CERT Report - Linux has more flaws than Windows

Discussion in 'News and Article Comments' started by syngod, Jan 6, 2006.

  1. syngod

    syngod Moderator

    The United States Computer Emergency Readiness Team (CERT) has prepared a report for the government that claims that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
    CERT included under the Linux umbrella Mac OS X, as well as the various Linux distributions and flavours of Unix. It claimed that the Unix camp had more than twice as many vulnerabilities as Windows.

    The Cyber Security Bulletin 2005 said that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating system bugs.

    The remaining 2,058 were multiple operating system vulnerabilities. It is possible to hear the sounds of the provisional wing of the Linux and Apple glee clubs strapping cyber explosives to their belts at the announcement.

    It seems that the figures prove the impression of many in the security industry that the only reason Windows boxes get turned over the most is because there are more of them.

    CERT's figures did not include figures for how quickly vulnerabilities are patched once they are discovered. You can have a look at the report here. And flame CERT, not us.

    Source: The Inquirer
     
  2. syngod

    syngod Moderator

    This report doesn't say which *nix-based OSes are causing which vulnerabilities (for the most part anyway), but at least from CERT's perspective it looks as though *nix isn't the be-all and end-all security solution a lot of people think it to be.
     
  3. Nic

    Nic Sleepy Head

    Wow... that's madness.
     
  4. megamaced

    megamaced Geek Geek Geek!

    That is going to turn a few heads and raise a lot of questions!

    Looks like I'm better off with Windows after all :D
     
  5. pelvis_3

    pelvis_3 HWF Member For Life

    No one is better off with Windows :x:
     
  6. Addis

    Addis The King

    That's a huge variety of Linux/BSD/Unix and Mac OS X as well. But the most developed Unices like OpenBSD (the most secure OS), NetBSD and hardened kernels of Linux are very secure. This investigation includes the hundreds of flavours of Linux/Unix vs Windows, so the comparison is unfair.

    Throw in the built-in resistance to viruses and it would show this report for what it really is.

    Edit: after today's press frenzy over this report: http://news.com.com/Experts+question+Windows+win+in+flaw+tally/2100-1002_3-6021867.html
     
  7. syngod

    syngod Moderator

    Like I said in my second post, they don't mention which OS is affected on either the Windows side or the *nix side, except for the few that have the distribution name listed in the flaw.

    But at least from the looks of it, they're telling the US government that Windows is a more secure platform. It could be that a certain flavour of *nix is more secure, but their general consensus is that MS has the more secure platform. I think it's significant that, at least as far as the US is concerned, Windows has the safer platform, and that they believe if *nix were to become as prevalent as Windows it would be an easier target to exploit than Windows.

    The only thing I think they should really have included is the time to fix the vulnerabilities. After all, if you have 1,200 vulnerabilities and they're patched quickly before they can be exploited, I'd say you have a better system than someone who has 100 vulnerabilities and has 20 exploited due to long patch times.
     
  8. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    ~~ I Call B.S. ~~

    Rebuttal:

    This is truly hilarious. Come on, let's look at the facts, not the overwhelming slant. They are counting every single *nix as "Unix", every distro, even Mac OS X, and lumping them all together. There are literally thousands of Linux distributions. Also, they are counting every vulnerability reported for every piece of software that runs on some form of *nix. That means that a vulnerability in Safari, which only runs in OS X, is counted as a "Unix vulnerability". A distro-specific flaw in SUSE, for example, is also counted as a *nix bug. They act like the entire platform is monolithic, like Windows, and that one bug which applies to one specific flavor of *nix somehow applies to all. In effect, the same bugs are counted multiple times, even when they don't apply to all *nixes. Frankly, to do so is dishonest and ethically bankrupt. Certainly someone has an axe to grind here?

    Realistically, almost all *nix software, especially in Linux and BSD, is optional for the system to function. Not only that, but each individual Linux vendor takes responsibility for supplying patches for vulnerabilities in literally thousands of specific apps which are not part of the operating system itself, such as media apps, office apps, even games. Windows does not, but that doesn't mean that such software cannot contain vulnerabilities, does it? Also, the OSS community especially has an excellent track record of actually disclosing and patching vulnerabilities in a timely manner. As any educated person knows, Microsoft is horrible in this respect. For reference, take a look over here. You'll notice that although Linux distros are responsible for more than 100X more software per distro than Windows, they are all 100% patched where Microsoft products are nowhere close. This article is FUD in its purest form.
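The two objections raised in posts 7 and 8 (a raw count that files one cross-platform bug under several platforms, and a count that ignores how long each flaw stayed unpatched) can be made concrete with a small script. This is an added example written for this page, not code from CERT, the Inquirer or any poster; every advisory record, flaw id, component name and patch time in it is constructed for the demonstration and none corresponds to a real advisory.

```python
# Added example, not from the thread, the Inquirer article or the CERT bulletin.
# It tallies a small constructed set of advisory records two ways, to show how
# the counting method decides the headline number, and adds the patch-time
# measure the thread says the bulletin left out. All records and identifiers
# below are constructed for illustration; none is a real advisory or CVE.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Tuple

UNIX_FAMILY = {"Linux", "macOS", "BSD"}


@dataclass(frozen=True)
class Advisory:
    flaw_id: str                 # constructed identifier, not a real CVE number
    component: str               # the software the advisory is actually about
    platforms: Tuple[str, ...]   # platforms the advisory was filed against
    days_to_patch: int           # days from public disclosure to vendor fix


# Constructed sample records (hypothetical, for the demonstration only).
ADVISORIES = (
    Advisory("FLAW-0001", "web browser", ("Windows", "Linux", "macOS"), 3),
    Advisory("FLAW-0002", "web server", ("Windows", "Linux"), 7),
    Advisory("FLAW-0003", "kernel driver", ("Windows",), 45),
    Advisory("FLAW-0004", "media player", ("Linux",), 2),
    Advisory("FLAW-0005", "package manager", ("Linux",), 5),
    Advisory("FLAW-0006", "office suite", ("Windows", "Linux", "macOS"), 10),
)


def family_of(platform: str) -> str:
    """Map a platform name onto the two families the bulletin compares."""
    return "Unix/Linux" if platform in UNIX_FAMILY else "Windows"


def per_platform_tally(advisories: Iterable[Advisory]) -> Counter:
    """Count an advisory once under the family of EVERY platform it lists.
    A cross-platform browser bug filed on three platforms therefore shows up
    three times; this is the inflation the thread complains about."""
    counts: Counter = Counter()
    for adv in advisories:
        for platform in adv.platforms:
            counts[family_of(platform)] += 1
    return counts


def distinct_flaw_tally(advisories: Iterable[Advisory]) -> Counter:
    """Count each flaw id exactly once: Windows-only, Unix/Linux-only, or
    'multiple' when it affects both families."""
    counts: Counter = Counter()
    for adv in advisories:
        families = {family_of(p) for p in adv.platforms}
        counts["multiple" if len(families) > 1 else families.pop()] += 1
    return counts


def mean_days_to_patch(advisories: Iterable[Advisory], family: str) -> float:
    """Average days a flaw affecting `family` stayed unpatched, the
    time-to-fix dimension a raw count does not capture."""
    days = [adv.days_to_patch for adv in advisories
            if family in {family_of(p) for p in adv.platforms}]
    return sum(days) / len(days) if days else 0.0


if __name__ == "__main__":
    print("per-platform tally:", dict(per_platform_tally(ADVISORIES)))
    print("distinct flaws:    ", dict(distinct_flaw_tally(ADVISORIES)))
    for fam in ("Windows", "Unix/Linux"):
        print(f"mean days to patch, {fam}: {mean_days_to_patch(ADVISORIES, fam):.1f}")
```

On this constructed input the per-platform tally reports 7 Unix/Linux entries against 4 Windows entries, while counting each flaw once gives 1 Windows-only, 2 Unix/Linux-only and 3 shared; the same six records also give a mean patch time of 16.25 days on the Windows side and 5.4 on the Unix/Linux side, which is the kind of figure a defender would want next to the count before drawing any conclusion about exposure.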
     
  9. Fred

    Fred Moderator

    Yeah. Thank you AT. I was just about to go there. And on top of that, if you read Addis' link, it also clears things up a bit. First off, the report was "collected from different sources with different criteria for the collection of flaws." <-WTF? Boy, that's a real reliable report. It sure would say something for our government if they take seriously a report that's made up of that sort of material. A software consulting engineer for Red Hat Linux said "For example, Firefox is categorized as a Unix/Linux operating-system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms", yet they aren't counted as Windows flaws. Why is that? But come on people, think about this logically. They're taking every linuxish distro and every piece of software for the distro into account and comparing it to JUST the core OS of another. And like AT pointed out, all of the software you include in your Linux box is optional, even the GUI. For a more honest look at the same data, consult Addis' link.
     