WinInformant Says Windows More Secure Than Linux 935
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
Actually, to be fair... (Score:4, Informative)
I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.
XP, on the other hand... but we're not talking about XP here.
Hey look at that (Score:2, Informative)
Anyway, before anyone gets on a high horse here. It needs to be said that it's the code. Not the features that allow users to do stupid things. Most of what's out there choking MS-Based networks is becuase of the ease of which users can execute attached scripts and executables. Oh, and a hole in IIS, but that was mentioned in the article.
Yes, MS is a monopoly. Yes, they're trying to squeeze more cash out of their consumers (Stupid WPA). But, damn, they do produce some of the most solid code out there, as well as some of the most feature-rich, usable applications. Alas, that's just my opinion, and considering that I use mostly MS apps, I might be slightly biassed.
There is No Science Here. (Score:5, Informative)
However, the conclusion being drawn here is invalid. The SecurityFocus vulnerability survey is interesting, but it is not itself a reasonable methodology to generate security metrics between operating systems.
I could pick nits at this ad hoc study for hours, but the biggest problems are also the most obvious:
First: the study associates third-party software with the operating system, and aggregates all the distributions together into a meaningless "Linux" category. This study is literally just pattern matching against advisories.
Second: there is no notion of "severity" or "impact" in the study. This is a shame, because SecurityFocus has actually put some real effort into deriving a taxonomy of vulnerabilities from their (enormous) vulnerability database. There is no way to determine whether the N Linux vulnerabilities were equivalent to the K NT vulnerabilities.
Third: the study compares a kit of open-source software, which has received extensive peer review, to a closed-source product. It should surprise nobody that Linux has more documented problems than Windows: it's actually possible to go find vulnerabilities on Linux. Finding Windows vulnerabilities requires black-box reverse engineering.
Finally, both Linux and Windows do a reasonable job of locking down server configurations out of the box. What IT people need to know is vulnerability breakdown by operating system and by deployed configuration. This study does nothing to inform us of whether a Linux web server is at more risk than a Windows web server, or whether it's safer to expose a Linux print server or a Windows print server. Organizations that deploy homogenous Apache+NFS+ssh server farms don't care about XFree vulnerabilities or Samba problems.
I don't think SecurityFocus is actually trying to make claims about the relative security of Linux and Windows. I think they've been a bit careless with this report though; it's a reasonable thing to try to generate from their database, but more thought should have gone into presentation.
SecurityFocus has the on-staff expertise to publish some real conclusions about the distribution of vulnerabilities between Linux and Windows. Before this database report is misconstrued by the trade press, it would be enormously helpful if they could publish a statement about the conclusions that can be legitimately drawn from it. It'd be good press for them, too.
Re:Simply put, (Score:5, Informative)
Actually, there aren't SO MANY MORE windows servers on the internet than *nix boxes.
Please see this fine article http://slashdot.org/article.pl?sid=01/07/13/124025 7&mode=thread [slashdot.org] which tries to compare the number of windows systems vs unix systems on the internet.
Here are a couple of their conclusions:
Even taking the statistics most favorable to Microsoft, they had almost twice as many IPs on the public internet than Linux did in 1999. However, during that same period, there were many more than twice as many expoits, viruses, etc. that attacked windows vs unix.
Linux has far too many installations on the public internet to be dismissed as too rare to interest hackers.
Re:but which were more severe? (Score:1, Informative)
Most and nearly all DoS attacks come from hacked *nix boxes. Want to talk about clogging up the internet? Theres a much more important example.
Re:but which were more severe? (Score:3, Informative)
Re:This, of course, will be ignored and ridiculed (Score:5, Informative)
I can't read the original article, It's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.
First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)
Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.
Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?
Quit freaking out, it is obviously flawed (Score:2, Informative)
If you look at the charts yourself, you see that Win2k had 42 exploits in 2001. In comparison, SuSe had 21. Redhat had 54. OpenBSD had 14. The figures also are not focused on a particular release. I would expect that the numbers would be substantially lower if it only look into account the current releases. Suprise, SuSE still publishes security announcements for 6.x in addition to 7.x, and those are counted.
THe author of the atricle need to look up Aggregate [dictionary.com] and try writing an article again.
