The Annual US-CERT FUD Festival

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.

Downright Disingenuous

[TripMaster+Monkey]

The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.

From the Groklaw article:

Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.

I honestly expected better from the CERT folks. I don't know why, but I really did.

Re:Downright Disingenuous

[User+956]

The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.

It looks like we both posted at the same time. At any rate, you have a point to a certain degree. My post here shows that if you go through the list and subtract out all the items with "updated" after them, Subtract OSX and Solaris, the Linux/Unix group category is about par with windows, not 3x worse.

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

Re:Downright Disingenuous

[winterlong]

I would have expected better *if* CERT was still in the hands of a university. I wouldn't trust a government analysis as far as I could throw a CRAY.

Re:Downright Disingenuous

[MindStalker]

And yes I did just search the internet for a 1U or 2U cray for you to throw. Can't find any yet... I'll let you know when I do.

Re:Downright Disingenuous

[MindStalker]

Whats worse is the fact that a POP3 Client Buffer Overflow on Windows would not be included at all as one doesn't ship with Windows. Linux distros generally ship with thousands of clients and servers while Windows ships with the bare minimum. To do a true security comparion you would have to compare either just kernel exploits with OS exploits, then compare all popular software for windows with all popular software for Linux side by side in a catagory basis (POP3 clients being a catagory)

Re:Downright Disingenuous

[MyDixieWrecked]

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?

What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.

There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the lastest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.

Should Compare A Single Version Of Windows Too

It's equally unfair to lump Windows 98, NT, 2000, XP all together. They could be looked at as different "distros" of Windows. Should pick the best or latest OS from each group with the least vulnerabilities to compare.

Re:Should Compare A Single Version Of Windows Too

[MyDixieWrecked]

It's equally unfair to lump Windows 98, NT, 2000, XP all together.

well... you're half right. I'd say it's better to lump 95/98 together and NT/2000/XP together since most of the later versions of windows are pretty much the same thing on the inside...

however, it's really unfair to quantify the vulnerabilities for any OS as a whole. There are so many facets of any computer system that many vulnerabilities don't affect most people.

Saying that a exploit for Apache affects the entire linux/unix/osx install base is an unfair statement. Desktop linux users probably don't have apache running or a bug in X11/xorg won't affect most *nix servers. Likewise, a bug in MSSQL or web services won't directly affect most XP users, although a bug in explorer will affect nearly every windows user (who's running an affected version of explorer).

You can't even really create lists of vulnerabilities that affect "server" versus "desktop" users, either, because just because something is a server doesn't mean they're necessarily running every server daemon they can.

There needs to be a list of servertypes (ie: web, email, file, database, etc exclusively) showing not only the quantity of vulnerabilities but also the severity of said vulnerabilities. Perhaps even a table separating different applications.

I mean, you shouldn't really lump every proftpd vulnerability with every other ftp server software. All it takes is one bad egg to poison the overal results.

Re:Should Compare A Single Version Of Windows Too

[GuyverDH]

It's valid, and yet invalid - all rolled into one.

No they aren't many different distros, only 2.

Windows 1.x -> ME are all different versions of windows management systems based on MSDOS.

Windows NT 3.x -> 2003 are all different versions of windows management systems based on NT.

So only 2 distros, with lots of versions.

Now Linux has had how many distros? I've read as high as 90, and no, I haven't done the research myself to come up with my own answer, but I know personally of at least 20.

Add to that the BSD distros, of which I know of 3 personally.

Then they lumped in 4 completely different Operating systems - not even distributions.
AIX, Solaris, HP-UX and MacOSX - all of these are true UNIX operating systems - not the complete list by far - Tru-64, Centix, C-TIX, the pre-caldera UNIXWare, OpenServer, Xenix, UNIX, etc...

Remember, Linux ISN'T UNIX. So why the hell would they lump them together. Here's why - it's the only way they could get the numbers to add up to anything close to a large margin above the count from the 2 distros of Windows.

Skewed? Oh yeah...

[fak3r]

Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly. Let's see how many were against the Linux kernel vs all the userland apps that don't touch anything system level. Now I'll admit bugs show up, and I think that's Open Source's strength; there's constantly ppl combing over the code finding f'd up stuff that no one would think to look at. This is only achieved through constant gazing at the source code, whereas with Windows a bug is usually found out after it's a vuln. Also, I'm happy that MS patched the issue so quickly, even if they were beaten to the punch, perhaps they'll take things (security) more seriously now that they're pushing 'trusted computing'. Not that I care that much, I'm sold on Linux, OS X on the desk and freeBSD on the server, but I did play with ReactOS the other night, and see a future for x-Windows folks who don't want to lose Windows compat when XP support goes away...

The numbers are unimportant

[Billosaur]

Shouldn't we be asking the more pertinent question: why do all the various operating systems have so many vulnerabilities? When it comes to such things, this shouldn't be a competition. OS builders should be striving for zero tolerance to vulnerabilities and there shouldn't be an quibbling over the number that exist.

Re:The numbers are unimportant

[jdunn14]

That sounds great and all, but do you have any idea of the complexity, and therefore cost involved? Ever tried to debug something consisting of 10000 lines, let alone something the size of an OS? No bugs is just not realistic, and truly a better goal is to ensure that when bugs are found they have minimal impact (like ensure users aren't running as root) and patch them in reasonable time (days to weeks, not months to years).

Now on the topic of this bug counting, if windows is lumped together then linux should be to some degree too, but on the same order of magnitude. A half dozen distros, maybe even mirror the windows counting a little more and make some of those distros be older but still supported ones. Also, the various unixes and linux are entirely different beasts. Just because they try and present a somewhat compatible user interface and APIs doesn't mean that they should be grouped into one object when counting bugs.

