Slashdot Mirror


The Annual US-CERT FUD Festival

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux." We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.

3 of 152 comments

  1. Re:Downright Disingenuous by User+956 · Score: 4, Informative

    The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.

    It looks like we both posted at the same time. At any rate, you have a point to a certain degree. My post here shows that if you go through the list and subtract out all the items with "updated" after them, and subtract OS X and Solaris, the Linux/Unix group category is about on par with Windows, not 3x worse.

    Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

    --
    The theory of relativity doesn't work right in Arkansas.
  2. From the article.... anti-FUD stats by CodeShark · Score: 5, Informative
    Not intending to "karma whore" here, but look at the stats from an already done analysis:
    • 22 Technical Cyber Security Alerts were issued in 2005
      • 11 of those alerts were for Windows platforms
      • 3 were for Oracle products
      • 2 were for Cisco products
      • 1 was for Mac OS X
      • None were for Linux

    And secondarily look at this quote:
    • "Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux."

    Folks, as other /. posters have already discussed better than I can, most of the supposed Linux bugs are either duplicates or in user-space software. That would be akin to saying a Firefox browser vulnerability is a Windows OS security problem, as opposed to an underlying OS vulnerability that would affect any and all software on the platform.
    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  3. FALSE. by WindBourne · Score: 4, Informative
    Umm, I looked at the list and they weren't counting the same vulnerability multiple times.

    Very false. Just look for Larry Wall Perl Insecure Temporary File Creation (Updated). Three instances of the exact same item. And only in *nix even though ActiveState Perl for Windows had the same issue. So, there are LOTS of issues with this report. Cert is more SNAFU than not.

    --
    I prefer the "u" in honour as it seems to be missing these days.
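The recount that the first and third comments describe (collapse "(Updated)" re-issues into one item, set aside OS X and Solaris, and compare against the raw per-platform totals), as an added example that is not part of the original thread; the rows are constructed in the style of the US-CERT summary entries, not the real 2005 list.

```python
import re
from collections import Counter, defaultdict

# Constructed rows in the style of the US-CERT summary entries the comments
# above describe (title, platform bucket). Not the real 2005 list.
SAMPLE_ROWS = [
    ("Microsoft Windows GDI Buffer Overflow", "Windows"),
    ("Microsoft Windows GDI Buffer Overflow (Updated)", "Windows"),
    ("Mozilla Firefox JavaScript Heap Overflow", "Windows"),
    ("Larry Wall Perl Insecure Temporary File Creation", "Unix/Linux"),
    ("Larry Wall Perl Insecure Temporary File Creation (Updated)", "Unix/Linux"),
    ("Larry Wall Perl Insecure Temporary File Creation (Updated)", "Unix/Linux"),
    ("Apple Mac OS X Safari Remote Code Execution", "Unix/Linux"),
    ("Sun Solaris LPD Denial of Service", "Unix/Linux"),
    ("Mozilla Firefox JavaScript Heap Overflow", "Unix/Linux"),
]

# A trailing "(Updated)" marks a re-issued advisory, not a new flaw.
UPDATED_RE = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)

def normalize_title(title):
    """Strip the '(Updated)' suffix and case so re-issues collapse to one key."""
    return UPDATED_RE.sub("", title).strip().casefold()

def raw_counts(rows):
    """The headline numbers: one count per row, duplicates included."""
    return Counter(bucket for _, bucket in rows)

def unique_counts(rows, exclude_terms=()):
    """Distinct flaws per bucket, optionally dropping titles that mention
    any of exclude_terms (e.g. OS X and Solaris, which are not Linux)."""
    terms = [t.casefold() for t in exclude_terms]
    seen = defaultdict(set)
    for title, bucket in rows:
        key = normalize_title(title)
        if any(t in key for t in terms):
            continue
        seen[bucket].add(key)
    return Counter({bucket: len(keys) for bucket, keys in seen.items()})

def cross_platform_titles(rows):
    """Flaws listed under more than one bucket: user-space software counted
    against every OS it ships on, which says nothing about the OS itself."""
    buckets = defaultdict(set)
    for title, bucket in rows:
        buckets[normalize_title(title)].add(bucket)
    return sorted(t for t, b in buckets.items() if len(b) > 1)

if __name__ == "__main__":
    print(dict(raw_counts(SAMPLE_ROWS)), dict(unique_counts(SAMPLE_ROWS, ("Mac OS X", "Solaris"))))
```

On the constructed rows the raw tally reads 3 Windows versus 6 Unix/Linux, while the de-duplicated count with OS X and Solaris set aside is 2 versus 2, which is the comparison the comments argue the press should have made.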