And I quote: (Score:2, Informative)
Re:Less because MS doesnt tell (Score:3, Informative)
The thing about linux is that if you don't know how to set it up you can unknowingly install LOTS of services, most of which are unnecessary for a home user and many of which can be compromised. Redhat's "everything" install sounds pretty neat, but you probably don't want to run an FTP server, DNS server, SQL server, etc. if you don't absolutely need it (and know how to configure it). Mandrake (at least the older versions) has better security setup, allowing you to check off a security level during install that does a decent job of hardening the OS. Of course, not knowing that you are installing file shares on a cable modem with no firewall could be even easier to compromise :)
Re:Unfair comparison, uninformed journalist. (Score:5, Informative)
So worry for the thing on Win9x/3.x + WinNT/2000.
So they are talking of Server OSes. So Win9x/3.x do not account as such.
What you say is that, of course, they do not include duplicates of the same vulnerability. But then there's no such program as rsync-2.07-3.i386.rpm on Debian 2.2 . Can you see it?
Also, why it is strangely coincidental de number of bugs for Red Hat Linux 6.2 for Alpha and Sparc? See:
For 2001, we see:
RedHat Linux 6.2 sparc - 18
RedHat Linux 6.2 alpha - 18
Debian Linux 2.2 sparc - 18
Debian Linux 2.2 arm - 18
Debian Linux 2.2 alpha - 18
Debian Linux 2.2 68k - 18
Coincidental? See it yourselves at SecurityFocus WebSite [securityfocus.com]
Maybe is a cross-architechture bug? Will this mean that, in fact, it is the same bug?
Then the numbers for Mandrake, Red Hat and Debian are waaay too similar (2001) to be just a coincidence (Mandrake 7.1, Red Hat 7.0 and Debian 2.2 can be thought as "equal distributions" by means of timeline, packets versions and such):
RedHat Linux 7.0 - 28
MandrakeSoft Linux Mandrake 7.1 - 27
Debian Linux 2.2 - 26
Then, on 2001, we can assume that Red Hat 6.2, Mandrake 6.0 and 6.1 have the same package versions :
RedHat Linux 6.2 i386 - 20
MandrakeSoft Linux Mandrake 6.1 - 20
MandrakeSoft Linux Mandrake 6.0 - 20
And those numbers are also very very close to the ones for Red Hat Linux 6.2 on different architectures.
Maybe, just maybe... they are the same bugs?
Then, on previous years, the trend is the same.
With all the respects, I am no FUDing here. I post my comments to some piece of news that was flawled.
And I tried to explain why it was flawed. And I was vry carefull to not to blame conspiracy theories.
Then, again, I'm human. And I make mistakes. Like the Win0x/3.x and Win2000/NT of my previous post.
But this does not invalidate at all my message.
Re:Why is this automatically false? (Score:4, Informative)
Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything.
Wrong. I entered those days quite recently, with Linux From Scratch [linuxfromscratch.org]. LFS isn't exactly a "security solution," but it's hard to break into a machine when there's nothing running on any port except ssh.
Re:Oh, boy. Just another example... (Score:3, Informative)
No, that's not what I said.
Let's look at the methodology behind these statistics - and why it 'skews' the results.
1. Each 'bug' is treated as the same, whatever the severity.
2. The individual reports from the distros are combined to form a 'linux' category that doesn't exist in real life.
3. 'Linux' actually refers to a kernel, not the entirety of the programs included in a distribution.
4. The 'Windows' category does not include programs by MS that would need to be included to make the comparison valid vis-a-vis the programs included in the Linux distros.
5. The comparison includes 'reported' bugs. So, we're comparing reports from a host of people who do this for linux, versus a 'closed' company like MS who seems to believe in 'security through obscurity'.
As a result, even though this may not have been intentionally skewed in Microsoft's favor, it certainly gives the appearance of same.
This is why the adages about statistics exist. You can collect your numbers and publish them, but if you compare apples to oranges, your numbers are invalid by definition.
This has nothing to do with whether I use MS or Linux. In fact, I use Opera instead of IE, but if you look inside my house, you won't find an installed distro of Linux anywhere.
So you thought you saw bias and assumed it was fact. Therefore it was. Get a life yourself.
