Linux Has Bugs; Get Over It
Information Week ^ | 1-27-03 | Fred Langa

Posted on 01/28/2003 8:12:14 AM PST by ImaGraftedBranch

Langa Letter: Linux Has Bugs: Get Over It

Fred Langa contends that some Linux proponents harm their cause by hiding from the facts--it's just as buggy as Windows XP.

By Fred Langa, InformationWeek
Jan 27, 2003 (12:00 AM)
URL: http://www.informationweek.com/story/IWK20030124S0013

I made a private bet with myself when I ran an item in my newsletter called "Linux Hacks On The Rise". It cited a study of software problems reported by CERT--the Computer Emergency Response Team that impartially tracks computing security threats. (CERT is part of a federally funded research and development center at Carnegie Mellon University in Pittsburgh.)

Among other things, the article said: "...more than 50% of all [CERT] security advisories ... in the first 10 months of 2002 were for Linux and other open-source software solutions."

My only point in bringing up this issue was to show that no operating system is immune to bugs and security issues: As Linux grows in popularity, it will have its own full share of problems.

It's hard to imagine a less inflammatory or more obvious assertion--that all operating systems have bugs and security issues--but I won my bet: Linux and open-source fans thought I was attacking them or their preferred operating system. They deluged me with E-mails, many irate, claiming that CERT (and I) were dead wrong.

The two most-common arguments against the report were:

1) There really aren't that many Linux/open source bugs, especially compared with, say, Microsoft Windows. Many readers argued further that CERT erred by counting the same bugs multiple times in different distributions and versions of Linux or other open-source software; these repeated bugs should have been counted as one meta-bug.

2) Open source bugs, when they do occur, aren't that big a deal anyway because they can be fixed far faster than Windows bugs.

Trouble is, these arguments are based on old information: Yes, there once was a time when both of the above statements were true, but in a moment I'll show you some very current, non-CERT stats and info that illustrate why both statements are now emphatically false. (We'll get to the specifics in a moment.)

But this isn't a bad thing. Rather, I take it as a very positive sign of the growing maturity and mainstream appeal of Linux and open source software. Let me explain:

Linux's And Open Source Software's Excellent History
Linux (and the whole open source movement in general) got its reputation for solid software and rapid fixes when this software was used mostly by a relatively small group of extremely knowledgeable people. They knew what they were doing, and generally ran their software on stable, proven hardware platforms; or, when brand-new hardware was used, it was used in fairly generic ways. (For example, video card drivers for Linux tended not to support exotic feature sets; Linux video usually operated at fairly conventional resolutions and settings.)

This is a benign development environment. Any software can succeed if it's placed only in the hands of a small group of knowledgeable experts who can avoid many problems in the first place, and participate in rapid repair of any unavoidable problems that do occur.

And "rapid repair" was a very real thing: The open source arena tended to attract some of the best and brightest of the world's computing community; people who wanted to do good, and whose contributions were almost always positive, focused on the continual improvement of their software.

But things changed. The open source community has fragmented into myriad competing segments, each with its own different, and increasingly quasi-proprietary, distributions of software. Huge numbers of new users of all skill levels have entered what once had been an experts-only enclave. (Even Wal-Mart now sells cheap PCs with Linux and open source applications preinstalled.) It's much harder to produce software for an audience of all skill levels running who-knows-what hardware, than for an audience only of experts running a limited subset of known-good hardware.

And, not trivially, as the Linux/open source segment has grown, it's finally attracted the attention of crackers (malicious hackers). You see, crackers like to aim at the fat part of the bell curve because that's where the most potential victims are. That's one of the primary reasons why more people try to hack Microsoft software than any other: If a malicious hacker wants fame or notoriety, Microsoft software is the obvious target because more people use Microsoft software than any other.

And to me, this is a key thing: When the Linux/open source community was tiny, few hackers bothered to look for exploitable issues there. It simply wasn't an attractive target. In other words, it wasn't so much that Linux and similar software were truly free from exploitable holes, but simply that no one was trying to find them.

But again, that all changed as Linux and open source software entered the mainstream. Now that this software is a fully viable alternative to conventional commercial software, an inevitable consequence is that more problems will come to light. As novice users, funky hardware mixes, and active cracking all come into play, the bug counts are going up. In fact, way up.

Counting Bugs
There's no perfect, 100% reliable way of comparing bugs across operating systems, especially in an environment where operating systems usually ship with bundled software that may have its own, separate quality issues. But let's start by looking just at the operating system itself:

We can avoid CERT's problem of counting the same bug more than once if we compare the security patch/update counts for one popular distribution and version of Linux to one popular version of Microsoft Windows. In this way, we won't have the Linux count skewed by the same bug cropping up in hundreds of other versions and distributions; or have the Windows count skewed by bugs in other Windows versions or software products from Microsoft.

