01-06-2006, 11:14 PM
Registered User
Join Date: Feb 2005
Posts: 29
*nix 'had more vulnerabilities than Windows'
The government (which is never wrong) says Linux is more vulnerable than Windows. Anyone have any comments as to the validity of this?
http://news.zdnet.co.uk/0,39020330,39245873,00.htm
The US Government has reported that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Linux/Unix-based operating systems — a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix — had over twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.... [more]

01-06-2006, 11:46 PM
Registered User
Join Date: Apr 2003
Location: Buenos Aires, Argentina
Posts: 4,221
Bleh... I've seen articles like this one lots of times... I don't really give a damn.
__________________
djserz.com.ar
"All the drugs in this world won't save you from yourself..."

01-06-2006, 11:55 PM
Registered User
Join Date: Dec 2005
Location: Sydney, Australia
Posts: 87
Yes, I believe that the tooth fairy has also weighed into the debate, and she has also unequivocally stated that Windows is far more secure than *nix could ever hope to be.
Seriously though, does anyone with experience of these matters give any credence at all to such reports? I have read recently that Microsoft are in the habit of lumping a number of vulnerabilities together and reporting them as one. Of course, it is not surprising that an organisation that can't code can't count.
Hugh
__________________
You can choose from any of a number of operating systems, or you can use Windows.
Let he who has coded without bugs cast the first stone.

01-07-2006, 01:19 AM
Registered User
Join Date: Jan 2003
Posts: 980
http://trends.newsforge.com/trends/0.../1627242.shtml
Quote:
One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro.

01-07-2006, 03:23 AM
Grasshopper Moderator
Join Date: Sep 2003
Location: Rochester, MN
Posts: 3,481
Quote:
Originally Posted by rocketpcguy
QFT.
When you think about it, the numbers make a lot of sense when you group basically all non-Windows OSes together. Besides the fact that Windows still had the worst vulnerabilities, regardless of number.
__________________
Please read the Posting Guidelines before you post. They make everyone's life easier and help you get an answer to your question.
My hardware and distro list.
In memory of mdwatts: RTFM, G4L, and Fold like your life depends on it - some day it may.

01-07-2006, 03:53 AM
Registered User
Join Date: Jul 2004
Location: Oregon
Posts: 285
I guess what really counts is how many Linux/Unix machines died from swallowing the poison pill. I do know of one XP machine whose hard drive had to be wiped clean multiple times to rid it of whatever it had digested. That computer ran more like a pinball machine than a computer before it was repaired.
ed

01-07-2006, 04:18 AM
no longer in use
Join Date: Jun 2002
Location: Washington
Posts: 172
I don't think anyone could ever make software or an O/S that is 100% vulnerability-free. Leave someone alone with it long enough and a hole will be found. More important is what the corporation's response to those holes is: just ignore it and hope it goes away, or provide support to their users and issue the fixes as quickly as possible. I guess that could work the opposite way also. If a public statement was made about a security flaw, those with bad intentions could exploit it faster and more often before a fix could be made. Kind of a catch-22, really. Damned if you do, damned if you don't. My opinion only.
Chad

01-07-2006, 09:56 AM
Moderator
Join Date: Apr 2001
Location: SF Bay Area, CA
Posts: 14,950
How many Linux systems were vulnerable to this one?
http://secunia.com/advisories/18255/
Exactly.
You need to look at more than just "the number of vulnerabilities". You also need to look at some measure of the severity, and some measure of how fast a patch was issued.
(By the way: I would like to thank Microsoft for actually getting off their rear ends and producing a patch, even though it was out of cycle. At least they recognized the severity of this particular issue. But I'd also like to note how it took them a week and a half to do it. Or, some would say that it took them approximately 5 years to do it, since this code was only ever in Windows for backwards compatibility with 3.1; IMO it should have been removed way back in either NT 4 or 2000 SP4. But that's another issue; if you still have users running programs written for 3.1, you need to get them to upgrade, not keep providing the back-compat hacks that Microsoft does. This would also be much easier if they didn't have to pay for their programs, like we usually don't.)
I've been watching Secunia for most of the last year; I can say that on average (for whatever an average is worth), the Linux vulnerabilities were about 2 or 2.5 out of 5 for severity. The Linux kernel vulnerabilities were never above 2; the average on those was closer to 1.5 or so. None of the kernel vulnerabilities were remotely exploitable, and most were mere DoSes. A few allowed information leakage, but not data manipulation.
(The rest of the "Linux vulnerabilities" were programs or libraries or languages; but note that the majority of these programs also run on Windows, and so do all the languages. A few of the libraries do as well.)
The Windows ones (including IE, which often fixed about 5 vulnerabilities with one patch, see above about lumping and Microsoft's inability to count) averaged at least 3. Some of this was because they were being lumped together, and Secunia's rating was for the worst vulnerability of the lot. But even taken individually, the average wouldn't be below 3.
All in all, this isn't surprising when you realize who pays tons of money to ZDnet: Yes, you guessed it, Microsoft.
__________________
"Quando omni flunkus moritati" -- Possum Lodge motto -- Loose translation: "When all else fails, play dead."
Registered Linux User #219692
Please take a look at the Posting Guidelines, to help us help you!
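The two objections raised in this thread, that the report counts one shared flaw once per distro and that a raw count ignores severity and time-to-patch, can be made concrete with a small script. This is an added example, not code from the forum or any of its posters; the advisory records, vulnerability identifiers, 1-to-5 severities and patch delays are constructed for illustration and are not real advisories.

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    family: str          # grouping the report compares: "nix" or "win"
    product: str         # the specific OS or distro the advisory was issued for
    vuln_id: str         # identifier of the underlying flaw (constructed, not real CVEs)
    severity: int        # 1 (not critical) .. 5 (extremely critical), Secunia-style scale
    days_to_patch: int   # days from disclosure to a vendor fix for this product


# Constructed sample data: V-100 is one flaw in a shared library that three
# distros each shipped an advisory for; V-200 affects two Windows versions.
SAMPLE: List[Advisory] = [
    Advisory("nix", "Distro A", "V-100", 2, 3),
    Advisory("nix", "Distro B", "V-100", 2, 5),
    Advisory("nix", "Distro C", "V-100", 2, 4),
    Advisory("nix", "Distro A", "V-101", 1, 2),
    Advisory("nix", "Distro B", "V-102", 3, 7),
    Advisory("win", "Windows XP", "V-200", 5, 10),
    Advisory("win", "Windows XP", "V-201", 4, 30),
    Advisory("win", "Windows 2000", "V-200", 5, 10),
]


def naive_count(advs: List[Advisory], family: str) -> int:
    """Count every per-product advisory, the way the report did: a flaw shared
    by N distros is counted N times."""
    return sum(1 for a in advs if a.family == family)


def unique_vulns(advs: List[Advisory], family: str) -> Dict[str, List[Advisory]]:
    """Group a family's advisories by underlying flaw so each bug counts once."""
    groups: Dict[str, List[Advisory]] = {}
    for a in advs:
        if a.family == family:
            groups.setdefault(a.vuln_id, []).append(a)
    return groups


def summarize(advs: List[Advisory], family: str) -> Dict[str, float]:
    """Per-family metrics: naive vs. deduplicated count, mean severity of the
    unique flaws (worst rating per flaw), and median days until the first fix."""
    by_id = unique_vulns(advs, family)
    return {
        "naive_count": naive_count(advs, family),
        "unique_count": len(by_id),
        "mean_severity": mean(max(a.severity for a in g) for g in by_id.values()),
        "median_days_to_patch": median(min(a.days_to_patch for a in g) for g in by_id.values()),
    }


if __name__ == "__main__":
    for fam in ("nix", "win"):
        print(fam, summarize(SAMPLE, fam))
```

On the constructed data the naive count favours Windows (5 vs. 3) while the deduplicated count, mean severity and patch delay all point the other way, which is exactly the distinction the thread argues for.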

01-07-2006, 10:04 AM
Registered User
Join Date: Jan 2006
Posts: 2
Quote:
Originally Posted by trisyin8
The government (which is never wrong) says Linux is more vulnerable than Windows. Anyone have any comments as to the validity of this?
http://news.zdnet.co.uk/0,39020330,39245873,00.htm
The US Government has reported that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Linux/Unix-based operating systems — a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix — had over twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.... [more]
I agree with it, because Linux has its own advantages, but a DDoS attack under Linux is very easy; see, entering a Linux system would be easy for a hacker if he is a Linux geek, because the source code is open source.
Well, there may be attacks with Windows too, but I say Linux could be attacked easily.

01-08-2006, 03:10 PM
Moderator
Join Date: Apr 2001
Location: SF Bay Area, CA
Posts: 14,950
Quote:
Originally Posted by spechackers
but a DDoS attack under Linux is very easy,
Easy to perpetrate a DDoS using Linux, or easy to attack Linux with a DDoS? The target operating system matters not one bit when you're doing a DDoS -- because all you're doing is taking up all the target's available bandwidth. That type of attack has nothing to do with an operating system's level of security.
Quote:
see, entering a Linux system would be easy for a hacker if he is a Linux geek, because the source code is open source.
Wrong.
First, see http://linuxmafia.com/~rick/faq/inde...e=virus#virus4 -- this is specifically discussing viruses, but it's still relevant to security holes: the same logic applies.
Second, if what you're saying is true (that being open-source is less secure than being closed-source), then Apache should be easier to break into than IIS. Yet, it's not -- how many IIS boxes have been defaced (or worse, just broken into quietly), compared to Apache boxes? If you believe Microsoft's hype about IIS 6 being secure, then you should see this page too: http://www.zone-h.org/en/defacements/view/id=2531794/
Your comment also betrays a lack of understanding of how attackers find security holes in programs. They don't need the source code, although if it's available it does sometimes get used. All they're looking for is a certain pattern of code -- those patterns appear in both the source code and the compiled binary. They're different patterns, but they're just as obvious in the end binary as they are in the source. Source does not make finding bugs easier. It does, however, make fixing them easier, and this is (part of) why Linux is better.
Security holes will show up no matter what software you're using. What you need to do is use software that (1) gets fixed faster, and (2) has fewer high-severity holes to begin with. That's open-source stuff. (1) is true because anyone can see the source, and the bug is very often "shallow" (i.e. obvious) to someone. (2) is true because knowing that lots of people will be able to see your code, and know it's your code, makes authors more careful to begin with. So when there are issues, they're (usually, though not always) less major.
__________________
"Quando omni flunkus moritati" -- Possum Lodge motto -- Loose translation: "When all else fails, play dead."
Registered Linux User #219692
Please take a look at the Posting Guidelines, to help us help you!