Re:This, of course, will be ignored and ridiculed (Score:5, Informative)
You mean, like this? The NTBugTraq site itself says (emphasis mine):
So, while there may be a stack of Outlook vulnerabilities, those won't get lumped in with Windows. But sendmail vulnerabilities might get lumped in with RedHat. They go on to say (emphasis theirs):
Further, the numbers themselves do not support the conjecture that Windows 2000/NT had fewer reported vulnerabilities reported over the 5-year period. Let's compare RedHat (the Linux distro for which the largest number of vulnerabilities was reported) vs. Windows 2000/NT from their data:
So even though the numbers are potentially skewed against Linux, the totals still come up less for RedHat than for Win2000/NT.
What the other article must be doing (I haven't read it yet, since I wasn't able load it) is totalling across all distributions, which is wrong. One FTPD vulnerability would get multiplied by all the vendors that ship that FTPD, which isn't quite fair.
--JoeRe:Actually, to be fair... (Score:1, Informative)
Besides, as pointed out by the federal courts, IE is "comingled" into the base install. Even if the program icon or iexplorer.exe is removed, an "IE" vulnurability is most likely in the base libraries and will affect other software.
Re:Exactly (it deserves to be rediculed and ignore (Score:5, Informative)
We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.) Sadly, we have very little editorial control over other people's websites.
More interesting statistics... (Score:4, Informative)
Microsoft security bulletins released in 2002:
MS02-001
Redhat security bulletins released in 2002:
2002-018
2002-015
2002-014
2002-012
2002-011
2002-009
2002-007
2002-004
2002-005
2002-003
2002-002
2001-171
2001-168
2001-165
And if you look at 2001 results you'll see a somewhat similar trend, although not near as pronounced. Somethink like 80 versus 60.
Are these statistics meaningful? Of course not. If you have read Paul's columns you would know he reported this tongue and cheek. It was a slow news day, he noticed this, had to make fun of it.
What makes this story interesting, and why Paul reported it is because if the numbers had been reversed you would be assured that would be the headline of the day on slashdot, and if anybody questioned it they would be called Microsoftie apologists.
And look at the responses you see here. They're almost comical. Reminds me of the responses to the Mindcraft benchmark. Fear, Uncertainty and Denial.
Re:This, of course, will be ignored and ridiculed (Score:3, Informative)
If I recall from earlier today, the aggregate number was around 90. If you take all of the Linux distros on the page, and just add the numbers, you get 178.
Re:Perhaps you could put that on the stats page? (Score:3, Informative)
Similar wording has been re-added, and the aggregate number has been pulled (to help keep people from jumping to conclusions.)
Own up to it. (Score:3, Informative)
Easy.
Because you didn't say so.
We know who SecurityFocus is. It's Alfred Huger and Oliver Friedrichs and Art Wong, the Secure Networks, Inc. crew.
Secure Networks dealt with exactly the same problem we're talking about now: the trade press doesn't know a damn thing about technology and software engineering. Everything in the trade press is based off of newswire press releases and superficial articles. Alf and Art and Oli had to deal with this problem constantly as their competitors made bogus claims about SNI and their products.
Towards the end of their work on the Ballista product, Alf had gotten pretty good about educating the trade press about the issues, or at least at swaying them towards his way of thinking.
Alf and Oli and Elias are scrupulous guys, and they know how the world works. It is simply an embarassing oversight that there aren't loud disclaimers on the vulnerability report at your site explaining how to interpret the results. You all know how the page is going to be interpreted. You just saw Slashdot interpret it the wrong way. Slashdot is dumb, but InfoWorld is a million times dumber.
You could fix this problem right away, and pre-empt unethical use of your data, by releasing a statement explaining that the numbers on the page aren't a legitimate security metric. It won't cost you anything and it will help (us, and you!),
Or you could act like Russ Cooper and try to use the polarizing effect of the unexplained numbers to generate controversy, page hits, and press.
It's all a question of how much your credibility means to you.
TruSecure not SecurityFocus (Score:2, Informative)
Re:This, of course, will be ignored and ridiculed (Score:3, Informative)
I think it is important to note that 99% of "linux vulnerabilities" are not linux vulnerabilities, but actually non-essential, third party programs. These programs have nothing to do with linux, but do run on the OS. DNS, sendmail, rsync etc are not a part of the OS but have vulnerabilites. We should say that any os that these utilities/services run on has the vulnerability.
