Linux: More Vulnerable Than Windows?

Printable View

June 5th, 2003, 08:51 PM
theuser

Linux: More Vulnerable Than Windows?

According to a recent articles by www.geek.com, the number of linux vulnerabilties has surpased the number of windows vulnerabilties. They cite research performed by a UK firm called MI2G.

Quote:

Linux users worldwide are in for a rude shock. For the first time ever, the number of Linux vulnerabilities, attacks, and exploits has exceeded that of Microsoft Windows according to U.K. security research firm and integrator MI2G. MI2G collects data on hacker activity across the globe and covers every operating system in existence--and it's been doing it since 1995. The company has released prior reports that indicated Linux attacks were on the rise, but Windows exploits remained at the top of the list. The threat to Linux has been growing, though, and the war with Iraq apparently brought hackers of all shapes and sizes out in force. Between March and May MI2G recorded 19,208 successful attacks against Linux-based servers, whereas there were only 3,801 successful attacks against Windows servers.

They go on to say that the likely cause of this is not only due to the Linux operating system. They indicate that the users of less-expensive or free (oh-yeah) software likely have less money to secure their systems than a Fortune 500 company.

Quote:

Despite what Linux mavens may want to think, the ultimate utility and security of a server has very little to do with what OS you're running. It has much, much more to do with whom is running the server.

I think the lesson here, is that it doesn't really matter what OS you use if the user is careless.

-Enough Said,
theuser
June 5th, 2003, 09:02 PM
thehorse13

This issues has been debated on just about every technical message board on the internet. Some may even say that it is nothing more than flame bait.....

However, as OSes offer more features and enhancements, securing the said OS becomes more complex. So, the question and/or statement regarding which OS is more secure or which has more security holes is not really the appropriate question to ask. What should be looked at is the technical competence of the people responsible for administering the resource. I have to say that in my experience, 7 out of 10 vulnerabilities are caused by dumdums behind the wheel and not the OS itself. Again, this debate will go on forever and the "official" vulnerability count will hop from OS to OS as time goes on.

--TH13
June 5th, 2003, 09:16 PM
theuser

I couldn't agree more with you. Its kind of like the saying, "A chain is only as strong as its weakest link."
June 5th, 2003, 09:49 PM
bballad

This amy also be a sign of reporting. MS has shown over and over that they try to obfuscat Vulnerabilities until a patch is ready, and occasionaly the yjsut hide it and don't bother with a patch.

I worry less about properly handeled vulns then 0 day exploites that the company tries to deny.
June 5th, 2003, 09:58 PM
w0rm3y

nothing is more vulnerable then the ID8 operator behind the screen :) - IMHO

-w0rm3y
June 6th, 2003, 04:19 PM
mohaughn

Here is the report from zone-h which is where mi2g got their data. They were not looking at vulnerabilities perse, atleast mi2g wasn't, but rather hacks against systems.

http://www.zone-h.org/winvslinux

I wonder if they people who just laugh about the new microsoft strategy to improve security on their systems will admit that they may have been wrong. The linux community is in for a rude awakening as MS will just continue to tighthen up their products, albeit with even more hotfixes(ugh!).

The computer community as a whole is more aware of security issues. So I think MS will think twice about doing someting insecure for the sake of ease, when they know they can now get away with saying, "It works like that because it is more secure like that." Just look at how many people complained about the new outlook security features, and now everybody just deals with having to save files to disk before opening them.
June 6th, 2003, 08:58 PM
doc crontab

"Linux users worldwide are in for a rude shock. For the first time ever,
the number of Linux vulnerabilities, attacks, and exploits has exceeded
that of Microsoft"

A rude shock? I don't think the number of Linux vs Windows security issues
is even close when were talking about M$ let's not forget their software
is vunerable to some estimated 64,000+ known virus's (ok my number is
way out of date) trojans/ worms and other nasties oh & vunerabuilities
reported to bugtraq and other lists aren't the whole picture there's
a gigantic number of known Windows vunerabuilities that aren't
talked about by Hackers who find them and keep it to themselves
for either research reasons or malicious reasons (future attacks hacks)
Linux is a young operating system it's going to go through growing
pains and within time the bugs will be worked out just like the
BSD's but it's not anywhere near vunerable as Windows.

Just my 2 cents

Doc
June 6th, 2003, 09:12 PM
bballad

Quote:

Originally posted here by mohaughn
Here is the report from zone-h which is where mi2g got their data. They were not looking at vulnerabilities perse, atleast mi2g wasn't, but rather hacks against systems.

http://www.zone-h.org/winvslinux

I wonder if they people who just laugh about the new microsoft strategy to improve security on their systems will admit that they may have been wrong. The linux community is in for a rude awakening as MS will just continue to tighthen up their products, albeit with even more hotfixes(ugh!).

The computer community as a whole is more aware of security issues. So I think MS will think twice about doing someting insecure for the sake of ease, when they know they can now get away with saying, "It works like that because it is more secure like that." Just look at how many people complained about the new outlook security features, and now everybody just deals with having to save files to disk before opening them.

Seeing a discription of how the most recent passport falw workd I seriously doubt that MS is "waking up" to security.
MS being insecure is a much worse then a bug in code, it s a coperate culture thing and thats very hard to change without changeing the people in charge of the corperation.
June 6th, 2003, 10:02 PM
NeuTron

Quote:

Originally posted here by doc crontab
Linux is a young operating system it's going to go through growing
pains and within time the bugs will be worked out just like the
BSD's but it's not anywhere near vunerable as Windows.

