[LINK] Linux riskier than Windows?
rchirgwin at ozemail.com.au
rchirgwin at ozemail.com.au
Thu Mar 24 18:43:41 EST 2005
Since we're using the inaccurate "how many vulnerabilities were patched"
(as well as many other inaccuracies we've beaten to death on Link),
here's a very straightforward debunk. The "most often vulnerable" OS,
according to queries to the CERT database, is Cisco IOS.
Now. If someone said "IOS is more vulnerable than Windows", Cisco would
rightly explain just how inaccurate the survey was. The same applies to
this sort of non-research.
Bernard Robertson-Dunn wrote:
>Linux riskier than Windows?
>By Robert Lemos
>Published on ZDNet News: March 22, 2005, 4:56 PM PT
>Companies face greater risks if they run their Web sites on Linux rather
>than Windows, a Microsoft-funded study has concluded.
>Last year, Web servers based on Windows Server 2003 had fewer flaws to
>fix than those based on Red Hat Enterprise Linux ES 3 in a standard
>open-source configuration, researchers said in a paper released on
>Moreover, the study indicated that the Microsoft-based Web server had
>far fewer "days of risk"--a measure of the number of days that each
>vulnerability is known, but unpatched--than the open-source rival.
>"All this study can do is give people pause, to say they shouldn't go
>with common wisdom over which platform has more security," said Herbert
>Thompson, one of the three authors of the paper and the director of
>research and training at Security Innovations, a security applications
>company. The common belief is that Linux is more secure that Windows.
>The paper has already caused controversy, as some details were presented
>at the RSA Conference last month. Previous studies comparing measures of
>security in Windows and Linux have also caused heated discussion.
>"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's
>security response team, wrote about the recent study in a blog posted to
>the software company's Web site on Tuesday. He said that the study did
>not separate "critical" vulnerabilities from less serious ones, a
>comparison that would favor Red Hat.
>Red Hat did not otherwise comment on the paper and referred requests for
>comment to the blog.
>Counting the holes
>For the study, researchers counted the fixes published for flaws in each
>Web server setup in 2004. In addition, they tallied days of risk, the
>cumulative number of days between the time information on a flaw is
>publicly released and the time the software developer patches that
>A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days
>of risk, while a Microsoft configuration had about 1,600, they said.
>As for flaws, a Red Hat-based Web server with open-source Apache Web
>server software, MySQL database and the PHP scripting language had to
>deal with 174 holes in its default configuration, the study found. A Web
>server based on Microsoft Server 2003, Internet Information Server 6,
>Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the
>The researchers also studied Red Hat and Windows Web servers in minimal
>configurations, taking out of consideration applications that are not
>needed for serving Web pages. Even in that case, Microsoft still handily
>beat Red Hat, with only 52 flaws, compared with 132 for the Linux
>Red Hat's Cox countered the findings in his blog posting.
>"There were only eight flaws in Red Hat Enterprise Linux 3 that would be
>classed as 'critical' by either the Microsoft or the Red Hat severity
>scales," he wrote. "Of those, three-quarters were fixed in a day, and
>the average was eight days."
>Critical flaws are generally those that allow an attacker to remotely
>take control of a computer system. The study did break vulnerabilities
>down into "high," "medium" and "low" severity ratings. Flaws graded as
>high severity include Red Hat and Microsoft's critical classifications
>and flaws that allow local users to gain access to system functions.
>Microsoft had far fewer high-severity flaws in both the default and
>minimal configurations, according to the paper.
>Microsoft did fund the study, the researchers acknowledged. The software
>giant released a statement on Tuesday that indicated the report was part
>of Microsoft's "Get the Facts" campaign aimed at highlighting the
>benefits of Windows software.
>"When Security Innovations submitted a proposal to Microsoft to research
>ways to measure vendor software security, we evaluated the proposal and
>determined that this type of analysis would be useful for our customers
>and funded their research," the company said in the statement. "We
>encourage customers to review and evaluate the data in the context of
>their own computing environments."
>Richard Ford, a computer science professor at the Florida Institute of
>Technology, and Fabien Casteran, a security test engineer at Security
>Innovations, were the authors of the report alongside Thompson. The
>researchers hope to stave off criticism by publishing their methods as
>part of the report.
>"The methodology was designed to allow others to validate it for
>themselves--it has to be quantitative and repeatable," Thompson said.
>"We didn't just want to hand people the cake; we wanted to give them a
>recipe as well."
>While both days of risk and vulnerability counts aren't true measures of
>security, Thompson said that they wanted to focus on a metric that
>mattered to system administrators. The cumulative time they had to wait
>for patches is a reasonable measure, he argued.
>Thompson admitted, however, that security largely depends on the
>expertise of the administrator.
>"I think either (operating system) is infinitely securable by a skilled
>Jedi administrator," Thompson said. "If I have a Linux guru, then I want
>that guy to do the Linux web server. I am more of a Window guru, so I
>would use Windows."
More information about the Link