Most Unsecure OS? Yep -- it is Linux!

www.wininformant.com ^ | 1/13/03 | Paul Thurott

[ImaGraftedBranch]

November 26, 2002  | Paul Thurrott
Most Unsecure OS? Yep, It's Linux

According to a new Aberdeen Group report, open-source solution Linux has surpassed Windows as the most vulnerable OS, contrary to the high-profile press Microsoft's security woes receive. Furthermore, the Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions. The report muddles the argument that proprietary software such as Windows is inherently less secure than open solutions. And here's another blow to the status quo: Proprietary UNIX solutions were responsible for just as many security advisories as Linux in the same time period. Could Windows be the most secure mainstream OS available today?

"Open-source software, commonly used in many versions of Linux, UNIX, and network routing equipment, is now the major source of elevated security vulnerabilities for IT buyers," the report reads. "Security advisories for open-source and Linux software accounted for 16 out of the 29 security advisories--about one of every two advisories--published for the first 10 months of 2002. During this same time, vulnerabilities affecting Microsoft products numbered seven, or about one in four of all advisories."

The stunning report makes several claims that seem to fly in the face of widely accepted beliefs. First, the Aberdeen Group says that Windows-based Trojan horse attacks peaked in 2001, when CERT released six such advisories, then bottomed out this year, when CERT didn't issue any alerts. However, Trojan horse-based attacks on Linux, UNIX, and open-source projects jumped from one in 2001 to two in 2002. The Aberdeen Group says this information proves that Linux and UNIX are just as prone to Trojan horse attacks as any other OS, despite press reports to the contrary, and that Mac OS X, which is based on UNIX, is also vulnerable to such attacks. Even more troubling, perhaps, is the use of open-source software in routers, Web servers, firewalls, and other Internet-connected solutions. The Aberdeen Group says that this situation sets up these devices and software products to be "infectious carriers" that intruders can easily usurp.

According to the Aberdeen Group, the open-source community's claim that it can fix security vulnerabilities more quickly than proprietary developers can means little. The group says that the open-source software and hardware solutions need more rigorous security testing before they're released to customers. This statement is particularly problematic because many Linux distributions lack the sophisticated automatic-update technologies modern Windows versions contain.

We can rail against Microsoft and its security policies, but far more people and systems use Microsoft's software than the competition's software. I believe that we'll never know how secure Linux is, compared with Windows, until a comparable number of people and systems use Linux. But despite the fact that Linux isn't as prevalent as Windows, we're still seeing a dramatic increase in Linux security advisories today. I think the conclusion is obvious.

[ImaGraftedBranch]

In part, the article states: "...more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions. The report muddles the argument that proprietary software such as Windows is inherently less secure than open solutions. And here's another blow to the status quo: Proprietary UNIX solutions were responsible for just as many security advisories as Linux in the same time period."

When there are 50 million Linux PCs to match the 50 million windows PCs, it will be extremely obvious that open source is not the way to go. You think the number of problems windows has had was bad? Wait until you have 50 million people using it, then fixing all of the problems -- as well as distributing them -- to people that purchased Linux because administrative costs were so low. Oh, Yeah -- we fired our administrators after we bought Linux....oops.

[Mo1]

PLEASE SUPPORT FREE REPUBLIC

Donate Here By Secure Server

Or mail checks to
FreeRepublic , LLC
PO BOX 9771
FRESNO, CA 93794
or you can use
PayPal at Jimrob@psnw.com

Become A Monthly Donor
STOP BY AND BUMP THE FUNDRAISER THREAD

[chance33_98]

Your slipping, why didn't you post this ;)

[The Duke]

Actually, if the argument is simply the level of risk
associated with open systems vs. proprietary systems isn't
that simply another way of advocating "security through
obscurity" - a paradigm that is no longer embraced by the
security community (or so they say)?

[jbstrick]

I recieve these CERT Advisories.

I would like to see this groups research in detail. What types of advisories were listed? How severe were they? etc.

[general_re]

Windows advocates were perfectly right last year to point out that the number of advisories was a worthless metric for determining the security of an operating system. It's still a worthless metric, even when the shoe's on the other foot...