Re:Well..

[theonlyholle]

But that's not the same - we're talking about basically one Windows product with its associated unique vulnerabilities, but when we talk about Linux distros, we talk about several different ones that have the *same* vulnerability counted multiple times because it exists in multiple distros. Just one look at the CERT list and you will see all the duplicates in there. And then of course, even if you remove the duplicates, you are still left with vulnerabilities that were only present in one distribution, but got counted against "Linux/Unix" although 99% of the distros were never affected.

the thing about the list...

[User+956]

Part of the contention is the repeat entries with the "updated" notation. So if you throw out all 141 "updated" occurrences in the Microsoft section, that leaves 671 (812-141=671).

If you throw out all 1437 "updated" occurences in the linux/unix secion, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with 13 more vulnerabilities than Windows (891-130-77=684), but it's for more operating systems, so it may be fair to divide that 684 further.

Patch Time

[ndtechnologies]

Good point and I'd like to add, What about the time length between when vulnerabilities are found, and then patched? Surely, they thought about that. Linux and Unix can continue to have more "reported" vulnerabilities than Windows, but if they are patched faster than Windows, doesn't that count for something?

Take a deep breath and count to ten...

[pieterh]

They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.

What is "it"? Slight tinge of paranoia here, maybe?

Let's review the score here:

  - It does not matter what material is published, the fact of the matter is that every Windows PC in the world regularly has visible and non-trivial security issues, while on Linux and OS/X these issues are generally theoretical.

  - People's perceptions of Windows are very simple: it's a piece of crap that they use because it came with the box and everyone else uses it.

  - The relative security of Windows vs. the World is not a deciding factor in most people's use of Windows. It's largely a captive, neutered market.

  - For people who actually do care, no amount of statistics can change the visible and perceived situation. When I choose to ban Windows in my company, it's not because I read some website or article. It's because I'm sick and tired of removing spyware from people's PCs.

Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.

Take what the CERT says with a grain of salt...

[dpmccoy]

I'm an automation officer in the U.S. Army, and I know for a fact that we're full of Microsoft shills and contractors with Microsoft loyalties. We don't employ Unix/Linux in an enterprise manner; the government sold its soul to Microsoft years ago. Unix is used on some Army tactical platforms, though. Food for thought.

From the article.... anti-FUD stats

[CodeShark]

Not intending to "karma whore" here, but look at the stats from an already done analysis:

• 22 Technical Cyber Security Alerts were issued in 2005
  • 11 of those alerts were for Windows platforms
  • 3 were for Oracle products
  • 2 were for Cisco products
  • 1 was for Mac OS X
  • None were for Linux
  , and secondarily look at this quote
• "Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

Folks, as other /. posters have already discussed better than I can, most of the supposed Linux bugs are either duplicates or in user- space software. That would be akin to saying a Firefox browser vulnerability is a Windows OS security problem,as opposed to an underlying OS vulnerability that would affect any and all software on the platform.

My Own Research

[vjmurphy]

Using the patent-pending method of determining worth by comparing terms plugged into Google, I get the following:

Search for "Windows Bugs": 45,800
Search for "Linux Bugs": 23,400
Search for "Bunny Bugs": 31,100

From this method, I can determine that I should NOT watch Looney Tunes cartoons on my Windows Media Center PC. Or drink while posting.

Re:Skewed? Oh yeah...

Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly.

It would be interesting to see all of the Windows application vendors lumped into the "Microsoft security flaws" category in a similar manner. I've seen quite a few Windows applications from all sorts of software vendors with issues this last year and noticed they weren't listed. While one might argue at first that this would be unfair because of all of the commercial products available for Windows, I'm not sure Windows wouldn't still have an advantage. Just go to sourceforge.net and start counting up all the projects available there that could be lumped into Linux "security flaws."

Looking just at core operating system applications, Fetchmail doesn't make the cut. In fact, it's inappropriate to include GCC in there since I'm certain they didn't include Microsoft development environment tools in the Microsoft count. An apples-to-apples comparison isn't appropriate and perhaps for those uneducated technical journalists that like to make comparison stories, a kernel-to-kernel, browser-to-browser (e.g. IE vs. Mozilla vs. Opera), office suite to office suite, and other category-based comparison is the only appropriate approach.

Not true.

[fireboy1919]

They've got Apache vulnerabilities listed on the Linux side, but not on the Windows side - vulnerabilities that affected both places, I might add.

This is true of most of the *nix vulnerabilities, actually.

So what we're really seeing is Windows-only vulnerabilities being compared to ones that are OS neutral. Not that its very suprising, though. Its 2006.
With the exception of software written specifically for Windows, most software is cross-platform.

This is the only really meaningful way to do this kind of a report because of this characteristic. The important thing to keep in mind in that, though, is that Windows has all of its own vulnerabilities AND most of the others. :)

Agreed!

[Medievalist]

Let's settle on ONE (1) linux distribution....You brought this on yourselves with appix, bppix, cppix, and so on....

I vote for the "solves-my-problem-but-not-yours" distribution, which is clearly the best.

Incidentally, I am also in favor of settling on ONE (1) tool for all mechanical uses.
I favor the two-handed hewing axe, but I might be persuaded to vote for the claw hammer.

FALSE.

[WindBourne]

Umm, I looked at the list and they weren't counting the same vulnerability multiple times.

Very false. just look for Larry Wall Perl Insecure Temporary File Creation (Updated). Three instances of the exact same item. And only in *nix even though ActiveState perl for Windows had the same issue. So, there are LOTS of issue with this report. Cert is more SNAFU, than not.