Posted on 01/09/2006 3:50:13 PM PST by cabojoe
THE UNITED STATES Computer Emergency Readiness Team (CERT) has prepared a report for the government that claims that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.
The Cyber Security Bulletin 2005 said that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating bugs.
The remaining 2,058 were multiple operating system vulnerabilities. It is possible to hear the sounds of the provisional wing of the Linux and Apple glee clubs strapping cyber explosives to their belts at the announcement.
It seems that the figures prove the impression of many in the security industry that the only reason Windows boxes get turned over the most is because there are more of them.
CERT's figures did not include figures for how quickly vulnerabilities are patched once they are discovered. You can have a look at the report here. And flame CERT not us. µ
Link to CERT report: http://www.us-cert.gov/cas/bulletins/SB2005.html#UnixLinux
Linux is less popular and thus less targeted by hackers, etc. Take your pick.
I am a Windows/Capitalism fan as much as the next guy, but I don't know if it's entirely fair to lump Linux with Apple. Of course, as someone else said, it's hard not to have scrutiny when you're installed on about 97% of the world's personal computers. The most recent Windows flaw, dealing with images, affected every Windows OS since 1990! It took that long to discover.
I agree about lumping Linux with Apple. Maybe someone can explain why they would do that.
What is really funny is that Windows 98 is more secure than Windows XP. Even the latest WMF problem is not currently a threat to 98 according to Microsoft.
Don't know about that. Since XP/SP2 includes support for hardware Data Execution Prevention for processors that include it, I was never at risk unless I used some third party software that I've never heard of to view .wmf files.
ping.
After all this time, you'd think that the mainstream tech press could get it right when reporting on security. The sheer number of vulnerabilities means little when compared with other factors, such as the severity of the vulnerability, how easy it is to exploit the vulnerability, and how long it takes a vendor to respond to the vulnerability.
So you want to talk about vulnerabilities?
While some outlets are saying that "Windows beats Linux/Unix on vulnerabilities," Windows admins are sweating the WMF vulnerability without any patch available from Microsoft. Microsoft disclosed the WMF vulnerability on December 27. This was a zero-day exploit, meaning that exploits were found in the wild before the vulnerability was known.
Here we are, more than a week later, and Windows admins are having to use unofficial patches to try to protect themselves. Microsoft says it expects to have a patch next week, if it passes quality testing, meaning the window of opportunity for this nasty little vulnerability will be at least two weeks. One source cites at least 70 malicious WMF files in the wild so far.
It's worth noting that this vulnerability is a design issue, not a buffer overflow or some other exotic exploit -- WMFs are supposed to be able to call external procedures and execute code. Microsoft is vulnerable because the company included a feature to run arbitrary code from an image file.
This is not to say that the data from US-CERT is a meaningless aggregation. You can easily spot the most vulnerable operating system in wide use today by taking a look at the Technical Cyber Security Alerts issued by US-CERT last year. Here's the bottom line:
- 22 Technical Cyber Security Alerts were issued in 2005
- 11 of those alerts were for Windows platforms
- 3 were for Oracle products
- 2 were for Cisco products
- 1 was for Mac OS X
- None were for Linux
That's quite a different picture than the one the Microsoft press machine wants you to see. Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.
"Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.
The Cyber Security Bulletin 2005 said that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating bugs."
So they took a dozen or more different versions and added together the flaws and got a larger number than one operating system by itself so they declared that one operating system "safer."
Somebody is either stupid or paid off.
Let's apply that reasoning to homeland security: There are more security threats in the other 49 states put together than in New York by itself. Therefore New York is the safest state for terrorist attacks.
As far as the argument about flaws taking Microsoft longer to discover/fix goes, common sense would tell you that Open Source flaws are easier to discover since everyone can analyze the source code directly and immediately.
I have to agree that lumping the MAC OS in with out UNIX variants is mixing apples and oranges (pardon the pun).
Computer Emergency Readiness Team (CERT) has prepared a report for the government that claims that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005
Looking at the CERT list he based this off of, I see many things which are not Linux, such as Apache, BZIP, Ethereal, and other *applications*. A bug in the Windows version of Apache is not a Windows bug, it's an Apache bug, but apparently a bug in the Linux version of Apache is a Linux bug.
Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.
So Linux, OSX, and about a dozen UNIX operating systems are double that of windows? Why not count just Linux, or OSX, or Solaris? What this means is that vulnerabilities in the kernel are not only counted in every Linux distro but also problems which affect multiple UNIX distros are counted.
The remaining 2,058 were multiple operating system vulnerabilities. It is possible to hear the sounds of the provisional wing of the Linux and Apple glee clubs strapping cyber explosives to their belts at the announcement.
Ahh yes, this explains it: it's a hit piece.
It seems that the figures prove the impression of many in the security industry that the only reason Windows boxes get turned over the most is because there are more of them.
If one completely ignores the weaknesses of the study, which include:
*counting Solaris, HP-UX, AIX, Linux, RedHat, Suse, Applications that run on any of these platforms
*Ignoring time to patch by the vendor
*Ignoring the severity of the bug
Then this statement might have merit.
Because it was a lazy hit piece
Example: Because you could bring down the internet by crashing a handful of BSD servers.
Easy explanation. The so-called study dealt with flavors of Unix. We all usually describe that as _nix. Apple's OSX is actually their Graphical User interface built on top of FreeBSD, which is a free distribution of UNIX, and is still around today. That it is VERY stable is without question, and this was the trait that Apple was undoubtedly looking for.
Another issue in vulnerability might be that Apple does not always (not a Mac owner, so I'm out on a limb here, hope I don't saw myself off!) use standard hardware. It's Apple, not a PC! If a piece of hardware is relatively obscure, it's probably not going to be targeted with a given exploit, if indeed the exploit is even possible with that particular piece of hardware. Apple by and large uses proprietary hardware, contributing to the higher cost of a Macintosh.
If you hang out on these tech threads very much you've probably seen the post below. I repost it because no one has been able to come up with a reason that a target of just 12,000 systems spread across the internet is more tempting than several million Unix/Linux/Mac systems out there.
Also n3wbi3's point about being able to bring down much of the net's infrastructure by attacking a handful of hosts is a good one.
I just knew if I scrolled down this thread a while, I'd see exactly this bit of fud thrown out.
Fortunately, I have a reply that I've previously written to counter this silly FUD.
Oh, I don't know. Perhaps as someone else already said on this thread, it might be done for the bragging rights of having created the first successful virus/worm to attack Macs.
I've seen this charge that the small market share that Mac and Linux have is what keeps them safe. It is repeated often enough and seems reasonable enough until you actually look at the history of some other worms/viruses.
Consider: the spread of the Witty Worm.
Quoth the poster:
Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them. In the past, users of software that is not ubiquitously deployed have considered themselves relatively safe from most network-based pathogens. Witty demonstrates that a remotely accessible bug in any minimally popular piece of software can be successfully exploited by an automated attack.
I suspect there are more than 12,000 Linux and/or Mac hosts out there on the internet.
Also, consider that the folks who were hit with this were also among the more security-conscious users:
The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available.
Show me a successful worm/virus against Macs and I'll listen. Until then, your talking point is FUD.