Security

WinInformant Says Windows More Secure Than Linux 935

Posted by timothy
from the ho-hum dept.
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
  • by cperciva (102828) on Monday February 04, 2002 @12:44PM (#2950635) Homepage
    I can't remember hearing about many *new* security holes in win2K recently.

    I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.

    XP, on the other hand... but we're not talking about XP here.
  • Hey look at that (Score:2, Informative)

    by Archanagor (303653) on Monday February 04, 2002 @12:48PM (#2950669) Homepage Journal
    I sent a similar article, but was rejected. Peh, guess I need to work on my editorial skills.

    Anyway, before anyone gets on a high horse here. It needs to be said that it's the code. Not the features that allow users to do stupid things. Most of what's out there choking MS-based networks is because of the ease with which users can execute attached scripts and executables. Oh, and a hole in IIS, but that was mentioned in the article.

    Yes, MS is a monopoly. Yes, they're trying to squeeze more cash out of their consumers (Stupid WPA). But, damn, they do produce some of the most solid code out there, as well as some of the most feature-rich, usable applications. Alas, that's just my opinion, and considering that I use mostly MS apps, I might be slightly biased.
  • by tqbf (59350) on Monday February 04, 2002 @12:59PM (#2950788) Homepage
    I like SecurityFocus. The people in charge of SecurityFocus are with-it and honest. I am completely confident that this work was done in good faith.

    However, the conclusion being drawn here is invalid. The SecurityFocus vulnerability survey is interesting, but it is not itself a reasonable methodology to generate security metrics between operating systems.

    I could pick nits at this ad hoc study for hours, but the biggest problems are also the most obvious:

    First: the study associates third-party software with the operating system, and aggregates all the distributions together into a meaningless "Linux" category. This study is literally just pattern matching against advisories.

    Second: there is no notion of "severity" or "impact" in the study. This is a shame, because SecurityFocus has actually put some real effort into deriving a taxonomy of vulnerabilities from their (enormous) vulnerability database. There is no way to determine whether the N Linux vulnerabilities were equivalent to the K NT vulnerabilities.

    Third: the study compares a kit of open-source software, which has received extensive peer review, to a closed-source product. It should surprise nobody that Linux has more documented problems than Windows: it's actually possible to go find vulnerabilities on Linux. Finding Windows vulnerabilities requires black-box reverse engineering.

    Finally, both Linux and Windows do a reasonable job of locking down server configurations out of the box. What IT people need to know is vulnerability breakdown by operating system and by deployed configuration. This study does nothing to inform us of whether a Linux web server is at more risk than a Windows web server, or whether it's safer to expose a Linux print server or a Windows print server. Organizations that deploy homogeneous Apache+NFS+ssh server farms don't care about XFree vulnerabilities or Samba problems.

    I don't think SecurityFocus is actually trying to make claims about the relative security of Linux and Windows. I think they've been a bit careless with this report though; it's a reasonable thing to try to generate from their database, but more thought should have gone into presentation.

    SecurityFocus has the on-staff expertise to publish some real conclusions about the distribution of vulnerabilities between Linux and Windows. Before this database report is misconstrued by the trade press, it would be enormously helpful if they could publish a statement about the conclusions that can be legitimately drawn from it. It'd be good press for them, too.

  • Re:Simply put, (Score:5, Informative)

    by joshtimmons (241649) on Monday February 04, 2002 @01:05PM (#2950838) Homepage

    Actually, there aren't SO MANY MORE windows servers on the internet than *nix boxes.

    Please see this fine article http://slashdot.org/article.pl?sid=01/07/13/1240257&mode=thread [slashdot.org] which tries to compare the number of windows systems vs unix systems on the internet.

    Here are a couple of their conclusions:

    1. GNU/Linux is the #2 web serving operating system on the public Internet (counting by IP address), according to a study surveying March and June 2001
    2. GNU/Linux is the #1 server operating system on the public Internet (counting by domain name), according to a 1999 survey of primarily European and educational sites.
    3. GNU/Linux is the #2 server operating system sold in 1999 and 2000, and is the fastest-growing.

    Even taking the statistics most favorable to Microsoft, they had almost twice as many IPs on the public internet than Linux did in 1999. However, during that same period, there were many more than twice as many exploits, viruses, etc. that attacked windows vs unix.

    Linux has far too many installations on the public internet to be dismissed as too rare to interest hackers.

  • by Anonymous Coward on Monday February 04, 2002 @01:11PM (#2950864)
    *sigh* you guys aren't looking at both sides.
    Most and nearly all DoS attacks come from hacked *nix boxes. Want to talk about clogging up the internet? There's a much more important example.
  • by Afrosheen (42464) on Monday February 04, 2002 @01:13PM (#2950875)
    Linux has a greater server marketshare (apache, etc.) in some organizations so I believe your point is moot.
  • by ryanr (30917) <ryan@thievco.com> on Monday February 04, 2002 @01:14PM (#2950886) Homepage Journal
    Sigh...

    I can't read the original article, it's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.

    First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)

    Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.

    Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.

    Regardless of anything else, using these numbers to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?
  • by Squash (2258) on Monday February 04, 2002 @01:16PM (#2950898) Homepage
    The moron at wininformant added all exploits for all linux distributions together. Imagine the obvious scenario, where bind8.x.x has a root compromise. This would only count as a single exploit, however the article counts it once for each distribution that acknowledged it.
    If you look at the charts yourself, you see that Win2k had 42 exploits in 2001. In comparison, SuSE had 21. Redhat had 54. OpenBSD had 14. The figures also are not focused on a particular release. I would expect that the numbers would be substantially lower if it only took into account the current releases. Surprise, SuSE still publishes security announcements for 6.x in addition to 7.x, and those are counted.

    The author of the article needs to look up Aggregate [dictionary.com] and try writing an article again.
  • And I quote: (Score:2, Informative)

    by JoeGee (85189) on Monday February 04, 2002 @01:21PM (#2950937)
    "These vulnerability statistics have not been calculated since August due to a site migration issue. We are working on the issue and as soon as it is fixed, this message will disappear. Thank you for your understanding."

    Since August we have had these recent problems [microsoft.com]. The universal plug n play bug was even on /.'s front page. Partial numbers for a year don't tell the whole story.

    I subscribe to both bugtraq and ntbugtraq, and I must say the general quality and quantity of ntbugtraq submissions has decreased considerably in the past year. Most bug-related Windows traffic seems to be appearing over on bugtraq. While I certainly admire Russ Cooper's knowledge, I am not certain that his list is any longer a completely accurate source for information regarding Windows-related security issues, and I question any numbers based on ntbugtraq submissions.

    Some security issues must be significant enough for Microsoft to release a 17 MB "security rollup package" [microsoft.com] for Windows 2000 on January 30th, 2002.
  • by Col. Panic (90528) on Monday February 04, 2002 @01:42PM (#2951106) Homepage Journal
    I'm not saying that Linux is more secure

    The thing about linux is that if you don't know how to set it up you can unknowingly install LOTS of services, most of which are unnecessary for a home user and many of which can be compromised. Redhat's "everything" install sounds pretty neat, but you probably don't want to run an FTP server, DNS server, SQL server, etc. if you don't absolutely need it (and know how to configure it). Mandrake (at least the older versions) has better security setup, allowing you to check off a security level during install that does a decent job of hardening the OS. Of course, not knowing that you are installing file shares on a cable modem with no firewall could be even easier to compromise :)

  • by opkool (231966) on Monday February 04, 2002 @01:45PM (#2951121) Homepage
    What I read was the original article before it went down by /.

    So worry for the thing on Win9x/3.x + WinNT/2000.

    So they are talking of Server OSes. So Win9x/3.x do not account as such.

    What you say is that, of course, they do not include duplicates of the same vulnerability. But then there's no such program as rsync-2.07-3.i386.rpm on Debian 2.2. Can you see it?

    Also, why is the number of bugs for Red Hat Linux 6.2 for Alpha and Sparc so strangely coincidental? See:

    For 2001, we see:
    RedHat Linux 6.2 sparc - 18
    RedHat Linux 6.2 alpha - 18
    Debian Linux 2.2 sparc - 18
    Debian Linux 2.2 arm - 18
    Debian Linux 2.2 alpha - 18
    Debian Linux 2.2 68k - 18

    Coincidental? See it yourselves at SecurityFocus WebSite [securityfocus.com]

    Maybe it is a cross-architecture bug? Will this mean that, in fact, it is the same bug?

    Then the numbers for Mandrake, Red Hat and Debian are waaay too similar (2001) to be just a coincidence (Mandrake 7.1, Red Hat 7.0 and Debian 2.2 can be thought as "equal distributions" by means of timeline, packets versions and such):

    RedHat Linux 7.0 - 28
    MandrakeSoft Linux Mandrake 7.1 - 27
    Debian Linux 2.2 - 26

    Then, on 2001, we can assume that Red Hat 6.2, Mandrake 6.0 and 6.1 have the same package versions:

    RedHat Linux 6.2 i386 - 20
    MandrakeSoft Linux Mandrake 6.1 - 20
    MandrakeSoft Linux Mandrake 6.0 - 20

    And those numbers are also very very close to the ones for Red Hat Linux 6.2 on different architectures.

    Maybe, just maybe... they are the same bugs?

    Then, on previous years, the trend is the same.

    With all due respect, I am not FUDing here. I posted my comments on a piece of news that was flawed.

    And I tried to explain why it was flawed. And I was very careful not to blame conspiracy theories.

    Then, again, I'm human. And I make mistakes. Like the Win9x/3.x and Win2000/NT of my previous post.

    But this does not invalidate at all my message.
  • by jdavidb (449077) on Monday February 04, 2002 @01:48PM (#2951134) Homepage Journal

    Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything.

    Wrong. I entered those days quite recently, with Linux From Scratch [linuxfromscratch.org]. LFS isn't exactly a "security solution," but it's hard to break into a machine when there's nothing running on any port except ssh.

  • by aslagle (441969) on Monday February 04, 2002 @02:42PM (#2951295)
    >> So the statistics don't support what you groundlessly believe to be fact. Therefore the statistics are wrong. Get a life.

    No, that's not what I said.

    Let's look at the methodology behind these statistics - and why it 'skews' the results.
    1. Each 'bug' is treated as the same, whatever the severity.
    2. The individual reports from the distros are combined to form a 'linux' category that doesn't exist in real life.
    3. 'Linux' actually refers to a kernel, not the entirety of the programs included in a distribution.
    4. The 'Windows' category does not include programs by MS that would need to be included to make the comparison valid vis-a-vis the programs included in the Linux distros.
    5. The comparison includes 'reported' bugs. So, we're comparing reports from a host of people who do this for linux, versus a 'closed' company like MS who seems to believe in 'security through obscurity'.

    As a result, even though this may not have been intentionally skewed in Microsoft's favor, it certainly gives the appearance of same.

    This is why the adages about statistics exist. You can collect your numbers and publish them, but if you compare apples to oranges, your numbers are invalid by definition.

    This has nothing to do with whether I use MS or Linux. In fact, I use Opera instead of IE, but if you look inside my house, you won't find an installed distro of Linux anywhere.

    So you thought you saw bias and assumed it was fact. Therefore it was. Get a life yourself.
  • by Mr Z (6791) on Monday February 04, 2002 @02:53PM (#2951357) Homepage Journal
    Or maybe the Slashdot regulars (not the people who hang out at 0 and -1) will look at the piece calmly and discover other very valid flaws with the study.

    You mean, like this? The NTBugTraq site itself says (emphasis mine):

    There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

    So, while there may be a stack of Outlook vulnerabilities, those won't get lumped in with Windows. But sendmail vulnerabilities might get lumped in with RedHat. They go on to say (emphasis theirs):

    The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.

    Further, the numbers themselves do not support the conjecture that Windows 2000/NT had fewer reported vulnerabilities reported over the 5-year period. Let's compare RedHat (the Linux distro for which the largest number of vulnerabilities was reported) vs. Windows 2000/NT from their data:

    • 1997: RedHat 6, Win2K/NT 10
    • 1998: RedHat 10, Win2K/NT 8
    • 1999: RedHat 47, Win2K/NT 78
    • 2000: RedHat 95, Win2K/NT 97
    • 2001: RedHat 54, Win2K/NT 42
    • Total RedHat 212, Win2K/NT 235

    So even though the numbers are potentially skewed against Linux, the totals still come up less for RedHat than for Win2000/NT.

    What the other article must be doing (I haven't read it yet, since I wasn't able load it) is totalling across all distributions, which is wrong. One FTPD vulnerability would get multiplied by all the vendors that ship that FTPD, which isn't quite fair.

    --Joe
  • by Anonymous Coward on Monday February 04, 2002 @02:55PM (#2951374)
    Hmm - the only "hide" entry in that file on my W2K box is "imagevue". Doesn't sound like that will uninstall IE for me.

    Besides, as pointed out by the federal courts, IE is "commingled" into the base install. Even if the program icon or iexplorer.exe is removed, an "IE" vulnerability is most likely in the base libraries and will affect other software.
  • by ryanr (30917) <ryan@thievco.com> on Monday February 04, 2002 @03:02PM (#2951440) Homepage Journal
    The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?

    We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.) Sadly, we have very little editorial control over other people's websites.
  • by sheldon (2322) on Monday February 04, 2002 @03:04PM (#2951457)
    Screw securityfocus, let's look at bulletins released by manufacturers.

    Microsoft security bulletins released in 2002:
    MS02-001

    Redhat security bulletins released in 2002:
    2002-018
    2002-015
    2002-014
    2002-012
    2002-011
    2002-009
    2002-007
    2002-004
    2002-005
    2002-003
    2002-002
    2001-171
    2001-168
    2001-165

    And if you look at 2001 results you'll see a somewhat similar trend, although not near as pronounced. Something like 80 versus 60.

    Are these statistics meaningful? Of course not. If you have read Paul's columns you would know he reported this tongue in cheek. It was a slow news day, he noticed this, had to make fun of it.

    What makes this story interesting, and why Paul reported it is because if the numbers had been reversed you would be assured that would be the headline of the day on slashdot, and if anybody questioned it they would be called Microsoftie apologists.

    And look at the responses you see here. They're almost comical. Reminds me of the responses to the Mindcraft benchmark. Fear, Uncertainty and Denial. :)
  • by ryanr (30917) <ryan@thievco.com> on Monday February 04, 2002 @03:10PM (#2951495) Homepage Journal
    Looks like the Linux aggregate has just been pulled from our site, probably since that has been the source of a lot of confusion in the past. But, to answer your question: Yes, the Linux aggregate is done in such a way as to keep the same bug from being counted once per distro.

    If I recall from earlier today, the aggregate number was around 90. If you take all of the Linux distros on the page, and just add the numbers, you get 178.
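    As an added illustration (not from any poster here, and not SecurityFocus's code or data) of the counting issue ryanr and Squash describe: constructed advisories are attached to each platform that ships the affected package, then tallied as per-platform rows, as the naive sum of the distro rows, and as the unique-advisory aggregate, with IIS optionally folded into Win2K the way bind is folded into a distro. A severity-weighted tally is included for tqbf's point that raw counts carry no notion of impact; platform names, package lists and advisory ids are all made up.

```python
"""Toy model of per-platform vulnerability tallies and how aggregating them
can inflate a "Linux" number. All data below is constructed for illustration;
it is not the SecurityFocus database."""

# Constructed: which packages each platform ships. Distros bundle server
# applications, so their bugs attach to the distro row; IIS is tracked as a
# separate product row (mirroring the SecurityFocus caveat quoted in thread).
PLATFORMS = {
    "RedHat 7.0":   {"kernel", "bind", "sendmail", "rsync", "openssh"},
    "Mandrake 7.1": {"kernel", "bind", "sendmail", "rsync", "openssh"},
    "Debian 2.2":   {"kernel", "bind", "sendmail", "rsync"},
    "Win2K":        {"ntkernel", "ie"},
    "IIS 5.0":      {"iis"},
}
LINUX_ROWS = ("RedHat 7.0", "Mandrake 7.1", "Debian 2.2")

# Constructed advisories: (advisory id, affected package, severity 1..3).
ADVISORIES = [
    ("A-1", "bind", 3),
    ("A-2", "sendmail", 2),
    ("A-3", "rsync", 3),
    ("A-4", "openssh", 3),
    ("A-5", "kernel", 1),
    ("A-6", "ntkernel", 2),
    ("A-7", "iis", 3),
    ("A-8", "iis", 3),
    ("A-9", "ie", 2),
]


def advisories_for(platform):
    """Advisories attached to a platform: those hitting a package it ships."""
    shipped = PLATFORMS[platform]
    return [a for a in ADVISORIES if a[1] in shipped]


def per_platform_counts():
    """The per-row numbers a stats page would display, one row per platform."""
    return {p: len(advisories_for(p)) for p in PLATFORMS}


def naive_linux_sum():
    """Adding the distro rows together: a bug in a shared package is counted
    once per distro that ships it (the mistake the thread complains about)."""
    counts = per_platform_counts()
    return sum(counts[p] for p in LINUX_ROWS)


def unique_linux_aggregate():
    """The aggregate as ryanr describes it: distinct advisories across distros."""
    ids = {a[0] for p in LINUX_ROWS for a in advisories_for(p)}
    return len(ids)


def windows_count(include_iis):
    """Win2K alone, or Win2K with IIS folded in the way a distro folds in bind."""
    rows = ["Win2K"] + (["IIS 5.0"] if include_iis else [])
    ids = {a[0] for p in rows for a in advisories_for(p)}
    return len(ids)


def severity_weighted(platforms):
    """Distinct advisories across the given rows, weighted by severity; the
    raw counts above make a severity-1 kernel nit equal to a remote root."""
    seen = {a[0]: a[2] for p in platforms for a in advisories_for(p)}
    return sum(seen.values())


if __name__ == "__main__":
    for row, n in per_platform_counts().items():
        print(f"{row:13s} {n}")
    print("naive Linux sum:        ", naive_linux_sum())
    print("unique Linux aggregate: ", unique_linux_aggregate())
    print("Win2K alone / with IIS: ", windows_count(False), windows_count(True))
    print("severity, RedHat 7.0:   ", severity_weighted(["RedHat 7.0"]))
    print("severity, Win2K + IIS:  ", severity_weighted(["Win2K", "IIS 5.0"]))
```

The distro rows sum to far more than the distinct advisories behind them, while the Windows figure moves depending on whether IIS is treated as part of the platform; the ranking is an artifact of the bookkeeping, not of the code.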
  • by ryanr (30917) <ryan@thievco.com> on Monday February 04, 2002 @03:15PM (#2951526) Homepage Journal
    We used to have comments on the page that reflected those concerns. Unfortunately, it seems that they got replaced with the message that indicated the stats weren't being updated at present.

    Similar wording has been re-added, and the aggregate number has been pulled (to help keep people from jumping to conclusions.)
  • Own up to it. (Score:3, Informative)

    by tqbf (59350) on Monday February 04, 2002 @03:19PM (#2951551) Homepage
    Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.

    Easy.

    Because you didn't say so.

    We know who SecurityFocus is. It's Alfred Huger and Oliver Friedrichs and Art Wong, the Secure Networks, Inc. crew.

    Secure Networks dealt with exactly the same problem we're talking about now: the trade press doesn't know a damn thing about technology and software engineering. Everything in the trade press is based off of newswire press releases and superficial articles. Alf and Art and Oli had to deal with this problem constantly as their competitors made bogus claims about SNI and their products.

    Towards the end of their work on the Ballista product, Alf had gotten pretty good about educating the trade press about the issues, or at least at swaying them towards his way of thinking.

    Alf and Oli and Elias are scrupulous guys, and they know how the world works. It is simply an embarrassing oversight that there aren't loud disclaimers on the vulnerability report at your site explaining how to interpret the results. You all know how the page is going to be interpreted. You just saw Slashdot interpret it the wrong way. Slashdot is dumb, but InfoWorld is a million times dumber.

    You could fix this problem right away, and pre-empt unethical use of your data, by releasing a statement explaining that the numbers on the page aren't a legitimate security metric. It won't cost you anything and it will help (us, and you!).

    Or you could act like Russ Cooper and try to use the polarizing effect of the unexplained numbers to generate controversy, page hits, and press.

    It's all a question of how much your credibility means to you.

  • by lesinator (459276) on Monday February 04, 2002 @03:29PM (#2951609)
    NTBugtraq [ntbugtraq.com] is actually part of TruSecure [trusecure.com], not SecurityFocus [securityfocus.com]. What SecurityFocus has is a separate list called BugTraq [securityfocus.com]. Very confusing...
  • by RMSIsAnIdiot (556315) on Monday February 04, 2002 @04:14PM (#2951908) Homepage
    Ugh. Why am I replying to this. You are obviously a Pro-Linux kiddie. I will now go on to explain why your thinking is flawed.

    I think it is important to note that 99% of "linux vulnerabilities" are not linux vulnerabilities, but actually non-essential, third party programs. These programs have nothing to do with linux, but do run on the OS. DNS, sendmail, rsync etc are not a part of the OS but have vulnerabilities. We should say that any os that these utilities/services run on has the vulnerability.

    So, by that theory, we shouldn't include any IIS vulnerabilities in the NT exploits either. Because, of course, "IIS has nothing to do with NT, but it runs on the OS." After all, it's an optional component.

    Bullshit.

    Why are you not including BIND and sendmail? Hello? Most Linux servers are either web, DNS, or mail servers... NT, Novell, and Sun far outnumber them as file servers. So, if we can't include BIND, nor sendmail, then we can't include IIS or Exchange/Outlook. Cause, after all, they are "nonessential third-party programs." Oh wait, heh, they were written by "M$" (using obligatory dollar sign so the author of the parent post can understand who I'm talking about) so I guess they're not third-party. But then again, it's not Linux either, it's GNU/Linux. So I guess we can only count kernel exploits. Hmmm. Maybe that means we can only count NT kernel exploits (go ahead, count them.)

    I dare you to root an NT file/print server that isn't running any other services. You can't (or at least, not on any easier level than you could root a Linux or Sun box... heh Sun and their automountd... heheheheh). Anyway, I hope you understand where I'm coming from. Your thinking is flawed.

    But then again, what should I expect? This is Slashdot. It's kind of like going to the Democratic convention and shouting "Gore sucks! Dubya forever!" I didn't really expect too many pro-Microsoft replies here.

  • by Zeinfeld (263942) on Monday February 04, 2002 @04:25PM (#2951978) Homepage
    In order to meet C2, the NT box can't be connected to a network, a serial connection, or a modem. Well, you can, but you can't allow anybody access to it, same thing.

    That is a consequence of the C2 standard which was written by the military for the US govt in the days before networking.

    C2 was obsolete before the Web existed. Back in 1993 when I was asked to do a security audit of the Web standards against the Orange book I concluded that the standard was no help at all.

    The other reason that C2 is not very useful is that the main concern in Orange book is partitioning multiple users' data on the same machine. These days each user has their own machine, a one person computer that does not meet C2 mandatory access control requirements can be perfectly secure - look at a Palm or Pocket PC or a smartcard.

  • Re:bias (Score:2, Informative)

    by ryusen (245792) on Monday February 04, 2002 @04:50PM (#2952107) Homepage
    This is taken from the security focus site:
    "For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers."
    It sounds to me like vulnerabilities in 3rd party apps included with linux distros are counted, but vulnerabilities in things like outlook, ie, and IIS are not... i don't see how anyone who considers themselves a news organization can take, as serious data, any site which even says their numbers might be skewed...
  • by Anonymous Coward on Monday February 04, 2002 @04:56PM (#2952132)
    "Very often the options added in Windows* are poorly documented"

    Right - at least with the RedHat installer, you can see that "Everything" includes bind, sendmail and so on.

    Windows 2000 had a neat issue where if you installed IIS, it automatically configured Internet Printing over HTTP. Which of course had security problems. So you asked for a webserver and got a printserver. It's that kind of braindamage that gives MS the reputation they've got.

    (Another obvious example is the Index Server filter exploit used by Code Red. Nobody uses it, so wtf is it registered by default?)
  • by p7 (245321) on Monday February 04, 2002 @05:07PM (#2952180)
    I was just at the Security Focus Vulnerabilities page and the page has had the linux aggregate stat removed from the list, sometime between 9am pdt and 12:30pm pdt. I guess some good came out of the article.
  • Re:In Other News (Score:2, Informative)

    by RagManX (258563) <ragmanx AT gamerdemos DOT com> on Monday February 04, 2002 @05:49PM (#2952397) Homepage Journal
    Replying to an early post just to make sure this gets seen. Apparently some people are having trouble getting to the article in question. Following is the full text of the relevant article on the page linked in the story.

    Windows More Secure Than Linux? Yep!

    Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.

    Hope that helps those unable to get through to the site.

    RagManX
  • by fR0993R-on-Atari-520 (60152) on Monday February 04, 2002 @06:23PM (#2952554)
    [Here's what I posted to the comments section of wininformant.com. Doubtful they'll display it.]

    Excellent satire.

    One only needs to look at the SecurityFocus stats referenced to find holes in most (if not all) statements made by Paul's article. An example:

    "A look at the previous 5 years [there were only four previous years reported on - tsmith]--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux..."

    Let's take a look at the previous "five" years, starting with 2000. Redhat Linux 6.2 i386, listed as the most vulnerable of the linux flavors with 65 vulns, is bested outright by MS Windows NT with a whopping 71 vulnerabilities. To compare apples to apples requires adding in MS IIS 4.0, with 29 reported vulns, for a total of 100 vulns, or over 50% more vulnerabilities than the _buggiest_ distribution of linux. Even the combination of the lowly, four-years-on-the-market, mature Windows95 with IIS (if such a combination were possible - it matters not, because if not then W95 cannot honestly be compared to RHL) results in 64 vulns. Note that Win95 had the least vulns reported (at 35) of all the Wins. Also note that despite it being out a solid 3 years longer than RHL, it can only best the mark by 1 vuln. Not quite what I'd describe as "far fewer".

    Paul's statement is even more humorous in light of the data from 1999. In that year, Microsoft's products fill the top of the list almost exclusively, with the exception of Solaris 7.0 having slightly more vulnerabilities than IIS and NT4.0SP5. That's right folks, IIS _alone_ had more vulns than any flavor of Linux and most of the Solari. NT4.0 without a service pack? 75 vulns.

    1998 is the only year during which Paul may have a contention regarding NT besting Linux. 8 vulns vs RHL's 10. Note, however, that this is not including bugs from IIS, and is akin to comparing apples to oranges. In any case a difference of two is not what I would consider "far fewer". The comparison of RHL to Win95 is laughable in this case - what does a count of security vulnerabilities show in a system which has virtually no security?

    Once again in 1997, RHL's 6 bests WinNT's 10.

    Paul, how exactly are we to interpret the phrases "five", "each year", and "far fewer"? Perhaps as "four", "maybe one year", and "a little bit"? I suppose your wording was close enough though - I mean, it _is_ just your journalistic integrity on the line, right?

    "Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2"
    Note that neither BO nor IIS are reported on in the 2001 tables, thus no conclusion may be drawn.

    "...despite the fact that Windows is deployed on a far wider basis than any version of Linux"
    Excellent hearsay. Well unsupported by reliable references. After reading the prior claims in your article, I'll be sure to give this little tidbit all the credit it deserves (incidentally, none).

    Thanks again for the good laugh Paul! What's next week? "WinXP Embedded Has Smaller Footprint Than vxWork? Yepppp!" I can almost imagine you shaking your pom-poms in the air.
  • by Drestin (82768) on Monday February 04, 2002 @07:04PM (#2952707)
    Actually, there have been no new vulnerabilities for IIS since August and very few "nasty" ones at all for all of MS products since August. I think you'll find there are WAY more RedHat ones since then...
  • by jon_c (100593) on Monday February 04, 2002 @07:35PM (#2952820) Homepage
    Lots of misinformation going on around here.

    It seems that the site(s) are back up, I've appended the meat of both in case they go down again. A good deal of the posts I'm reading state the stats are invalid because it is an aggregate of all linux distros in comparison to windows 2k. This is not true, the stats make a clear distinction between distros and count them separately, for example Redhat 7.2 had 28 exploits in 2001 where Win2k had 24.

    Which is what this article attempted to exploit itself. It's very clear that the original article (as shown below) is a blatant attempt to drum up a flame war between linux and windows supporters. With a headline like 'Windows More Secure Than Linux? Yep!' it doesn't try to hide that fact either. The entire basis of the article is a 4 "exploit" difference between Redhat linux and win2k within the last year. Of course the severity of these exploits is not detailed.
    Considering that windows has dramatically improved its numbers from the previous years I think a more accurate headline would have been "Windows security much improved from previous years".
    As many people have said far more eloquently than myself, these statistics do nothing to prove or disprove a superiority between linux and windows security, as there are so many problems with even trying to prove such a thing.
    -Jon

    Below is the full text of the article and the stats from Security Focus.
    ------------------- WinInfo article ------------------
    Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.

    -------------------SecurityFocus Stats -------------

    Number of OS Vulnerabilities by Year
    OS                    1997  1998  1999  2000  2001
    AIX                     21    38    10    15     6
    BSD/OS                   7     5     4     1     3
    BeOS                     0     0     0     5     1
    Caldera                  4     3    14    28    27
    Connectiva               0     0     0     0     0
    Debian                   3     2    31    55    28
    FreeBSD                  5     2    17    36    17
    HP-UX                    9     5    11    26    16
    IRIX                    28    15     9    14     7
    MacOS                    0     1     5     1     4
    MacOS X Server           0     0     1     0     0
    Mandrake                 0     0     2    46    36
    NetBSD                   2     4    10    20     9
    Netware                  1     0     4     3     1
    OpenBSD                  1     2     4    17    14
    RedHat                   6    10    47    95    54
    SCO Unix                 3     3    10     2    21
    Slackware                4     8    11    11    10
    Solaris                 24    33    34    22    33
    SuSE                     0     1    23    31    21
    TurboLinux               0     0     2    20     2
    Unixware                 2     3    14     4     9
    Windows 3.1x/95/98       3     1    46    40    14
    Windows NT/2000         10     8    78    97    42

    Top Vulnerable Packages 2001
    Packages # Vulns
    MandrakeSoft Linux Mandrake 7.2 33
    RedHat Linux 7.0 28
    MandrakeSoft Linux Mandrake 7.1 27
    Debian Linux 2.2 26
    Sun Solaris 8.0 24
    Sun Solaris 7.0 24
    Microsoft Windows 2000 24
    MandrakeSoft Linux Mandrake 7.0 22
    SCO Open Server 5.0.6 21
    RedHat Linux 6.2 i386 20
    MandrakeSoft Linux Mandrake 6.1 20
    MandrakeSoft Linux Mandrake 6.0 20
    Wirex Immunix OS 7.0-Beta 19
    Sun Solaris 2.6 19
    RedHat Linux 6.2 sparc 18
    RedHat Linux 6.2 alpha 18
    Debian Linux 2.2 sparc 18
    Debian Linux 2.2 arm 18
    Debian Linux 2.2 alpha 18
    Debian Linux 2.2 68k 18

    Top Vulnerable Packages 2000
    Packages # Vulns
    Microsoft Windows NT 4.0 71
    RedHat Linux 6.2 i386 65
    RedHat Linux 6.2 sparc 53
    RedHat Linux 6.2 alpha 53
    Microsoft Windows 2000 52
    Debian Linux 2.2 48
    RedHat Linux 6.1 i386 47
    Microsoft Windows 98 40
    RedHat Linux 6.1 sparc 39
    RedHat Linux 6.1 alpha 39
    MandrakeSoft Linux Mandrake 7.0 37
    Microsoft Windows 95 35
    RedHat Linux 6.0 i386 33
    Microsoft IIS 4.0 29
    Microsoft BackOffice 4.5 29
    Microsoft BackOffice 4.0 29
    RedHat Linux 7.0 28
    MandrakeSoft Linux Mandrake 7.1 26
    RedHat Linux 6.0 alpha 25
    Conectiva Linux 5.1 25

    Top Vulnerable Packages 1999
    Packages # Vulns
    Microsoft Windows NT 4.0 75
    Microsoft Windows 98 44
    Microsoft Windows 95 40
    Microsoft Windows NT 4.0SP3 33
    Microsoft Windows NT 4.0SP1 32
    Microsoft Windows NT 4.0SP2 31
    Microsoft Windows NT 4.0SP4 30
    Microsoft Internet Explorer 5.0 for Windows 98 29
    Microsoft Internet Explorer 5.0 for Windows NT 4.0 28
    Microsoft Internet Explorer 5.0 for Windows 95 28
    Microsoft BackOffice 4.0 28
    Microsoft BackOffice 4.5 27
    Sun Solaris 7.0 26
    Microsoft IIS 4.0 25
    Microsoft Windows NT 4.0SP5 23
    RedHat Linux 5.2 i386 22
    Sun Solaris 7.0_x86 21
    Sun Solaris 2.6_x86 21
    Sun Solaris 2.6 21
    RedHat Linux 6.0 i386 21

    Top Vulnerable Packages 1998
    Packages # Vulns
    IBM AIX 4.3 36
    IBM AIX 4.2.1 29
    IBM AIX 4.2 29
    Sun Solaris 2.6 28
    Sun Solaris 2.6_x86 25
    IBM AIX 4.1 25
    IBM AIX 4.1.5 24
    IBM AIX 4.1.4 24
    IBM AIX 4.1.3 24
    IBM AIX 4.1.2 24
    IBM AIX 4.1.1 24
    Sun Solaris 2.5.1_x86 23
    Sun Solaris 2.5.1 23
    Sun Solaris 2.5_x86 22
    Sun Solaris 2.5 21
    Sun Solaris 2.4 18
    Sun Solaris 2.4_x86 17
    Sun Solaris 2.3 13
    Sun Solaris 2.5.1_ppc 10
    SGI IRIX 6.4 10

    Top Vulnerable Packages 1997
    Packages # Vulns
    SGI IRIX 6.2 25
    Sun Solaris 2.5.1 23
    Sun Solaris 2.5 23
    SGI IRIX 5.3 23
    Sun Solaris 2.5_x86 22
    Sun Solaris 2.5.1_x86 22
    Sun Solaris 2.4 22
    Sun Solaris 2.4_x86 21
    SGI IRIX 6.3 20
    IBM AIX 4.1 19
    Sun Solaris 2.3 18
    SGI IRIX 6.1 18
    IBM AIX 4.2 17
    SGI IRIX 5.2 15
    SGI IRIX 6.4 14
    IBM AIX 4.1.5 14
    IBM AIX 4.1.4 14
    IBM AIX 4.1.3 14
    IBM AIX 4.1.1 14
    Sun Solaris 2.5.1_ppc 13

  • by TheFlu (213162) on Monday February 04, 2002 @07:41PM (#2952838) Homepage
    How about some different numbers...everyone loves statistics. "The following numbers were obtained by counting web site defacements as listed at Attrition.org from June 2000 through May 2001:" Breakin Stats [geodsoft.com]


    The trouble with comparing Linux distros to Windows lies in the fact that Linux distros include so many different applications. I just did a count of installed packages on a RedHat box I am using, and I got 780 installed packages. I'd like to see a comparison of the number of exploits between the RedHat distro and Windows installed with 700 of the most common applications for it. That might be a more useful comparison. Also, I will readily acknowledge the weakness and lack of true usefulness of the numbers below, so no need to flame me for the lack of usability...I'm only posting the info I found, so no need to stone the messenger.


    Windows
    4336 Windows NT
    1070 Windows 2000
    2 Windows 95
    5408 Windows total

    All UNIX and Like
    1185 Linux Red Hat
    999 Linux unknown distributions
    36 Linux Connectiva
    23 Linux Debian
    17 Linux Cobalt
    17 Linux SuSE
    13 Linux ALZZA
    12 Linux Mandrake
    1 Linux Slackware
    2304 Linux total

    485 Solaris & Sun OS (1)
    267 IRIX
    163 FreeBSD
    121 BSDI
    44 SCO
    28 Generic UNIX
    18 Compaq Tru64 UNIX
    9 AIX
    7 HPUX HP
    4 Digital UNIX DG
    3 OpenBSD
    2 NetBSD
    1 PowerBSD
    1 Digital OSF1
    1153 UNIX & Like total

    3457 UNIXs & Linux

    8865 Total Windows and all UNIX

    Other
    2 Mac OS
    1 Netware

    63 unidentified

  • Where's your heads? (Score:2, Informative)

    by ICMP_FRAGMENT (470294) on Monday February 04, 2002 @08:06PM (#2952966) Homepage
    I have a few points to make.

    1: Linux is a kernel. Name the last security hole in the kernel.

    2: There are TONS of Linux distributions. Hundreds. There's also gobs of software included in your standard Windows distribution. If you count ALL of their security vulnerabilities from ALL DISTRIBUTIONS and ALL SOFTWARE PACKAGES, I'm not surprised it's a bit higher than the number of holes in the *core Windows OS*.

    3: The rate of release of Linux is much faster.

    4: Linux distributors are still relying on the wrong software (sendmail/bind/inetd).
  • Re:In Other News (Score:3, Informative)

    by buckrogers (136562) on Tuesday February 05, 2002 @09:56AM (#2954934) Homepage
    From the security focus site:

    * These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.

    [This means that the windows2000 numbers don't include the last half of 2001, the time frame in which W2K was attacked by at least a dozen viruses and worms]

    * There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

    [This means that to total up the W2K vulnerabilities you have to add W2K, the web browser, office, the web server and the sql server. Whereas a Linux distribution with 6000 software packages is all added together, whether most people even install a particular program or not.]

    * This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.

    [This means that you should actually go back into their database and look at what would have been installed and running at your site to support your needs and total the number of vulnerabilities that would have happened depending on what packages you would have had turned on to meet your needs. Then do a personalized report based on your site under various OS scenarios.]

    * The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.

    [ This means, don't compare them like that guy did, or like I am about to do. :)]

    33 MandrakeSoft Linux Mandrake 7.2
    28 RedHat Linux 7.0
    27 MandrakeSoft Linux Mandrake 7.1
    24 Debian Linux 2.2
    26 Sun Solaris 8.0
    24 Sun Solaris 7.0
    24 Microsoft Windows 2000
    22 MandrakeSoft Linux Mandrake 7.0
    21 SCO Open Server 5.0.6
    20 RedHat Linux 6.2 i386
    20 MandrakeSoft Linux Mandrake 6.1
    20 MandrakeSoft Linux Mandrake 6.0
    19 Wirex Immunix OS 7.0-Beta
    19 Sun Solaris 2.6
    18 RedHat Linux 6.2 sparc
    18 RedHat Linux 6.2 alpha
    18 Debian Linux 2.2 sparc
    18 Debian Linux 2.2 arm
    18 Debian Linux 2.2 alpha
    18 Debian Linux 2.2 68k

    Looking at the above numbers it appears that there are at least a half dozen linux distributions that have fewer vulnerabilities than Windows. And only 3 that have more.

    And what about all the distributions that aren't even on the list because this is a list of the worst offenders. Slackware only had about 10 vulnerabilities, and turbo linux only had 2.

    Let's look at the last year for which they had complete statistics, 2000.

    71 Microsoft Windows NT 4.0
    29 Microsoft IIS 4.0
    29 Microsoft BackOffice
    --
    129 total

    52 Microsoft Windows 2000
    29 Microsoft IIS 4.0
    29 Microsoft BackOffice
    --
    110 total

    65 RedHat Linux 6.2 i386
    53 RedHat Linux 6.2 sparc
    53 RedHat Linux 6.2 alpha
    48 Debian Linux 2.2
    47 RedHat Linux 6.1 i386
    40 Microsoft Windows 98
    39 RedHat Linux 6.1 sparc
    39 RedHat Linux 6.1 alpha
    37 MandrakeSoft Linux Mandrake 7.0
    35 Microsoft Windows 95
    33 RedHat Linux 6.0 i386
    28 RedHat Linux 7.0
    26 MandrakeSoft Linux Mandrake 7.1
    25 RedHat Linux 6.0 alpha
    25 Conectiva Linux 5.1

    ** Explorer and outlook had a few bugs too which aren't added to the totals.

    If you could compare them this way, which security focus says not to, then windows has 2-3 times the number of security flaws than any single windows distribution. While containing at least an order of magnitude more software. Linux distributions come with at least 4 web servers and a half dozen databases. Linux distributions come with at least a dozen different web browsers and 2 dozen email clients.
