Linux/Unix Vulnerabilities Outnumber Windows' 3 To 1

Quote:

---

Quoted from TechWeb:

Tallies kept by the U.S. government's computer security group show that Linux and Unix operating systems faced nearly three times the number of vulnerabilities in 2005 than did Microsoft's often-maligned Windows.

In the US-CERT (United Stated Computer Emergency Readiness Team) year-end vulnerability summary, Linux/Unix accounted for a whopping 2,328 vulnerabilities, about 45 percent of the 5,198 total.

Windows, on the other hand, sported just 812 vulnerabilities during the year, said US-CERT, or 16 percent of the total.

---

My guess for this is that most of the Linux vulnerabilities are pretty small, whereas in Windows' case they are larger ones like the WMF Exploit - but I haven't really had time to look at CERT's end of year report.

Any observations are welcome :D

-jk

For reference, previous discussion around similar stats that kinda went leftfield... http://www.antionline.com/showthread...hreadid=273013

EDIT: haha my bad... here is the actual link:

http://www.antionline.com/showthread...hreadid=272975

I'm not entirely crazy... just mostly.

Quote:

---

The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings). http://www.informationweek.com/

---

That could help explain a bit of why.

As for the end of the year report, that's sure a heck of a lot of reading!

alleyCat - You've linked back to this thread... ;)

[edit] Did you mean this thread (although it is over 2 years old): http://www.antionline.com/showthread...hreadid=238446

Haha, yep, that cat sure did.

is there a big difference between a small exploit and a large exploit??

yea things like the WMF exploit are huge and easily exploitable... but against a skilled attacker.. i dont see how it would matter between a small exploit or a large one

doesnt keep me from feeling linux is better... not saying it IS..

just my thoughts

As for the end of the year report, that's sure a heck of a lot of reading!

Yep it is! That's why I think I'll carry on writing an article I'm working on instead... Oh, and thanks for that quote - helps clarify the topic a bit, but I still think it's a bit odd.

hex - I agree, but for the bunch of skiddies out there it is easier to exploit something as large as the WMF than a vulnerability in a remote service, for example. Oh, and don't get me wrong - just because this report has said that Linux has more vulnerabilities isn't going to change what I think about it either. :)

[edit] Where did Relyt's post go? :p

:D I posted a .bmp as an attachment, displaying MS as one of the sponsors of the site and it must have been too big because it got lost in the shuffle, so I went chasing it. Seems it dissappeared. Bill Gates conspiracy son of gun....lol. He stole my .bmp. I had completed some pretttty creative editing in paint as well.

Oh well, so it goes.

cheers

Wow... If I see one more of these threads I'm gonna flip... I'm not even going to state my oppinion on the matter because you can find what I've posted on 100's of these threads just by searching for them... Not to mention a big argument and flame war usually follows... I think nihil remembers that thread :)... The windows vs mac/linux thread I think it was...

...how much spyware/malware/virii are there for Linux? Is it in the hundreds of thousands yet?

Relyt, I'm sure he did steal your .bmp and is browsing these forums like crazy trying to get you... Or, maybe he's become one of us :eek: Betrayal from within! ;)

The Duck - I'm not trying to start a flame war at all, or a long debate. I was just curious as to why Linux has more vulnerabilities that Windows (and so many more!) - although I guess Linux is only a part of what it says, because all the *nix OSes are put into the same category.

brokencow - Good question...anyone know the answer? :)

Hey The Duck I certainly do! and this report has been discussed in another thread recently ;)

My comments, as in the past, are based on the statistical validity of these reports. My major premise is that we just don't have sufficient data to compute really cutting edge stats here.

The CERT report, if you look at the detail in the tables, mainly includes third party commercial software that just happens to run on that operating system. This provides the first major logical problem, in that Microsoft have a lot of software and embedded software at that.

So, are all the IE, office, etc. vulnerabilities to be classed as Microsoft, even though versions can be found that run on other platforms?

Furthermore, there is no accounting for exposure here. Say I write a Linux application with 1,000 vulnerabilities in it, that is used by 500 people Worldwide; that will clock up 1,000 Linux vulnerabilities. Yet, a single Windows vulnerability clocks up a score of 1 and may affect 50,000,000 users.

Again, there is no allowance for "core vulnerabilities" as opposed to "optional vulnerabilities". Here, I consider a "core vulnerability" to be one that is essential to the operating system, and comes "out of the box", so to speak, optional ones you install yourself. I do not install all the Microsoft patches and upgrades on my machines because I don't have the relevant software or I never use that particular facility.

Lastly, Microsoft et al, have an inbuilt advantage over open source providers. If you look at the box that the third party software comes in, it has a little Microsoft logo (seal of approval) on it. That is because it is a closed, patented operating system.

