Another Study of Linux vs Windows on Security

  1. #1 AO French Antique News Whore (joined Aug 2001, 2,126 posts)

    Another Study of Linux vs Windows on Security

    Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

    Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.

    Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.

    "All this study can do is give people pause, to say they shouldn't go with common wisdom over which platform has more security," said Herbert Thompson, one of the three authors of the paper and the director of research and training at Security Innovations, a security applications company. The common belief is that Linux is more secure than Windows.

    The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.

    "We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

    Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.

    Counting the holes
    For the study, researchers counted the fixes published for flaws in each Web server setup in 2004. In addition, they tallied days of risk, the cumulative number of days between the time information on a flaw is publicly released and the time the software developer patches that vulnerability.

    A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.

    As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

    The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

    Red Hat's Cox countered the findings in his blog posting.

    "There were only eight flaws in Red Hat Enterprise Linux 3 that would be classed as 'critical' by either the Microsoft or the Red Hat severity scales," he wrote. "Of those, three-quarters were fixed in a day, and the average was eight days."

    Critical flaws are generally those that allow an attacker to remotely take control of a computer system. The study did break vulnerabilities down into "high," "medium" and "low" severity ratings. Flaws graded as high severity include Red Hat and Microsoft's critical classifications and flaws that allow local users to gain access to system functions. Microsoft had far fewer high-severity flaws in both the default and minimal configurations, according to the paper.

    Microsoft did fund the study, the researchers acknowledged. The software giant released a statement on Tuesday that indicated the report was part of Microsoft's "Get the Facts" campaign aimed at highlighting the benefits of Windows software.

    "When Security Innovations submitted a proposal to Microsoft to research ways to measure vendor software security, we evaluated the proposal and determined that this type of analysis would be useful for our customers and funded their research," the company said in the statement. "We encourage customers to review and evaluate the data in the context of their own computing environments."

    Richard Ford, a computer science professor at the Florida Institute of Technology, and Fabien Casteran, a security test engineer at Security Innovations, were the authors of the report alongside Thompson. The researchers hope to stave off criticism by publishing their methods as part of the report.

    "The methodology was designed to allow others to validate it for themselves--it has to be quantitative and repeatable," Thompson said. "We didn't just want to hand people the cake; we wanted to give them a recipe as well."

    While both days of risk and vulnerability counts aren't true measures of security, Thompson said that they wanted to focus on a metric that mattered to system administrators. The cumulative time they had to wait for patches is a reasonable measure, he argued.

    Thompson admitted, however, that security largely depends on the expertise of the administrator.

    "I think either (operating system) is infinitely securable by a skilled Jedi administrator," Thompson said. "If I have a Linux guru, then I want that guy to do the Linux web server. I am more of a Windows guru, so I would use Windows."
    Source : http://news.zdnet.com/2100-1009_22-5...ml?tag=st.next

    What do you think of that study? True or just another marketing hit?
    -Simon "SDK"
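    The article's two metrics, fix counts and cumulative "days of risk", can be reproduced on any advisory list, and the same routine also answers Cox's objection by tallying only a chosen severity. The code below is an added worked example with constructed advisory data (package names, dates and severities are made up and are not the study's figures); the `web_role` flag and the `days_of_risk` function are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    """One published fix: when the flaw became public and when the patch shipped."""
    package: str
    severity: str      # "high", "medium" or "low", the study's three ratings
    disclosed: date
    patched: date
    web_role: bool     # True if a web server actually needs this package (assumed flag)

    @property
    def days_of_risk(self) -> int:
        # Clamp at zero: a fix shipped before disclosure adds no exposure.
        return max((self.patched - self.disclosed).days, 0)


def days_of_risk(advisories: Iterable[Advisory], minimal: bool = False,
                 severities: Optional[Iterable[str]] = None) -> Dict[str, float]:
    """Fix count and cumulative days of risk, filtered like the study's setups.

    minimal=True drops packages not needed to serve web pages (the study's
    "minimal configuration"); severities={"high"} restricts the tally so that
    critical and trivial flaws are not summed together, which is Cox's point.
    """
    wanted = None if severities is None else set(severities)
    keep = [a for a in advisories
            if (not minimal or a.web_role)
            and (wanted is None or a.severity in wanted)]
    total = sum(a.days_of_risk for a in keep)
    return {"count": len(keep), "days_of_risk": total,
            "mean_days": total / len(keep) if keep else 0.0}


# Constructed sample advisories for one server image; not real data.
SAMPLE = [
    Advisory("httpd",   "high",   date(2004, 3, 1),  date(2004, 3, 2),  True),
    Advisory("php",     "high",   date(2004, 7, 10), date(2004, 7, 18), True),
    Advisory("mysql",   "medium", date(2004, 5, 5),  date(2004, 5, 20), True),
    Advisory("xpdf",    "low",    date(2004, 1, 4),  date(2004, 6, 1),  False),
    Advisory("gaim",    "low",    date(2004, 2, 1),  date(2004, 9, 1),  False),
    Advisory("openssl", "high",   date(2004, 9, 9),  date(2004, 9, 9),  True),
]
```

    On this sample the default image shows 386 days of risk across six fixes, while the minimal web-role subset shows 24 and the high-severity subset only 9: the headline number is driven by long-unpatched low-severity desktop packages, which is exactly the comparison the thread argues about.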

  2. #2 AFLAAACKKK!! (joined Apr 2004, 1,066 posts)
    security largely depends on the expertise of the administrator.
    End of discussion.
    I am the uber duck!!1
    Proxy Tools

  3. #3 gore (Senior Member, Michigan; joined Oct 2002, 7,177 posts)
    For someone who talks **** about me saying how I get APs for making fun of Windows you sure got some balls making this post and then spilling the proverbial gas on the ground with "What you think of that study? True or just another marketing hit?"....

    And since I always have things I say taken the wrong way let me simplify this:

    If I made a post saying I read somewhere SUSE was proven more secure than Windows, you and 30 people would reply telling me I'm full of **** and so are the people who wrote that and a huge war would start and it would be just the same as..... Oh wait, that did happen. I posted some shit about NT and you took it seriously and bitched up a storm how I get points for making fun of Windows NT ..... God what is going on with this world.


    "Blah Blah Blah Windows has its uses too!"

    "Blah blah blah UNIX sucks!"

    Blah blah blah you people have no sense of humor and don't think anyone has a right to their own opinion if it looks even somewhat against your own. Here is a little secret for the reply hell I'm probably about to get:

    I don't give a damn if someone hates me because I choose to use SUSE and I'm an elitist, and when NO ONE is willing to challenge what other people say, Misinformation spreads fast.

    For example, I'm going to tell that guy who did the study you're reporting he's a sack of **** who wants nothing more than hits to his dumb story.

    Read between the lines, what types of installs did they do? I know Linux comes with a **** LOAD more software than Windows does and that is default installs. Of course there are more patches, THERE IS MORE SOFTWARE. ****, install everything on windows that comes with Linux and THEN tell me there are more patches.

    I rarely believe the *******s who do these "reports" they are full of so many problems they need as many hot fixes as XP.... OHHHHHHH I made fun of something take me seriously and call me a **** head now!


    -Gore. who is carrying his Uncle's Casket tomorrow morning.

  4. #4 Senior Member (joined Feb 2005, 149 posts)
    Great reply, Gore. Say what you have to say and be heard. I have seen and noticed that everyone hates it when you talk about SUSE. Anyway, is SUSE pronounced SUZY or SOOS?

  5. #5 Banned (joined May 2003, 1,004 posts)
    If security is that big of a concern, you wouldn't want to use Windows or Linux.

    As far as security goes, it's like comparing which would do better in a Grand Prix race, a Pinto or a Gremlin.

    cheers,

    catch

  6. #6 rcgreen (AO Curmudgeon; joined Nov 2001, 2,716 posts)
    I'm betting on the Gremlin.
    I came in to the world with nothing. I still have most of it.

  7. #7 gore (Senior Member, Michigan; joined Oct 2002, 7,177 posts)
    Catch, SUSE got EAL4.

  8. #8 AO French Antique News Whore (joined Aug 2001, 2,126 posts)
    Windows 2000 is EAL4 also! Not Windows 2003 but Windows 2000 with IIS 5!

    Talk to me about Windows vs Linux from a business point of view! I'm interested to see your opinion on that.
    -Simon "SDK"

  9. #9 gore (Senior Member, Michigan; joined Oct 2002, 7,177 posts)
    Hmm, I guess I'd start with buying SUSE, then installing it on every machine, that should knock a few million off the cost, then saving time by being able to update everything and even do installs over a VPN or SSH on the servers, that means I get that job done as I do other jobs, again, that just dropped the price of keeping me around. Then I uninstall everything Linux has except for the things Windows comes with which isn't much, and wow look at that this Microsoft funded pile of **** called news is no longer relevant.

    Wooo RedHat Enterprise has more security patches, hmm, how about NOT installing the gigs upon gigs of software it comes with and only installing the things Windows comes with. Looks like there is a flaw now. I can count on ONE hand the number of patches SUSE has had for packages that Windows comes with too.

    Just once I'd love to see one of these ****ers load up a Windows box with the same types of software Linux comes with and tell me the **** has more patches. Just once. I've done it three times and I'm still counting more Windows patches. The only reason these drooling baboons can say RedHat had more patches is because they installed EVERYTHING. That's a few gigs of software. What does Windows come with again? Notepad, WordPad and Windows Media Player and Worm spreader express? What does Linux come with again? Oh yeah, a full development environment, servers of all types, games which have more than solitaire and those other card games Windows comes with and about 8 browsers. ... 20 editors?

    **** it I'm done counting, I have a funeral to go to. You start counting.

  10. #10 Member (joined Jun 2004, 77 posts)
    Originally posted here by SDK
    Windows 2000 is EAL4 also! Not Windows 2003 but Windows 2000 with IIS 5!

    Talk to me about Windows vs Linux from a business point of view! I'm interested to see your opinion on that.
    IMHO, it doesn't really matter if it's EAL4 or not. If the machine is put into a working environment, interconnected with many machines on the LAN and connected to the Internet, and being mishandled or misconfigured by an inexperienced administrator, it all doesn't matter anymore, whether it's EAL4 or not.

    BTW, I don't believe those reports on Windows vs Linux. Each has their good and bad.
    Just my opinion :-)
