Windows more secure than Linux?
For the last week, I’ve seen various headlines referring to a report from US-CERT that indicated 2005 had 5,198 security flaws reported. Out of those, 2,328 were reported for Linux/Unix, 812 for Windows and 2,058 affected more than one operating system. Now I’m seeing all sorts of headlines about how Windows is more secure than Linux based on this report. (?!?) Did anyone reporting “windows more secure than linux/unix” actually read the report, look at some of the details and compare with the Technical Cyber Security Alerts?
What’s really ironic about all of this is that it came out at a time when we’ve been dealing with the WMF vulnerability, which in fact wasn’t a vulnerability as much as a “feature” of a file format Microsoft designed some time back. (The function has been in use in Windows since 1990.) So this vulnerability was there for each of the last 15 years, but was only discovered and exploited this year; how many unix/linux bugs can claim that kind of heritage?
OH, there’s so much to dissect about this. Hang on, this may be a long article….
For starters, the comparison of Windows vs. Unix/Linux bulletins breaks down as follows. (I’ll try to filter down to the operating systems used. I may overlook some because it’s a long list….) For the linux/unix side I’m not going to read every bulletin, as many cover multiple distributions. I’ll pick out those unix/linuxes (linuces?) that are mentioned by name in the bulletin title. Some are not listed for a core OS problem, but for add-on software. There are similar “add-on” software bulletins for Windows.
Windows covers Windows 98, ME, 2000, XP and 2003
Linux/Unix covers: Apple OS X, Astaro Security Linux, Debian Linux, FreeBSD, Gentoo, HP-UX, IBM AIX, Mandrake Linux, OpenBSD, Red Hat Linux, Sco Openserver, SGI IRix, Sun Solaris, SUSE Linux… if you go reading the details of “multiple vendors” bulletins you’ll find a few more distributions, kubuntu linux, and so on.
So you can see this is a fair comparison, isn’t it? 5 operating systems with a lot of shared code had 812 bulletins, and 14 or more operating systems with varying release policies and varying amounts of shared software and code had 3 times as many bulletins, or 2,328…. not bad at this point, considering we’re looking at at least 3 TIMES AS MANY operating systems in the comparison. (There are many distributions listed in the details that don’t get listed in the count I used above.) However…. let’s look at some more details.
I see a few duplicate advisories in the Windows list. One example is “Microsoft Agent Could Allow Spoofing”, which shows up twice: once with the initial US-CERT bulletin, then again when the Microsoft advisory came out with a patch. In this case, they both refer to the same CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1214. Some entries are duplicated 5 or more times. If you compare the duplicates in the Windows category to those in the Linux/Unix category, though, you’ll find there is MUCH more duplication. Here’s an example:
Clam Anti-Virus ClamAV Remote Denial of Service: the first entry shows multiple operating systems affected: Gentoo, Mandrake, Suse (various versions of each); the next copy adds Trustix, another copy adds Conectiva and yet another adds Altlinux, FOR THE SAME VULNERABILITY. I’m not talking about a vulnerability that has been discovered to be more serious either. All are rated low and are simply reported multiple times when the vendors issue their own bulletins. I saw some duplicated as many as 12 times. It’s especially tedious browsing the “multiple distributions linux kernel” part of the list.
Now, some things should legitimately be counted multiple times in this type of comparison, for instance when a vulnerability is re-analyzed and is found to be more serious. But the fact that 8 distributions put out a bulletin about the same bug does not mean that linux is more dangerous than windows when Microsoft releases 3 bulletins (some covering multiple bugs) in the same amount of time.
Oh, and by the way, the Windows WMF bug was not included in the listing. Yes, I understand that it’s exploitable under linux using Wine, so I guess now 20 distributions + wine and codeweavers and probably transgaming will put out bulletins, and windows will yet again claim to be more secure because there was only one windows bulletin and 23+ linux related bulletins on the issue.
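To make the duplication argument concrete, here is a small added example (my own illustration, not part of the original post or of the US-CERT report) that counts a list of advisories two ways: raw bulletin count per category, the way the headlines did, and unique CVE identifiers per category, which is what actually measures distinct flaws. The advisory list is constructed for the example; the only real identifier in it is CAN-2005-1214 from the Microsoft Agent example above, and the other CVE-style ids are obvious placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    title: str      # bulletin title as it would appear in a year-end list
    category: str   # "windows" or "linux_unix", mirroring the US-CERT split
    cve: str        # CVE/CAN identifier the bulletin refers to
    vendor: str     # who issued this particular bulletin


# Constructed sample data. CAN-2005-1214 is the real id quoted in the post;
# every "CAN-XXXX-..." id below is a placeholder, not a real vulnerability.
SAMPLE = [
    # One Windows flaw, listed twice (initial US-CERT entry, then Microsoft's patch advisory)
    Advisory("Microsoft Agent Could Allow Spoofing", "windows", "CAN-2005-1214", "US-CERT"),
    Advisory("Microsoft Agent Could Allow Spoofing", "windows", "CAN-2005-1214", "Microsoft"),
    Advisory("Example Windows bug (constructed)", "windows", "CAN-XXXX-0001", "Microsoft"),
    # One ClamAV flaw, re-announced once per distribution that ships ClamAV
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "Gentoo"),
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "Mandrake"),
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "SUSE"),
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "Trustix"),
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "Conectiva"),
    Advisory("ClamAV Remote Denial of Service", "linux_unix", "CAN-XXXX-0002", "Altlinux"),
    # One kernel flaw, re-announced by three distributions
    Advisory("Linux kernel example bug (constructed)", "linux_unix", "CAN-XXXX-0003", "Red Hat"),
    Advisory("Linux kernel example bug (constructed)", "linux_unix", "CAN-XXXX-0003", "Debian"),
    Advisory("Linux kernel example bug (constructed)", "linux_unix", "CAN-XXXX-0003", "SUSE"),
]


def raw_counts(advisories):
    """Headline-style count: one per bulletin, duplicates included."""
    counts = defaultdict(int)
    for a in advisories:
        counts[a.category] += 1
    return dict(counts)


def unique_cve_counts(advisories):
    """Count distinct CVE ids per category, so a re-announced flaw counts once."""
    seen = defaultdict(set)
    for a in advisories:
        seen[a.category].add(a.cve)
    return {category: len(ids) for category, ids in seen.items()}


def duplication_report(advisories):
    """Map each CVE announced by more than one vendor to the sorted vendor list."""
    vendors_by_cve = defaultdict(set)
    for a in advisories:
        vendors_by_cve[a.cve].add(a.vendor)
    return {cve: sorted(v) for cve, v in vendors_by_cve.items() if len(v) > 1}


def inflation_ratio(advisories, category):
    """How many bulletins the list carries per distinct flaw in a category."""
    raw = raw_counts(advisories).get(category, 0)
    unique = unique_cve_counts(advisories).get(category, 0)
    return raw / unique if unique else 0.0


if __name__ == "__main__":
    print("raw bulletins:   ", raw_counts(SAMPLE))
    print("unique CVEs:     ", unique_cve_counts(SAMPLE))
    for category in ("windows", "linux_unix"):
        print(f"{category}: {inflation_ratio(SAMPLE, category):.1f} bulletins per flaw")
    for cve, vendors in duplication_report(SAMPLE).items():
        print(f"{cve} announced by {len(vendors)} vendors: {', '.join(vendors)}")
```

On this constructed list the raw count says 9 linux/unix bulletins to 3 for Windows, while the CVE count says 2 to 2; the linux/unix side carries 4.5 bulletins per distinct flaw against 1.5 for Windows, which is exactly the effect of every distribution re-announcing the same bug. Running the same deduplication over a real year-end list (keyed on CVE id rather than title, since titles are reworded between vendors) is the check a reader should do before comparing the headline totals.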
Ok, so let’s look at the Technical Cyber Security Alerts from US-CERT. These are the breaking news, big problem, “danger will robinson” kind of alerts that herald serious vulnerabilities. According to Newsforge (I saw the list too, but I’ll trust their counting abilities…):
22 Technical Cyber Security Alerts were issued in 2005
11 of those alerts were for Windows platforms
3 were for Oracle products
2 were for Cisco products
1 was for Mac OS X
None were for Linux
Oh, well, I guess it’s time for the old “if linux had the market share windows had it would have as many security problems.” Well, let’s see: linux/unix is probably the most widely deployed server operating system in the world, all told. Windows is the most widely deployed desktop operating system. Additionally, linux is open source and the source code can be broadly analyzed. Windows source code is closed, and vulnerabilities can’t easily be discovered through access to the code because it is simply not easy to get access to the code. I would be willing to bet that if Windows source code were opened up we would see at least a doubling in the number of security bulletins. I don’t know, I can’t know and we won’t find out, but that’s my opinion.
Further, it’s worth noting that CERT DIDN’T evaluate the numbers and say that Linux/Unix is more flawed than windows. I’m SURE Microsoft will love to spin these numbers that way, but it just doesn’t stand up to analysis. Now, to be fair, the article cited in the last link did say that the CERT list doesn’t address the severity of the issues, or how quickly they were patched. A look at Secunia found the following….:
CERT’s report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security provider Secunia, 124 of its security advisories relate to flaws in Windows XP Professional. Some 29 of these flaws are unpatched, which lands Microsoft’s operating system with a “highly critical” security rating.
In contrast, Red Hat 9 is covered by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. Suse Linux Enterprise Server 9 is covered in 91 advisories, but every one has been patched by the vendor. Both products get a “not critical” rating.
So which operating system is more secure? I think it’s easier to secure a linux system than a Windows system, but, truth be told, it all boils down to the administration of the system. Even the best security models can be undermined. I personally think Secunia’s analysis is a better way to compare the “relative security” of two products. I like their rating of severity and their keeping track of unpatched vulnerabilities.
Am I biased? Yes, I use linux and I think the open source approach is a better way to build software. I’ve been impressed with the responsiveness and quick turnaround of patches to open source projects, and I’ve been impressed with how seriously MOST open source projects take potential security advisories, whether an exploit exists or not. Some vendors don’t seem to take such “possible vulnerabilities” as seriously unless there is an active working exploit.
To sum up, I don’t think the headline that most people took away from this summary of the year’s security bulletins says it all. Unfortunately many will read into it what they want and, much as was the case with the reporting on the WMF exploit, there can be a lack of depth.