Posted on 01/09/2006 3:50:13 PM PST by cabojoe
Are you really that obtuse? The article compares all Unix including OSX and Linux to Windows and then titles it 'Linux vs Windows'...
You're assuming every post that I didn't cite is correct. If the shoe were on the other foot, and these were Windows vulnerabilities we're talking about, you'd be the first to howl how unreliable and bogus this whole list is, based on the fact that there are this many known false positives and duplicates.
"Them" was the generic "they". Not so much directed at CERT specifically, though spewing unmitigated FUD like this as some kind of official statement is rather dubious. The "them" it was more directed to were fanboys like you who can't think straight enough to realize how incredibly bogus the numbers you inevitably jump behind are.
Here's a clue: Just because an article claims that Linux is bad, doesn't mean it is true.
When you support such bogus crap, it just makes you look silly.
I don't think the full extent of the damage caused by this particular vulnerability will ever be known, because it is going to take a while for even major players to get folks fully patched. We know that multiple variants of attacks were out there in the wild. Two dozen variants at least. Are you now attempting to claim that even this defect was some minor irritant that no one was really in danger of being infected by? While that claim may well be true for some of the other defects uncovered in the past that were somewhat similar (and I believe I've backed you up on that on a couple of occasions in the past), I do not believe that is true in this case. It was (and is) truly dangerous.
I suspect I'll be seeing zombies compromised by this defect trying to send spam to me for the next 2 years.
"What is found" and "What exist" are two VERY different things.
Best reply of the thread!
Yup, if there were twice as many that exist my scrolling finger would get real tired scrolling through the Windows list, and numb going through the "Linux" list!
From: http://www.tectonic.co.za/view.php?id=777
9 January, 2006
The United States Computer Emergency Readiness Team's (US-CERT) annual summary of vulnerabilities discovered in computer software in 2005 unveiled that Windows appeared to be safer than Linux and Unix, with only 812 vulnerabilities reported in the Microsoft world, compared to 2 328 for Linux and Unix. The IT trade rags had a field day. However even a cursory glance at the list reveals two facts: the first is that Windows is still significantly more insecure than open source and closed source alternatives; and that much of the trade press are idiots (present company excluded, of course).
With the help of open source software OpenOffice.org (which had one vulnerability compared to Microsoft Office's four), we've managed to get some real statistics from the US-CERT list. The first trick is to discount all of the Updates - this is where US-CERT simply updates the status of an existing vulnerability. If a new patch comes out, or some new malicious code takes advantage of the vulnerability, it is marked as an update. Excluding the updates immediately drops the Linux/Unix vulnerability count to 887, and Microsoft's count to 672.
The next step is to compare product with product. The list is pretty general: for both Microsoft and Linux/Unix it includes both applications and the operating systems themselves. Furthermore, comparing Microsoft to every other vendor in the history of operating systems seems just a touch insane. So let's compare operating systems with operating systems, shall we?
All of Microsoft's discovered security exploits for Windows only amount to a pretty reasonable 44. Microsoft products in total (including MS Office, Internet Explorer, ASP.NET and the like) come to 122.
Now for Linux. The Linux kernel itself had 90 vulnerabilities, 80 of which affected multiple vendors. It's still more than Windows (I'll get to that in a minute), but it's one heck of a lot less than 2 328.
Individual Unix distributions fared very well: Apple Mac OS X clocked in at 21 vulnerabilities, tied with IBM's AIX. HP-UX had only 15 vulnerabilities. SCO had only nine.
For the top Linux distributions, things look peachy. Red Hat had seven vulnerabilities; Suse 12; Debian 10; and Gentoo a mere five.
Non-Linux open source distribution FreeBSD clocked in with 13, while ultra-secure NetBSD maintained its reputation with two vulnerabilities reported.
Now on to why Linux's kernel still managed to rack up double the vulnerabilities of Microsoft Windows. There are a heck of a lot of Linux kernels out there. Last week saw the release of 2.6.15. Some of the vulnerabilities affect multiple kernels, some only a handful, and some vulnerabilities are present only in a single version of the kernel. Further, kernels in testing are included in the US-CERT reports, since each kernel version can be downloaded by brave kernel developers from day one -- the same guys who find the vulnerabilities and publish them. One has to wonder how many vulnerabilities would be found in Microsoft products still in alpha.
Then there's the very real difference between open source and closed source. With open source code, vulnerabilities are pretty easy to find. You just have a look at the source, find some buffer overflow, and you clock up a vulnerability report. This function is typically performed by kernel developers, who know the kernel inside and out.
For Microsoft products, third party security companies use a hit-and-miss approach, where they nail one portion of one product with every cracking tool in their arsenal, and try and spot any potential threats. This means that for every vulnerability discovered, there are multiple potentials lurking under the surface, unseen except to Microsoft coders with access to the code (and they're not about to admit that they left a gaping hole in Redmond's operating system).
The bottom line is that the US-CERT list, while complete in itself, does not alone represent a mark of a secure or insecure operating system. While the likes of The Register, Techworld and others who really should know better proclaimed that Windows is the most secure operating system according to US-CERT, even a dyslexic monkey could figure out that in fact Windows had 22 times more discovered vulnerabilities than NetBSD last year, and that there really is nothing in the world quite as misleading as IT statistics.
Zeg,
Thanks for the find; it was an interesting read.
Ping to Post #51 above. This is an update article for the CERT report.
Lies, damn lies, and statistics. You can get statistics to say anything you want them to say.
That was my first reaction too, but remember that "Windows" is actually an aggregation itself of several members each of two different lines of descent. (W3.1/3.11 > 95 > 98 > 98SE > ME and NT > Win2K > XP Pro/Home > etc.)
I have direct personal, daily experience with Windows XP professional and linux (FC2). Windows periodically has issues. Linux never does. My personal, day to day experience tells me one thing. This "study" tells me another. Which do you suggest I should believe?
Good read. Unfortunately for Linux zealots, it only reinforces CERT's claim.