Is Linux as vulnerable as Windows?

The open source community sometimes claims that vulnerabilities are "more serious" in Windows, but I don't know of an objective way to measure that. And lacking a generally accepted method, all we are left with are the raw numbers. Microsoft rates vulnerabilities when it publishes a patch, but we need a comparable way to rate Linux/Unix bugs if we're going to compare the seriousness of the patches released for these platforms. It's useful to look at incidents as well as confirmed vulnerabilities (advisories). Although this isn't exactly the same as measuring how serious a vulnerability is, it provides a good way for those in the security business to judge how many attacks are taking place, or at least how many are being reported. According to the Aberdeen report, "In 1995 the incidents reported by CERT numbered 2,412. However, incidents tracked by CERT skyrocketed from 21,756 in 2000 to 52,658 in 2001, and then to 73,359 for the first nine months of 2002. Clearly, the trend in incidents and advisories is going up, and at an alarming rate." However, we should always take incident statistics with a grain of salt. After all, vulnerabilities are easy to count, but who knows how many attacks go unreported? Microsoft has recently announced a new policy for rating vulnerabilities. The company says this was due to customer complaints about far too many "critical" warnings, which compelled administrators to patch vulnerabilities even when the critical rating was not warranted by the actual risk. According to Microsoft's director of security assistance, Steve Lipner, the new rating system will expand the old Critical-Moderate-Low reporting scale to include Important, which will fall between Critical and Moderate. Most of the old Critical vulnerabilities will now be labeled Important, including threats that could lead to system penetration and file compromise. The Critical rating will be reserved for Internet threats (e.g., major disasters of the Code Red variety). A new two-tier security bulletin system with a less technical bulletin service will also be hosted at http://www.microsoft.com/security/ to supplement the current one, which many users found simply too technical. A recent report brings yet another aspect of this subject to the forefront by pointing out that White House Cybersecurity Tsar, Richard Clarke, has called for mandatory vulnerability reporting to a central federal government office. This would require any security firm discovering a new vulnerability to report it with the goal of forcing vendors to respond more quickly to new threats. Others feel this may lead to premature disclosure of vulnerabilities, which happened in the past when the FBI's National Infrastructure Protection Center attempted to coordinate reports with various vendors. The newly organized (Sept. 26, 2002) Organization for Internet Safety is also developing a proposed set of guidelines for timely and safe reporting of vulnerabilities. OIS founders include Microsoft, @stake, Symantec, Caldera, Network Associates, BindView, and Oracle, so there may be some muscle behind these guidelines. Final word We will probably always be comparing apples and oranges when we try to see how the number and severity of vulnerabilities found in the major competing platforms match up. But this really doesn't matter in the real world. The bottom line is that if a vulnerability leads to intrusions on your network, it's a problem, and it doesn't matter whether the vulnerability was a "high" risk or a "low" risk, only whether it cost you time and money to deal with it. Most of us are supporting legacy systems and always will be. Only new companies have the luxury of selecting a platform based only on security, performance, and initial cost. That's further limited to only new companies that have an expert IT staff in place to advise the company founders before they buy a single computer. It's far more likely that a platform decision will be based on the experience of the founders, the vendor who gets there first with the best proposal, or, most likely of all, which platform runs a line-of-business application that the company needs. The Aberdeen Report concludes that the reduction in Microsoft vulnerabilities is the result of the company's much-touted new security initiative. It may be too early to determine that, but it is a relief to see that no major viruses have besieged Windows in 2002. As for Microsoft's new security labeling system, I think it is useful. It makes sense to reserve the Critical rating for those dangerous global threats that can spread around the world quickly and temporarily threaten the integrity of corporate systems.

For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter. Tell us what you think in the Enterprise Mailroom.

« Previous
1
2
Next »

Talkback

As stated in the article, this does seem to be a M$ sponsored report. I can count the number or reports of attacks on UNIX systems on one hand in the last few months, while there have been a plethora of CERTs sent to my email box regarding another Windows related exploit.

Admittedly, if there is any weakness on the UNIX/Linux front, I would have to say it's probably on the Linux side. This is because as far as numbers goes, UNIX is run on a multitude of processors/platforms while Linux is primarily an Intel processor domain. (Please no boos and hisses - i'm running Linux on UltraSparc II based Ultra 5.) That is real reason viruses and the like have not spawn a huge following for the UNIX world. At the machine level its very difficult (though, not entirely impossible) to write code that will run or mutate to run on dissimilar architectures.

Also, UNIX OSes were designed in a manner that is only recently being copied/mimmicked by Windows developers as far security and the access.

Windows users have far too much access to core functionality of their OSes. Regular users under UNIX normally only have access only to user level function and files. It's nearly impossiblefor a regular UNIX user to infect or corrupt the system they are logged into to the level a user on Windows could. If a Unix user does happen to get infected, its typically his/her own files and user space that are compromised.

It would be interesting to see a real report that follows the uptime of businesses servers world-wide, web-based or not and see the differences between UNIX/Linux servers versus Windows servers. If anyone knows of such a report please let me know.

via Facebook 14 August, 2003 04:33

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live

I also installed the KDE version; I also will probably try out razorqt since I really haven't had a chance to before. I'm looking forward to the...

3 hours ago by Thomas Gellhaus via Facebook on Mageia 2 Released

Acquiring when reinvention/cannibalization is too challenging for a large organization can be an excellent strategy- still, so many mergers stumble...

5 hours ago by francisabigail on Ariba buy parks SAP on Oracle's cloud turf

All of the feedback regarding using a touch monitor for a desktop PC is right on. Several months ago, we installed a "demo" multitouch all-in-one...

11 hours ago by apexwm on Windows 8 could speed multi-monitor uptake

anyone wanting to triple boot *their* own Mac

12 hours ago by 191706 on xTreme Triple Booting: Linux, Mac & Windows

Cont.. Biggest Bugbear: Win7's stop-animate-go approach to work, you develop a staggered (not in the above alchohol sense of the word) approach to...

12 hours ago by SoapyTablet on Windows 8 could speed multi-monitor uptake

Ah the joys of Windows 8 Consumer Preview... If Windows 7 was 'Vista with Lipstick', whats Windows 8? Vista with Lipstick, the morning after?...

12 hours ago by SoapyTablet on Windows 8 could speed multi-monitor uptake

Though the metro look is quite cool on the windows mobile platform I think that think that microsoft ARE MESSING THINGS UP because what has they...

13 hours ago by daveveej on Windows 8 could speed multi-monitor uptake

I agree, we have a few touch screen monitors in work but as Windows7 and the applications we use are not touch screen friendly (the size of the...

13 hours ago by Custonian on Windows 8 could speed multi-monitor uptake

I find it amusing that Microsoft added the mouse, which was deemed awkward, but people were forced to use it so it stuck, and now they're saying,...

15 hours ago by archerthom on Windows 8 could speed multi-monitor uptake

Agree with other comments. Nobody's going to start reaching out to start tapping their desktop monitors with their fingers. Their arms would tire...

24 hours ago by BrownieBoy on Windows 8 could speed multi-monitor uptake

The only way a touch monitor would be any good is if it were horizontal on the desk, with a virtual keyboard so you could do away with that as well...

1 day ago by Random_Error on Windows 8 could speed multi-monitor uptake

This is just dumb! Forget that I think Windows 8 will bomb, but really, people are going to go out and buy touch Monitors now??? Just pretend...

1 day ago by JBDragon on Windows 8 could speed multi-monitor uptake