Link to CERT report: http://www.us-cert.gov/cas/bulletins/SB2005.html#UnixLinux
Linux is less popular and thus less targeted by hackers, etc. Take your pick.
I am a Windows/Capitalism fan as much as the next guy, but I don't know if it's entirely fair to lump Linux with Apple. Of course, as someone else said, it's hard not to have scrutiny when you're installed on about 97% of the world's personal computers. The most recent Windows flaw, dealing with images, affected every Windows OS since 1990! It took that long to discover.
ping.
After all this time, you'd think that the mainstream tech press could get it right when reporting on security. The sheer number of vulnerabilities means little when compared with other factors, such as the severity of the vulnerability, how easy it is to exploit the vulnerability, and how long it takes a vendor to respond to the vulnerability.
So you want to talk about vulnerabilities?
While some outlets are saying that "Windows beats Linux/Unix on vulnerabilities," Windows admins are sweating the WMF vulnerability without any patch available from Microsoft. Microsoft disclosed the WMF vulnerability on December 27. This was a zero-day exploit, meaning that exploits were found in the wild before the vulnerability was known.
Here we are, more than a week later, and Windows admins are having to use unofficial patches to try to protect themselves. Microsoft says it expects to have a patch next week, if it passes quality testing, meaning the window of opportunity for this nasty little vulnerability will be at least two weeks. One source cites at least 70 malicious WMF files in the wild so far.
It's worth noting that this vulnerability is a design issue, not a buffer overflow or some other exotic exploit -- WMFs are supposed to be able to call external procedures and execute code. Microsoft is vulnerable because the company included a feature to run arbitrary code from an image file.
This is not to say that the data from US-CERT is a meaningless aggregation. You can easily spot the most vulnerable operating system in wide use today by taking a look at the Technical Cyber Security Alerts issued by US-CERT last year. Here's the bottom line:
- 22 Technical Cyber Security Alerts were issued in 2005
- 11 of those alerts were for Windows platforms
- 3 were for Oracle products
- 2 were for Cisco products
- 1 was for Mac OS X
- None were for Linux
That's quite a different picture than the one the Microsoft press machine wants you to see. Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.
"Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.
The Cyber Security Bulletin 2005 said that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating bugs."
So they took a dozen or more different versions and added together the flaws and got a larger number than one operating system by itself, so they declared that one operating system "safer."
Somebody is either stupid or paid off.
Let's apply that reasoning to homeland security: There are more security threats in the other 49 states put together than in New York by itself. Therefore New York is the safest state for terrorist attacks.
As far as the argument about flaws taking Microsoft longer to discover/fix goes, common sense would tell you that Open Source flaws are easier to discover since everyone can analyze the source code directly and immediately.
I have to agree that lumping the MAC OS in with out UNIX variants is mixing apples and oranges (pardon the pun).
Computer Emergency Readiness Team (CERT) has prepared a report for the government that claims that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Looking at the CERT list he based this off of, I see many things which are not Linux, such as Apache, BZIP, Ethereal, and other *applications*. A bug in the Windows version of Apache is not a Windows bug, it's an Apache bug, but apparently a bug in the Linux version of Apache is a Linux bug.
Cert included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.
So Linux, OSX, and about a dozen UNIX operating systems are double that of Windows? Why not count just Linux, or OSX, or Solaris? What this means is that vulnerabilities in the kernel are not only counted in every Linux distro but also problems which affect multiple UNIX distros are counted.
The remaining 2,058 were multiple operating system vulnerabilities. It is possible to hear the sounds of the provisional wing of the Linux and Apple glee clubs strapping cyber explosives to their belts at the announcement.
Ahh yes, this explains it: it's a hit piece.
It seems that the figures prove the impression of many in the security industry that the only reason Windows boxes get turned over the most is because there are more of them.
If one completely ignores the weaknesses of the study, which include:
- Counting Solaris, HP-UX, AIX, Linux, RedHat, Suse, and applications that run on any of these platforms
- Ignoring time to patch by the vendor
- Ignoring the severity of the bug
Then this statement might have merit.
"What is found" and "What exist" are two VERY different things.
I think so few own them that the hackers have gone after the 95% windows units for the most vast results.