All the open source suppliers can do is patent their particular distribution. They have no control over third party applications vendors.

Unfortunately, we do not have any "hardcore" statistics to enable us to determine true "exposure" to threats, vulnerabilities and the like.

Just my warped opinions :)

EDIT:

Quote:

---

brokencow - Good question...anyone know the answer?

---

Once again, the statistics are corrupt. Some AV firms claim to detect 250,000 malwares, others far less. It depends if they use a generic or a specific identification methodology?

Anyways, it is a fallacy, aren't the guys in FOP#1 going to get more incoming than those in GHQ? :D

Quote:

---

Originally posted here by nihil
Furthermore, there is no accounting for exposure here. Say I write a Linux application with 1,000 vulnerabilities in it, that is used by 500 people Worldwide; that will clock up 1,000 Linux vulnerabilities. Yet, a single Windows vulnerability clocks up a score of 1 and may affect 50,000,000 users.

---

Good point - and there are so many of the same OSS apps that it's no wonder CERT have found so many vulnerabilities.
Heck the whole post's good - but I can't give you any APs because I've got to 'spread them around' first :rolleyes:

Hey J_K9

Quote:

---

I can't give you any APs because I've got to 'spread them around' first

---

Don't worry about that, it is very refreshing to have this kind of discussion without the usual "My OS/distro is better than your OS/distro" type argument?

I think that the IT industry is very "flat" in its analysis at the moment. Personally, I see this as a multivariate analysis situation, which really boils down to a risk/vulnerability modelling exercise.

I have messed around with that sort of thing from a project management viewpoint for a good few years (built tools in Access 2.0 :eek: ) but my problem has always been, whilst you can identify parameters, how do you quantify and enumerate the values?

There are so many versions around, so many patches that have been applied or not? it is a statistician's nightmare!

Take Linux for example, SuSE has a vulnerability, so does Red Hat..............does that count as 2 or as 1?...................how many machines are in that situation?.............it goes on and on........?

I am afraid to mention pirate copies, as they complicate things even further...........

It is a very inexact science at the moment, so I get a bit miffed by people putting out interpretations of the meagre statistics that we have as if they were some religious tract :mad:

:D

Quote:

---

Originally posted here by nihil
Take Linux for example, SuSE has a vulnerability, so does Red Hat..............does that count as 2 or as 1?...................how many machines are in that situation?.............it goes on and on........?

---

I see what you mean - counting them really would be statistical hell! You see the same thing with AV scanners; some have 65000 signatures whereas others have hundreds of thousands - because some count the variants while others don't. :rolleyes:

So, CERT's results should just be taken with a pinch of salt then, eh? :D

-jk

Hi J_K9

Quote:

---

So, CERT's results should just be taken with a pinch of salt then, eh?

---

NO!!! that is my point, or a part of it..............CERT did not particulatly comment on the results, so in statistical terms I would consider it "raw data". It is the subsequent "interpretation" by partisans and hack journalists (who feed off partisans) that causes the confusion.

I have every confidence in CERT, and can claim to have been a subscriber to their bulletins well back into the last century............hey, millenium even :D But, you have to read all the small print about the statistics, and what they were based on. If you are prepared to read the whole lot, they do tell you.

My problem with the statistics is their problem, is our problem. We just do not have enough data to present a plausible risk model.

My gut feel is that most operating systems are capable of being secured. Another variable there being "out of the box" or after expert tuning?.............which leads on to "how expert, is your expert"?

Might I suggest that you just take a quick scroll through those CERT lists and ask yourself, how many of these have I ever even heard of let alone encountered in real life? :D

Cheers

nihil - Ok. So CERT's report is correct except that as the number of computers vulnerable to a certain vuln are not taken into account, the report can be interpreted in the wrong way?

I looked at the report, and there tons of apps I have never heard of - for example, "Jim Faulkner Newspost". :D

Quote:

---

My gut feel is that most operating systems are capable of being secured.

---

Yes, and as MsM says - an OS is only as secure as the admin makes it. (or something like that ;)).

:D

J_K9 absolutely!!!

It is a question of how we choose to interpret this "raw data" and how it is collected. Like CERT have to rely upon information received? Unfortunately, there is no "absolute" method of data collection.

My point is that we do not have a realistic risk model; only some opinionated interpretations.

I have often wondered if it would be worthwhile writing an "other tutorial" on the subject of reviews and statistics? it might help stop a few flame wars?

I do hope that our initial discussions will prevent your thread being hijacked into the usual flamewar ;)

Otherwise my comment is "what about VMS then?..........how many vulnerabilities, exploits and malwares can you detail ".................that is usually a good opener :D

Quote:

---

Originally posted here by nihil
I have often wondered if it would be worthwhile writing an "other tutorial" on the subject of reviews and statistics? it might help stop a few flame wars?

