Slashdot Mirror


Linux/Unix Tops Charts for Vulnerabilities in 2005

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."

30 of 438 comments

  1. One Take by ackthpt · · Score: 5, Insightful
    It's because most *ix vulnerabilities are reported (and usually fixed rather quickly, particularly in the case of Linux distros.)

    Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.

    I take this sort of revelation with a grain of salt and give it as much weight.

    many eyes only make for strong code when the code can be seen

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:One Take by skraps · · Score: 4, Funny

      You feel that sting, big boy, huh? That's pride fuckin' with you!

      (source)

      --
      Karma: -2147483648 (Mostly affected by integer overflow)
  2. perfect place to discuss, though! by yagu · · Score: 4, Insightful

    It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?

    Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!

    Look for answers to:

    • how these vulnerabilities are reported (the article is painfully light on this)
    • what the vulnerabilities were and how serious they were
    • whether or not there is redundancy in the reporting mechanisms
    • what association and influence Microsoft has over this reporting process
    • how quickly vulnerabilities are fixed and how soon working patches are made available to the public
    • who is the author of this article? (Gregg Keizer), and what is his slant/bias?

    I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.

  3. From the FA: by drinkypoo · · Score: 4, Insightful

    The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).

    In other words, these findings are absolutely useless.

    Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.

    As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Along with the total numbers... by Jane_Dozey · · Score: 4, Insightful

    ...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.

    --
    Silly rabbit
    1. Re:Along with the total numbers... by LnxAddct · · Score: 5, Informative

      Not only do they not take into account severity, a large portion of the vulnerabilities in the Linux list are tagged with "update" meaning that a large portion are just updates to previously filed bugs, but worst of all, their lists are just plain wrong. A huge chunk of the open source projects listed under *nix are not listed under Windows, yet they run on Windows and the vulnerabilities affected windows. There are Apache, Gaim, PHP, Zope, Clam AV, Vim, Emacs, Perl, MySql and many more vulnerabilities listed just under *nix, yet equally affect Windows. Even worse, Windows has 1 firefox vulnerability listed, yet *nix has 153 firefox vulnerabilities listed (including the couple of tens of updates) but every vulnerability I saw listed equally affected Windows. This list is separating vulnerabilities by pretty much whether it's open source or not (for the most part, say 90%), not by what platform it runs on, yet the latter is how they are categorized. This whole list is a big giant piece of misinformation and someone needs to correct it.

      It's also not intelligent to group together all Unix derived operating systems, as they all follow completely different security structures, development paradigms, and grouping them is simply serving to inflate already misleading numbers. The fact is that the only thing this list clearly shows is that open source projects are much better at following up on security problems (noting all of the updates), and that there are far more applications that run under *nix than under Windows once you account for all of the at least semi-popular open source projects.
      Regards,
      Steve

  5. Already hashed over in depth on GrokLaw by jmac880n · · Score: 5, Informative

    This is old news. PJ has done a pretty thorough job debunking this one on Groklaw.

  6. Yes, indeed. by DaedalusHKX · · Score: 5, Insightful

    Let me put this into context.

    Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.

    --------------

    What does it take for open source (being open to all) to report a flaw?

    Finding it of course.

    What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).

    Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).

    --------------

    And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.

    ~D

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  7. How about pointing out... by Anonymous Coward · · Score: 5, Insightful

    They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...

    I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.

    1. Re:How about pointing out... by molnarcs · · Score: 5, Insightful
      Yeah, I agree.

      In other words:

      There are at least 12 distinct operating systems in their list - Solaris, Cisco, SCO Unixware, OpenBSD, FreeBSD, NetBSD, HP-UX, AIX, HP Tru64, MacOS X, Linux variants like SuSE, Debian, Gentoo, RedHat (I counted Linux as one, even though most of the vulns. are found in their specific configuration/management tools). Add an arbitrary number of applications: KDE and GNOME, that in itself has more apps that are counted for Windows, every free SQL database server, mail server, (LotusDomino for Christ's sake!), imap client, ftp client, ftp server, etc...

      Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

      Of course, the fallacy of the comparison is that it suggests that Linux or Unix is an Operating System. For someone who does not look at the details, it might seem that installing a specific Linux or Unix operating system is more risky - hey, there are more bugs found in Linux/Unix, that's what the article says! In fact, the opposite is true, if you look at the details.

      Not that the comparison is useful in any way - why are Safari bugs counted at all? Safari runs on OS X only, so you can't just dump safari bugs into linux/unix bugs category (how retarded is that?). Why are bugs found in SuSE YAST counted as Linux bugs? They have nothing to do with linux or unix - they are specific to one operating system: SuSE linux (the same applies for all the bugs counted in Debian, RedHat, Gentoo, etc.) Not to mention the duplications: Eric Raymond's "Fetchmail POP3 Client Buffer Overflow" is counted 5 times for linux and BSDs. There are duplications for windows as well though. In other words, this list or comparison is pretty much unusable.

    2. Re:How about pointing out... by Pollardito · · Score: 4, Informative
      it's even worse than that, here's some of the UNIX vulnerabilities:
      # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
      # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
      # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
      # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
      # Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
      # Adobe Reader For Unix Local File Disclosure
      # Andrew Church IRC Services LISTLINKS Information Disclosure
      this isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS
    3. Re:How about pointing out... by Dolda2000 · · Score: 4, Informative
      Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!
      Actually, it's far worse than that. If you filter out the "Updated" entries for each vulnerability, it lands on 672 for Windows and 892 for the so called "Unix/Linux" category, which means a mere 32% more vulnerabilities for 12 systems + 10x more apps than in Windows + Windows apps alone!
    4. Re:How about pointing out... by jrockway · · Score: 4, Insightful

      The security holes don't even have anything to do with the OS. When there's a Windows hole, it's a hole that allows you to take over the OS. These "linux holes" are holes in shitty php scripts that happen to run on Linux. This just in... you can write shitty, insecure software that runs on Linux. Duh!

      If you look at all holes in the Linux kernel and base GNU utils vs. all holes in the Windows kernel and in the Windows core OS, you'll notice that Windows has many, many more. And the ones that Linux has are things like "temporary file permissions vulnerability" whereas Windows has ones like "arbitrary user from the network can flash your bios with the byte sequence 'lolololol pwnd'". Personally, I'd rather have someone read my sudoers file than hose my BIOS, but hey... at least windows has cool games or something.

      --
      My other car is first.
    5. Re:How about pointing out... by LnxAddct · · Score: 5, Insightful

      So out of curiosity, I removed all (Updated) lines from the results, and all blatantly duplicate exploits, and also any non-linux exploits, just to see how they matched up. Keep in mind that I kept a lot of the php, apache, and other exploits in the list but did not add them to windows despite that these also affect windows and should be included. The numbers I got were 784 to 672, Linux to Windows. Then, because in the windows list they strictly kept to vulnerabilities that only affected windows and not multiple platforms, I took out any vulnerabilities from the linux list that would 100% for certain be cross-platform and affect Windows as well. The list reduced to 669, which is right on par with Windows (keeping in mind that I left some exploits in the list because I was only say 80% or 90% sure and so I gave Windows the benefit of the doubt). Just out of curiosity, I then took out any linux vulnerabilities that were specific to one vendor (i.e. Red Hat, Suse, Gentoo, Debian) for a number of reasons which I won't get into. This brought it down to 639. That last number doesn't really represent anything other than a curiosity of mine.

      I was originally going to have a disclaimer stating that these numbers are accurate probably to within +-30, but since they were so close, I don't think it's necessary. One observation I've noted is that the Linux vulnerabilities are spread over a far greater variety of applications. Another thing worth noting is that it looks like Windows can not easily be effectively secured as long as security updates are done as they are currently. Most linux distros (Red Hat/Fedora, Suse, Debian, Gentoo, etc. off the top of my head) provide a central repository that will update everything on your system for you. This appears to be a much more optimal method of applying updates. If nothing else, these results show that not just core functionality, but also supporting functionalities must be kept up to date and are just as much of a security problem, if not more so. Linux distributions support such update methodologies natively, Windows does not.

      It appears that Linux is the winner here no matter how you look at it, and we didn't even begin to look at severity or the time from disclosure to time patched (which isn't available using the information in the report, but my inclination is to say that open source wins hands down here, call me biased if you will). For the files that I referenced and modified to get these numbers, you can get the windows list here and the first linux list here (the one with 784 exploits, not 669). These lists are not 100% accurate as I'm sure the regexes I used missed some things, or were too greedy in other cases. I also did some manual pruning that wasn't appropriate to be done with regexes, which I'm sure wasn't 100% accurate either, but these lists are close.
      Regards,
      Steve

  8. Dear Slashdot, by hellomynameisclinton · · Score: 5, Funny
    Dear Slashdot,

    I'm offended by the latest comparison of Linux and Windows. The linked article offers no measurable insight, and is exactly the kind of flamebait that bores the /. community. It goes without saying that I did not read the article, but I know enough about operating systems that it is incorrect, and insight-free.

    Please change your editorial practices to fit my tastes better.

    ComplaintGen (R) - 2006
    1. Re:Dear Slashdot, by Linker3000 · · Score: 5, Funny

      Slashdot EeziPost (TM) MK 1.1.01

      #NB: For obvious reasons, the first option is ENABLED by default - remember to turn off if you are NOT responding to a dupe

      [ ] Another: [ ] Dupe [ ] Slashvertisment [X] WTF [ ] $editor is a dork

      [ ] Frist psot [ ] $link_to_GNAA [ ] $link_to_goatse [ ] $random_drivel

      [ ] I Haven't RTFA, but... $random_self_opinionated_comment

      [ ] [$Slashdot_reader] writes, "[$pundit] wrote an article about [$Technology_we're_not_currently_fond_of], based on conjecture and personal opinion. Does this mean that [$Technology_flavor_of_the_month] is taking over?

      [ ] Slashdotted already! I bet their server runs on $topic_item too!

      [ ] I am not qualified to respond to this article, but I will give you my insight anyway..

      [ ] Here's a plug for my blog / Web site disguised as an insightful comment (I need the ad revenue)

      [ ] Next they'll be patenting 'A method of replying to a Slashdot posts using a form containing pre-defined response options'

      [X] Mod Parent [X] up [ ] Down

      [ ] Fsck: [ ] Sony [ ] SCO [ ] Micro$oft [ ] DMCA [ ] DRM [ ] MPAA [ ] RIAA [ ] Google [ ] Bush [ ] You all

      [ ] I for one welcome our new $topic_item overlords

      [ ] Imagine a beowulf cluster of those

      [ ] In Soviet Russia, $topic_item owns you!

      [ ] Meh!

      [ ] You must be new here!

      [ ] Netcraft confirms $topic_item is: [ ] dead [ ] dying

      [ ] But have the inventors thought of what will happen if $random_amateur_insight

      [ ] You insensitive clod

      [ ] Torrent, anyone?

      [ ] Here's a link to a patch: $random_linux_distro_url

      [ ] "Yeah, but does it run Linux?"; if($summary has 'linux') add " Oh, wait..."

      [ ] Profit!!

      [ ] Tinfoil hat at the ready

      [ ] Still no cure for cancer

      [X] "()*%£^" No Carrier

      --
      AT&ROFLMAO
  9. Re:perfect place to discuss, though by tomhudson · · Score: 4, Insightful

    Since this is a dupe debate (it happens ALL the time) why not just link to the previous list of comments? I'm not even going to read TFA, because these useless debates have gotten to be a waste of time. There's no winning this debate - we're all losers for having editors who think that this is "news".

  10. "OS Vulnerability" vs "Application Vulnerability" by javaxman · · Score: 4, Interesting
    There is more than one problem here, but something which must not be ignored is that a large number of the listed 'vulnerabilities' are very application-specific.

    Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you?

    And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.

    So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...

  11. Here's a quick answer: by khasim · · Score: 5, Interesting
    TFA says that there were 2,328 reported vulnerabilities for *nix.

    I counted the lines and there are 2,329 lines.

    Here's an example of 10 of them:
    # BZip2 File Permission Modification
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)
    # BZip2 File Permission Modification (Updated)

    Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
    A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.

    And then they list 10 different distributions. Hmmmmm ..... it looks like the old "multiple reporting" problem.

    So, one problem in BZip2 == 10 counts of "problems".
    1. Re:Here's a quick answer: by OdieWan · · Score: 5, Interesting

      Removing the duplicate lines is enlightening;
      # strip the "(Updated)" / "(updated)" re-issue marker, then count distinct entries
      cat usoft.txt | sed -E 's/ *\([Uu]pdated\) *//g' | sort | uniq | wc -l
          747 lines
      cat unix.txt | sed -E 's/ *\([Uu]pdated\) *//g' | sort | uniq | wc -l
          1050 lines

      That brings them almost in line with each other. Of course, we could do a half-assed job of cutting things down to just the OS to remove concerns about all the bundled apps;

      # keep only entries naming the OS vendor / kernel before deduplicating
      cat usoft.txt | grep Microsoft | sed -E 's/ *\([Uu]pdated\) *//g' | sort | uniq | wc -l
          160 lines
      cat unix.txt | egrep '([Kk]ernel)|(GNU)|(XFree86)' | sed -E 's/ *\([Uu]pdated\) *//g' | sort | uniq | wc -l # GNU/Linux, not Linux!
          167 lines

      Of course, any of this would be far too much work for the author of the article.
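      The two comments above (khasim's ten BZip2 lines and OdieWan's sed/sort/uniq pipeline) both hinge on the same normalisation step: fold the "(Updated)" re-issues back onto their original advisory before counting. The script below is an added example of that step as a reusable pipeline; it is not code from the original thread or from US-CERT. The entry list it runs on is constructed here: the BZip2 and Adobe names mirror lines quoted in the thread, while the "PLACEHOLDER" kernel and GNU entries are invented stand-ins, not real advisories. The OS-level keyword filter is the same crude one OdieWan used.

```shell
#!/bin/sh
# Added example: normalise a US-CERT-style vulnerability list and count
# unique entries, so re-issued ("Updated") advisories are not counted twice.

# Constructed sample input. The BZip2/Adobe names mirror lines quoted in this
# thread; the PLACEHOLDER entries are invented stand-ins, not real advisories.
sample_lines() {
    cat <<'EOF'
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
# Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
# Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
# Linux Kernel PLACEHOLDER Local Denial of Service
# Linux Kernel PLACEHOLDER Local Denial of Service (updated)
# GNU PLACEHOLDER Temporary File Race
EOF
}

# Strip the list's leading "# " bullet, a trailing "(Updated)" marker in any
# capitalisation, and surrounding whitespace, so every re-issue collapses onto
# the original entry. Note the marker is anchored to the end of the line; an
# unanchored substitution would also mangle titles that merely contain the word.
normalise() {
    sed -E 's/^#[[:space:]]*//; s/[[:space:]]*\([Uu]pdated\)[[:space:]]*$//; s/[[:space:]]+$//'
}

# Count every line as US-CERT's raw total does.
raw_count() {
    grep -c ''
}

# Count distinct advisories after normalisation.
unique_count() {
    normalise | sort -u | grep -c ''
}

# Crude "OS only" cut: same keywords the comment above used for the *nix list.
# It is a heuristic, not a classification; it keeps anything naming the kernel,
# GNU or XFree86 and drops everything else.
os_unique_count() {
    normalise | grep -E '[Kk]ernel|GNU|XFree86' | sort -u | grep -c ''
}

echo "raw entries:      $(sample_lines | raw_count)"
echo "unique entries:   $(sample_lines | unique_count)"
echo "OS-level unique:  $(sample_lines | os_unique_count)"
```

      On the sample above the raw count is 9, the de-duplicated count is 5 and the OS-level cut leaves 2, which is the shape of the correction the thread is describing: the raw figure overstates the distinct advisories by nearly a factor of two before any severity or platform weighting is applied. To run it against a real list, replace sample_lines with "cat unix.txt" or "cat usoft.txt".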

  12. TFA sums it up: by Savage-Rabbit · · Score: 4, Insightful

    The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).

    In effect: This information is completely useless for comparing operating systems.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  13. 2,328 bugs found is 2,328 bugs fixed. by Stuupid · · Score: 4, Funny

    2,328 is a whole lot more than 812. That means that *nix et al are 1,516 fixes ahead of the competition.

  14. BeanBunny is a known troll by Anonymous Coward · · Score: 5, Insightful

    and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.

    1. Re:BeanBunny is a known troll by MECC · · Score: 5, Insightful

      Actually, it wasn't BeanBunny that lumped the various 'Nixes and 'Nix-like OSes into one category - it was CERT. Also, the CERT list includes all vulnerabilities for all software running on an OS, not just the OS themselves. Also, it's only a list - no mention of how severe a given vulnerability is.

      To really get a picture of how the OSes themselves stack up in comparison to one another with respect to vulnerabilities, try Secunia. They list vulnerabilities, and how severe a vulnerability is, and why a given vulnerability is a problem, along with other interesting and relevant info about vulnerabilities.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
  15. Important points not mentioned by necro2607 · · Score: 4, Insightful

    Points not mentioned:

    - amount of risk caused by vulnerability
    - percentage of high-risk vulnerabilities per OS
    - time taken to patch vulnerability
    - whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE) ... etc. etc.

    Statistics aren't so useful with such lack of completeness.

    Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...

  16. Puh-lease by MattW · · Score: 4, Insightful

    Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.

  17. Re:Suuuuure by dsci · · Score: 4, Informative

    What percentage of discovered bugs do you think are actually found by looking at the source code of a program?

    All of them?

    I know your point: that the INITIAL discovery and exploit is not typically found by looking at the code. But to fix vulnerable code, one must FIND and edit it. The point is, once an exploit is discovered, there are many people who can locate the faulty code and fix it fast.

    Open Source is a good thing. Really, what is the down side of source code availability?

    --
    Computational Chemistry products and services.
  18. Re:Suuuuure by stevey · · Score: 4, Informative

    All the bugs I find and report which result in Advisories are as a result of source code auditing.

    It looks like I made the CERT list a couple of times, e.g. uw-imapproxy.

    But these bugs are trivial things in applications which are either "extra", or not typically installed.

    Fixing bugs in programs is important, but having a list of 500 simple buffer overflows in rarely used games (for example) on Linux says nothing about the relative security of Linux vs. Windows.

    The worlds are too different. Comparing every application included in Debian, say, against Windows would only make sense if you installed every single shareware/freeware/optional piece of software on the windows machine - and that clearly isn't a real world scenario.

  19. OFF TOPIC -- Good suggestion here, CowboyNeal! by Dystopian+Rebel · · Score: 4, Interesting
    I wish I could mod submissions.


    Why not make this one of a subscriber's privileges?
    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
    1. Re:OFF TOPIC -- Good suggestion here, CowboyNeal! by DrMorris · · Score: 4, Interesting

      What about modding the editors? I would especially like a button [decrease karma for posting a dupe... again] :-)