out. Of course he held back on the info until after the bonus, and then he submitted the fix.
Intelligent Design
I think, as time progresses, we will hear more of this, that Linux has more vulnerabilities.
Not because it really does, but because Linux is becoming more mainstream, adopted by more people. And as the user base becomes larger, the overall technical expertise of the user base lowers. And since Linux gives the user complete control over the OS, it's much easier for someone not in the know to expose their system and become susceptible to "vulnerabilities"...
hope that makes sense lol...
On the eve of a major attack to the windoze OS you tell us other OS' are 3 times worse, yeah right buddy... http://www.theregister.co.uk/2006/01/05/secfocus_zeroday/
http://www.heise.de/english/newsticker/news/68019
http://www.google.ca/search?hl=en&q=Sober.Z+worm&btnG=Google+Search&meta=
"Of course, as usual this vulnerability only affects Unix computers."
or when hell freezes over, whichever comes later.
For a variety of technical, social and corporate reasons the effects of Windows vulnerabilities are generally magnitudes more damaging than those found in Unix.
A simple bug-count can never give a real picture about what's what.
~ Better a freak than a sheep. ~
Windows had more vulnerabilities listed than Linux.
Then it would have been heralded as proof that Windows sux!
There is only 1 vendor providing Microsoft Windows, and there are several providing Linux and Unix operating systems. So on a per-vendor basis, it's clear that Windows has more vulnerabilities.
This doesn't surprise me. Look at it this way: you're giving away the source code. Yes, the code is changed often and is highly secure for systems like Linux and Darwin, but you're also giving hackers a road map as to how to proceed in compromising a system. Staying proprietary has its merits. There's just no denying it. On the flip side, you also have to remember that Microsoft's system runs on a high percentage of the world's computers. And most of those computers are run by non-technical people who run as root user (Administrator in Windows' case). This gives hackers a much larger and less secure target, so it would appear that Windows has all the security problems (viruses, spyware, etc). Linux users, on the other hand, are more knowledgeable users than their Windows counterparts and so this, in and of itself, leads to fewer compromises. Linux users "get" the concept of running multiple, non-root accounts which, as we all know, is a much more secure way of running a system.
In 2003, the most stolen car was the 1995 Saturn SL, now does this mean a 1995 Saturn SL is an insecure car technically? Or could this mean that it's in car thieves' financial interest to steal this car? It's a Tech Vs. Economics question. I think it's all about perception and what people want to believe. All I can say is I've run some very secure Windows systems and never had a problem. As for the mom and dad Windows users, perhaps the next version of Windows will run as a non-root by default and I bet we'll all see less Windows compromises.
What we have from this is the indisputable fact that more *nix vulnerabilities were reported in the year than Windows vulnerability. This could mean a wide variety of things though...
For instance, this could just mean that the open source model is working as it was meant to and many eyes are finding more bugs. Windows could still have far more.
Also, consider that this does not go into detail on the severity of the codes. I am far more concerned about one serious vulnerability that would allow someone to readily get my sensitive information and control my pc than a dozen minor ones which may be exploitable only under uncommon circumstances or that allows only less severe exploits.
I find it interesting that they dump Macs, every Linux distro, and Unix into one category and Windows into another. The main point being all of the Linux distributions lumped together. These are ongoing projects with new versions coming out frequently. Counting XP SP2 and 2003 SP1 I believe Windows had 2. This is the same thing as saying Ford, Chevy, and GM combined had higher crash ratings than Toyota last year. The "No Duh!" response leads me to believe this is objective reporting at its best.
What I want to know is a breakdown of how many vulnerabilities each OS, distribution, and version had reported. How many of these were cross platform, found in every version of an OS, and which were version specific. Add another column for the number of bugs that were reported by a 3rd party interest and how fast these bugs were patched. Then add the same column but for self-reported bugs. Lastly, to be fair to MS, give the current estimated market share.
Unix/Linux = Dozens of operating systems and hundreds of distros
Windows = One operating system and a handful of versions
Register the editry.
All are products of one company. The others are not. Period.
I'm no Microsoft apologist, but it takes a certain combination of arrogance and ignorance to assume that your side is absolutely right, and the other side is absolutely wrong (both in terms of opinions, and how the opinions are presented). Everyone has a valid point to make. All that matters is how the points are interpreted.
And you are a shining example of that combination. I took no sides, merely pointed out that it was unfair to lump together products from different companies.
My beliefs do not require that you agree with them.
Here's another example of what I was talking about above: Circumventing Group Policy as a Limited User.
Note the end of the article: "It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team."
That's another example of Microsoft's mindset, in my opinion. It appears to me that Windows is deliberately weak. It's not an accident that Windows has low security.
wow, either M$ has joined forces with CERT, or has bribed them with some obscene amount of green stuff (which turned out to have cockroaches in it... all you M$ stuff is belong to BUGS) anyways... thought i'd troll some...
M$ is working on "In Soviet Russia, you annoy M$ bug!"
Flame away folks!
Is it just me or are all the open softwares under *nix? Don't ImageMagick vulnerabilities exist on Windows as well?
Atheism is a non-prophet organisation
Never mind that the majority of both lists are third-party applications anyway... yah, so exploited applications on *dos are much more dangerous than *nix - it is still harder to assign specific blame to microshaft, even if they made it easy to corrupt their platform.
Didn't anyone see the "sponsored by Microsoft" link on that site?
I'll agree to that. Privilege escalation should only be possible via system calls, and there shouldn't be holes that allow arbitrary escalation.
I'll still hold that I'm not terribly interested in counting some linux-specific IMAP server's security issues as a 'possible' OS X security issue when nobody is known to even have built that IMAP server on OS X, though, and vice versa. My main point is that the whole concept of grouping "Unix/Linux/MacOS" together stinks, as surely not all of those flaws affect all of those systems.
How many *nix admins have the patch management in place to tackle the updates? In a Windows shop you prepare and expect "ugly patch day" just like you do with every OS. So, I don't care about the OS as long as it does the job when I need it to and when it breaks I can fix it without too much headache. Seriously, stop crying. I will make a huge assumption that most Slashdotters are computer enthusiasts and that we all know one thing: no matter the product or vendor, at some point you're gonna take it in the ass.
I agree with you - up to a point. If it does the job it's OK for me. If it breaks, I'll fix it - but I will not have a headache over it. And I'm most certainly not crying. I am a computer enthusiast and so like working with them - all of them. I know that all vendors make a mess of it on occasion and have grown accustomed to the idea that I have to clean up after them if I want my little corner of the IT world to continue to work. But "take it in the ass" no! If we get down to that level I rapidly develop "an attitude problem" and quickly demonstrate that I'm part of the "leave blood on the floor and hair on the walls" fraternity. There has to be limits and, if pushed, I'll impose one or two.
How many beans make five, anyhow ?
...but probably patented.
Got time? Spend some of it coding or testing
How about this: they found all of the bugs in Windows like 2 years ago so they didn't find that many in 2005? :D It doesn't prove anything anyway...