---

Great idea! Imagine how much of everyone's bandwidth that would save in the long-run! :D

Oh well, I'm off to see why my nmap scan has been going on for half an hour and still hasn't finished - when the nessus scan finished about 15 mins ago... :rolleyes:

Here's another thing to consider which I'm surprised no one caught on to. The total *nix vulnerabilities list is about 10 different operating systems. There's OS X, AIX, HP-UX, OpenBSD, SCO Unixware, Solaris, FreeBSD and others.

Of course your going to have a higher number of vulnerabilities if you lump a bunch of different OS's together against 1 OS. Also, alot of those vulnerabilities are duplicates that were updated somehow.

Also, they didn't count certain vulnerabilities against Microsoft. IIRC, there have been few if any mozilla firefox vulnerabilities that only effected the linux platform. They effected about everyone. So why am I seeing 5 mozilla firefox lines under the *nix section and only 1 under the Microsoft section.

The raw data is good, but I don't understand the logic behind some of this. They should have seperated the different OS vulnerabilities.

i think this report is an excellent reflection not on the quality of either the windows or linux operating systems but the uselessness of aggregate reporting. the vulnerability definitions and set definitions are so informal the border on non-existent.

a service/daemon flaw that allows an authenticated local user to execute arbitrary code as a guest/nobody user is viewed the same as a remote icmp flaw that binds a shell as administrator/root. a vulnerability that requires the system to be configured in a manner dramatically different from both the default and industry best practice is viewed the same as one present in the universally agreed upon most secure configuration.

all of this without even considering factors already addressed such as scope of use.

the only vulnerabilities worth indexing are those found in the given operating system's security enforcement mechanisms and for true comparison the date when the vulnerability must be recorded along with its discovery. until this is done there can be no effective comparisons since the scope and duration of vulnerabilities remain unknown.

once this data can be reviewed with iso15408 evaluations and access control model expressiveness mappings true universally agreed upon comparisons of operating systems will be a reality.

Quote:

---

Interestingly, most of the flaws listed by US-CERT are application bugs rather than security holes in the underlying OS. This is likely due to the more stringent QA testing that operating systems undergo before release. Not all vulnerabilities are created equal, either. Chances are, this remote DoS security flaw caused problems for few, if any users. On the other hand, the entries from the SANS Top 20 Internet Security Vulnerabilities list have the potential to make life miserable for any number of users.

---

The operative word here is QA, the earlier boxes went out with less testing methods being performed on them.....an ananology is todays media reporting of crime, everybody thinks crime is on the rise, yet the facts will tell you different, it's just that certain types of crime which may not have been covered in the past, is now getting more exposure..thus skewing the data for a complete picture...

Quote:

---

What does it all mean? For one thing, finding and reporting bugs is big business for security companies. By being the first on the block to trumpet the discovery of an obscure buffer overflow attack that exists only as a proof of concept, these companies hope to gain credibility and create a market for their services. Finding and exploiting bugs is also big business for malware writers. While there are still script kiddies looking to "pwn your b0xen," malware writers are more interested in making money. Zombie armies of compromised PCs can sell for thousands of dollars, which makes the hunt for easily exploited bugs potentially very lucrative.

---

This is the other aspect of this data being produced, a lot of businesses have agendas to increase their business, so they will try to beef up their discoveries, how many of these so called AV/Antispyware companies include false positives in their reporting, even MS's Antispyware will pick up false positives, so all of this data is subjective, and should be carefully scrutinised before labelling one OS as better then the other......


Source

Quote:

---

Originally posted here by dalek
... it's just that certain types of crime which may not have been covered in the past, is now getting more exposure..thus skewing the data for a complete picture...

---

I don't think it skews the data so much as warps the public perceptions. That is probably where most of the damage is done. Also, remember that news media reports based on the corporate agenda, not necessarily on what is "news."

As MS_Security pointed out, standards based reporting and statistics would go a long way toward helping us get a handle on just what it all means.

I find all of this very suprising. Every security expert I talk to says that Linux is the safest bet. I am not denying this, but I question its truth now.

What do you think?

I am sorry if my last post made the wrong impression. My point is why is that Linux is praised? I will still use Linux... dont get me wrong. :D

Apply the appropriate OS or application to the task at hand. Not all OS's or applications are right for all tasks. Just make sure you have the information necessary to maintain and secure the solution you've chosen.

