05 January 2006

Windows XP five times as vulnerable to network attacks as Linux 2.6

67% of Linux vulnerabilities are network-safe (i.e. not exploitable over the network), vs. a mere 13% of MS-Windows XP vulnerabilities. Source: Secunia.

That makes a better headline, don’t you think?
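The post's headline comes from weighting advisories by attack vector rather than just counting them. The script below is an added example (not from the post or from Secunia) that makes the competing numbers explicit: a raw tally, the share of each product's advisories that cannot be reached over the network, the count of network-exposed advisories, and the count left unpatched. The advisory records are constructed for illustration; the `where` field is modelled loosely on Secunia's "Where" classification and is an assumption, not real Secunia data. Note that the multiple you get depends on which column you compare: the same sample gives one ratio for the network-safe shares and a different one for the network-exposed counts.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Advisory:
    product: str
    where: str       # attack vector, assumed Secunia-style: "remote", "local network" or "local system"
    patched: bool


# Constructed sample advisories for illustration only (an assumption, not Secunia's feed).
SAMPLE = [
    Advisory("Linux 2.6", "local system", True),
    Advisory("Linux 2.6", "local system", True),
    Advisory("Linux 2.6", "local system", True),
    Advisory("Linux 2.6", "local system", True),
    Advisory("Linux 2.6", "remote", True),
    Advisory("Linux 2.6", "local network", True),
    Advisory("Windows XP", "local system", True),
    Advisory("Windows XP", "remote", True),
    Advisory("Windows XP", "remote", True),
    Advisory("Windows XP", "remote", False),
    Advisory("Windows XP", "remote", True),
    Advisory("Windows XP", "local network", True),
    Advisory("Windows XP", "remote", False),
    Advisory("Windows XP", "remote", True),
]

# "Network-safe" here means the attacker already needs an account on the box.
NETWORK_SAFE = {"local system"}


def raw_tally(advisories):
    """The headline-count approach: one point per advisory, regardless of exposure."""
    return Counter(a.product for a in advisories)


def network_safe_share(advisories, product):
    """Fraction of a product's advisories that cannot be reached over the network."""
    mine = [a for a in advisories if a.product == product]
    if not mine:
        raise ValueError(f"no advisories for {product!r}")
    safe = sum(1 for a in mine if a.where in NETWORK_SAFE)
    return Fraction(safe, len(mine))   # exact, so 4/6 stays 2/3 rather than 0.666...


def network_exposed_count(advisories, product):
    """How many advisories an attacker could use without a local account."""
    return sum(1 for a in advisories
               if a.product == product and a.where not in NETWORK_SAFE)


def unpatched_count(advisories, product):
    """What the vendor has left open, which is what the ZDNet piece ends on."""
    return sum(1 for a in advisories if a.product == product and not a.patched)


def scorecard(advisories):
    """All the competing numbers side by side, so you can see which headline each supports."""
    return {
        product: {
            "advisories": n,
            "network_safe_share": network_safe_share(advisories, product),
            "network_exposed": network_exposed_count(advisories, product),
            "unpatched": unpatched_count(advisories, product),
        }
        for product, n in raw_tally(advisories).items()
    }


if __name__ == "__main__":
    for product, row in scorecard(SAMPLE).items():
        pretty = {k: (f"{float(v):.0%}" if isinstance(v, Fraction) else v) for k, v in row.items()}
        print(product, pretty)
```

On this constructed sample the raw tally favours Linux only mildly (6 vs 8), the network-safe shares come out at 67% vs 13% (a multiple of about 5), the network-exposed counts at 2 vs 7 (a multiple of 3.5), and the unpatched column at 0 vs 2. Whichever column you print is the headline you get.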


Alpha said...

Not sure of the real truth here, but it was published on zdnet.com.au:

Linux, Unix 'had more vulnerabilities than Windows'
By Tom Espiner, ZDNet UK
06 January 2006 02:08 PM

The US government has reported that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.
Linux/Unix-based operating systems -- a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix -- had more than twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.

The report -- Cyber Security Bulletin 2005 -- was published last week and found that out of 5,198 reported vulnerabilities, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating system vulnerabilities. 2,058 were multiple operating system vulnerabilities.

However, the popularity of Windows means it is still much more likely to be attacked than Linux, according to security firm McAfee.

"In the Windows vs Unix debate, the number of vulnerabilities is less relevant than the amount that are turned into successful attacks. We see far more successful attacks against Windows, because it's the most common environment," Greg Day, security analyst at McAfee, said.

"As Linux becomes more common, we'll see more attacks against it," Day added.

McAfee recommended firms look more at the probability of attack, rather than whether an attack is possible.

CERT's report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security firm Secunia, 124 of its security advisories relate to flaws in Windows XP Professional, of which 29 are unpatched -- which lands Microsoft's operating system with a "Highly Critical" security rating.

In contrast, Red Hat 9 is affected by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. SuSE Linux Enterprise Server 9 is covered by 91 advisories, but every one has been patched by the vendor. Both products get a "Not Critical" rating.

Leon Brooks said...

I think the most incisive comment on the original CERT report was by a Slashdot poster calling himself nahdude812:

“even by their own description, this information is completely meaningless”

Or ruurd from GrokLaw:

“Tallying like this is inane, thinking that the tallies actually MEAN something is insane.”

_Arthur also pointed out that SANS lists "Mac OS X" as the #17 security vulnerability of the year despite no OS X vulnerability having ever been exploited.

Real-life experience says that well-maintained MS-Windows servers get broken into about three times as often as well-maintained Linux servers. The odds go up steeply in Linux's favour for orphaned systems, but being ten or a hundred times safer doesn't offer much comfort if you're inevitably going to get 0wn3rz3d, which is the fate of all unmaintained systems.