
Thread: Linux/Unix Vulnerabilities Outnumber Windows' 3 To 1

  1. #21
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    i think this report is an excellent reflection not on the quality of either the windows or linux operating systems but the uselessness of aggregate reporting. the vulnerability definitions and set definitions are so informal they border on non-existent.

    a service/daemon flaw that allows an authenticated local user to execute arbitrary code as a guest/nobody user is viewed the same as a remote icmp flaw that binds a shell as administrator/root. a vulnerability that requires the system to be configured in a manner dramatically different from both the default and industry best practice is viewed the same as one present in the universally agreed upon most secure configuration.

    all of this without even considering factors already addressed such as scope of use.

    the only vulnerabilities worth indexing are those found in the given operating system's security enforcement mechanisms and for true comparison the date when the vulnerability must be recorded along with its discovery. until this is done there can be no effective comparisons since the scope and duration of vulnerabilities remain unknown.

    once this data can be reviewed with iso15408 evaluations and access control model expressiveness mappings true universally agreed upon comparisons of operating systems will be a reality.

  2. #22
    dalek (The ******* Shadow)
    Join Date
    Sep 2005
    Posts
    1,564
    Interestingly, most of the flaws listed by US-CERT are application bugs rather than security holes in the underlying OS. This is likely due to the more stringent QA testing that operating systems undergo before release. Not all vulnerabilities are created equal, either. Chances are, this remote DoS security flaw caused problems for few, if any users. On the other hand, the entries from the SANS Top 20 Internet Security Vulnerabilities list have the potential to make life miserable for any number of users.
    The operative word here is QA; the earlier boxes went out with fewer testing methods being performed on them. An analogy is today's media reporting of crime: everybody thinks crime is on the rise, yet the facts will tell you differently. It's just that certain types of crime which may not have been covered in the past are now getting more exposure, thus skewing the data for a complete picture...

    What does it all mean? For one thing, finding and reporting bugs is big business for security companies. By being the first on the block to trumpet the discovery of an obscure buffer overflow attack that exists only as a proof of concept, these companies hope to gain credibility and create a market for their services. Finding and exploiting bugs is also big business for malware writers. While there are still script kiddies looking to "pwn your b0xen," malware writers are more interested in making money. Zombie armies of compromised PCs can sell for thousands of dollars, which makes the hunt for easily exploited bugs potentially very lucrative.
    This is the other aspect of this data being produced: a lot of businesses have agendas to increase their business, so they will try to beef up their discoveries. How many of these so-called AV/antispyware companies include false positives in their reporting? Even MS's Antispyware will pick up false positives, so all of this data is subjective and should be carefully scrutinised before labelling one OS as better than the other......


    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  3. #23
    Originally posted here by dalek
    ... it's just that certain types of crime which may not have been covered in the past are now getting more exposure, thus skewing the data for a complete picture...
    I don't think it skews the data so much as warps the public perceptions. That is probably where most of the damage is done. Also, remember that news media reports based on the corporate agenda, not necessarily on what is "news."

    As MS_Security pointed out, standards based reporting and statistics would go a long way toward helping us get a handle on just what it all means.

  4. #24
    Junior Member
    Join Date
    Jan 2006
    Posts
    10
    I find all of this very surprising. Every security expert I talk to says that Linux is the safest bet. I am not denying this, but I question its truth now.

    What do you think?

  5. #25
    Junior Member
    Join Date
    Jan 2006
    Posts
    10
    I am sorry if my last post made the wrong impression. My point is: why is it that Linux is praised? I will still use Linux... don't get me wrong.

  6. #26
    Apply the appropriate OS or application to the task at hand. Not all OS's or applications are right for all tasks. Just make sure you have the information necessary to maintain and secure the solution you've chosen.

    How's that fer dancin'?

  7. #27
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    I think Jeremy's blog post on this sums what we've all been talking about pretty well.

    rapier - Yup, this is exactly the kind of misinformation which causes the public to be wary of Linux. Not only may some of them think that changing OS would be too much trouble (although it isn't easy moving to a completely different OS), but now they may even think that there's no point because it's three times less secure than Windows

    ACL - That's the kind of post which will start an OS/flame war here. As you may have noticed, we're trying to avoid that...

    [edit] Sorry ACL, I may have misunderstood you - but just keep in mind that an OS is only as secure as its admin makes it.

  8. #28

    Say what?!?

    ACL - That's the kind of post which will start an OS/flame war here. As you may have noticed, we're trying to avoid that...

    [edit] Sorry ACL, I may have misunderstood you - but just keep in mind that an OS is only as secure as its admin makes it.
    J_K9 - sorry mate - but the title of your post suggests the premise of the exact thing you wish to avoid. It is only after actually reading beyond the title do we, as your audience, expect perhaps something different; which it was. I just find it surprising that an IT person or group of IT persons would ever not want to engage in a "holy" OS flame war... if nothing else, than just for the sake of doing it.

    On the quoted material - TechWeb makes the title sound nefarious towards Linux but as ThePastorGang pointed out - the information shouldn't be taken whole heartedly - as the information has not been filtered. So what was the actual point of the article... maybe to start an OS flame war?!? See-see J_K9 - you can't avoid it! Bwah-hah-hah-hah!

    Cya fleshbags.

  9. #29
    Senior Member
    Join Date
    Jul 2004
    Posts
    548

    Re: Say what?!?

    Originally posted here by rahhabb
    I just find it surprising that an IT person or group of IT persons would ever not want to engage in a "holy" OS flame war... if nothing else, than just for the sake of doing it.
    I think you'll find there are already plenty of OS war threads on AO - just use the search tool. You possibly have not been on these forums long enough to understand why OS wars are now avoided?

    On another note, it appears that some members may not have liked my comment that "an OS is only as secure as its admin makes it" - in which case I apologise, and please see MsMittens' post a while ago which is where I quoted it from.

    -jk

  10. #30
    I had a look at our records of the patches that apply to my work environment today, that is, those patches that were released for vulnerabilities that affected my organisation. Results are below.

    Approximately 190 patches since April 2005, the breakdown of the platforms affected are:

    SuSE - 70
    RedHat - 51
    Microsoft - 30
    Sun - 14
    Other - 14
    Cisco - 6
    IBM - 3
    Oracle - 3

    My first comment to my colleague here was: "These results are somewhat misleading because they measure # patches not # vulnerabilities". For example in an IE patch, there can be a number of vulnerabilities patched. Oracle is a particular example, they have a quarterly release cycle, and there is one "Critical Patch" but this may patch 20+ vulnerabilities.

    Linux as a general rule releases a patch as soon as a vulnerability is found, so instead of having 1 patch in a month for your web browser that patches 10 vulnerabilities, you may have 10 patches for those 10 vulnerabilities - therefore the results are skewed.

    As has been noted previously in this thread, it is very difficult to compare the OS's because they have totally different security response strategies and development strategies, so comparing on patches is difficult.

    how much spyware/malware/virii are there for Linux? Is it in the hundreds of thousands yet?
    Probably a fair question but again I think it is difficult to say which is more secure based on these figures because the people that write the crap want to infect as many machines as possible - that is generally their aim and realistically they get their best returns by targeting Microsoft because that is where the majority of users are.

    I use Linux and Windows, I like them both and honestly I don't really think too much about which OS is more secure. I agree with the point that has been made in this thread and others that security really depends on the administrator. I think my Windows box is just as secure (or more) as my Linux box, not because the OS is better or worse but because I have more experience securing and using Windows machines.
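The point made in the post above (patch counts are not vulnerability counts) and the point made in #21 (a local guest-level bug is not the same as a remote root shell, and a bug that needs a non-default configuration is not the same as one in the default install) can both be made concrete with a small script. This is an added example, not code from the thread or from any of the vendors mentioned in it. The advisory records are constructed sample data with placeholder identifiers in the form CVE-0000-xxxx, not real vulnerabilities, and the multipliers in exposure_weight are an assumption chosen only to show that the aggregation rule decides who "wins"; they are not a published scoring scheme.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder identifier, not a real CVE
    remote: bool          # exploitable over the network without prior access
    gains_root: bool      # successful exploitation yields root/SYSTEM
    default_config: bool  # reachable in the default / best-practice configuration


@dataclass(frozen=True)
class Advisory:
    patch_id: str
    vendor: str
    vulns: Tuple[Vuln, ...]


def V(cve: str, remote: bool = False, gains_root: bool = False,
      default_config: bool = True) -> Vuln:
    return Vuln(cve, remote, gains_root, default_config)


# Constructed sample data (assumption): three vendors with different release styles.
ADVISORIES: Tuple[Advisory, ...] = (
    # RollingDistro: one patch per CVE, plus a re-issued patch for the same CVE
    Advisory("RD-2005-001", "RollingDistro", (V("CVE-0000-0001"),)),
    Advisory("RD-2005-002", "RollingDistro", (V("CVE-0000-0002", default_config=False),)),
    Advisory("RD-2005-003", "RollingDistro", (V("CVE-0000-0003", remote=True),)),
    Advisory("RD-2005-004", "RollingDistro", (V("CVE-0000-0004"),)),
    Advisory("RD-2005-005", "RollingDistro", (V("CVE-0000-0005", gains_root=True, default_config=False),)),
    Advisory("RD-2005-006", "RollingDistro", (V("CVE-0000-0003", remote=True),)),  # re-release
    # MonthlyVendor: cumulative patches, several CVEs each
    Advisory("MV-2005-01", "MonthlyVendor", (
        V("CVE-0000-0101", remote=True, gains_root=True),
        V("CVE-0000-0102"),
        V("CVE-0000-0103", remote=True),
    )),
    Advisory("MV-2005-02", "MonthlyVendor", (
        V("CVE-0000-0104", gains_root=True),
        V("CVE-0000-0105", default_config=False),
    )),
    # QuarterlyVendor: one "critical patch update" covering many CVEs
    Advisory("QV-2005-Q3", "QuarterlyVendor", tuple(
        [V(f"CVE-0000-02{n:02d}") for n in range(1, 7)]
        + [V("CVE-0000-0207", remote=True, gains_root=True, default_config=False)]
    )),
)


def patches_per_vendor(advisories: Iterable[Advisory]) -> Dict[str, int]:
    """The metric the post's spreadsheet measures: number of patch releases."""
    counts: Dict[str, int] = defaultdict(int)
    for adv in advisories:
        counts[adv.vendor] += 1
    return dict(counts)


def vulns_per_vendor(advisories: Iterable[Advisory]) -> Dict[str, int]:
    """Distinct CVEs per vendor; a CVE patched twice is still one vulnerability."""
    seen: Dict[str, set] = defaultdict(set)
    for adv in advisories:
        for v in adv.vulns:
            seen[adv.vendor].add(v.cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


def exposure_weight(v: Vuln) -> float:
    """Assumed, deliberately crude weighting from the #21 criteria:
    remote reach and root outcome count for more, a non-default configuration
    requirement counts for less. The factors are illustrative, not a standard."""
    w = 1.0
    if v.remote:
        w *= 4
    if v.gains_root:
        w *= 3
    if not v.default_config:
        w *= 0.25
    return w


def weighted_exposure_per_vendor(advisories: Iterable[Advisory]) -> Dict[str, float]:
    """Sum of exposure weights over distinct CVEs per vendor."""
    unique: Dict[Tuple[str, str], Vuln] = {}
    for adv in advisories:
        for v in adv.vulns:
            unique.setdefault((adv.vendor, v.cve), v)
    totals: Dict[str, float] = defaultdict(float)
    for (vendor, _), v in unique.items():
        totals[vendor] += exposure_weight(v)
    return dict(totals)


def ranking(scores: Dict[str, float]) -> List[str]:
    """Vendors from 'worst' to 'best'; ties broken by name for determinism."""
    return [vendor for vendor, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for label, scores in (("patches", patches_per_vendor(ADVISORIES)),
                          ("distinct CVEs", vulns_per_vendor(ADVISORIES)),
                          ("weighted exposure", weighted_exposure_per_vendor(ADVISORIES))):
        print(f"{label:18s} {ranking(scores)}  {scores}")
```

Run stand-alone, the three rankings come out in three different orders from the same advisories: counting patches puts the distro that ships one fix per CVE (and re-issues one) on top, counting distinct CVEs puts the quarterly roll-up on top, and the weighted view puts the vendor with the remote root hole in its default configuration on top. None of the three is "the" answer; the script only makes visible that the aggregation rule, not the operating system, is what the headline figure measures.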
