Linux/Unix Tops Charts for Vulnerabilities in 2005

BeanBunny writes "I realize that this topic is almost as volatile around here as Intelligent Design, but I think this is interesting nonetheless. US-CERT has released their year-end vulnerability summary. According to InformationWeek.com, Linux/Unix (including Mac OS) had almost three times the number of OS-specific vulnerabilities reported last year compared to Microsoft Windows. Obviously, statistics are meaningless without the proper conjecture, speculation, and opinionation, so let the debate begin again over which OS is really more secure."
  • One Take (Score:5, Insightful)

    by ackthpt ( 218170 ) * on Wednesday January 04, 2006 @08:02PM (#14397215) Homepage Journal
    It's because most *ix vulnerabilities are reported (and usually fixed rather quickly, particularly in the case of Linux distros.)

    Who knows how many Windows vulnerabilities there are known to Microsoft? Can you say "Vested Interest"? They certainly have tried to have divulging them criminalized as an act against national security, never mind warning customers of all sizes that they may have been compromised while Microsoft fiddled away at a patch for the past six months.

    I take this sort of revelation with a grain of salt and give it as much weight.

    many eyes only make for strong code when the code can be seen

    • Yes, indeed. (Score:5, Insightful)

      by DaedalusHKX ( 660194 ) on Wednesday January 04, 2006 @08:08PM (#14397269) Journal
      Let me put this into context.

      Linux (Red Hat to be specific) reported AND HAD ALREADY fixed similar JPG/GIF/PNG flaws more than 2 years before microsoft ACKNOWLEDGED that they had similar flaws. It may have been the same bug, or not, but still, similar bugs, FAR different timetables. And these are both companies right? One did base itself on code that it didn't try to lynch you for viewing, modifying or making your own. Hint: it wasn't microsoft.

      --------------

      What does it take for open source (being open to all) to report a flaw?

      Finding it of course.

      What does it take for a huge software house with stock to shill... errrr.. sell (since product sales do not a stock value raise anymore).

      Reporting few security flaws. "Proving" successful implementations are the norm... (via bought studies of course, and occasional true stories, if they ever are unbiased).

      --------------

      And of course, having worked inside an IT house, I'm quite familiar with how they work... especially M$ partners. I've never seen a SINGLE one ever report a vulnerability... whether our fault or the customer's or anyone's. Until it was fixed, or exploited, we NEVER EVER reported them... standard policy.

      ~D
      • by Anonymous Coward on Wednesday January 04, 2006 @09:00PM (#14397568)
        and submitting something like this (just as the parent and GP have pointed out), that lumps every *NIX OS vs. MS Windows is perhaps the dumbest thing I've ever seen on /.. I wish I could mod submissions.
    • by Anonymous Coward on Wednesday January 04, 2006 @08:08PM (#14397270)
      They're lumping Linux, UNIX, BSD, and OS X together and saying they together had more vulnerabilities than any single version of windows...

      I'm sure all the GM, Toyota and Honda cars between 1970 and 1990 put together had more design flaws than the Ford Pinto, but this comparison is not relevant.
      • by molnarcs ( 675885 ) <csabamolnar@@@gmail...com> on Wednesday January 04, 2006 @08:26PM (#14397409) Homepage Journal
        Yeah, I agree.

        In other words:

        There are at least 12 distinct operating systems in their list - Solaris, Cisco, SCO Unixware, OpenBSD, FreeBSD, NetBSD, HP-UX, AIX, HP Tru64, MacOS X, Linux variants like SuSE, Debian, Gentoo, RedHat (I counted Linux as one, even though most of the vulns. are found in their specific configuration/management tools). Add an arbitrary number of applications: KDE and GNOME, that in itself has more apps that are counted for Windows, every free SQL database server, mail server, (LotusDomino for Christ's sake!), imap client, ftp client, ftp server, etc...

        Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

        Of course, the fallacy of the comparison is that it suggests that Linux or Unix is an Operating System. For someone who does not look at the details, it might seem that installing a specific Linux or Unix operating system is more risky - hey, there are more bugs found in Linux/Unix, that's what the article says! In fact, the opposite is true, if you look at the details.

        Not that the comparison is useful in any way - why are Safari bugs counted at all? Safari runs on OS X only, so you can't just dump safari bugs into linux/unix bugs category (how retarded is that?). Why are bugs found in SuSE YAST counted as Linux bugs? They have nothing to do with linux or unix - they are specific to one operating system: SuSE linux (the same applies for all the bugs counted in Debian, RedHat, Gentoo, etc.) Not to mention the duplications: Eric Raymond's "Fetchmail POP3 Client Buffer Overflow" is counted 5 times for linux and BSDs. There are duplications for windows as well though. In other words, this list or comparison is pretty much unusable.

        • by Vicissidude ( 878310 ) on Wednesday January 04, 2006 @09:42PM (#14397750)
          Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

          To be fair, Windows is not the monolithic program you suggest. Windows NT is different from Windows 98. Windows 98 is different from Windows ME. ME is different from 2000. 2000 is different from XP. XP is different from 2003. Each has a similar, but different, code base with their own bugs.

          To Microsoft's advantage, Windows' code similarity means that a bug found in Windows 2003 can be traced and squashed in Windows 2000 and XP. This results in the bug being removed in all flavors of Windows simultaneously. However, that would be impossible with the various *nixes.

          Either way, I agree with Mark Twain. There are lies, damned lies, and statistics.
          • It may be impossible for the various kernels, but I would bet that it's actually easier to patch a lot of things in *nix than in windows because the *nix kernels don't throw things like a web browser or a window manager into the kernel.
            If there is a security hole with Konqueror browsing files on KDE then KDE issues a patch and it should mostly work on all of the various systems it runs on.
          • ok granted. however, if you're going to count each windows OS as a separate OS, you also, in maintaining fairness, have to count each linux distro as a separate OS. maybe the same with OSX, I'm not familiar with the platform so I don't know how different the 4 versions have been. in any case, if you break it out that far, you're dealing with several hundred unix/linux OS's with 10 times (at least) as many apps, vs just a handful of windows OS's.
        • by Dolda2000 ( 759023 ) <fredrik@dolda2 0 0 0 .com> on Wednesday January 04, 2006 @10:40PM (#14398027) Homepage
          Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!
          Actually, it's far worse than that. If you filter out the "Updated" entries for each vulnerability, it lands on 672 for Windows and 892 for the so-called "Unix/Linux" category, which means a mere 32% more vulnerabilities for 12 systems + 10x more apps than in Windows + Windows apps alone!
      • Worse than that (Score:3, Informative)

        by Lifewish ( 724999 )
        If I recall correctly, they're actually double-counting some vulnerabilities in common software - once for Linux, once for OS/X, once for Sun Solaris etc (I think that was right - can anyone confirm?). None of this was malicious - this survey was never intended to be rigorous and the people doing the counting made that quite clear. However, it does mean that any attempts to judge the relative merits of the various operating systems are somewhat fruitless.
      • by Pollardito ( 781263 ) on Wednesday January 04, 2006 @10:33PM (#14397996)
        it's even worse than that, here are some of the UNIX vulnerabilities:
        # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
        # Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
        # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
        # Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
        # Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
        # Adobe Reader For Unix Local File Disclosure
        # Andrew Church IRC Services LISTLINKS Information Disclosure
        this isn't a list of OS vulnerabilities, it's a list of application vulnerabilities sorted by OS
      • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday January 04, 2006 @11:31PM (#14398226) Homepage Journal
        The security holes don't even have anything to do with the OS. When there's a Windows hole, it's a hole that allows you to take over the OS. These "linux holes" are holes in shitty php scripts that happen to run on Linux. This just in... you can write shitty, insecure software that runs on Linux. Duh!

        If you look at all holes in the Linux kernel and base GNU utils vs. all holes in the Windows kernel and in the Windows core OS, you'll notice that Windows has many, many more. And the ones that Linux has are things like "temporary file permissions vulnerability" whereas Windows has ones like "arbitrary user from the network can flash your bios with the byte sequence 'lolololol pwnd'". Personally, I'd rather have someone read my sudoers file than hose my BIOS, but hey... at least windows has cool games or something.
        • Well, a hole in a php app could exist on windows too.. Apache and PHP can easily be installed on windows. In fact there are many such vulnerabilities..
          There are also some, like the shell:// vuln that was attributed to firefox, but was actually a vulnerability in the core windows os and therefore wasn't exploitable through firefox on any other platform.
      • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Thursday January 05, 2006 @12:41AM (#14398476)
        So out of curiosity, I removed all (Updated) lines from the results, and all blatantly duplicate exploits, and also any non-linux exploits, just to see how they matched up. Keep in mind that I kept a lot of the php, apache, and other exploits in the list but did not add them to windows despite that these also affect windows and should be included. The numbers I got were 784 to 672, Linux to Windows. Then, because in the windows list they strictly kept to vulnerabilities that only affected windows and not multiple platforms, I took out any vulnerabilities from the linux list that would 100% for certain be cross-platform and affect Windows as well. The list reduced to 669, which is right on par with Windows (keeping in mind that I left some exploits in the list because I was only say 80% or 90% sure and so I gave Windows the benefit of the doubt). Just out of curiosity, I then took out any linux vulnerabilities that were specific to one vendor (i.e. Red Hat, Suse, Gentoo, Debian) for a number of reasons which I won't get into. This brought it down to 639. That last number doesn't really represent anything other than a curiosity of mine.

        I was originally going to have a disclaimer stating that these numbers are accurate probably to within +-30, but since they were so close, I don't think it's necessary. One observation I've noted is that the Linux vulnerabilities are spread over a far greater variety of applications. Another thing worth noting is that it looks like Windows cannot easily be effectively secured as long as security updates are done as they are currently. Most linux distros (Red Hat/Fedora, Suse, Debian, Gentoo, etc.. off the top of my head) provide a central repository that will update everything on your system for you. This appears to be a much more optimal method of applying updates. If nothing else, these results show that not just core functionality, but also supporting functionalities must be kept up to date and are just as much of a security problem, if not more so. Linux distributions support such update methodologies natively, Windows does not.

        It appears that Linux is the winner here no matter how you look at it, and we didn't even begin to look at severity or the time from disclosure to time patched (which isn't available using the information in the report, but my inclination is to say that open source wins hands down here, call me biased if you will). For the files that I referenced and modified to get these numbers, you can get the windows list here [krenzel.info] and the first linux list here [krenzel.info] (the one with 784 exploits, not 669). These lists are not 100% accurate as I'm sure the regexes I used missed some things, or were too greedy in other cases. I also did some manual pruning that wasn't appropriate to be done with regexes, which I'm sure wasn't 100% accurate either, but these lists are close.
        Regards,
        Steve
    • Re:One Take (Score:3, Interesting)

      Not only that; the comparison is Linux/Unix including MacOS... How many kernels are we talking about here? There's the Linux kernel, 3 different BSD kernels, the MacOS kernel based on BSD (I assume it's different enough to count as a separate kernel, don't really know), HP-UX, AIX, SCO Unixware, Solaris (just check the vulnerability list) and probably some other Unix variants I forgot to mention compared against one OS. Yeah, sure, there's different Windows versions out there, but all Windows XP "distros"

    • Re:One Take (Score:5, Funny)

      by skraps ( 650379 ) on Wednesday January 04, 2006 @09:08PM (#14397602)
      You feel that sting, big boy, huh? That's pride fuckin' with you!

      (source) [imdb.com]
    • At first glance it looks like the groupings have MS as a better OS in terms of CERT warnings, but not even that, look at how the bins are made which group the numbers together.

      Basically UNIX (BSD, Solaris, AIX, IRIX, SCO, OS X), and ALL LINUX distributions are counted as ONE (1) bin, against MS Windows!!! So, you have basically EVERY popular mainstream operating system other than Windows in one bin and Windows in another, and you are trying to tout THAT as a stat that Windows has fewer flaws than Unix/Linux? S

  • by yagu ( 721525 ) * <yayaguNO@SPAMgmail.com> on Wednesday January 04, 2006 @08:03PM (#14397223) Journal

    It may be a volatile topic, but where better to discuss the reality, validity, etc., of these purported vulnerabilities?

    Get your education here (hopefully) so you can address the confrontations at work, from your friends, etc. when they accuse you of evangelizing an OS more vulnerable than Windows!

    Look for answers to:

    • how these vulnerabilities are reported (the article is painfully light on this)
    • what the vulnerabilities were and how serious they were
    • whether or not there is redundancy in the reporting mechanisms
    • what association and influence Microsoft has over this reporting process
    • how quickly vulnerabilities are fixed and how soon working patches are made available to the public
    • who is the author of this article? (Gregg Keizer), and what is his slant/bias?

    I'm sure this is a partial list, and I don't know the answers to these points, but I'd like to.

    • "so let the debate begin again over which OS is really more secure."

      How about we don't and just say we did, better yet, whichever side you agree with, it won the debate.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday January 04, 2006 @08:42PM (#14397492)
      TFA says that there were 2,328 reported vulnerabilities for *nix.

      I counted the lines and there are 2,329 lines.

      Here's an example of 10 of them:
      # BZip2 File Permission Modification
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)
      # BZip2 File Permission Modification (Updated)

      Yep. BZip2 is listed 10 times, but the reference to each of them reads the same:
      A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions of target files.

      And then they list 10 different distributions. Hmmmmm ..... it looks like the old "multiple reporting" problem.

      So, one problem in BZip2 == 10 counts of "problems".
      • by OdieWan ( 757584 ) on Wednesday January 04, 2006 @09:33PM (#14397711)
        Removing the duplicate lines is enlightening:
        cat usoft.txt| sed -e 's/(U|updated)//g' | sort | uniq | wc
            747 lines
        cat unix.txt| sed -e 's/ *(Updated) *//g' | sort | uniq | wc
            1050 lines

        That brings them almost in line with each other. Of course, we could do a half-assed job of cutting things down to just the OS to remove concerns about all the bundled apps:

        cat usoft.txt| grep Microsoft | sed -e 's/(U|updated)//g' | sort | uniq | wc
            160 lines
        cat unix.txt| egrep '((K|k)ernel)|(GNU)|(XFree86)' | sed -e 's/ *(Updated) *//g' | sort | uniq | wc # GNU/Linux, not Linux!
            167 lines

        Of course, any of this would be far too much work for the author of the article.
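The de-duplication that khasim and OdieWan do by hand above, written out as shell functions. This is an added example, not code from any poster in this thread; it assumes the one-"# title"-per-line format quoted above and runs on a constructed sample rather than the real US-CERT list.

```shell
#!/bin/sh
# Added example (not any poster's code): de-duplicating a US-CERT style
# vulnerability list. Input format assumed: one "# <title>" line per entry,
# with "(Updated)" appended to re-issued entries, as quoted in the thread.

# Constructed sample in that format. Not the real list; every count below
# refers only to this sample.
make_sample() {
  cat <<'EOF'
# BZip2 File Permission Modification
# BZip2 File Permission Modification (Updated)
# BZip2 File Permission Modification (Updated)
# Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
# Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
# Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
# Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
# GNU GZip Directory Traversal
# GNU GZip Directory Traversal (Updated)
# GNU GZip Directory Traversal (Updated)
# Multiple Vendors Linux Kernel Multiple Vulnerabilities
# Multiple Vendors Linux Kernel Multiple Vulnerabilities (Updated)
# Andrew Church IRC Services LISTLINKS Information Disclosure
EOF
}

# Reduce each entry to its bare title: drop the "# " bullet, the trailing
# "(Updated)" marker, runs of spaces and trailing whitespace. Parentheses are
# literal in sed's basic regex, which is also why 's/(U|updated)//g' in the
# thread removed nothing: it searched for that exact literal string.
normalize() {
  sed -e 's/^# *//' -e 's/ *(Updated) *$//' -e 's/  */ /g' -e 's/ *$//' "$1"
}

# Headline number: every non-blank line, updates included.
count_raw() {
  grep -c . "$1"
}

# Entries carrying the "(Updated)" marker.
count_updated() {
  grep -c '(Updated)' "$1"
}

# Distinct titles after normalisation. This is the number the thread is after,
# and it is not the same as raw minus updated: a vulnerability whose original
# entry predates the list shows up only as "(Updated)" lines, so subtracting
# the update count would drop it altogether.
count_distinct() {
  normalize "$1" | sort -u | awk 'END { print NR }'
}

# OdieWan's rough "just the OS" cut: keep kernel, GNU and XFree86 entries only.
count_os_only() {
  normalize "$1" | grep -Ei 'kernel|gnu|xfree86' | sort -u | awk 'END { print NR }'
}

# The N titles listed most often, with their multiplicity (the "Top 10 by
# bugs listed" view further down the thread).
top_listed() {
  normalize "$1" | sort | uniq -c | sort -rn | head -n "$2"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample > "$sample"
echo "raw:      $(count_raw "$sample")"       # 13
echo "updated:  $(count_updated "$sample")"   # 8
echo "distinct: $(count_distinct "$sample")"  # 6 (13 - 8 would wrongly give 5)
echo "os only:  $(count_os_only "$sample")"   # 2
echo "top 3:"
top_listed "$sample" 3
rm -f "$sample"
```

The gap between "distinct" and "raw minus updated" is the same one that separates the subtraction done later in this thread from a real uniq pass.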
  • From the FA: (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday January 04, 2006 @08:03PM (#14397233) Homepage Journal

    The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).

    In other words, these findings are absolutely useless.

    Also, even if they DID filter out updates and break out individual vulnerabilities, you would still have to know for how many days each vulnerability remained unpatched to have any useful information.

    As this oh-so-well-written website told me the first time I clicked on this story, "Nothing to see here. Move along."

  • Anything new compared to the earlier article in the Washington Post [slashdot.org]?

  • Whats funny is (Score:2, Insightful)

    by Anonymous Coward
    That they listed a few PHP apps that work on all 3 OS's as only on Linux. Hmmm
    • I don't know for sure but, it's probably something that isn't available for windows, say for instance GD's gif library for php (i'm just speculating with no research, maybe it does exist?). Regardless, it's the only way I can think of for this to happen.
  • by Jane_Dozey ( 759010 ) on Wednesday January 04, 2006 @08:05PM (#14397244)
    ...they really should take into account severity, time until a fix was available (from the time of discovery and not just disclosure to the public) and if the vulnerability was actually IN the OS or whether it was a third party app. Then perhaps the total numbers will start being a little more helpful.
    • I'd have to agree with you. It doesn't really help, when they say Windows vulnerabilities and then list security issues in Symantec software. At that point it's not the OS, it's the virus or firewall provided by a 3rd party.

      Severity would also help. It would be good to know which were local exploits vs remote exploits and if the exploit was because of a certain option turned on or off. I know there are several OS exploits in FreeBSD, but if you are not running bind or ssh you won't be affected.

      Talking ab

    • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Wednesday January 04, 2006 @08:54PM (#14397545)
      Not only do they not take into account severity, a large portion of the vulnerabilities in the Linux list are tagged with "update" meaning that a large portion are just updates to previously filed bugs, but worst of all, their lists are just plain wrong. A huge chunk of the open source projects listed under *nix are not listed under Windows, yet they run on Windows and the vulnerabilities affected windows. There are Apache, Gaim, PHP, Zope, Clam AV, Vim, Emacs, Perl, MySql and many more vulnerabilities listed just under *nix, yet equally affect Windows. Even worse, Windows has 1 firefox vulnerability listed, yet *nix has 153 firefox vulnerabilities listed (including the couple of tens of updates) but every vulnerability I saw listed equally affected Windows. This list is separating vulnerabilities by pretty much whether it's open source or not (for the most part, say 90%), not by what platform it runs on, yet the latter is how they are categorized. This whole list is a big giant piece of misinformation and someone needs to correct it.

      It's also not intelligent to group together all Unix derived operating systems, as they all follow completely different security structures, development paradigms, and grouping them is simply serving to inflate already misleading numbers. The fact is that the only thing this list clearly shows is that open source projects are much better at following up on security problems (noting all of the updates), and that there are far more applications that run under *nix than under Windows once you account for all of the at least semi-popular open source projects.
      Regards,
      Steve
  • Dupe (Score:3, Informative)

    by A beautiful mind ( 821714 ) on Wednesday January 04, 2006 @08:05PM (#14397248)
    Sigh. The statistics were flawed the first time they were posted to /., no need to repeat that bag of bad science.
  • by jmac880n ( 659699 ) on Wednesday January 04, 2006 @08:05PM (#14397249)

    This is old news. PJ has done a pretty thorough job debunking this one on Groklaw [groklaw.net].

  • by SilverspurG ( 844751 ) * on Wednesday January 04, 2006 @08:06PM (#14397254) Homepage Journal
    In the Microsoft section there could be an entire block for : "Clueless user -- installed malware X which caused the propagation of virus Y"

    In the Linux section there would be a similar block for : "Clueless user -- caused hard drive format"

    Yeah. That was wanton. Sure, okay. I agree. It's probably true that most OSS vulns are reported to public forums while most MS vulns probably get identified in house and rolled into a patch. Maybe. In 6 months or so after the devs have had fun with it for a while.
  • by User 956 ( 568564 ) on Wednesday January 04, 2006 @08:07PM (#14397263) Homepage
    If you read the actual list [us-cert.gov], a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".
    • But they do the same in the Microsoft section. As I was scanning the list I threw that point out as moot after scanning it the second or third time. "The same thing seems to happen in both sections. That's not really arguable."
      • But they do the same in the Microsoft section. As I was scanning the list I threw that point out as moot after scanning it the second or third time.

        Ok, so if you throw out all 141 "updated" occurrences in the Microsoft section, that leaves 671 (812-141=671). If you throw out all 1437 "updated" occurrences in the linux/unix section, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with fewer vulnerabilities than Windows (891-130-77=684).
    • Okay I "uniqued" it by removing the (Updated)'d and it came out to 1048 - I know this isn't a good # because I didn't review if these were multiple platforms, or if they were separate incidents within a software package...

      Top 10 by bugs listed -
      * GNU GZip Directory Traversal 13
      * Multiple Vendors LibXPM Bitmap_unit Integer Overflow 13
      * Multiple Vendors Linux Kernel Multiple Vulnerabilities 13
  • by aggieben ( 620937 ) <<aggieben> <at> <gmail.com>> on Wednesday January 04, 2006 @08:08PM (#14397265) Homepage Journal
    go troll somewhere else. This has been discussed repeatedly everywhere on the internet, and it only ever proves two things:
    • everyone already has an opinion on the issue and isn't going to change it.
    • these opinions are hardly ever based on empirical evidence
  • One possible take (Score:2, Insightful)

    by El Royo ( 907295 )
    It would be interesting to compare the number of different versions of software and applications this covers. Windows XP has not evolved tremendously in the last several years. Certainly Microsoft has shown a renewed (if not a completely successful) focus on security lately. But I think Microsoft benefits in this survey from a more stately release cycle.
  • by robpoe ( 578975 )
    If you read TFA, it also mentioned not to put too much into the data recorded about the vulnerabilities: as not all of the vulnerabilities reported were distinct incidents (and some were 1 vulnerability for multiple bugs).

    Also, with as many DIFFERENCES as there are between, say Apple, Sun, SCO, Linux .. how can you say that *ix is more / less safe than Windows, especially considering that not all vulnerabilities affected all platforms.

    If you wanted to be more specific, then add up vulnerabilities for EACH
  • Is it really then a good water mark? Windows seems to suffer far more attacks. Mac seems one of the safest in practice and Linux seems to suffer few attacks. IS the real reason numbers, as in there are more users so more attacks? Or is it the type of flaws? Or are the attackers more inclined to attack Windows for personal reasons? There's obviously a reason and simple numbers aren't proving to be an accurate measure. Does anyone in the know go with Windows for security?
  • or kernel patches? Because Linux is a damned kernel and Redhat/Suse/whatever's patches for say curl, wget, apache, etc are not OS level patches.
    • Distribution. It counts bugs in (for example) Windows' handling of metafiles, too. Besides, what with both Linux and Windows heading towards greater support of user-mode drivers, distinguishing between kernel and non-kernel security holes is an idea which is rapidly losing usefulness.
  • The title: Linux/Unix Tops Charts for Vulnerabilities in 2005

    This is beyond any doubt, very very true. But before you call me a Microsoft Shill (I'm not, I use Debian myself), allow me to explain:

    If one goes to www.linux.org, and searches for all GNU/Linux distros without a filter, they will see that there are 370 distributions. If that includes unmaintained ones, that number grows to 417. And that does not include all of the other Unixes, such as the BSD group, and, like the article pointed out, Mac OSX.

    No
  • only 3x ? (Score:2, Insightful)

    by DaveCar ( 189300 )
    Well, the "windows" ones are "Windows Operating Systems"

    And the "linux" and "osx" ones are "Unix/ Linux Operating Systems"

    Seeing as "windows" ones are Windows and "linux" and "osx" are Linux, OS X, Solaris, IRIX, AIX, HPUX, Tru64, *BSD, SCO, etc., etc., I think 3x is not too bad as there are more than 3x the number of distinct operating systems.

    That's without even looking at what might be classified as "application" versus "os" vulnerabilities in each category.

    • That was a good starting point but then, in the interest of honest debating, one could cede the consideration that this may be a comparison of the MS standards of writing an OS with the systems which are more closely aligned with the POSIX standards. Not that it makes it perfect, but one could give the MS people the point on that just to be nice.

      So looking at the data set what other inconsistencies do you see which don't line up with the actual reality of the situation?
  • by daVinci1980 ( 73174 ) on Wednesday January 04, 2006 @08:13PM (#14397310) Homepage
    It is worth discussing OS security in terms of exploitable holes found. And before the detractors start coming out in droves saying "the real question is how many days a vulnerability remains unpatched," that's not the real question. That's a question, and it's certainly an important one. But it's not the only important criterion in determining the quality of an OS.

    Even if a vulnerability is reported and then fixed quickly, the fact remains that it could've been used for dozens or hundreds (or more) exploits *before* it was reported.

    It's not just a matter of "see, look how quickly we can bail water out of the boat." There's also the question of how many holes were in the hull to begin with.

    I'm not saying that any particular platform is put together better than any other, just that it is a topic worth discussing.
  • I'm not going to spend the hours it would take to check all the "Updated" entries in the list, but I picked one at random and looked at the original and two of the updates, and the only change between them was the addition of links to distribution-specific patches. Looks like they're counting individual exploits multiple times.
  • by hellomynameisclinton ( 796928 ) on Wednesday January 04, 2006 @08:13PM (#14397317)
    Dear Slashdot,

    I'm offended by the latest comparison of Linux and Windows. The linked article offers no measurable insight, and is exactly the kind of flamebait that bores the /. community. It goes without saying that I did not read the article, but I know enough about operating systems that it is incorrect, and insight-free.

    Please change your editorial practices to fit my tastes better.

    ComplaintGen (R) - 2006
    • by Linker3000 ( 626634 ) on Wednesday January 04, 2006 @08:39PM (#14397480) Journal

      Slashdot EeziPost (TM) MK 1.1.01

      #NB: For obvious reasons, the first option is ENABLED by default - remember to turn off if you are NOT responding to a dupe

      [ ] Another: [ ] Dupe [ ] Slashvertisment [X ] WTF [ ] $editor is a dork

      [ ] Frist psot [ ] $link_to_GNAA [ ] $link_to_goatse [ ] $random_drivel

      [ ] I Haven't RTFA, but... $random_self_opinionated_comment

      [ ] [$Slashdot_reader] writes, "[$pundit] wrote an article about [$Technology_we're_not_currently_fond_of], based on conjecture and personal opinion. Does this mean that [$Technology_flavor_of_the_month] is taking over?

      [ ] Slashdotted already!. I bet their server runs on $topic_item too!

      [ ] I am not qualified to respond to this article, but I will give you my insight anyway..

      [ ] Here's a plug for my blog / Web site disguised as an insightful comment (I need the ad revenue)

      [ ] Next they'll be patenting 'A method of replying to a Slashdot posts using a form containing pre-defined response options'

      [X] Mod Parent [X] up [ ] Down

      [ ] Fsck: [ ] Sony [ ] SCO [ ] Micro$oft [ ] DMCA [ ] DRM [ ] MPAA [ ] RIAA [ ] Google [ ] Bush [ ] You all

      [ ] I for one welcome our new $topic_item overlords

      [ ] Imagine a beowulf cluster of those

      [ ] In Soviet Russia, $topic_item owns you!

      [ ] Meh!

      [ ] You must be new here!

      [ ] Netcraft confirms $topic_item is: [ ] dead [ ] dying

      [ ] But have the inventors thought of what will happen if $random_amateur_insight

      [ ] You insensitive clod

      [ ] Torrent, anyone?

      [ ] Here's a link to a patch: $random_linux_distro_url

      [ ] "Yeah, but does it run Linux?"; if($summary has 'linux') add " Oh, wait..."

      [ ] Profit!!

      [ ] Tinfoil hat at the ready

      [ ] Still no cure for cancer

      [X] "()*%£^" No Carrier

  • by Crispin Cowan ( 20238 ) <(crispin) (at) (crispincowan.com)> on Wednesday January 04, 2006 @08:15PM (#14397331) Homepage
    The reason the numbers are so different is that they are apples and grapes: different sized units. Lumping all of Linux and UNIX together into a single category distorts the data. The fact that Solaris or AIX had some defect does not affect Linux and *BSD systems. Putting all their union set of vulnerabilities into a single bucket makes the UNIX/Linux crowd look much more vulnerable than it is. FUD FUD FUD.

    Another issue is that most Linux distros ship a LOT of application code, like 2000 to 6000 packages, which is waaaay more than Microsoft ships with Windows. That there is an "OS" vulnerability for some rarely used application in a large Linux distro is just not comparable to the smaller set of code that Microsoft is willing to take responsibility for.

    It is just irresponsible for CERT to be publishing distorted numbers like this.

    Crispin

  • by TheFlyingGoat ( 161967 ) on Wednesday January 04, 2006 @08:16PM (#14397338) Homepage Journal
    Volatile is an understatement.

    Anyway, I've used a number of different operating systems and I've realized something. Computer security isn't so much the operating system you select, it's how diligent you are in keeping it secure. If you keep the system patched, behind a decent firewall, are careful with the software you run, and don't use the root/Administrator account for normal usage, you'll probably not have any issues with your computer. Granted, there are plenty of examples otherwise, but I'm referring to the standard user or sysadmin.

    The problem comes in for users that don't understand that they need to keep their system protected more than it is out of the box. Some linux distros and Windows get it right by having automatic updates (if you need to disable these, you can easily enough).

    Overall, there ARE good things and bad things about each operating system, but not much matters if the user isn't going to take some type of responsibility to keep their own system updated and protected.
  • I opened up the page and the first thing I notice is that both show vulnerabilities of not only the OS but the applications that run on it. It's really not fair to say that an iTunes vulnerability makes Windows less secure since Microsoft has no control over it. It also seems that the way this is done is Windows v All (Linux, Mac, all *nix OSs). Not to mention that there are still numerous vulnerabilities on Windows that are going unpatched (WMF anyone?).
  • than ALL unix/linux operating systems combined.

    This proves nothing.

    And why are Mozilla vulnerabilities listed under unix/linux but not under Microsoft Windows? Last I checked, Mozilla ran on Windows too.
  • Groklaw comments (Score:3, Informative)

    by Phragmen-Lindelof ( 246056 ) on Wednesday January 04, 2006 @08:17PM (#14397355)
    Groklaw [groklaw.net] has comments about this like:
    Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
    Kind of makes a numerical count of reported security problems pointless. (BEGIN SARCASM) Of course, the Linux/Unix security holes are much more serious than are Windows security holes because automated worms, viruses, etc. attack Linux/Unix machines but not Windows computers. (END SARCASM)
  • Probably stated above already - but that number is meaningless unless you look at the percentage of those vulnerabilities that were fixed within the same year! I'm sure more of these were patched within let's say a month of them being announced. Also, just because more are announced doesn't mean there are more - just that more were found... Open Source has more eyes looking for vulnerabilities, which some may say would make it more secure to begin with!
  • This is all out of context unless you look at the impact of the vulnerability, and how it is exploited. I didn't RTFA, admittedly, but I do know that the main reason for the exploit of vulnerabilities (both technology speaking, as well as the handling of these topics by the media) is largely because of the volume of Windows users in the world.

    These articles only make the majority of the public even dumber.

    It makes me think of the line from Billy Madison where the teacher proclaims "...At no point in y
  • I think I just heard the sound of flood gates opening in the distance, followed by the rushing and roaring of what is surely a massive volume of water.

    Or maybe that was the sound of thousands of Slashdotter keyboards blazing...

    At any rate, this is interesting because it once again prompts the lot of us to dig up the tired old argument, "Just because more vulnerabilities are being found doesn't mean the system is less secure." As I'm certain others before me have already stated countless millions upon billio
    • I've been trying to maintain a level position on this. Suppose a few things: The list is complete. The list is objective. The list treats similar reports in similar ways (ie. some vulns get multiple listings as happens in both lists). This really truly is just MS vs. just Linux.

      So given those suppositions to remove all the usual tired arguments... what's left? What else can we say about the data aggregated in the list?

      The best I could come up with was that public reporting is a basic tenet of OSS so it
  • Yeah, dupe, OK, we got it.

    Anyway, believe whatever source you want. All I know is that while IT departments across the country raced through their holiday "vacations" to roll out unofficial patches to fix the WMF vulnerability, I sat at home drinking egg nog and watching South Park.

    By the way, we need a better lexicon. "Vulnerability" sounds too bad and too good at the same time. A DoS that crashes gtk-gnutella is one thing, and needs a much softer word to describe it - perhaps "imperfection". A des

  • microsoft was intelligently designed from above by a corporate structure. linux evolved from many disparate cooperating independent parties. so of course microsoft is superior, it is ordained By god

    meanwhile linux is an nihilistic meaningless ramble. do you think god plays dice with operating systems? i for one do not

    one day armageddon will come and flood the internet with worms and virii and kill the babel of linux nodes. vista will record two copies of every software package, beta and release, and releas
  • by javaxman ( 705658 ) on Wednesday January 04, 2006 @08:38PM (#14397470) Journal
    There is more than one problem here, but something which must not be ignored is that a large number of the listed 'vulnerabilities' are very application-specific.

    Want one example? The CM Cyrus IMAP server [us-cert.gov] sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you?

    And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.

    So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out ( i.e. I'll give you web servers and browsers normally used with any platform as part of the OS ), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...

  • There's no debate here, people; the most secure OS is Knoppix [knopper.net]. Or the old Commodore and Apple ][ OSes in ROM, with no network support.

    Move along.

  • How come is a PHP hole only a Unix hole? ... This "Vulnerability Summary" is bullsh*t.
  • Look for apache. The only entry is *nix. They imply that Apache is not vulnerable on MS. You know that Apache on Windows had the same errors. Basically, they are trying to equate the Windows OS flaws to all the flaws in a *nix distro.

    I almost think that *nix should do the Windows approach and come with multiple "sets"; the base OS CD and then one or more types of apps CD (as a different thing).

    Sadly, I think that posts from groups like CERT like this does as much damage to cert's reputation as it doe
  • *nix had the most total number of vulnerabilities, however I believe that if you look at the severity of windows vulnerabilities, you will find them to be more severe and longer lived in nature...

    Plus, when the hell are people going to stop grouping ALL distributions of Linux into one category... how many major distributions by different vendors are out there? 18 or something like that, and hundreds of smaller distros... There is only ONE Microsoft. Compare Windows to any single distribution... and then we w
  • it's open source? Everyone can look at the Linux source and report a new bug, whereas they cannot with Windows. This doesn't mean *nix actually has more than Windows, it means more were found, reported, and fixed.
  • Take, for instance, the wget vulnerabilities listed in TFA. There's eight of them. Open them up, and you'll see that they're all the same pair of CVEs (CAN-2004-1487 and CAN-2004-1488) -- just updated every time a new distro releases a patch. That's a lot of redundancy -- the equivalent of reporting a bug in Windows Media Player separately for Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003, etc.

    I have to wonder about the purpose of this article, as it ought to be fairly easy to run
  • There is one (1) operating system with only one (1) local vulnerability (in older releases) and only one (1) denial of service (all releases): VMS [hp.com] . Certainly outstanding! But, I bet the media will not notice.
  • by Stuupid ( 942726 ) on Wednesday January 04, 2006 @08:57PM (#14397556)
    2,328 is a whole lot more than 812. that means that *nix et al are 1,516 fixes ahead of the competition.
  • by necro2607 ( 771790 ) on Wednesday January 04, 2006 @09:17PM (#14397640)
    Points not mentioned :

    -amount of risk caused by vulnerability
    -percentage of high-risk vulnerabilities per OS
    -time taken to patch vulnerability
    -whether the vulnerability is in some tiny obscure piece of shareware or in a VERY common software (such as MSIE) ... etc. etc.

    Statistics aren't so useful with such lack of completeness.

    Of course that page isn't there to be a useful guide for statistics on vulnerabilities, but the Slashdot article seems to be portraying it as such...
  • by 3seas ( 184403 ) on Wednesday January 04, 2006 @09:34PM (#14397715) Homepage Journal
    The only intelligence there is in regards to windows is that of marketing... market it no matter what condition it is in. If "Intelligent Design" was more popular you can be sure MS would market Windows in a manner to ride off that, as they do everything else they can. I mean Hey, they got the singularity OS....(rolls eyes)

    I think everyone knows how out of context the article is, which only shows the deceitful intent of those responsible for it being written.

    Taking things out of context is a known action of those having intent to deceive.

    Now if there were laws against such that applied to marketing.... We'd all have better things in life, cept for the deceptive.

    But for those of us who do know to see past the BS... we are better off, depending on how deep the BS goes, and sometimes it gets rather deep.
  • by smash ( 1351 ) on Wednesday January 04, 2006 @10:03PM (#14397839) Homepage Journal
    OK, lets consider:

    1. Your typical linux distribution includes more applications than microsoft even produce
    2. choosing not to install, or uninstall specific components of a linux distribution is trivial. Try removing IE from Windows XP, without having to put your faith in a third party to help you hack the OS to do it. Then call microsoft for support :D
    3. "linux" encompasses more than 1 distribution

    Anyone with half a clue and experience with both OSes in a production environment already knows the truth, but there's some points for those who actually believe some of the shit that seems to be deemed newsworthy...

    smash.

  • Puh-lease (Score:5, Insightful)

    by MattW ( 97290 ) <matt@ender.com> on Wednesday January 04, 2006 @10:06PM (#14397848) Homepage
    Go compare "Linux Kernel" vulnerabilities (9 unique) vs "Microsoft Windows" vulnerabilities (46 unique). Even that isn't apples to apples, but it's a lot more indicative than the random counts of vulnerabilities for every piece of software shipped with an OS.
  • by egarland ( 120202 ) on Wednesday January 04, 2006 @10:47PM (#14398068)
    The idea of a security score card is good but the way they did it is meaningless. The ranking should be more like:

    Number of bugs +
    Number of bugs with known exploits x 5 +
    Number of bugs with known exploits x the number of days the exploit was in the wild before the bug was patched.

    Then multiply the whole thing by a risk factor (1-5) based on how much harm it can do.

    No lumping multiple OSs. Each one should get its own card. Lumping applications bundled with the OS is reasonable but skews things too. For an accurate comparison, only bugs in features common to all platforms and bugs in non-optional components should be counted.

    The way the current ranking they use works you could have 50 non-exploitable, local user only, file permission modifying bugs in 100 different Lunix distributions and it would count as 5,000 bugs. Similarly you could have one remote attack that completely takes over a Windows box with known exploits which remained unpatched for 100 days and it would count as 1 bug. The score would be 5,000 to 1 in favor of Windows which is about opposite from what it should be in this example. These are completely meaningless numbers.

    I don't know how the OSs would stack up given an accurate reporting but I would be interested to see.
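The scorecard proposed in the post above, as an added worked example (not the commenter's code and not anything US-CERT publishes). It assumes the risk factor is applied per bug, which the post leaves open, and feeds in the post's own scenario as constructed data: 50 non-exploitable local bugs in each of 100 distributions against one remote Windows takeover with an exploit live for 100 days.

```python
# Added illustration of the scorecard proposed in the comment above; not the
# commenter's code and not anything US-CERT publishes.  Assumptions: the risk
# factor (1-5) is applied per bug, and one "card" is one OS or distribution.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    card: str             # the single OS / distribution this report belongs to
    family: str           # how the aggregate list lumps it ("unix" or "windows")
    exploit_known: bool   # a working exploit was public
    days_exploited: int   # days the exploit was in the wild before a patch shipped
    risk: int             # 1 (harmless) .. 5 (remote full compromise)


def lumped_raw_counts(vulns):
    """One point per report, summed per family: the counting the post objects to."""
    counts = defaultdict(int)
    for v in vulns:
        counts[v.family] += 1
    return dict(counts)


def weighted_score(v):
    """Score for one bug: 1, plus 5 and one per exploited day when an exploit
    exists, the whole thing multiplied by the risk factor."""
    if not 1 <= v.risk <= 5:
        raise ValueError(f"risk factor must be 1..5, got {v.risk}")
    if v.days_exploited < 0:
        raise ValueError("days_exploited cannot be negative")
    points = 1
    if v.exploit_known:
        points += 5 + v.days_exploited
    return points * v.risk


def scorecards(vulns):
    """Weighted score per card, with no lumping of distributions."""
    cards = defaultdict(int)
    for v in vulns:
        cards[v.card] += weighted_score(v)
    return dict(cards)


def constructed_sample():
    """The post's own scenario as constructed data: 50 non-exploitable, local-only,
    risk-1 bugs in each of 100 distributions, versus one remote takeover of Windows
    with a known exploit left unpatched for 100 days."""
    sample = []
    for n in range(100):
        card = f"distro-{n:03d}"
        sample.extend(Vuln(card, "unix", False, 0, 1) for _ in range(50))
    sample.append(Vuln("windows", "windows", True, 100, 5))
    return sample


if __name__ == "__main__":
    sample = constructed_sample()
    print("lumped raw counts:", lumped_raw_counts(sample))   # unix 5000, windows 1
    cards = scorecards(sample)
    print("windows card:", cards["windows"])                  # (1 + 5 + 100) * 5 = 530
    print("one distro card:", cards["distro-000"])            # 50 * 1 = 50
```

Lumped raw counting gives 5,000 to 1; the per-card weighted score gives 50 per distribution against 530 for Windows, which is the reversal the post describes.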
  • Rubbish (Score:3, Informative)

    by Brandybuck ( 704397 ) on Wednesday January 04, 2006 @11:40PM (#14398262) Homepage Journal
    Utter rubbish! This is comparing one operating system with two varieties to a dozen different Unix and Unix-like operating systems with hundreds of variants, distributions and versions.

    How about comparing just ONE operating system to ONE other operating system? Like Windows XP to Solaris/SPARC? Or Windows Server to FreeBSD 5.x branch?
  • Meaningless numbers (Score:3, Interesting)

    by laird ( 2705 ) <lairdp&gmail,com> on Thursday January 05, 2006 @12:33AM (#14398452) Journal
    These aggregate numbers are meaningless. That being said, US-CERT made pretty clear that this was simply a list of reported vulnerabilities, not any sort of analysis, so I blame the news sites for taking the meaningless numbers and trying to create a news story that will get Windows and Linux/UNIX/MacOS X fans all excited to read and post (and generate ad revenue).

    Why do I say that the aggregate numbers are meaningless?
    1) They count "updates" to vulnerability reports as vulnerabilities, so there are many vulnerabilities that appear to be counted 5-10 times in the "UNIX" list, and 2 times in the "Windows" list. My guess is that these "updates" are individual OS reports, meaning that a single vulnerability in a cross-platform application would be reported as 2 Windows vulnerabilities and 10 UNIX vulnerabilities. CERT should break out each OS into its own counts in order to correct for this. Eliminating duplicate reports isn't good enough, because there are many OS-specific reports, and it doesn't make much sense to count vulnerabilities specific to Solaris AND Mac OS X AND Linux AND HPUX etc., in a single number, since you run only one OS at a time. :-)
    2) They count reports of multiple vulnerabilities as a single vulnerability, which means that OS's that release fewer updates, each of which patch multiple vulnerabilities (e.g. Apple, Microsoft) as having far fewer vulnerabilities than OS's that release specific patches for each vulnerability. Strangely, this punishes OS vendors that rapidly address and release patches for vulnerabilities, and rewards vendors that are less responsive. CERT should count a single announcement that covers multiple vulnerabilities as if each vulnerability were reported individually.
    3) They include third-party application vulnerabilities in the counts, and the number of those reports dwarfs the number of actual OS vulnerabilities (90-95% of the vulnerabilities listed aren't in the OS's). CERT should separate bugs in the OS's from optional third-party application bugs. Many of the vulnerabilities are in extremely obscure applications, and while users of those applications might want to know about these issues, it's hardly a reflection on the OS' security if there's a 'Wojtek Kaniewski EKG Insecure Temporary File Creation & SQL Injection' in some project's "contrib" directory, which is hardly comparable to 'Sun Solaris ARP Handling Remote Denial of Service' or 'Microsoft DirectX DirectShow Arbitrary Code Execution'.
    4) Their OS coverage is quite spotty. For example, if an application runs on all OS's (e.g. Mozilla, bzip) and has a vulnerability that applies to all OS's, sometimes they're reported only for Windows, sometimes only for UNIX, sometimes for both, sometimes with many repetitions and sometimes only once. While this would require CERT to do some analysis (i.e. actually read the reports), they should consistently recognize cross-OS issues and remove them from the OS-specific lists and report them in the multiple operating system list.

    Since each of these issues appears to introduce error rates that are an order of magnitude larger than the useful data, there's no meaningful data left.

    Of course, people have pointed these problems out about these CERT reports for many years. Still, since we have these same pointless discussions every year, CERT should make some basic changes to make these reports somewhat meaningful. Their previous year's list (http://www.us-cert.gov/cas/bulletins/SB2004.html [us-cert.gov]) was more useful, because they at least made it clear which issues were high risk, and which application or OS each vulnerability was associated with, and they avoided the misleading totals. Let's hope that next year they at least go back to the 2004 report format, even if they don't bother to do any meaningful analysis.
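Points 1, 2 and 4 above, together with the wget duplication noted earlier in the thread, as an added example that is not the commenter's code: it collapses the "(Updated)" repeats, counts each CVE once however many updates cite it, and files cross-platform items in their own bucket. The bulletin has no machine-readable format on this page, so the Entry shape is assumed, and the sample entries are constructed to mirror the fetchmail, wget and Mozilla cases the thread describes.

```python
# Added example, not code from the commenter or from US-CERT.  The bulletin has no
# machine-readable format on this page, so Entry is an assumed shape, and SAMPLE is
# constructed to mirror the fetchmail, wget and Mozilla cases raised in the thread.
import re
from collections import defaultdict
from dataclasses import dataclass

UPDATED_SUFFIX = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    week: str
    systems: tuple        # operating systems the bulletin files the entry under
    title: str
    cves: tuple = ()      # CVE/CAN ids named in the entry; may be empty


def normalise_title(title):
    """Strip the '(Updated)' marker that each distro patch re-adds to the same item."""
    return UPDATED_SUFFIX.sub("", title).strip().lower()


def bucket(entry):
    """Point 4: an entry filed under more than one OS goes to its own bucket."""
    if len(set(entry.systems)) > 1:
        return "multiple"
    return entry.systems[0] if entry.systems else "unknown"


def raw_counts(entries):
    """How the aggregate totals are produced: one point per line, per OS listed."""
    counts = defaultdict(int)
    for e in entries:
        for system in e.systems:
            counts[system] += 1
    return dict(counts)


def unique_counts(entries):
    """Points 1 and 2: count each CVE once however many updates mention it, and an
    entry naming several CVEs as several vulnerabilities.  Entries without a CVE
    fall back to the normalised title, so a reworded title still double counts,
    which is exactly why the list needs combing by hand."""
    seen = defaultdict(set)
    for e in entries:
        b = bucket(e)
        if e.cves:
            seen[b].update(c.upper() for c in e.cves)
        else:
            seen[b].add("title:" + normalise_title(e.title))
    return {b: len(ids) for b, ids in seen.items()}


# Constructed sample: four '(Updated)' repeats plus one differently worded fetchmail
# entry, eight wget updates that all cite the same CVE pair, one cross-platform item.
FETCHMAIL = "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)"
SAMPLE = [
    Entry("Aug 10-15", ("unix",), FETCHMAIL),
    Entry("Aug 17-23", ("unix",), FETCHMAIL),
    Entry("Sep 6-13", ("unix",), FETCHMAIL),
    Entry("Nov 9-16", ("unix",), FETCHMAIL),
    Entry("week-a", ("unix",), "Fetchmail POP3 Client Buffer Overflow"),
] + [
    Entry(f"week-{i}", ("unix",), "GNU wget Vulnerabilities (Updated)",
          ("CAN-2004-1487", "CAN-2004-1488"))
    for i in range(8)
] + [
    Entry("week-x", ("unix", "windows"), "Mozilla Vulnerabilities"),
]

if __name__ == "__main__":
    print("raw:", raw_counts(SAMPLE))        # {'unix': 14, 'windows': 1}
    print("unique:", unique_counts(SAMPLE))  # {'unix': 4, 'multiple': 1}
```

On the constructed sample the line count is 14 UNIX entries to 1 Windows entry, while the de-duplicated count is 4 UNIX-only vulnerabilities plus 1 cross-platform one, with the two fetchmail titles still counted separately because they carry no CVE to join them on.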
  • by yeOldeSkeptic ( 547343 ) on Thursday January 05, 2006 @12:41AM (#14398475)

    There is a difference between a vulnerability and an exploit. A vulnerability is just a potential weakness, a chink in the armor so to speak, but potential weaknesses cannot be taken advantage of unless it is exploited. It is thus the number of exploits that is the primary consideration when speaking of security.

    Of course, Linux will have a large number of visible vulnerabilities! It is open source and anybody with two eyes and a passing knowledge of C should be able to find vulnerabilities almost everywhere. However, are those vulnerabilities actually exploitable? In most cases, Linux security alerts consist entirely of possible vulnerabilities and in most cases also, those vulnerabilities are quickly patched up and repaired; well before any practical exploits are written for it.

    The case is not the same with Microsoft Windows. Because Windows is closed-source, the only way to demonstrate a vulnerability in Windows is to actually write an exploit for it! Thus, whenever a vulnerability has been discovered for windows, you can bet your Momma's last penny that there is a very good chance of the existence of a working exploit for it.

    How many vulnerabilities are there in Windows we do not know of because we cannot examine the source? Judging from the number of exploits (written by people without access to Windows source code, by the way) we can infer with good accuracy that the total number of vulnerabilities in windows should be several times that of the number of exploits. I am too lazy to make a count but perhaps someone with the inclination can create a matrix showing Vulnerabilities vs exploit vis a vis Windows vs Linux. If we assume that the ratio of exploits to vulnerabilities is the same for both operating systems, what would be the estimate of the number of vulnerabilities in windows? If we further include the fact that Linux is open source while Windows is not, what would be the estimated number of exploits in Windows?

    That would make an interesting study.

    It is Linux's open-source nature that gives it the disadvantage when a simple-minded count of the security alerts for Windows versus the number of security alerts for Linux is made. But keep in mind that almost all security alerts for windows are not of vulnerabilities but of practical, demonstrably working, and potentially already widespread exploits. Most security alerts for Linux are of vulnerabilities.

    In any discussion of security between Linux and Windows, the crucial distinction between vulnerability and exploit should be clearly enunciated.

Truly simple systems... require infinite testing. -- Norman Augustine