To further refine the comparison, let's look at operating system versions that came to market at about the same date. This way, both operating systems would have a more or less equal time during which problems could come to light.

It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were released within a few weeks of each other. Both are still current and are actively supported by their respective vendors. So, let's take a look, starting on each vendor's patch/update pages:

For Red Hat Linux 7.2, you go to the Red Hat "errata" page https://rhn.redhat.com/errata/ and from there to the page specific to version 7.2, https://rhn.redhat.com/errata/rh72-errata.html. There, you'll see that, to date, Red Hat has issued 151 patches and updates (mostly for security issues; that's what the "broken lock" icon means) for that Linux version. For a very crude sense of scale, that works out to an average of around 2.3 patches per week.

Next, let's do the same thing for XP Professional, starting on Microsoft's errata page, the "HotFix & Security Bulletin Service"; use the pull-down menu to isolate just the XP-related items. You'll see that the page lists 21 XP-specific patches and updates to date. That's an average of 0.35 patches per week.

But wait: Maybe that's not a fair count. After all, XP is the newest Windows version, but RH 7.2 isn't the newest Linux version. Red Hat's newest version is actually version 8.0, so let's look at that. Its errata page lists 27 patches and bug fixes issued in the four months the operating system has been available, an average of around 1.6 patches per week, so far. That's a rate significantly less than Red Hat 7.2's, but still more than XP's.

These numbers may surprise you because we've all seen a veritable blizzard of patches and updates issued from Redmond. But Microsoft currently has 157 software products under active support, and a typical PC may have not only a Microsoft operating system but also a Microsoft browser, mail program, media player, office suite, and more. In the aggregate, the total number of bugs and patches to keep up with for all this software is daunting. And some of the issues have indeed been severe. (For example, Outlook Express was for years the very worst security hole on most PCs.)

But, if it's unfair to lump all open source software together for bug-counting purposes, it's also unfair to do the same thing for all Microsoft software. (Otherwise, to get an accurate assessment for Linux systems, you'd have to include the bugs from open source browsers and all other normal system add-ins or add-ons, on top of Linux's own bugs.) Instead, to avoid an apples/oranges comparison, it's better to look at specific brands, types, and builds of products across similar amounts of time: That's the only accurate way to see how, say, operating systems compare, or browsers compare, or E-mail programs compare, and so on.

But what about the types or severity of bugs? In fact, I hear this a lot from Linux partisans, that Microsoft bugs are "worse" than Linux bugs. There's a lot of subjectivity in better or worse comparisons, of course. But as a quick example, here's a Red Hat Linux 7.2 bug as described on the Red Hat page:

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that lets program debuggers run) that could be abused by local users to gain root privileges.

Now here's an XP bug, as described on the Microsoft site:

Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation: A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and gain complete control over it.

Which is "worse"? I actually think these are about the same--either way, someone can take over your PC. But some Linux partisans will insist that the Microsoft bug is somehow "worse." I disagree, but don't take my word for it: Read the descriptions of some bugs from the XP list and some from the Red Hat list, and make up your own mind.

Does all this mean Linux is terrible? Not at all! Complex software will always have bugs and security problems, and I consider Linux's bugs to be in the fully normal range and not worth getting agitated over. What's more, it's great to see such active bug-fixing as the Red Hat pages indicate: There always will be bugs in any software, and the rational thing to do is to fix them, rather than try to convince others that the bugs aren't real or somehow don't count.

Does all this mean XP is inherently wonderful? Nope. XP's bugs are fewer than Red Hat Linux 7.2, but also within the normal range, and likewise merit neither ecstasy nor apoplexy. And, as I said before, there's other Microsoft software--some of it bundled with XP--that has much worse records.

So here's what it does mean: Linux is a normal operating system; so is XP. Both have bugs, some major, some minor. Anyone who tells you that Linux is "inherently more secure" or "much less buggy" than XP simply isn't working from current facts. The reality is that bugs happen, even in Linux: Get over it.

Speed Of Fixes
The second most-cited argument in reader mail was along the lines of: "Open Source bugs aren't that big a deal because they can be fixed far faster than Windows bugs."

Yes, under the very best and limited circumstances, this can be true: A raw, initial fix can be posted online sometimes within hours of a bug coming to light, and that's wonderful, when it happens. But that initial posting is often in source code, or in a form that requires that parts of the operating system or software be rebuilt or recompiled by the user. And it's usually posted in special developer-only portions of open-source Web sites. In other words, the patch may be useful to a handful of expert users. That's great for them, but what about everyone else?

Most patches take much longer to appear, and longer still to become generally available to all affected users, in finished, tested, easily installable form--even if, technically speaking, the initial instance of the bug was stomped out very quickly. Given the growing fragmentation of the open source community and the increasingly quasi-proprietary distributions of Linux, how could it be otherwise? It has to take time to get patches out.