How's that fer dancin'?
;)

I think Jeremy's blog post on this sums what we've all been talking about pretty well.

rapier - Yup, this is exactly the kind of misinformation which causes the public to be wary of Linux. Not only may some of them think that changing OS would be too much trouble (although it isn't easy moving to a completely different OS), but now they may even think that there's no point because it's three times less secure than Windows :rolleyes:

ACL - That's the kind of post which will start an OS/flame war here. As you may have noticed, we're trying to avoid that... :D

[edit] Sorry ACL, I may have misunderstood you - but just keep in mind that an OS is only as secure as its admin makes it. ;)

Quote:

---

ACL - That's the kind of post which will start an OS/flame war here. As you may have noticed, we're trying to avoid that...

[edit] Sorry ACL, I may have misunderstood you - but just keep in mind that an OS is only as secure as its admin makes it.

---

J_K9 - sorry mate - but the title of your post suggests the premise of the exact thing you wish to avoid. It is only after actually reading beyond the title do we, as your audience, expect perhaps something different; which it was. I just find it surprising that an IT person or group of IT persons would ever not want to engage in a "holy" OS flame war... if nothing else, than just for the sake of doing it.

On the quoted material - TechWeb makes the title sound nefarious towards Linux but as ThePastorGang pointed out - the information shouldn't be taken whole heartedly - as the information has not been filtered. So what was the actual point of the article... maybe to start an OS flame war?!? See-see J_K9 - you can't avoid it! Bwah-hah-hah-hah!

Cya fleshbags.

Quote:

---

Originally posted here by rahhabb
I just find it surprising that an IT person or group of IT persons would ever not want to engage in a "holy" OS flame war... if nothing else, than just for the sake of doing it.

---

I think you'll find there are already plenty of the OS war threads on AO - just use the search tool. You possibly have not been on these forums long enough to understand why OS wars are now avoided?

On another note, it appears that some members may not have liked my comment that "an OS is only as secure as its admin makes it" - in which case I apologise, and please see MsMittens' post a while ago which is where I quoted it from.

-jk :)

I had a look at our records of the patches that apply to my work environment today, that is those patches that were released for vulnerabilities that affected my organisation results are below.

Approximately 190 patches since April 2005, the breakdown of the platforms affected are:

SuSE - 70
RedHat - 51
Microsoft - 30
Sun - 14
Other - 14
Cisco - 6
IBM - 3
Oracle - 3

My first comment to my colleague here was: "These results are somewhat misleading because they measure # patches not # vulnerabilities". For example in an IE patch, there can be a number of vulnerabilities patched. Oracle is a particular example, they have a quarterly release cycle, and there is one "Critical Patch" but this may patch 20+ vulnerabilities.

Linux as a general rule release a patch as soon as a vulnerability is found, so instead of having 1 patch in a month for your web browser that patches 10 vulnerabilities, you may have 10 patches for those 10 vulnerabilities - therefore results are skewed.

As has been noted previously in this thread that it is very difficult to compare the OS's because they have totally different security response strategies and development strategies, so comparing on patches is difficult.

Quote:

---

how much spyware/malware/virii are there for Linux? Is it in the hundreds of thousands yet?

---

Probably a fair question but again I think it is difficult to say which is more secure based on these figures because the people that write the crap want to infect as many machines as possible - that is generally their aim and realistically they get their best returns by targeting Microsoft because that is where the majority of users are.

I use Linux and Windows, I like them both and honestly I don't really think to much about which OS is more secure, I agree with the point that has been made in this thread and others that security really depends on the administrator, I think my Windows box is just as secure (or more) as my Linux box, not because the OS is better or worse but because I have more experience securing and using Windows machines.

There is an interesting post on Bugtraq from Steve Christey, CVE Editor titled

Quote:

---

Open Letter on the Interpretation of "Vulnerability Statistics"

---

See:

http://www.securityfocus.com/archive.../30/0/threaded

An update which also confirms almost everything we've discussed in this thread:

Experts question Windows win in flaw tally

The article also quotes a few important people from companies like Secunia and Red Hat - so overall it is a nice read as a companion to this topic.

Over and out. :)

Also remember Linux is a much more flexible setup. Its not like windows where the backbone is the same in everything and theres just 3rd party software trying to cover it up.

Quote:

---

Also remember Linux is a much more flexible setup. Its not like windows where the backbone is the same in everything and theres just 3rd party software trying to cover it up.

---

Hi neoific,
I'm not quite sure what you're getting at. Believe me, I like Linux :) But what specifically do you mean when you say "Linux is a much more flexible setup"?

Thanks.

I think he means that there is so much variation from one distribution to another that it is, in some cases, very difficult for malware to affect a broad range of Linux distributions. I agree with this, to a certain extent - although, it does not have that much of an effect when there is a specific service being exploited.

See this post: http://jeremy.linuxquestions.org/blo...5/1603140.html

And, I'd just like to point something out.. neoific - please read the FAQ. This thread is over five months old! Please do not reply to posts with flashing dates (see the FAQ for a more complete explanation).

Cheers,

-jk