Hey NoStop, stop and take time to read the latest Secunia Vulnerabilities
Summary Listing:
It has 4 new entries for Windows and more than 40 for Linux.
The plain fact is that UNIX/Linux systems are no more secure than Windows.
After Ubuntu (the flavor of the month) fades, what will be the next great
product? Maybe they will name it Linzux - Raw or Cooked.
Flaw #1 in your reasoning: Microsoft has a secrecy policy regarding
vulnerabilities. Security researchers who don't cooperate with that policy
will find essential future cooperation cut off. All you're comparing here
is *reported* vulnerabilities for two operating systems, one of which
tries to exercise tight control over reports of vulnerabilities and the
other of which is very forthcoming.
http://www.securius.com/newsletters/Windows_EXPloitable.html
"While reputable computer security practitioners would be likely to
agree that publishing exploit code is irresponsible, Microsoft is
interested in suppressing any public discussions of vulnerabilities.
The company is now pushing for embargoes on third party security alerts
in order to provide time for fixes. Microsoft's certified security
partners must agree to not disclose vulnerabilities they discover."
This is actually a well-balanced article and explains the reasons for
Microsoft's policy. Though I personally disagree with
security-by-obscurity, it's at least possible for others to make the
argument that Microsoft's reasons are good. But nevertheless, this policy
makes a comparison of publicly-reported Linux and Windows vulnerabilities
one-sided and meaningless.
Flaw #2 in your reasoning: Being open-source makes it easy for anyone in
the world to scour Linux source code for vulnerabilities. *Most*
vulnerabilities in Linux were discovered in the laboratory and fixed
before they could be used in the real world.
Flaw #3 in your reasoning: Linux vulnerabilities are often reported
multiple times, once for each distribution containing it. For example
today's Secunia report lists the same identical vulnerability three
times - once each for Mandrake, RedHat, and Debian.
Flaw #4 in your reasoning: Linux users and developers are more paranoid
than their Windows counterparts. Minor vulnerabilities that only
get a shrug out of Windows users would send Linux users into a tizzy. Security
reports reflect this greater sensitivity.
Here's a pretty good article on some Windows-vs-Linux security myths:
http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/
This article deals with three myths:
Myth: Windows only gets attacked most because it's such a big target,
and if Linux use (or indeed OS X use) grew then so would the number of
attacks.
Myth: Open Source Software is inherently dangerous because its source
code is widely available, whereas Windows 'blueprints' are carefully
guarded by Microsoft.
Myth: Statistics 'prove' that Windows has fewer, less serious security
issues than Linux, that Windows issues are always fixed, and that they
are fixed faster.
One quote from the article:
"This aside, simply claiming that Windows is more secure than Linux
because the time from discovery of vulnerability to release of patch is
greater for Linux skips consideration of the importance of what gets
fixed. A comparison of 40 recent security patches with reference to
Windows Server 2003 and Red Hat Advanced Server AS v3 shows that
Windows experienced the most severe security holes, while Red Hat had
only a handful (four) which rated as critical. It is also arguable that
Microsoft understates vulnerabilities in Windows Server, because some
flaws are deemed not critical for Server on the basis of system
defaults which are in many operational scenarios impossible to adhere
to. For Red Hat, on the other hand, there is an argument that in
Petreley's analysis we have overstated the extent of critical
vulnerabilities (Red Hat does not assign severity levels), and very few
of them would allow a malicious hacker to perform mischief at
administrator level."