Consider just two cases in point: The open source Mozilla project ran three years late in development, and that was just a browser, not an entire operating system. Linux itself took about 7 years before it was even remotely ready for prime time. In the face of software gestations this lengthy, I think it's hard to argue that open source's supposed "fast fixes" actually mean much in real-world benefits.

This is a big chunk of Microsoft's problem, of course--it takes time to release a finished, auto-installing patch for all versions and builds of all affected in-use Microsoft software. This often makes Microsoft patches appear weeks or months after a bug comes to light. But as Linux and other open-source software face the same kinds of market problems, their pace is slowing, too. It's inevitable. The more complex and fragmented a software market is, the longer it will take for fixes to diffuse out to all builds and versions. Complex software takes time to write and debug: Get over it.

Put Down Those Flamethrowers
Don't get me wrong: I think the open source movement is a good thing, and I like Linux--it's running right now on two of my office PCs. And none of the above excuses or lessens the seriousness of Windows' own problems with bugs and security issues.

But, as much as the partisans wish it were so, open sourcing isn't a magic solution to the problems of bugs and security issues. As Linux and other open-source software grow in popularity and extend into a fragmented, uncontrolled mass marketplace, they will inevitably have their own full share of bugs and security problems, same as with any other software.

Anyone who tells you differently, or tries to convince you that their favorite operating system is somehow immune to market forces, human error, and plain malice, is doing both you and the operating system they espouse a disservice.


TOPICS: Business/Economy; Technical
KEYWORDS: bugs; computers; linux; opensource; pc; unix; windows
Valid points. From an in-depth study of both current windows and current Linux, it is obvious that with the growing base of Linux users, more bugs will be uncovered. Just like what happened with Windows. Coders are not error free, and we can not foresee every possible contingency.

Sometimes Linux fans seem to think that their OS is 100% failsafe. It's not, and with wider usage, more bugs will be found. But, that is normal.

1 posted on 01/28/2003 8:12:14 AM PST by ImaGraftedBranch

To: ImaGraftedBranch
Of course Linux has bugs.

However, it is not a

THREAT TO UNITED STATES NATIONAL SECURITY DURING WARTIME

The way MicroSoft's "buggy" products are...

2 posted on 01/28/2003 8:16:39 AM PST by chilepepper

To: ImaGraftedBranch
I've never heard anyone claim it was bug free. You only need to go to www.bugzilla.org to see how many bugs Linux has. They are publicly documented. There is no effort to deny the existence of coding errors, conflicts, etc. - unlike those who practice "security through obscurity" and slip undocumented fixes in with service packs.
3 posted on 01/28/2003 8:23:24 AM PST by shadowman99

To: ImaGraftedBranch

4 posted on 01/28/2003 8:28:27 AM PST by Nick Danger (Heave la France)

To: shadowman99
Windows ships with how many extra programs? WordPad, IE, a couple of crappy games. Oh yeah, Notepad, Paint and Sound Recorder. Windows Media Player has had security patches recently.

Red Hat bundles literally thousands of extra programs.

Let's see the bugs per software package numbers...

Not that I hate Windows, I think it's great. So is Linux.
5 posted on 01/28/2003 8:29:16 AM PST by toothless

To: ImaGraftedBranch
Running Apache on top of Linux is a killer app. Running MS Word on top of Windows is a killer app. As always, the market gravitates to the best tool for the job. People want to frame the issue as "either/or" when in fact there are compelling reasons to use both, depending on the application.

I realize this thread is arguing over bugs and security, but inevitably people want to argue over what's better. It's as if they want one OS to "win". Isn't an OS "winning" how we got into the situation that we are currently in?
6 posted on 01/28/2003 8:34:16 AM PST by 2 Kool 2 Be 4-Gotten

To: ImaGraftedBranch
First, counting patches as an indicator of bugginess is flawed. The flip side is that a patch count is an indication of user responsiveness. It's hard to get fixes out of Redmond! A count also does not take bundling or batching into account.

Second, timeliness is there for users willing to recompile kernels. We found a problem in 2000 in the System V shared memory implementation which had been introduced by a patch submitted from Germany. I tracked down the responsible party and sent them an e-mail on Friday evening. After several mail exchanges on the week-end we had a fix in hand on Monday morning. The final fix was submitted for inclusion in the kernel during the next edit for the benefit of everyone else. How often does Redmond even bother to patch features which are in error?
7 posted on 01/28/2003 8:41:52 AM PST by the_Watchman

To: chilepepper
Sorry, but the #1 security threat to the United States isn't their use of Microsoft operating systems, it is the masses of incompetent people that the government employs.
8 posted on 01/28/2003 8:43:57 AM PST by xrp

To: xrp
#2 is the kowtowing to political correctness, which ties in with #1.
9 posted on 01/28/2003 8:45:17 AM PST by xrp

To: the_Watchman
They will post patches/tell you why their programs can't install or crash -- IF YOU PAY THEM FOR THE FIX!! How do you think Msft makes billions?
10 posted on 01/28/2003 8:49:08 AM PST by mj1234

To: shadowman99
I've never heard anyone claim it was bug free. You only need to go to www.bugzilla.org to see how many bugs Linux has. They are publicly documented. There is no effort to deny the existence of coding errors, conflicts, etc. - unlike those who practice "security through obscurity" and slip undocumented fixes in with service packs.