[Digital Chaos]

...Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions.

Security advisories for open-source and Linux software accounted for 16 out of the 29 security advisories

They are not saying that Linux had more security problems than Windows, they are lumping Linux together with ALL open source software. There is a big difference.

[2 Kool 2 Be 4-Gotten]

Paul Thurrott
   Write for Windows & .NET Magazine  

Paul Thurrott is the news editor for Windows & .NET Magazine. He writes a weekly editorial
for Windows & .NET Magazine UPDATE (http://www.win2000mag.net/email) and writes a daily
Windows news and information newsletter called WinInfo Daily UPDATE (http://www.wininformant.com). 

Did a quick google search on Thurott. He's got a dog in this fight, that's for sure.

[hchutch]

From what I understand, the major versions of Linux (Mandrake, Red Hat, and the PRC rip-off of Red Hat - Red Flag) ARE open-source.

*shudders*

I'll stick with Windows.

[ikka]

This one is a howler.

Tell me again why all my customers are trying like crazy to get onto a Linux or Unix-based platform and away from NT and MS in general.

Tell me why, of all the scans that my web servers get, the bulk of them are from Windows boxes that have been compromised with the NIMDA virus (a patch for which has been out for a year).

[babyface00]

I'd like to see some details too.

The vast majority of viruses and worms are transmitted by e-mail. Yes, servers are vulnerable from attack directly, so lets see the security comparison between the two servers, under direct attack.

Linux and Windows servers may be just as vulnerable on the system level (although I doubt it), but the huge doorway into the organization is Outlook. It doesn't matter how secure your front door is, when you've got the garage door wide open and every kid in the neighborhood can wander in.

[Bush2000]

Your slipping, why didn't you post this ;)

Because this isn't anything new. Most everyone (without an ideological axe to grind, that is) recognizes that open source code is just as buggy as closed source.

[Bush2000]

Tell me again why all my customers are trying like crazy to get onto a Linux or Unix-based platform and away from NT and MS in general.

Because you're a dedicated ABMer who doesn't serve MS customers.

[Bush2000]

Did a quick google search on Thurott. He's got a dog in this fight, that's for sure.

Thurott is merely reporting research by Aberdeen Group. Are they shills, too? /NOT

[Question_Assumptions]

Without knowing the severity and scope of the advisories, you can't really make a comparison. As an analogy, just counting legal infractions would make me, with maybe a half-dozen traffic citations, a worse criminal than a person with a single murder conviction.

[Dominic Harr]

Look at the date on this article.

It's old, and was indeed posted before.

It is a falsified report. Funny stuff, actually. Look into how they arrived at their conclusions . . .

Propaganda has to be repeated, to be effective.

And yes, Smeagol2000 was there.

Nasty little linuxes, smeagol will throttle them, yessss, preciousssss.

[Bush2000]

It's old, and was indeed posted before.

November 11, 2002. That's old?

It is a falsified report.

It's pretty amusing to see Linux sycophants twist in the wind when their lies are exposed...

[babygene]

" When there are 50 million Linux PCs to match the 50 million windows PCs"

Most front end equipment (routers, cable modems, etc.) use open source OS's. Many (probably a large portion) of the Windows machines in the home or business hide behind a NON-MS operating system.

This front end equipment takes the brunt of attacks. The simple fact is that if you have a Windows machine on a network without a firewall, you WILL get infected. Probably within 45 minutes.

Even with a firewall, if you run IE for a browser and/or Outlook for mail, you WILL get infected.

[HAL9000]

When there are 50 million Linux PCs to match the 50 million windows PCs, it will be extremely obvious that open source is not the way to go.

The Aberdeen Group is lulling unwary Windows users into a false sense of security with their flawed analysis. Counting advisories is not the way to determine which platform is most vulnerable.

History shows that *nix system users are more diligent about reporting security issues as soon as they are discovered, and issuing a fix as soon as possible. Microsoft ignores security issues, avoids issuing security advisories and delays issuing fixes.