Linux, NEW!? Linux is nowhere near a new operating system. Any problems with the OS stem from the fact that the is designed not to make money. This makes it difficult to develope the OS further and further. However, a capable admin can lock down a linux server to a much higher degree than that of a an MS server. Forever, I hated Microsoft more than anything but these last two to three years, I am gaining some respect for their advances with domain controlling and network infrastructure. Don't get me wrong though, Linux is still my OS of choice but it's worth mentioning that Microsoft may be moving in the right direction...................... unfortunatley.........lol.
June 6th, 2003, 10:21 PM
Wickdgin

**Sigh**

Alright, this topic has come up plenty of times, and is far from old news...

First off, Linux is open source. By design open source will have more reported vulnerabilities than propriety software. The reason obviously is because the source code is available to the public eye, where testing closed source software is extremely difficult in comparison.

The number of vulnerabilities reported do not give a good metric to determine the security of a product. The more vulnerabilities reported, is also the more vulnerabilities fixed. This rule is even more applicable in an open source model, where bug fixes are often available almost immediatly. Propriety bug fixes are not only delayed much further, but sometimes never even come out (companies often drop support of older products).

Last is my rant on statistics - the mere number of vulnerabilities doesn't show the whole picture. There is no factor of how serious the vulnerabilities are, Microsoft could have 50 remotly exploitable vulnerabilities that allow a complete system compremise while Linux could have 100 minor local vulnerablities - which do you think is worse.

"Statistics are like a bikini. What they reveal is suggestive, what they conceal is vital."
--Aaron Levenstein
June 6th, 2003, 10:25 PM
NeuTron

Wickdgin-
You make some good points. I never thought abou the fact that the source code being available makes it tough to secure. :)
June 7th, 2003, 04:35 AM
sn4k3

sure, the statistics are going to be inaccurate in the great debate of which is the best os (m$ vs linux)
taking into consideration that the source is freely available for linux and you also need to take into account that because m$ has been so much more widely used, it is naturally going to be the most targeted.
i think that the recent change in the vulnerability ratio between the two oses is due largely to the indication that linux is gaining in popularity with the masses.
June 7th, 2003, 05:22 AM
NullDevice

well, linux holes get fixed in a very short span...advisories give enough data..and sometimes even tell how a normal user can do that without downloading any patch .. by modifying the code and recompiling..that the biggest adavtage the Linux community has ove windows..where the zero-day exploits are frequent..becoz M$ doesnt comes up with the patch in a day.. also linux is "strings free" OS .. it gives the user behind the screen enough ways to go around the problem...
June 7th, 2003, 01:20 PM
slarty

One other thing:

Have you seen how much software Linux distributions bundle these days? Is it surprising that there aren't more bugs, when you do tend to get a lot more packages in Linux than Windows.

My Debian came on 7 CDs.
June 9th, 2003, 06:06 PM
mohaughn

Quote:

Originally posted here by Wickdgin
**
The number of vulnerabilities reported do not give a good metric to determine the security of a product. The more vulnerabilities reported, is also the more vulnerabilities fixed. This rule is even more applicable in an open source model, where bug fixes are often available almost immediatly. Propriety bug fixes are not only delayed much further, but sometimes never even come out (companies often drop support of older products).

I'll say it again, this report was not written with the number of reported vulnerabilities. The data that was used was actual successful attacks.
June 9th, 2003, 06:36 PM
er0k

Re: Linux: More Vulnerable Than Windows?

Quote:

Originally posted here by theuser
According to a recent articles by www.geek.com, the number of linux vulnerabilties has surpased the number of windows vulnerabilties. They cite research performed by a UK firm called MI2G.

They go on to say that the likely cause of this is not only due to the Linux operating system. They indicate that the users of less-expensive or free (oh-yeah) software likely have less money to secure their systems than a Fortune 500 company.

I think the lesson here, is that it doesn't really matter what OS you use if the user is careless.

-Enough Said,
theuser

yes but they fail to tell you that the vulnerabilities in windows OS's (heh if you can call them such) were much more dangerous and more difficult to patch.

Stealing a quote from Bjarne Stroustrup and modifying it a bit for the climate: "Its hard to shoot yourself in the foot with windows, but when you do, you blow off your whole leg"

well maybe it isnt that difficult to shoot yourself in the foot with windows if you know what you are doing enough to make the mistakes.. but its a cool quote :P

Quote:

Originally posted here by slarty
One other thing:

Have you seen how much software Linux distributions bundle these days? Is it surprising that there aren't more bugs, when you do tend to get a lot more packages in Linux than Windows.

My Debian came on 7 CDs.

can i get a w00t ! :thumbsup:
June 10th, 2003, 01:11 PM
akhooja

Linux is more vulnerable , ahhhhhhhh , maybe or may not be

but one thing is sure windows vulnerablities are jst straight forward any script kiddie can do the stuff ;)

regards
June 10th, 2003, 02:24 PM
the_JinX

you know why linux is so vulnerable, becouse people are trying to make it installable by an idiot..

the easier it gets.. the more holes !!

so long for MHO
June 10th, 2003, 09:11 PM
Louie

Let's also take into account how much of the web is hosted by linux and how much is hosted by Windows.

If Linux makes up 75% of the arena(I am not sure what it is) and Winblows is 25% of course the hacks will be higher in Linux!
June 11th, 2003, 11:31 AM
er0k

Quote:

Originally posted here by the_JinX
you know why linux is so vulnerable, becouse people are trying to make it installable by an idiot..

the easier it gets.. the more holes !!

so long for MHO

yesssssiirrrr

/me still doesnt know what rh and mdk, suse, and other smaller linux distro's problems are... they are just trying to compete with windows now instead of being content with a general performance whoopass

at least we still have slack and gentoo!

theres also always the occasional bsd lurking in the options

I dont think slack, gentoo, or *bsd will ever convert over to a redhat or a suse....

If slack9 were i386 optimized it woul d be perfect, just be ready for PhoeNIX - Pretty much slack but compatible with i386/i586/i686