Linux/Unix Tops Charts for Vulnerabilities in 2005
BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."
Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.
I take this sort of revelation with a grain of salt and give it as much weight.
many eyes only make for strong code when the code can be seen
A feeling of having made the same mistake before: Deja Foobar
It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?
Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!
Look for answers to:
I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.
In other words, these findings are absolutely useless.
Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.
As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
That they listed a few PHP apps that work on all 3 OS's as only on Linux. Hmmm
...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.
Silly rabbit
Sigh. The statistics were flawed the first time they were posted to /., no need to repeat that bag of bad science.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.
Nothing new here that was not reported on slashdot four days ago.. Move along. or repost your inciteful or insightful comment. or someone else's if you karma whore.
Some drink at the fountain of knowledge. Others just gargle.
In the Microsoft section there could be an entire block for : "Clueless user -- installed malware X which caused the propagation of virus Y"
In the Linux section there would be a similar block for : "Clueless user -- caused hard drive format"
Yeah. That was wanton. Sure, okay. I agree. It's probably true that most OSS vulns are reported to public forums while most MS vulns probably get identified in house and rolled into a patch. Maybe. In 6 months or so after the devs have had fun with it for a while.
fast as fast can be. you'll never catch me.
If you read the actual list, a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".
The theory of relativity doesn't work right in Arkansas.
Don't become a regular here, you will become retarded. -- Yoda the Retard
It would be interesting to compare the number of different versions of software and applications this covers. Windows XP has not evolved tremendously in the last several years. Certainly Microsoft has shown a renewed (if not a completely successful) focus on security lately. But I think Microsoft benefits in this survey from a more stately release cycle.
Author of Enyo: Up and Running from O'Reilly Media
Let me put this into context.
Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.
--------------
What does it take for open source (being open to all) to report a flaw?
Finding it of course.
What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).
Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).
--------------
And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.
~D
" What luck for rulers that men do not think" - Adolf Hitler
They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...
I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.
"so let the debate begin again over which OS is really more secure."
How about we don't and just say we did, better yet, whichever side you agree with, it won the debate.
Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, dont let our history die!
The title: Linux/Unix Tops Charts for Vulnerabilities in 2005
This is beyond any doubt, very very true. But before you call me a Microsoft Shill (I'm not, I use Debian myself), allow me to explain:
If one goes to www.linux.org, and searches for all GNU/Linux distros without a filter, they will see that there are 370 distributions. If that includes unmaintained ones, that number grows to 417. And that does not include all of the other Unixes, such as the BSD group, and, like the article pointed out, Mac OSX.
Now compare that to the Microsoft Windows operating system. Let's see, Windows 98 (I doubt people use anything worse than this), ME, 2000, XP, and even Vista. 5 operating systems. 370 / 5 = 74. Now the article claims that there were 3 times as many vulnerabilities. 74/3 = 24 and 2/3.
Unix/Linux is approximately 25 times better than Windows!
Well, the "windows" ones are "Windows Operating Systems"
And the "linux" and "osx" ones are "Unix/ Linux Operating Systems"
Seeing as "windows" ones are Windows and "linux" and "osx" are Linux, OS X, Solaris, IRIX, AIX, HPUX, Tru64, *BSD, SCO, etc., etc., I think 3x is not too bad as there are more than 3x the number of distinct operating systems.
That's without even looking at what might be classified as "application" versus "os" vulnerabilities in each category.
It is worth discussing OS security in terms of exploitable holes found. And before the detractors start coming out in droves saying "the real question is how many days a vulnerability remains unpatched," that's not the real question. That's a question, and it's certainly an important one. But it's not the only important criteria in determining the quality of an OS.
Even if a vulnerability is reported and then fixed quickly, the fact remains that it could've been used for dozens or hundreds (or more) exploits *before* it was reported.
It's not just a matter of "see, look how quickly we can bail water out of the boat." There's also the question of how many holes were in the hull to begin with.
I'm not saying that any particular platform is put together better than any other, just that it is a topic worth discussing.
I currently have no clever signature witticism to add here.
I'm offended by the latest comparison of and . The linked article offers no measurable insight, and is exactly the kind of flamebait that bores the
Please change your editorial practices to fit my tastes better.
ComplaintGen (R) - 2006
Another issue is that most Linux distros ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.
It is just irresponsible for CERT to be publishing distorted numbers like this.
Crispin
Volatile is an understatement.
Anyway, I've used a number of different operating systems and I've realized something. Computer security isn't so much the operating system you select, it's how diligent you are in keeping it secure. If you keep the system patched, behind a decent firewall, are careful with the software you run, and don't use the root/Administrator account for normal usage, you'll probably not have any issues with your computer. Granted, there are plenty of examples otherwise, but I'm referring to the standard user or sysadmin.
The problem comes in for users that don't understand that they need to keep their system protected more than it is out of the box. Some linux distros and Windows get it right by having automatic updates (if you need to disable these, you can easily enough).
Overall, there ARE good things and bad things about each operating system, but not much matters if the user isn't going to take some type of responsibility to keep their own system updated and protected.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
Groklaw has comments about this like:
Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
Kind of makes a numerical count of reported security problems pointless. (BEGIN SARCASM) Of course, the Linux/Unix security holes are much more serious than are Windows security holes because automated worms, viruses, etc. attack Linux/Unix machines but not Windows computers.(END SARCASM)
This is all out of context unless you look at the impact of the vulnerability, and how it is exploited. I didn't RTFA, admittedly, but I do know that the main reason for the exploit of vulnerabilities (both technology speaking, as well as the handling of these topics by the media) is largely because of the volume of Windows users in the world.
These articles only make the majority of the public even dumber.
It makes me think of the line from Billy Madison where the teacher proclaims "...At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it..."
Since this is a dupe debate (it happens ALL the time) why not just link to the previous list of comments? I'm not even going to read TFA, because these useless debates have gotten to be a waste of time. There's no winning this debate - we're all losers for having editors who think that this is "news".
Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?
And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.
So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...
I counted the lines and there are 2,329 lines.
Here's an example of 10 of them:
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
And then they list 10 different distributions. Hmmmmm
So, one problem in BZip2 == 10 counts of "problems".
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
In effect: This information is completely useless for comparing operating systems.
Only to idiots, are orders laws.
-- Henning von Tresckow
so let the debate begin again over which OS is really more secure.
I hear this junk all the time and can't believe people can say an OS is secure / insecure by the "applications" running on it. How is "Adobe Acrobat Reader" a reflection of how "insecure" Linux is? Or a problem with "Apache mod_install"? These are all applications which run on top of Linux. They are NOT the Linux OS by any means. The same goes for Windows with "Adobe Acrobat Reader" and "IBM Websphere". I would argue this is a garbage comparison.
Now compare what IS inside the OS. Windows cannot function without IE (according to Bill Gates). It's been incorporated deeply into the OS. Security problems with IE would qualify as a problem with the OS (for example). If it's something part of the OS then I would buy it as a security problem. Linux issues IMO would include problems such as say iptables, Linux Kernel Race Condition / Buffer Overflow and maybe Gnome/KDE (to name a few)
I understand I may be just a little picky about this but I think I've demonstrated my argument.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
2,328 is a whole lot more than 812. that means that *nix et al are 1,516 fixes ahead of the competition.
and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.
Points not mentioned :
-amount of risk caused by vulnerability
-percentage of high-risk vulnerabilities per OS
-time taken to patch vulnerability
-whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE)
... etc. etc.
Statistics aren't so useful with such lack of completeness.
Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...
The thing is, I see most people here actually analyzing the data and seeing the flaws within it. But many many computer users will simply see the headlines and start telling everyone that there are these things called "Linux" and "Mac" that are really insecure, so everyone should use Windows.
Semper Fi
The only intelligence there is in regards to windows is that of marketing... market it no matter what condition it is in. If "Intelligent Design" was more popular you can be sure MS would market Windows in a manner to ride off that, as they do everything else they can. I mean Hey, they got the singularity OS....(rolls eyes)
I think everyone knows how out of context the article is, which only shows the deceitful intent of those responsible for it being written.
Taking things out of context is a known action of those having intent to deceive.
Now if there were laws against such that applied to marketing.... We'd all have better things in life, cept for the deceptive.
But for those of us who do know to see past the BS... we are better off, depending on how deep the BS goes, and sometimes it gets rather deep.
If I recall correctly, they're actually double-counting some vulnerabilities in common software - once for Linux, once for OS/X, once for Sun Solaris etc (I think that was right - can anyone confirm?). None of this was malicious - this survey was never intended to be rigorous and the people doing the counting made that quite clear. However, it does mean that any attempts to judge the relative merits of the various operating systems are somewhat fruitless.
For the love of God, please learn to spell "ridiculous"!!!
Anyone with half a clue and experience with both OSes in a production environment already knows the truth, but there's some points for those who actually believe some of the shit that seems to be deemed newsworthy...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I copied the list to a file and ran 'uniq' and 'grep -v "(Updated)"' on it to remove any duplicates and rows containing the string 'Updated'.
Only turned up 813 lines.
This article in a TLA : WTF ?..
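As an added example (not part of any comment in this thread): the de-duplication attempted above with `uniq` and `grep -v`, next to a variant that strips the "(Updated)" marker before counting. The sample list is constructed from titles quoted in this discussion plus one made-up title, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample, not the real bulletin: titles quoted in the thread,
# plus one hypothetical title ("Hypothetical Widget Daemon ...") whose every
# listing carries the (Updated) marker. Repeats are deliberately not adjacent.
sample_titles() {
cat <<'EOF'
BZip2 File Permission Modification
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
BZip2 File Permission Modification (Updated)
BZip2 File Permission Modification (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
Fetchmail POP3 Client Buffer Overflow
Hypothetical Widget Daemon Format String (Updated)
BZip2 File Permission Modification (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
EOF
}

# Strip a trailing "(Updated)" marker, then collapse identical titles.
# sort -u is used because uniq alone only merges *adjacent* duplicates.
normalize_titles() {
    sed 's/[[:space:]]*(Updated)[[:space:]]*$//' | sort -u
}

# Titles that appear only in "(Updated)" form. A plain grep -v "(Updated)"
# deletes these vulnerabilities from the count altogether.
only_updated() {
    awk '
        { base = $0; upd = sub(/ *\(Updated\)$/, "", base) }
        upd  { seen_upd[base] = 1 }
        !upd { seen_plain[base] = 1 }
        END  { for (b in seen_upd) if (!(b in seen_plain)) print b }
    ' | sort
}

count_raw()        { sample_titles | wc -l | tr -d ' '; }
# The pipeline described in the comment above.
count_thread()     { sample_titles | uniq | grep -v '(Updated)' | wc -l | tr -d ' '; }
count_normalized() { sample_titles | normalize_titles | wc -l | tr -d ' '; }

printf 'raw lines:              %s\n' "$(count_raw)"
printf 'uniq + grep -v:         %s\n' "$(count_thread)"
printf 'marker stripped, uniq:  %s\n' "$(count_normalized)"
printf 'lost by grep -v:\n'
sample_titles | only_updated | sed 's/^/  /'
```

Neither count merges the two Fetchmail titles that the Groklaw excerpt quoted earlier describes as one vulnerability, so title matching alone still overcounts aliases.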
Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.
Funny!
Windows shows less bugs than Linux/Unix! I was always sure that Micro$osft is the best.
No Office suite exploits... It should be secure, now!
And, however, even kids know that "A known bug is a dead bug"!
(same kids know that "Bugs enter from open Windows")
What? WMF? Still unpatched since 3 months? But is a bug related to a feature coming from 1990, it's not a real bug...
What? Is a *deadly* bug?
But a company that depict his logo on my keyboard can't be wrong!
The idea of a security score card is good but the way they did it is meaningless. The ranking should be more like:
Number of bugs +
Number of bugs with known exploits x 5 +
Number of bugs with known exploits x the number of days the exploit was in the wild before the bug was patched.
Then multiply the whole thing by a risk factor (1-5) based on how much harm it can do.
No lumping multiple OSs. Each one should get its own card. Lumping applications bundled with the OS is reasonable but skews things too. For an accurate comparison, only bugs in features common to all platforms and bugs in non-optional components should be counted.
The way the current ranking they use works you could have 50 non-exploitable, local user only, file permission modifying bugs in 100 different Linux distributions and it would count as 5,000 bugs. Similarly you could have one remote attack that completely takes over a Windows box with known exploits which remained unpatched for 100 days and it would count as 1 bug. The score would be 5,000 to 1 in favor of Windows which is about opposite from what it should be in this example. These are completely meaningless numbers.
I don't know how the OSs would stack up given an accurate reporting but I would be interested to see.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
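As an added example (not the commenter's code): the score card proposed above, applied to the 100-distribution scenario from the same comment, once with everything lumped into one bin and once with a card per OS. Applying the risk factor per bug, and the risk values 1 (local file-permission bug) and 5 (remote takeover), are assumptions made here; the input is constructed.

```shell
#!/bin/sh
# One bug per line: card|exploited(0/1)|days_exploit_in_wild|risk(1-5)
# Constructed input for the scenario in the comment: 50 non-exploitable local
# bugs in each of 100 distributions, and one remote Windows bug with a known
# exploit that stayed unpatched for 100 days. Risk values are assumptions.
scenario() {
    awk 'BEGIN {
        for (d = 1; d <= 100; d++)
            for (b = 1; b <= 50; b++)
                printf "distro-%03d|0|0|1\n", d
        print "Windows|1|100|5"
    }'
}

# score_cards [lump]
# Per bug: risk * (1 + 5*exploited + exploited*days), summed per card.
# With lump=1 every non-Windows card is merged into a single "Unix/Linux" bin,
# which is how the thread describes the bulletin's grouping.
# Output: card|bug_count|score
score_cards() {
    awk -F'|' -v lump="${1:-0}" '
        {
            card = $1
            if (lump && card != "Windows") card = "Unix/Linux"
            count[card]++
            score[card] += $4 * (1 + 5 * $2 + $2 * $3)
        }
        END { for (c in score) printf "%s|%d|%d\n", c, count[c], score[c] }
    ' | sort
}

# card_score CARD [lump]: score of one card, reading bug lines on stdin.
card_score() {
    score_cards "$2" | awk -F'|' -v c="$1" '$1 == c { print $3 }'
}

echo "Lumped bins (card|bugs|score):"
scenario | score_cards 1
echo "Per-OS cards, three highest scores:"
scenario | score_cards | sort -t'|' -k3,3nr | head -n 3
```

With one bin the Unix/Linux score is still 5,000 against 530 for Windows; only the per-OS cards (50 per distribution against 530) put the remote, exploited bug on top.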
What percentage of discovered bugs do you think are actually found by looking at the source code of a program?
All of them?
I know your point: that the INITIAL discovery and exploit is not typically found by looking at the code. But to fix vulnerable code, one must FIND and edit it. The point is, once an exploit is discovered, there are many people who can locate the faulty code and fix it fast.
Open Source is a good thing. Really, what is the down side of source code availability?
Computational Chemistry products and services.
Utter rubbish! This is comparing one operating system with two varieties to a dozen different Unix and Unix-like operating systems with hundreds of variants, distributions and versions.
How about comparing just ONE operating system to ONE other operating system? Like Windows XP to Solaris/SPARC? Or Windows Server to FreeBSD 5.x branch?
Don't blame me, I didn't vote for either of them!
Basically UNIX (BSD, Solaris, AIX, IRIX, SCO, OS X), and ALL LINUX distributions are counted as ONE (1) bin, against MS Windows!!! So, have basically EVERY popular mainstream operating system other than Windows in one bin and windows in another, and you are trying to tout THAT as a stat that Windows has less flaws than Unix/Linux? Sure, it does when you count ALL VERSIONS OF UNIX AND LINUX TOGETHER AND ADD UP ALL THE VULNERABILITIES FOUND IN ALL THE DIFFERENT VERSIONS!!!!!
THEN there is the fact that different CERT warnings appear multiple times! For instance, Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated) is counted at least 4 times under the SAME NAME, and at least 1 more time under a different name, but it is still the same vulnerability!!!
See http://www.groklaw.net/article.php?story=20051231142317870 for more details.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
These aggregate numbers are meaningless. That being said, US-CERT made pretty clear that this was simply a list of reported vulnerabilities, not any sort of analysis, so I blame the news sites with taking the meaningless numbers and trying to create a news story that will get Windows and Linux/UNIX/MacOS X fans all excited to read and post (and generate ad revenue).
:-)
) were more useful, because they at least made it clear which issues were high risk, and which application or OS each vulnerability was associated with, and they avoided the misleading totals. Let's hope that next year they at least go back to the 2004 report format, even if they don't bother to do any meaningful analysis.
Why do I say that the aggregate numbers are meaningless?
1) They count "updates" to vulnerability reports as vulnerabilities, so there are many vulnerabilities that appear to be counted 5-10 times in the "UNIX" list, and 2 times in the "Windows" list. My guess is that these "updates" are individual OS reports, meaning that a single vulnerability in a cross-platform application would be reported as 2 Windows vulnerabilities and 10 UNIX vulnerabilities. CERT should break out each OS into its own counts in order to correct for this. Eliminating duplicate reports isn't good enough, because there are many OS-specific reports, and it doesn't make much sense to count vulnerabilities specific to Solaris AND Mac OS X AND Linux AND HPUX etc., in a single number, since you run only one OS at a time.
2) They count reports of multiple vulnerabilities as a single vulnerability, which means that OS's that release fewer updates, each of which patch multiple vulnerabilities (e.g. Apple, Microsoft) as having far fewer vulnerabilities than OS's that release specific patches for each vulnerability. Strangely, this punishes OS vendors that rapidly address and release patches for vulnerabilities, and reports vendors that are less responsive. CERT should count a single announcement that covers multiple vulnerabilities as if each vulnerability were reported individually.
3) They include third-party application vulnerabilities in the counts, and the number of those reports dwarfs the number of actual OS vulnerabilities (90-95% of the vulnerabilities listed aren't in the OS's). CERT should separate bugs in the OS's from optional third-party application bugs. Many of the vulnerabilities are in extremely obscure applications, and while users of those applications might want to know about these issues, it's hardly a reflection on the OS' security if there's a 'Wojtek Kaniewski EKG Insecure Temporary File Creation & SQL Injection' in some project's "contrib" directory, which is hardly comparable to 'Sun Solaris ARP Handling Remote Denial of Service' or 'Microsoft DirectX DirectShow Arbitrary Code Execution'.
4) Their OS coverage is quite spotty. For example, if an application runs on all OS's (e.g. Mozilla, bzip) and has a vulnerability that applies to all OS's, sometimes they're reported only for Windows, sometimes only for UNIX, sometimes for both, sometimes with many repetitions and sometimes only once. While this would require CERT to do some analysis (i.e. actually read the reports), they should consistently recognize cross-OS issues and remove them from the OS-specific lists and report them in the multiple operating system list.
Since each of these issues appears to introduce error rates that are an order of magnitude larger than the useful data, there's no meaningful data left.
Of course, people have pointed these problems out about these CERT reports for many years. Still, since we have these same pointless discussions every year, CERT should make some basic changes to make these reports somewhat meaningful. Their previous years' list (http://www.us-cert.gov/cas/bulletins/SB2004.html
Enable 3D printed prosthetics!
I never said open source was a bad thing, or there was a downside. Just that that particular 'benefit' is overrated. Firefox bugs are certainly fixed faster than IE bugs - but according to my logs half of firefox users who hit my website still run vulnerable versions.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
There is a difference between a vulnerability and an exploit. A vulnerability is just a potential weakness, a chink in the armor so to speak, but potential weaknesses cannot be taken advantage of unless it is exploited. It is thus the number of exploits that is the primary consideration when speaking of security.
Of course, Linux will have a large number of visible vulnerabilities! It is open source and anybody with two eyes and a passing knowledge of C should be able to find vulnerabilities almost everywhere. However, are those vulnerabilities actually exploitable? In most cases, Linux security alerts consist entirely of possible vulnerabilities and in most cases also, those vulnerabilities are quickly patched up and repaired; well before any practical exploits are written for it.
The case is not the same with Microsoft Windows. Because Windows is closed-source, the only way to demonstrate a vulnerability in Windows is to actually write an exploit for it! Thus, whenever a vulnerability has been discovered for windows, you can bet your Momma's last penny that there is a very good chance of the existence of a working exploit for it.
How many vulnerabilities are there in Windows we do not know of because we cannot examine the source? Judging from the number of exploits (written by people without access to Windows source code, by the way) we can infer with good accuracy that the total number of vulnerabilities in windows should be several times that of the number of exploits. I am too lazy to make a count but perhaps someone with the inclination can create a matrix showing Vulnerabilities vs exploit vis a vis Windows vs Linux. If we assume that the ratio of exploits to vulnerabilities is the same for both operating systems, what would be the estimate of the number of vulnerabilities in windows? If we further include the fact that Linux is open source while Windows is not, what would be the estimated number of exploits in Windows?
That would make an interesting study.
It is Linux's open-source nature that gives it the disadvantage when a simple-minded count of the security alerts for Windows versus the number of security alerts for Linux is made. But keep in mind that almost all security alerts for windows are not of vulnerabilities but of practical, demonstrably working, and potentially already widespread exploits. Most security alerts for Linux are of vulnerabilities.
In any discussion of security between Linux and Windows, the crucial distinction between vulnerability and exploit should be clearly enunciated.
All the bugs I find and report which result in Advisories are as a result of source code auditing.
It looks like I made the CERT list a couple of times, e.g. uw-imapproxy.
But these bugs are trivial things in applications which are either "extra", or not typically installed.
Fixing bugs in programs is important, but having a list of 500 simple buffer overflows in rarely used games (for example) on Linux says nothing about the relative security of Linux vs. Windows.
The worlds are too different, comparing every application included in Debian, say, against Windows would only make sense if you installed every single shareware/freeware/optional piece of software on the windows machine - and that clearly isn't a real world scenario.
That article is from last year.
=)
It's not offtopic, dumbass. It's orthogonal.
You should look at the list. http://www.us-cert.gov/cas/bulletins/SB2005.html Hardly any are "rarely used games", unless "Multiple Vendors Linux Kernel Asynchronous Input/Output Local Denial Of Service" is the latest FPS...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
It's easy to find a crash-scenario without the sourcecode, but to actually determine if the vulnerability is exploitable or not takes a lot longer, and is much easier to find in the sourcecode.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Well there's the diversity among unixes..
A single worm is unlikely to affect such a large proportion of users, since they will be spread out among different unixes and different distributions of linux etc..
Windows on the other hand, has a few distinct versions which are easily identifiable and easy to target in exploits.. The dcom worms for instance, differentiated between XP and 2000 and used appropriate parameters.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Why not make this one of a subscriber's privileges?
Rich And Stupid is not so bad as Working For Rich And Stupid.
what is the down side of source code availability?
The inability to maintain a monopoly by using scare tactics?
Write boring code, not shiny code!