So, by that theory, we shouldn't include any IIS vulnerabilities in the NT exploits either. Because, of course, "IIS has nothing to do with NT, but it runs on the OS." After all, it's an optional component.
Bullshit.
Why are you not including BIND and sendmail? Hello? Most Linux servers are either web, DNS, or mail servers... NT, Novell, and Sun far outnumber them as file servers. So, if we can't include BIND, nor sendmail, then we can't include IIS or Exchange/Outlook. Cause, after all, they are "nonessential third-party programs." Oh wait, heh, they were written by "M$" (using obligatory dollar sign so the author of the parent post can understand who I'm talking about) so I guess they're not thrid-party. But then again, it's not Linux either, it's GNU/Linux. So I guess we can only count kernel exploits. Hmmm. Maybe that means we can only count NT kernel exploits (go ahead, count them.)
I dare you to root an NT file/print server that isn't running any other services. You can't (or at least, not on any easier level than you could root a Linux or Sun box... heh Sun and their automountd... heheheheh). Anyway, I hope you understand where I'm coming from. Your thinking is flawed.
But then again, what should I expect? This is Slashdot. It's kind of like going to the Democratic convention and shouting "Gore sucks! Dubya forever!" I didn't really expect too many pro-Microsoft replies here.
Re:This, of course, will be ignored and ridiculed (Score:3, Informative)
That is a consequence of the C2 standard which was written by the military for the US govt in the days before networking.
C2 was obsolete before the Web existed. Back in 1993 when I was asked to do a security audit of the Web standards against the Orange book I concluded that the standard was no help at all.
The other reason that C2 is not very useful is that the main concern in Orange book is partitioning multiple users data on the same machine. These days each user has their own machine, a one person computer that does not meet C2 mandatory access control requirements can be perfectly secure - look at a Palm or Pocket PC or a smartcard.
Re:bias (Score:2, Informative)
"For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers."
It sounds to me like vulnerbilities on 3rd party apps included with linux distros are counted, but vulnerbilities in things like outlook, ie, and iss are not... i don't see how anyone who considers themselves a news organization can take , as serious data, any site which even says their numbers might be skewed...
Re:Less because MS doesnt tell (Score:1, Informative)
Right - at least with the RedHat installer, you can see that "Everything" includes bind, sendmail and so on.
Windows 2000 had a neat issue where if you installed IIS, it automatically configured Internet Printing over HTTP. Which of course had security problems. So you asked for a webserver and got a printserver. It's that kind of braindamage that gives MS the reputation they've got.
(Another obvious example is the Index Server filter exploit used by Code Red. Nobody uses it, so wtf is it registered by default?)
Linux Aggregate removed from the list (Score:2, Informative)
Re:In Other News (Score:2, Informative)
Hope that helps those unable to get through to the site.
RagManX
This is a sham. Relevant snippits: (Score:3, Informative)
Excellent satire.
One only needs to look at the SecurityFocus stats referenced to find holes in most (if not all) statements made by Paul's article. An example:
"A look at the previous 5 years [there were only four previous years reported on - tsmith]--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux..."
Lets take a look at the previous "five" years, starting with 2000. Redhat Linux 6.2 i386, listed as the most vulnerable of the linux flavors with 65 vulns, is bested outright by MS Windows NT with a whopping 71 vulnerabilities. To compare apples to apples requires adding in MS IIS 4.0, with 29 reported vulns, for a total of 100 vulns, or over %50 more vulnerabilities than the _buggiest_ distribution of linux. Even the combination of the lowly, four-years-on-the-market, mature Windows95 with IIS (if such a combination were possible - it matters not, because if not then W95 cannot honestly be compared to RHL) results in 64 vulns. Note that Win95 had the least vulns reported (at 35) of all the Wins. Also not that despite it being out a solid 3 years longer than RHL, it can only best the mark by 1 vuln. Not quite what I'd describe as "far fewer".
Paul's statement is even more humorous in light of the data from 1999. In that year, Microsoft's products fill the top of the list almost exclusively, with the exception of Solaris 7.0 having slightly more vulnerabilities than IIS and NT4.0SP5. That's right folks, IIS _alone_ had more vulns than any flavor of Linux and most of the Solari. NT4.0 without a service pack? 75 vulns.