Indeed. Moreover, this argument that Windows is somehow absolved of blame because Linux has bugs is absurd.

It's not the quantity of bugs that causes problems; it's the quality of the bugs.

So far, Microsoft holds the title at being the most worm-friendly vendor of digital products on the 'net. BAR NONE.

In just the past two years we've had Code Red (I & II), Nimda, Melissa, ILOVEYOU, and Sapphire...all of which have -- according to business reports -- cost BILLIONS to clean up.

The last "successful" UNIX worm occurred back in the late 1980s. The UNIX crowd learned its lesson. But Microsoft keeps on making the same mistakes over and over again and expects different results. Worse still, when they release their patches for their original screw-ups, the patches come with a ridiculously prohibitive End User License Agreement (EULA) that demands the user sign over practically everything, save for their eternal soul.

-Jay

11 posted on 01/28/2003 8:49:24 AM PST by Jay D. Dyson

To: chilepepper
A THREAT TO UNITED STATES SECURITY IN WARTIME

This brings up one other thought:

The people that did this clearly had known about the exploit and were holding it back, and only released it now because the 'service pack' came out last Wed.

What else are our adversaries like China holding back for just the right moment?

12 posted on 01/28/2003 8:52:16 AM PST by Dominic Harr

To: Jay D. Dyson
How about that Slapper worm that in 2002 hit Apache and OpenSSL running on Linux platforms?
13 posted on 01/28/2003 8:52:41 AM PST by xrp

To: ImaGraftedBranch
Consider, if you take a test, and miss 5 out of 10 questions.

If you said, "Well, no one's perfect, everyone misses questions on tests", you'd obviously be making excuses.

I'm not even a Linux guy, but it's too obvious to the professionals:

All software has bugs.

MS products have *more* bugs, the bugs are *more* serious, and they do *more* damage, time and time again.

The argument, "Linux has bugs too", is specifically designed to pretend that there's no difference in quality.

14 posted on 01/28/2003 8:57:35 AM PST by Dominic Harr (Certified Java Bigot (also a 'chainsaw' bigot when it comes to cutting down trees))

To: xrp
How about that Slapper worm that in 2002 hit Apache and OpenSSL running on Linux platforms?

It was neutered before it even got a foothold. Show me where it's still crawling on the 'net (unlike Code Red and Nimda).

-Jay

15 posted on 01/28/2003 9:24:33 AM PST by Jay D. Dyson

To: xrp
How about that Slapper worm that in 2002 hit Apache and OpenSSL running on Linux platforms?

Correct me if I'm wrong, but I don't believe that worm brought down 13,000 Bank of America ATMs and knocked out the Internet in Korea.

16 posted on 01/28/2003 9:33:04 AM PST by chilepepper

To: chilepepper
You're exactly right, but the worm had the same potential. I guess one could pose the argument that people running Windows are more careless than those running UNIX/variants as Microsoft had a fix available in July 2002.
17 posted on 01/28/2003 9:48:14 AM PST by xrp

To: ImaGraftedBranch
Apples and oranges. Windows considers its "Operating System" to include such applications as Web Browsers, etc. In the world of Linux the operating system is a relatively small core of code, small enough that it could very well be free of bugs.

If we're going to consider system commands and utilities as part of the operating system then the bug counts may start to be comparable, however the very fact that these distinctions exist under Linux is itself a TREMENDOUS boost to security.

18 posted on 01/28/2003 9:53:45 AM PST by The Duke

To: chilepepper
However, it is not a THREAT TO UNITED STATES NATIONAL SECURITY DURING WARTIME The way MicroSoft's "buggy" products are...

Rrrrrrrrrrright. Like buffer overflows in Apache or BIND or mySQL don't constitute an IDENTICAL THREAT. Only a trolling, ideologically-driven, ABM bigot would think otherwise.
19 posted on 01/28/2003 10:19:29 AM PST by Bush2000

To: Jay D. Dyson
So far, Microsoft holds the title at being the most worm-friendly vendor of digital products on the 'net. BAR NONE.

Wrong. Linux crapware is equally worm-friendly. The difference is that most hackers are more interested in bringing down MS than attacking Linux...
20 posted on 01/28/2003 10:21:19 AM PST by Bush2000