The US Government has reported that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Linux/Unix-based operating systems — a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix — had over twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.
The report — Cyber Security Bulletin 2005 — was published last week and found that out of 5,198 reported vulnerabilities, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating vulnerabilities. 2,058 were multiple operating system vulnerabilities.
However, the popularity of Windows means it is still much more likely to be attacked than Linux, according to security firm McAfee.
"In the Windows vs Unix debate, the number of vulnerabilities is less relevant than the amount that are turned into successful attacks. We see far more successful attacks against Windows, because it's the most common environment," Greg Day, security analyst at McAfee, told ZDNet UK.
"As Linux becomes more common, we'll see more attacks against it," Day added.
McAfee recommended firms look more at the probability of attack, rather than whether an attack is possible.
CERT's report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security firm Secunia, 124 of its security advisories relate to flaws in Windows XP Professional, of which 29 are unpatched — which gives it a lands Microsoft's operating system with a "Highly Critical" security rating.
In contrast, Red Hat 9 is affected by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. SuSE Linux Enterprise Server 9 is covered in 91 advisories, but every one has been patched by the vendor. Both products get a 'Not Critical' rating.
Talkback
These statistics mean nothing - one of the biggest funders of the US govt. and in particular the bush campaign is Microsoft - all this represents is Microsoft buying their own statistics and touting them through channels like ZD. I expect we will see more of this in the run up to Vista launch and MS try to convince the world to upgrade yet again.
Both Linux and Unix (and flavours thereof like OSX) are fantastically more secure than windows, not only that, you can try some of them out for free to see for yourself.
If you read that then read this too.
http://trends.newsforge.com/article.pl?sid=06/01/05/1627242&from=rss
Can't reporters do MATH???? Geez, they're supposed to be skeptical and question everything.
The same vulnerability is being counted multiple times. Plus, there's no analysis of how many of these vulnerabilities remain unpatched. As a result, this list is beyond meaningless - it's a pretty set of numbers, Sir Billy can give it a nice frame and stick it up on his wall as decoration.
What matters isn't the amount of vulnerabilities, nor how many have been patched, nor how many have exploits in the wild.
What matters is how critical these vulnerabilities are, and Windows vulnerabilites are usually far more critical than those of any other OS.
I'd rather be using a system with 200 vulnerabilities, 150 of them having an exploit in the wild, and all of them being rated as not critical, than a system with 3 vulnerabilities, with only 1 having an exploit in the wild, and being rated as highly critical.
So ALL UNIX like operating systems combined had about three times the vulnerabilities than Windows. That means that Windows has about 50 times more vulnerabilities compared to ONE flavor of Unix/Linux.
Do the math, and quit with the deliberatly misleading sensationlistic headlines. It destroy's your credability.
So you count Mandriva, Red Hat, Debian, Ubuntu, Gentoo,& Linspire separately. Soumds like more M$
FUD. Why not count windows 3.0, 3.1, 95, 98, 98SE,
ETC. as there are people still using these. Unpatched
vulnerabilities for the older OS's would be too many
to count.
I don't know why any self-respecting journalist would allow him or herself to return to the security through obscurity argument. All I need to wsay is IIS vs Apache. Those who know what I'm talking about, already know why those three words completely destroy the security through obscurity argument.
OS, Web Server and Hosting History for www.us-cert.gov
OS Server
Last changed
IP address
Netblock Owner
Linux
Apache
27-May-2005
192.88.209.49
Software Engineering Institute
Linux
Apache
3-Oct-2003
192.88.209.25
Software Engineering Institute
What the article fails to mention that anytime new applications come out that there will be chances for vulnerabilities to be found cause the likely hood of those vulnerabilities to be tested will be zero.
it sounds to me as if windows is getting better. It certainly cost more to protect Windows OS than it does for any given Unix OS. I will still won't buy windows just because of that factor and that windows are the most heaviest of all the OS's that are TARGET'd for those vulnerabilities.
But companies still should test for those regardless. There should be standard tool kits to test those type of vulnerabilities.