1998 is the only year during which Paul may have a contention regarding NT besting Linux. 8 vulns vs RHL's 10. Note, however, that this is not including bugs from IIS, and is akin to comparing apples to oranges. In any case a difference of two is not what I would consider "far fewer". The comparison of RHL to Win95 is laughable in this case - what does a count of security vulnerabilities show in a system which has virtually no security?
Once again in 1997, RHL's 6 bests WinNT's 10.
Paul, how exactly are we to interpret the phrases "five", "each year", and "far fewer"? Perhaps as "four", "maybe one year", and "a little bit"? I suppose your wording was close enough though - I mean, it _is_ just your journalistic integrity on the line, right?
"Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2"
Note that niether BO nor IIS are reported on in the 2001 tables, thus no conclusion may be drawn.
"...despite the fact that Windows is deployed on a far wider basis than any version of Linux"
Excellent heresay. Well un-supported by reliable references. After reading the prior claims in your article, I'll be sure to give this little tidbit all the credit it deserves (incidentally, none).
Thanks again for the good laugh Paul! What's next week? "WinXP Embedded Has Smaller Footprint Than vxWork? Yepppp!" I can almost imagine you shaking your pom-poms in the air.
Re:Only through August (Score:2, Informative)
Lots of misinformation going on around here. (Score:3, Informative)
It seems that the site(s) are back up, I've appended the meat of both in case they go down again. The good deal of the posts I'm reading stat the stats are invalid because it is an aggregate of all linux distros in comparison to windows 2k. This is not true, the stats make a clear distinction between distro's and count them separately, for example Redhat 7.2 had 28 exploits in 2001 where Win2k had 24.
Which is what this article was attempted to exploit itself. Its very clear that the original article (as shown below) is a blatant attempted to drum of a flame war between linux and windows supporters. With a headline like 'Windows More Secure Than Linux? Yep!' it doesn't try to hide that fact either. The entire basis is of the article is a 4 "exploit" difference between Redhat linux and win2k within the last year. Of course the severity of these exploits are not detailed.
Considering that windows has dramatically improved its numbers from the previous years I think a more accurate headline would have been "Windows security much improved from previous years"
As many people has said far my eloquently them myself, these statistics do nothing to prove or disprove a superiority between linux and windows security, as there are so many problems with even trying to prove such a thing.
-Jon
below is the full text of the article and the stats from Security Focus.
------------------- WinInfo artical ------------------
Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.
-------------------SecurityFocus Stats -------------
Number of OS Vulnerabilities by Year
OS 1997 1998 1999 2000 2001
AIX 21 38 10 15 6
BSD/OS 7 5 4 1 3
BeOS 0 0 0 5 1
Caldera 4 3 14 28 27
Connectiva 0 0 0 0 0
Debian 3 2 31 55 28
FreeBSD 5 2 17 36 17
HP-UX 9 5 11 26 16
IRIX 28 15 9 14 7
MacOS 0 1 5 1 4
MacOS X Server 0 0 1 0 0
Mandrake 0 0 2 46 36
NetBSD 2 4 10 20 9
Netware 1 0 4 3 1
OpenBSD 1 2 4 17 14
RedHat 6 10 47 95 54
SCO Unix 3 3 10 2 21
Slackware 4 8 11 11 10
Solaris 24 33 34 22 33
SuSE 0 1 23 31 21
TurboLinux 0 0 2 20 2
