Windows more secure than Linux?

[jared_c]

Windows more secure than Linux?

Windows suffered fewer security vulnerabilities than Linux last year, according to figures released by vulnerability tracker SecurityFocus.
Although the statistics so far only go up to August 2001, aggregated distributions of the Linux operating system suffered 96 vulnerabilities while Windows NT/2000 suffered only 42.

Breaking the figures down by distribution, Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26.

Windows, on the other hand, shared fourth most vulnerable position with 24, alongside Sun Solaris 7.0 and 8.0.

Although in previous years Windows has suffered the most vulnerabilities when compared to individual distributions, against the Linux aggregate the Microsoft operating system has consistently come out looking better off than its open source brethren.

For five years straight, in fact, Windows has come out less scathed than Linux, with 2000 pinpointed as the most significant year when Linux suffered over 150 vulnerabilities and Windows fell just short of 100.

But when looking at the bigger picture, the number of vulnerabilities discovered has rocketed since the start of last year and now peaks 150 new security discoveries a month, revealing a lot of bug-hunting activity poking holes in the security of operating systems in general.

http://www.vnunet.com/News/1128907

[Vorlin]

This is one of the problems with open source code. Anyone can view it, improve it, and unfortunately, locate any holes and abuse it or write something else that'll abuse it. As for linux having more vulnerabilities, you're talking about several distributions which might slant the number a bit. Windows is relatively the same as far as base code for 95/98/98SE which is the predominant release out there, XP probably filling that rather fast. For vulnerabilities, the XP UPNP hole is about as big as Sun's grand + .rhost entry for root's profile by default.

There will always be people who look for holes and exploits, and there will always be people like me looking for holes to fix.

[the_JinX]

I didn't see slackware in the list though...
nor openBSD..

so it should be.. Newbie-focused linux distro's are less secure then windows-professional distro's

I don't think that is a fair comparisson, do u???

[proactive]

My first thought on this list was that it probably seperates the OS from the applications. And if I remember right, most of the vulnerabilites this year on the MS platform was located in IIS and IE. For a server you don't need IE, and you don't have to use IIS either. So all in all you can have a perfectly secure server running MS2000 Server and the Apache web-server (or Netscape or whatever).

From a programmers point of view, not using the IIS takes away the the whole point of using MS OS in the first place. I mean, if you think of using the .Net or Visual Studio features for web development, you have to use IIS as a web server. (As far as I know, correct me if I'm wrong). And if you want to use Java and PHP, you might as well go for some type of *nix. I actually haven't thought of using anything other than MS developing tools on the MS platform. Maybe that is something I should consider?

[Wickdgin]

Gotta love statistics- In the words of my 11th grade English Teacher:
"Statistics are like bikinis- while what they show is interesting, what they hide is even more intriguing"

I don't believe the sheer number of security holes discovered is a true determinant of a secure OS. There are many more factors to take into account.

I can have one operating system with a dozen remote vulnerabilities that allow root acces and another operating system with two dozen less severe vulnerabilities such as mail relaying - just because OS #2 has twice the # of vulnerabilites as OS #1 does not makeOS #2 less secure.

In addition - when a vulnerability is brought to the publics attention on an open source platform, a bug fix is out in no time at all (and even sooner if you know what you are doing). On a Microsoft product it could take a week or never at all for a fix - there was an example of a vulnerability in a MS service that was never fixed because Microsoft was phasing it out (I can't find that example though).

The point is you can't claim that WIndows is more secure that Linux on the sole number of vulnerabilities.

[Remote_Access_]

You all have made good points...
I think your OS is only as secure as the user.
You have the option to update your software
and install patches to fix the problems.
The holes are going to remain there untill
YOU fix them. Other wise you're not going
to learn untill something goes seriously wrong.
Even then some people still won't get it..
Your box/network is only as secure as you make it.

Remote_Access_

[the_g_nee]

Reading this post certainly surprised me, I have always been under the impression that Linux by and by has been more secure than Windoze. It would be interesting to look at the criteria that were used for comming to this conclusion.
Also Windoze NT uses the NTFS file system which is inherantly more secure than 98/XP.

[souleman]

You will also notice that normally, Windows is more secure that all linux combined, but not more secure then any one distrobution. (Not necessarilly true this year). Anyway, a security problem in one distro, may affect all the other distros also. So 1 security hole gets markes like 7 times for linux, wheras it would only get marked once in microsoft.

[ThePreacher]

This is very true souleman. The problem isnt the vulnerabilities, the true problem is the attitude that most windows users take towards security. Most windows users rarely update their OS to make sure that it remains secure, while I believe the linux user does whatever possible, including updating often, to keep their box safe. Linux users are what makes linux so much more secure.

btw jared_c, i just noticed that the distributions that are listed are running the old linux kernels. Many of these vulnerabilities have already been fixed in the newer versions of mandrake and redhat.

[{P²P}Apocalypse]

Originally posted by the_g_nee
Reading this post certainly surprised me, I have always been under the impression that Linux by and by has been more secure than Windoze. It would be interesting to look at the criteria that were used for comming to this conclusion.
Also Windoze NT uses the NTFS file system which is inherantly more secure than 98/XP.

Linux is more secure as far as /root access. It's mainly (as others have stated) the user that won't patch holes or apply hot fixs that cause problems. Besides. In my personal experiance. I have saw more Win32 machines broken into than Tux boxes. As far as the NT/98/XP thing. XP can be used with the NTFS file system as well. If it's the home version default is FAT 32. The Pro version is defaulted to NTFS. The upgrade defaults to whatever file system was in place. As well, the secure parts and some of the networking components were left out of the home version of XP. The Pro version offers NTFS as well as the EFS. The problem with XP that I have found is that most people login by default to the admin account on XP. This it what it does during instaltion and on first boot and most people don't chage it or create a user account. There by offering root access if broken in to. So that takes us back to, it is usualy the user that makes the system unsecure. Thats the first step in security. Educating the users. Most distibutions of Linux force a user account on instalation and first boot with the user account. Thats just my take on the lack of security in Windows.