Windows Has Fewer Security Holes than Linux

by Preston Gralla

The conventional wisdom holds that Windows is a security sieve, while Linux is locked down tight. Then why does Linux have three times the number of security holes as Windows?



A 2005 year-end vulnerability summary by US-CERT (United States Computer Emergency Readiness Team) concludes that Linux/Unix accounted for an eye-opening 2,328 vulnerabilities, about 45 percent of the total of 5,198 vulnerabilities for the year.



Windows, by way of contrast, had only 812 vulnerabilities during the year, 16 percent of the total.



You need to be careful interpreting these numbers; for example, a single vulnerability may be counted as a number of separate holes.



Still, though, the report should go at least a little way toward turning the conventional wisdom on its head.

What do you think about Linux versus Windows security?


17 Comments

marlowe
2006-01-11 14:25:24
US Cert Study Tremendously Flawed
I invite everyone to take a look at Brian Martin's take on the CERT's study and Steve Christey's take on comparing RVIs.


http://www.osvdb.org/blog/?p=79
http://www.osvdb.org/blog/?p=80


Then you can see that US CERT's study is mostly smoke and mirrors.


Patrick McDonald

christopher_roach
2006-01-11 14:25:56
Study just acedemic...
To be honest, the debate on which operating system has more security holes is purely academic. It's a nice debate topic, but that's about it. The fact of the matter is that in the real world, if I run Windows I'm plagued with viruses and spyware, but if I run Linux or OS X, I can run my computer without worry (well maybe not 100% without worry, but low enough that I don't mind taking the chance). The day may be coming when no matter what OS you run you have to look out for malware, but for the time being it's just safer to run an OS that's not Windows.
petrilli
2006-01-11 14:27:19
If only
If only there were some actual methodology to the numbers. In many cases UPDATES to original bulletins were counted. For example, the 'Gedit Filename Format String' bulletin is counted 6 times, even though 5 of them are updates.


The value of this report is questionable, and in fact might actually demonstrate not that Linux is more vulnerable (with a very loose definition of Linux to include lots of applications that wouldn't be included with Windows), but that the Open Source community is just more honest and releases updates more often.


Lack of bulletins does not imply lack of holes. What is being measured is questionable, as is the method by which it is measured. One wonders if there was an agenda driving this, rather than an honest review of the risks involved.

christopher_roach
2006-01-11 14:50:54
Study just acedemic...
$title =~ s/acedemic/academic/;
dannyo_152_redux
2006-01-11 15:07:08
Conventions
With all due respect, conventional wisdom is that all operating systems and applications have bugs and are therefore potentially vulnerable to security breaches.


Observation would note that Windows machines have the most successful world-traversing exploits, by far.

Otis_2003
2006-01-11 18:33:15
Conventional wisdom?
Did you purposely or ignorantly mislead your readers?


The sheer number of vulnerabilities means very little when you compare those stats with the severity of the vulnerabilities, how easy they are to exploit, and how long it takes for a vendor to respond to them.


When you cut through all the stats, it is really quite easy to spot which operating system is TRULY the most vulnerable when you have a look at the 22 Technical Cyber Security Alerts that were issued by US-CERT last year. For the record, they are the MOST SERIOUS alerts:


  • 11 of them were for Windows platforms

  • 3 were for Oracle products

  • 2 were for Cisco products

  • 1 was for Mac OS X

  • None were for Linux!


That's quite a different picture now, isn't it?


Otis_2003
2006-01-11 18:34:37
Conventional wisdom?
Did you purposely or ignorantly mislead your readers?


The sheer number of vulnerabilities means very little when you compare those stats with the severity of the vulnerabilities, how easy they are to exploit, and how long it takes for a vendor to respond to them.


When you cut through all the stats, it is really quite easy to spot which operating system is TRULY the most vulnerable when you have a look at the 22 Technical Cyber Security Alerts that were issued by US-CERT last year. For the record, they are the MOST SERIOUS alerts:


* 11 of them were for Windows platforms
* 3 were for Oracle products
* 2 were for Cisco products
* 1 was for Mac OS X
* None were for Linux!


That's quite a different picture now, isn't it?

carlaschroder
2006-01-11 19:23:40
Nice subtle humor, Mr Gralla
I don't know how you keep a straight face! Me, I'd crack up laughing before I even got halfway, and ruin the gag. Good job.
aristotle
2006-01-11 20:20:09
Re:
  1. What fraction of the vulnerabilities had what severity?
  2. What were the average reaction times for fixes and until a new package was pushed out so newly installed were secure by default (particularly when differentiated by severity)?
  3. What fraction of the vulnerabilities affect a base system install?
  4. Is this Slashdot now?
jwenting
2006-01-12 01:33:00
I'm not surprised
I'm not surprised either by those numbers or by the fully expected ostrich attitude and name-calling of the Linux hotheads.



Indeed numbers don't say everything, but they sure are an indication.

Yes, many of the problems hitting Windows have consequences that are far better publicised. This has nothing to do with the severity of the problem and everything to do with the prevalence of the operating system and the attitude and expertise of its users.

With many users not keeping their OS up to date an exploit has more time to propagate, and with the vast majority of people (and especially consumers) using Windows there is a far greater incentive for creators of exploits to target that platform.

In the meantime the most serious exploits (the ones that kick routers and major corporate servers offline) are almost exclusively Unix exploits, for the same reason. But because people suffering from those exploits usually are under rather strict NDAs and overall too embarrassed about not having installed the security update that was released 2 years before, those incidents rarely get widely publicised.

The company I work for has had 2 intrusions in the last 3 years. One hit a Windows laptop someone had hooked onto his home internet connection after turning off the firewall to get more performance (procedure error, with that firewall in place nothing would have happened), the other hit a Linux server that should never have been online in the first place (another procedure error) and had critical holes unfixed for over a year.

Both holes had patches available which because of procedure errors had not been fixed and should never have been exposed to a scenario in which those holes could have been exploited because of more procedure errors.

We have more Windows workstations than we do Linux servers so I could conclude that Windows is far more secure than is Linux because the number of incidents per machine per year is a lot lower. I don't because I know full well all statistics are lies ;)
teejay
2006-01-12 02:44:08
Preston - did you even read past the first paragraph?
I mean really - did you even sneak a peek at any of the data at all?


Did you fail to notice the disclaimer saying precisely not to draw these types of conclusions?


After removing only some of the duplicates (updates to vulnerabilities already listed) - Windows drops from 813 to 671, Unix/Linux drops from 2328 to 891, and that UNIX/Linux includes at least 4 different commercial UNIX, FreeBSD Unix, OS X and Linux. Splitting UNIX/Linux into 3 or 4 categories (BSD/Commercial UNIX, Linux and OS X) would give a far lower count to each than Windows - even though each individual UNIX still has as many or more versions supported (and hence reported).


More importantly - most of the vulnerabilities are in user space applications rather than the operating system and even the main applications that come with an operating system (core servers, internet clients like web browsers and email).


So the numbers are not only incorrect (due to many duplicates of different kinds) but of no use as they are referring primarily to applications.


If you want to really compare useful numbers look at some specifics - IE had 45 vulnerabilities in 2005, Firefox had 1.
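The double counting that petrilli's and teejay's comments describe (update bulletins tallied as new entries, one bug counted once per distro, and application bugs folded into the operating-system total) is easy to show on a small feed. The following is an added example, not code from this post or from US-CERT: the bulletin records, bug ids, titles, vendors and severities are all constructed, and the gedit rows only mirror what the comment says about that bulletin.

```python
"""Normalise a vulnerability bulletin list before counting per platform.

Added example; the FEED below is constructed, not real US-CERT data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    bug_id: str      # canonical id of the underlying bug (constructed)
    title: str
    platform: str    # bucket used by the summary: "Windows" or "Unix/Linux"
    vendor: str      # distro or vendor that issued this bulletin
    component: str   # "os" (kernel/base system) or "app" (userland application)
    is_update: bool  # revision of an earlier bulletin about the same bug
    severity: str    # "high", "medium" or "low"


# Constructed sample feed illustrating the three counting problems.
FEED = [
    # one application bug plus five update bulletins about the same bug
    Bulletin("BUG-1", "gedit filename format string",
             "Unix/Linux", "GNOME", "app", False, "medium"),
    *[Bulletin("BUG-1", "gedit filename format string (update)",
               "Unix/Linux", v, "app", True, "medium")
      for v in ("Debian", "Red Hat", "SUSE", "Gentoo", "Mandriva")],
    # one kernel bug reported separately by three distros
    *[Bulletin("BUG-2", "kernel ioctl integer overflow",
               "Unix/Linux", v, "os", False, "high")
      for v in ("Debian", "Red Hat", "SUSE")],
    Bulletin("BUG-3", "Windows kernel overflow",
             "Windows", "Microsoft", "os", False, "high"),
    Bulletin("BUG-4", "IE DHTML memory corruption",
             "Windows", "Microsoft", "app", False, "high"),
    Bulletin("BUG-4", "IE DHTML memory corruption (update)",
             "Windows", "Microsoft", "app", True, "high"),
    Bulletin("BUG-5", "Apache module denial of service",
             "Unix/Linux", "Apache", "app", False, "low"),
]


def raw_counts(feed):
    """The naive tally: every bulletin line counts once against its platform."""
    return Counter(b.platform for b in feed)


def deduplicated(feed):
    """Keep one record per bug id, dropping updates and per-vendor re-issues."""
    seen = {}
    for b in feed:
        if b.is_update:
            continue
        seen.setdefault(b.bug_id, b)  # first original bulletin wins
    return list(seen.values())


def counts_by_platform(feed, component=None, severity=None):
    """Count bugs per platform, optionally restricted to a component or severity."""
    return Counter(
        b.platform for b in feed
        if (component is None or b.component == component)
        and (severity is None or b.severity == severity)
    )


if __name__ == "__main__":
    unique = deduplicated(FEED)
    print("raw bulletin lines:      ", dict(raw_counts(FEED)))
    print("unique bugs:             ", dict(counts_by_platform(unique)))
    print("unique OS-only bugs:     ", dict(counts_by_platform(unique, component="os")))
    print("unique high-severity bugs:", dict(counts_by_platform(unique, severity="high")))
```

On this constructed feed the raw tally puts Unix/Linux at ten entries against three for Windows, while the same data counted once per bug gives three against two, and restricting to base-system or high-severity bugs makes the two columns converge or flip. The point is not the numbers but that the choice of normalisation decides the headline, which is why a comparison should state which of these counts it is using.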

teejay
2006-01-12 03:14:22
I'm not surprised
Of course people are going to be annoyed when Windows users claim to be more secure based on some almost random numbers that fell out of US-CERT.


The only thing I think most people have learnt here is the difference between reporting and journalism - this was somebody reporting a summary of a summary of some dodgy statistics - a journalist would have looked at the statistics and provided some useful information from them.

simon_hibbs
2006-01-12 08:14:37
No, he doesn't
In answer to the previous commentator's question, Preston has a history of failing to read, or perhaps just even vaguely comprehend, the things he posts about.


Take for example the Big Mac Attack which was, er, not an attack because it wasn't seen in the wild; he claimed it was a virus when actually it was a manually-installed rootkit, etc.


This one is equally wrong. The headline is wrong - Linux doesn't have more vulnerabilities than Windows, only all versions of Linux plus several commercial Unixes have. Even then the picture is better for Linux because the Linux numbers are for all the different distros added together - including duplicate vulnerabilities. If SuSE and RHEL and Debian all had the same vulnerability it got counted three times against Linux, and yet it's still actually got fewer exploits than Windows.


Simon Hibbs

aristotle
2006-01-12 12:52:57
Re:
With many users not keeping their OS up to date an exploit has more time to propagate, and with the vast majority of people (and especially consumers) using Windows there is a far greater incentive for creators of exploits to target that platform.


That would be a sensible claim, except three years ago, unpatched Linux machines in honeynets would be compromised as quickly as unpatched Windows machines. Plus the majority of infrastructure on the internet runs BSD or Linux, and these machines are hooked up to far juicier connections.


So a) there’s no lack of incentive for cracking Unix machines and b) it happened a lot more when Unix machines were less widespread than now.


The popularity argument is fallacious.

KevinPease
2006-01-13 09:03:16
Responsible Journalism
Mr Gralla,


Thought you might like to see an example of someone who checks their facts before publishing:


http://blogs.zdnet.com/Murphy/?p=501&part=rss&tag=feed&subj=zdblog


I expected better of O'Reilly. Very disappointed...


pjcabrera70
2006-01-13 09:35:35
Preston Gralla: Giving new meaning to the word "troll"
Mr.Gralla.


I have heard of people trolling on various message boards, blog comments, and even of trolling up and down hallways.


But this takes the cake as the first time I have heard of a weblog writer trolling on his own blog.


Bother to do some research next time, troll.

pjcabrera70
2006-01-13 09:37:00
About conventional wisdom ...
The conventional wisdom also says, Windows winnies are dumb.


Go Gralla! :-)