Unixware 2 3 14 4 9
Windows 3.1x/95/98 3 1 46 40 14
Windows NT/2000 10 8 78 97 42
Top Vulnerable Packages 2001
Packages # Vulns
MandrakeSoft Linux Mandrake 7.2 33
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 27
Debian Linux 2.2 26
Sun Solaris 8.0 24
Sun Solaris 7.0 24
Microsoft Windows 2000 24
MandrakeSoft Linux Mandrake 7.0 22
SCO Open Server 5.0.6 21
RedHat Linux 6.2 i386 20
MandrakeSoft Linux Mandrake 6.1 20
MandrakeSoft Linux Mandrake 6.0 20
Wirex Immunix OS 7.0-Beta 19
Sun Solaris 2.6 19
RedHat Linux 6.2 sparc 18
RedHat Linux 6.2 alpha 18
Debian Linux 2.2 sparc 18
Debian Linux 2.2 arm 18
Debian Linux 2.2 alpha 18
Debian Linux 2.2 68k 18
Top Vulnerable Packages 2000
Packages # Vulns
Microsoft Windows NT 4.0 71
RedHat Linux 6.2 i386 65
RedHat Linux 6.2 sparc 53
RedHat Linux 6.2 alpha 53
Microsoft Windows 2000 52
Debian Linux 2.2 48
RedHat Linux 6.1 i386 47
Microsoft Windows 98 40
RedHat Linux 6.1 sparc 39
RedHat Linux 6.1 alpha 39
MandrakeSoft Linux Mandrake 7.0 37
Microsoft Windows 95 35
RedHat Linux 6.0 i386 33
Microsoft IIS 4.0 29
Microsoft BackOffice 4.5 29
Microsoft BackOffice 4.0 29
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 26
RedHat Linux 6.0 alpha 25
Conectiva Linux 5.1 25
Top Vulnerable Packages 1999
Packages # Vulns
Microsoft Windows NT 4.0 75
Microsoft Windows 98 44
Microsoft Windows 95 40
Microsoft Windows NT 4.0SP3 33
Microsoft Windows NT 4.0SP1 32
Microsoft Windows NT 4.0SP2 31
Microsoft Windows NT 4.0SP4 30
Microsoft Internet Explorer 5.0 for Windows 98 29
Microsoft Internet Explorer 5.0 for Windows NT 4.0 28
Microsoft Internet Explorer 5.0 for Windows 95 28
Microsoft BackOffice 4.0 28
Microsoft BackOffice 4.5 27
Sun Solaris 7.0 26
Microsoft IIS 4.0 25
Microsoft Windows NT 4.0SP5 23
RedHat Linux 5.2 i386 22
Sun Solaris 7.0_x86 21
Sun Solaris 2.6_x86 21
Sun Solaris 2.6 21
RedHat Linux 6.0 i386 21
Top Vulnerable Packages 1998
Packages # Vulns
IBM AIX 4.3 36
IBM AIX 4.2.1 29
IBM AIX 4.2 29
Sun Solaris 2.6 28
Sun Solaris 2.6_x86 25
IBM AIX 4.1 25
IBM AIX 4.1.5 24
IBM AIX 4.1.4 24
IBM AIX 4.1.3 24
IBM AIX 4.1.2 24
IBM AIX 4.1.1 24
Sun Solaris 2.5.1_x86 23
Sun Solaris 2.5.1 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5 21
Sun Solaris 2.4 18
Sun Solaris 2.4_x86 17
Sun Solaris 2.3 13
Sun Solaris 2.5.1_ppc 10
SGI IRIX 6.4 10
Top Vulnerable Packages 1997
Packages # Vulns
SGI IRIX 6.2 25
Sun Solaris 2.5.1 23
Sun Solaris 2.5 23
SGI IRIX 5.3 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5.1_x86 22
Sun Solaris 2.4 22
Sun Solaris 2.4_x86 21
SGI IRIX 6.3 20
IBM AIX 4.1 19
Sun Solaris 2.3 18
SGI IRIX 6.1 18
IBM AIX 4.2 17
SGI IRIX 5.2 15
SGI IRIX 6.4 14
IBM AIX 4.1.5 14
IBM AIX 4.1.4 14
IBM AIX 4.1.3 14
IBM AIX 4.1.1 14
Sun Solaris 2.5.1_ppc 13
Privacy Statement
Copyright © 1999-2001 SecurityFocus
Apples anyone, or how about some tasty Oranges? (Score:4, Informative)
The trouble with comparing Linux distros to Windows lies in the fact that Linux distros include so many different applications. I just did a count of installed packages on a RedHat box I am using, and I got 780 installed packages. I'd like to see a comparison of the number of exploits between the RedHat distro and Windows installed with 700 of the most common applications for it. That might be a more useful comparison. Also, I will readily acknowledge the weakness and lack of true usefulness of the numbers below, so no need to flame me for the lack of usability...I'm only posting the info I found, so no need to stone the messenger.
