February 8th, 2002, 04:26 PM
145 unique vulnerabilities in linux in 2001
Today I read this on : http://lwn.net/
I thought you might like to know this...
Whew. That is a total of 290 updates for 145 unique vulnerabilities. It would seem that the vnunet article actually underestimated the problem. A quick look at the totals suggests that Turbolinux is the most secure distribution with only 28 updates, while Debian and Mandrake top the list at 81. It must be time to put out a press release. That is, of course, complete nonsense. Why do the different distributors have different numbers of updates? Here's a few reasons: Not all distributors ship the same packages. Debian, due to its size, is almost guaranteed to have more issues than any other distribution. Very few others ship packages like cfingerd or xtel. Distributors sometimes combine multiple fixes into a single update - especially if they are running behind. The number of updates puts a lower bound on the number of security problems fixed, but doesn't tell much more than that. Some distributors are rather better at getting updates out than others. All distributions, for example, were vulnerable to the latest glibc buffer overflow problem. Debian's update came out in January, and thus didn't quite make the 2001 table. Turbolinux has yet to issue an update for that problem, and for many others. If you simply count and compare updates, you will penalize the distributions that are more serious about security. In other words, we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time. In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities. One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
February 8th, 2002, 05:56 PM
pays to stay on top of this ....
February 8th, 2002, 06:37 PM
Nice article jinx, I had read it before and noticed that a lot of the vulnerabilities were distribution specific. In other words there might have been 20 vulnerabilities in mandrake, but they wouldnt work on redhat. Another thing I noticed was that the vulnerabilities were on older distributions. The comparison was between win2000/NT and all distros of linux and all versions of those distros. This is an unfair comparison. Thats like comparing Mandrake 8.1 and redhat 7.2 against Win98, Me, NT(all versions), XP, 95, 3.1, DOS, and all the others.
Wine maketh merry: but money answereth all things.
February 8th, 2002, 09:33 PM
Technically, the subject is incorrect. These vulnerabilities are part of packages that come with distributions (as Preacher mentioned), NOT vulnerabilities in linux itself.
As Preacher mentioned, the list is rather distribution specific. What would be more interesting in my eyes is the difference in patch time between Windows and linux. Most frequently, I've found that patches for linux-based software are available within a day or two of the flaw being discovered, whereas with Microsoft's system, it can take weeks.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
February 8th, 2002, 11:51 PM
Good post JinX .
ThePreacher is right. If this would be a "fair" comparison between MS and Linux they should have compared it by dists and vulnerabilitie level not by all vulnerabilities found. I read a similiar comparison with RH 7.2 and Win but I seem to have displaced the article.
February 9th, 2002, 01:33 AM
would add somethng to chsh's comment. Many times the patch or fix in msoft not only takes weeks but often months or not at all. They say to get the upgrade more often than not.
this has several consequences:
you are kept in the upgrade chain, thus paying to ensure more error prone items for release
they don't expend resources to fix the problem
they remove the product from active support, thereby renouncing their effective liability
they then launch an "information session" where their product evangelists (I hate that term)
go a preach the new snakeoil
They can claim to be offering new goods when often it is just repackaged
I hope this does not depress anyone.