Windows
4336 Windows NT
1070 Windows 2000
2 Windows 95
5408 Windows total
All UNIX and Like
1185 Linux Red Hat
999 Linux unknown distributions
36 Linux Connectiva
23 Linux Debian
17 Linux Cobalt
17 Linux SuSE
13 Linux ALZZA
12 Linux Mandrake
1 Linux Slackware
2304 Linux total
485 Solaris & Sun OS (1)
267 IRIX
163 FreeBSD
121 BSDI
44 SCO
28 Generic UNIX
18 Compaq Tru64 UNIX
9 AIX
7 HPUX HP
4 Digital UNIX DG
3 OpenBSD
2 NetBSD
1 PowerBSD
1 Digital OSF1
1153 UNIX & Like total
3457 UNIXs & Linux
8865 Total Windows and all UNIX
Other
2 Mac OS
1 Netware
63 unidentified
Where's your heads? (Score:2, Informative)
1: Linux is a kernel. Name the last security hole in the kernel.
2: There are TONS of Linux distributions. Hundreds. There's also gobs of software includd in your standard Windows distribution. If you count ALL of their security vulnerabilities from ALL DISTRIBUTIONS and ALL SOFTWARE PACKAGES, I'm not surprised it's a bit higher than the number of holes in the *core Windows OS*.
3: The rate of release of Linux is much faster.
4: Linux distributors are still relying on the wrong software (sendmail/bind/inetd).
Re:In Other News (Score:3, Informative)
* These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.
[This means that the windows2000 numbers don't include the last half of 2001, the time frame in which W2K was attacked by at least a dozen viruses and worms]
* There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
[This means that to total up the W2K vulnerabilites you have to add W2K, the web browser, office, the web server and the sql server. Whereas a Linux distribution with 6000 software packages is all added together, wheather most people even install a particular program or not.]
* This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.
[This means that you should actually go back into their database and look at what would have been installed and running at your site to support your needs and total the number of vulnerabilities that would have happened depending on what packages you would have had turned on to meet your needs. Then do a personalized report based on your site under various OS senarios.]
* The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.
[ This means, don't compare them like that guy did, or like I am about to do.
33 MandrakeSoft Linux Mandrake 7.2
28 RedHat Linux 7.0
27 MandrakeSoft Linux Mandrake 7.1
24 Debian Linux 2.226 Sun Solaris 8.0
24 Sun Solaris 7.0
24 Microsoft Windows 2000
22 MandrakeSoft Linux Mandrake 7.0
21 SCO Open Server 5.0.6
20 RedHat Linux 6.2 i386
20 MandrakeSoft Linux Mandrake 6.1
20 MandrakeSoft Linux Mandrake 6.0
19 Wirex Immunix OS 7.0-Beta
19 Sun Solaris 2.6
18 RedHat Linux 6.2 sparc
18 RedHat Linux 6.2 alpha
18 Debian Linux 2.2 sparc
18 Debian Linux 2.2 arm
18 Debian Linux 2.2 alpha
18 Debian Linux 2.2 68k
Looking at the above numbers it appears that there are at least a half dozen linux distributions that have fewer vulnerabilties than Windows. And only 3 that have more.
And what about all the distributions that aren't even on list because this is a list of the worst offenders. Slackware only had about 10 vulnerabilities, and turbo linux only had 2.
Lets look at the last year for which they had complete statistics, 2000.
71 Microsoft Windows NT 4.0
29 Microsoft IIS 4.0
29 Microsoft BackOffice
--
129 total
52 Microsoft Windows 2000
29 Microsoft IIS 4.0
29 Microsoft BackOffice
--
110 total
65 RedHat Linux 6.2 i386
53 RedHat Linux 6.2 sparc
53 RedHat Linux 6.2 alpha
48 Debian Linux 2.2
47 RedHat Linux 6.1 i386
40 Microsoft Windows 98
39 RedHat Linux 6.1 sparc
39 RedHat Linux 6.1 alpha
37 MandrakeSoft Linux Mandrake 7.0
35 Microsoft Windows 95
33 RedHat Linux 6.0 i386
28 RedHat Linux 7.0
26 MandrakeSoft Linux Mandrake 7.1
25 RedHat Linux 6.0 alpha
25 Conectiva Linux 5.1
** Explorer and outlook had a few bugs too which aren't added to the totals.
If you could compare them this way, which security focus says not to, then windows has 2-3 times the number of security flaws than any single windows distribution. While containing at least an order of magnitude more software. Linux distributions come with at least 4 web server and a half dozen databases. Linux distributions come with at least a dozen different web browsers and 2 dozen email clients.