January 6, 2006 11:11 AM PST

Experts question Windows win in flaw tally

Critics have taken aim at a study published by the U.S. Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows last year.

The report, Cyber Security Bulletin 2005, was released last week. It claimed that of 5,198 reported flaws, 812 were found in Microsoft's Windows operating system and 2,328 in open-source Unix/Linux systems. The rest were declared to be multiple operating-system vulnerabilities.

The report has attracted criticism from some in the open-source community. Linux vendor Red Hat said the vulnerabilities had been wrongly tagged, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.


"The study is confusing and misleading. When you look at the list, the vulnerabilities are miscategorized," Mark Cox, a consulting software engineer at Red Hat, said. "For example, Firefox is categorized as a Unix/Linux operating-system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics."

In addition, Steven Christey, an editor for Common Vulnerabilities and Exposures, an organization that maintains a common vulnerability database, said that the statistics were no basis for comparison of the relative security of Windows and Linux/Unix, because they had been collected from different sources with different criteria for the collection of flaws.

"In my opinion, refined vulnerability information sources (CVE, Bugtraq, etc.) are still a year or two away from being able to produce comparable statistics," Christey wrote in an open letter posted online.

Secunia's Thomas Kristensen agreed with Christey that the various vulnerability collection sources made comparison more difficult. "I think Steve has got some good points on why comparing vulnerability numbers is difficult," said Kristensen, chief technical officer at the security company.

CERT itself pointed out that the information in its bulletin "should not be considered the result of US-CERT analysis," as it included information from outside sources.

Taking flaw types into account
Secunia thought that the nature of the reported vulnerabilities also made it difficult to compare security on the platforms, as Linux/Unix researchers concentrate on vulnerabilities in local privilege separation, while Windows researchers look at possible remote vulnerabilities.

"Generally, many of the vulnerabilities in Linux/Unix based products are classified as local vulnerabilities, including privilege escalation, local denial of service and local exposure of sensitive data. These kind of vulnerabilities are not regarded as particularly critical, but Linux/Unix researchers tend to focus quite a lot on this category, probably because of Unix's long history of proper privilege separation. This has only recently become more relevant in Windows (NT, 2000, and XP), but many Windows researchers still focus more on remote issues," Secunia said.

The US-CERT study has also caused online debate within the open-source community. In Newsforge, the Linux and open-source online publication, Joe Brockmeier and Joe Barr cast doubt on the vulnerability totals.

"The two figures are not representative of today's two major operating-system platforms. One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux," the article said.

Red Hat's Cox said Linux operating systems were more secure for businesses than Windows platforms, as fewer vulnerabilities were critical and patches were brought out more quickly.

"There is also the issue of timing," he said. "With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days," he said.
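The counting problems raised above, as an added Python illustration that is not code from the article, from US-CERT or from any of the people quoted: a constructed set of advisories is tallied once per notice (how the bulletin's per-platform totals were read) and once per distinct flaw, with cross-platform products moved to a "Multiple" bucket, and each source's disclosure-to-patch delay is averaged. The sources, products, dates and FLAW-nnnn ids are constructed placeholders, not real advisories or CVE numbers.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    source: str     # who published the notice (a vendor or a distribution)
    product: str
    platform: str   # platform the source filed the notice under
    flaw_id: str    # constructed placeholder, not a real CVE number
    disclosed: date
    patched: date

# Constructed sample: three distributions and the browser vendor re-issue one
# Firefox flaw, two distributions one Apache flaw, plus a kernel and a Windows flaw.
ADVISORIES = [
    Advisory("distro-a", "firefox", "Unix/Linux", "FLAW-0001", date(2005, 5, 1), date(2005, 5, 2)),
    Advisory("distro-b", "firefox", "Unix/Linux", "FLAW-0001", date(2005, 5, 1), date(2005, 5, 3)),
    Advisory("distro-c", "firefox", "Unix/Linux", "FLAW-0001", date(2005, 5, 1), date(2005, 5, 4)),
    Advisory("browser-vendor", "firefox", "Windows", "FLAW-0001", date(2005, 5, 1), date(2005, 5, 1)),
    Advisory("distro-a", "apache", "Unix/Linux", "FLAW-0002", date(2005, 6, 1), date(2005, 6, 2)),
    Advisory("distro-b", "apache", "Unix/Linux", "FLAW-0002", date(2005, 6, 1), date(2005, 6, 2)),
    Advisory("distro-a", "kernel", "Unix/Linux", "FLAW-0003", date(2005, 7, 1), date(2005, 7, 2)),
    Advisory("os-vendor", "windows", "Windows", "FLAW-0004", date(2005, 12, 28), date(2006, 1, 4)),
]

# Products that ship on both platforms; a flaw in them is not an OS flaw.
CROSS_PLATFORM = {"firefox", "apache", "php"}

def naive_tally(advisories):
    """Count every notice under the platform it was filed under."""
    return Counter(a.platform for a in advisories)

def deduplicated_tally(advisories, cross_platform=CROSS_PLATFORM):
    """Count each flaw once; cross-platform or multi-platform flaws go to 'Multiple'."""
    labels_by_flaw = {}
    for a in advisories:
        label = "Multiple" if a.product in cross_platform else a.platform
        labels_by_flaw.setdefault(a.flaw_id, set()).add(label)
    tally = Counter()
    for labels in labels_by_flaw.values():
        tally["Multiple" if len(labels) > 1 else next(iter(labels))] += 1
    return tally

def notices_per_flaw(advisories):
    """Average number of notices per distinct flaw, per platform."""
    notices = Counter(a.platform for a in advisories)
    flaws = {}
    for a in advisories:
        flaws.setdefault(a.platform, set()).add(a.flaw_id)
    return {p: notices[p] / len(flaws[p]) for p in notices}

def mean_days_to_patch(advisories):
    """Average days from disclosure to each source's own patch."""
    delays = {}
    for a in advisories:
        delays.setdefault(a.source, []).append((a.patched - a.disclosed).days)
    return {s: sum(d) / len(d) for s, d in delays.items()}
```

On the sample, the per-notice count of 6 Unix/Linux to 2 Windows collapses to 1 to 1 once each flaw is counted once and cross-platform products are set aside, and the per-source patch delays show why a single "time to patch" figure needs a stated population.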

Microsoft was not available for comment at the time of writing.

Tom Espiner of ZDNet UK reported from London.


this requires experts?
honestly, how often do i have to patch my linux box due to a
serious threat? ummmm, not to date? minor, yes. serious? no.

meanwhile, EVERY windows flaw seems to be an all or nothing
issue. even the latest is a fine example. so serious they offered
a patch out of order?

and my linux patches are all to stop minor issues. windows
hasn't even started patching issues as minor as linux is now
worried about. just wait till MS gets around to little issues. in
about 30 years......
Posted by shane--2008 (343 comments )
Don't bad mouth Microsoft
They've been doing the best they can. Remember that they are not using a linux workstation to do their work so they have to reboot and patch as well as copy features from KDE and OS X.
We should be setting up accounts on our machines so that windows users have somewhere to go when they need a secure and reliable connection.
Posted by MKenzie (23 comments )
Holier than thou
I can see why the Linux\Unix\Open Source community is frustrated. Their chief claim to fame centers around security. To find out that they have thousands of vulnerabilities means that they no longer can walk on water.

For the last few years the Linux\Unix Open Source has vilified Windows, Microsoft, and Windows users, while at the same time portraying themselves and their systems as the God appointed savior of the computer world.

No matter which way you spin the figures, the moral of the story is that people who live in glass houses shouldn't throw stones.

Doesn't it seem a little odd that all of the "experts" have some sort of Linux\Unix\Open Source heritage?
Posted by robertcampbell2 (103 comments )
That's awesome. You completely ignore some pretty fundamental questions of mathematics.

If you have 10 different versions of linux that use the same tool, and each distribution (version) of linux reports a problem with that issue. Does that count as 1 or 10 security issues?

Well, according to the report, it counts as 10, despite the fact that it's the ONE tool that has the vulnerability. Which is precisely one of the major sticking points about this report; most specifically considering the fact that this isn't isolated to one or two instances, but is pretty common throughout the reports thus resulting in a HUGELY inflated number.

You should use whichever OS you prefer, which is mostly the fundamental philosophy of FOSS (Free and Open Source Software): Options and freedom.

Enjoy your choices.
Posted by gesslar (21 comments )
You know what...
I'll take a million minor flaws that go unexploited to the almost
daily cluster f**k that is the Windows operating system!!!

Mac owner for 5 years... Not a single problem!
Posted by fear_and_loathing (82 comments )
So, where's William Tait NOW?
Just as I said in the Microsoft flaw story, where he so pompously posted this biased, off-base, and totally inaccurate study.

IT'S FUD. That's all it is. Now then, who wants to do a real comparison of Any windows version versus any other OS out there. One on one at a time. Not one of them is as bad as Windows.
Posted by (461 comments )
Glass House?
I just love to watch the Linux community react to the words "flaw" or "security problem" when it comes to their OS. Gee, I thought Linux was the holy grail of all operating systems? How can it have holes or security problems? Guess the only way you have to defend this sacred cow is to discredit the messenger. Makes politicians seem totally inadequate when defending their actions.
Posted by tbsteph (62 comments )
Apples and Oranges
Any tally of Windows security flaws will be almost exclusively related to elements of the operating system or design flaws in core system application framework elements.

A tally of *nix security flaws will consist of these, plus a host of other ***application level*** security flaws... is the security of Windows negatively impacted when some teenager writes a Visual Basic application, puts it up on Download.com, and it turns out to have a security flaw?!?
Posted by tvleavitt (24 comments )
MS sells a sub grade product
It seems too many people are missing the main point here about the patch situation.
Windows is not free and costs money. MS charges a lot of money for their products and IMO should be producing virtually bug free software for the cost.
Linux is almost free and I would expect a few problems here and there with it.
So in the end MS is the real loser here not linux.
Posted by arthurdent3 (3 comments )
More biased reporting..
Way to go CNET for giving unqualified and unimportant individuals a voice to vent their propaganda. These idiots trying to say that the list wasn't categorized correctly are either blind, or handicapped.

For example, this Mark Cox moron complains about how Firefox is labeled as a *nix-only flaw. Well, if he had even glanced at the list before CNET used his uninformed quote, he would realize that there are Firefox flaws listed under Windows, *nix, and cross-platform. There are platform-specific flaws for Firefox because the code IS DIFFERENT FOR EACH O/S. You would think somebody involved in the development of open-source software would understand that.

Another example of CNET reporting with an agenda.
Posted by darkane (39 comments )
Why is everybody out to kick the baby?
Look. M$ Windows is a work in progress, just as are all O/S's. It is an investment, & people are being hurt bigtime by the openings that are exploited in it. I'm not going to call them flaws! Linux is the new kid on the block...respectively. Why is everybody wanting to kick the baby? It is time to get down to the real issue at hand, and that is the cyber-terrorist! Right now, the cyber-consumer has only three options: (A) Buy into the 92% marketshare, with its large software share, openings, vulnerabilities, & its constant protection upkeep that's required with the most recent of the cyber-terrorists & their attacks, (B) an O/S that can only run on the computers that supply the O/S, have a user friendly & secure O/S, that have only a 3-4% marketshare, & will be moving to an Intel-based processor in the 1Q of 2006, or (C) Get a freely downloadable, secure, open-source O/S that's also a work in progress, but is more secure than the current Win XP, has great adaptability & flexibility, & has had no critical alerts in the past year! Add to that, it can be installed onto any P-III/AMD-based system. Come on folks! These companies aren't the culprits! These companies are trying to make our cyber-lives better & more efficient! Who are the culprits? The Cyber-Terrorists are! It's time to stop slapping these criminals on the wrists when we catch them, & start punishing them harshly as they should be, no matter the age! Make I.D. Theft a crime of International Grand Larceny! Make Virus encoding & deploying a Terrorist act! Make writing & deploying Spyware a crime of International Espionage. Make it an International Terrorist act to bot a computer, or to remotely commandeer a web server! Let's get the real criminals! Let's get the morons that have nothing better to do with their time & lives, than to steal people's life savings, steal their identities, & ruin countless people's lives & finances. Let's get to the root of the real problem.
Let's get the cyber-terrorists...by any means necessary !!!!
Posted by Jon N. (182 comments )
Serious Request to CNET
You need to quit spending time on useless things like proving that Microsoft is better than Linux. How much is Microsoft paying you to write such articles?

On the other hand... to set the record straight... CNET should better spend their time on investigating each and every flaw reported in each and every operating system across the board... with no favorites.

And their final report should include time to patch, which means the amount of time it took from when the OS maker was first made aware of the flaw until the time they came out with a patch.

And you MUST NOT include Linux as one single bundle as it is not... you need to report each and every single Linux and Microsoft flaw and patch per OS vendor.

Likewise, you also need to include the shortest time and the longest time to offer a patch. And that list should also be prioritized according to criticality as well.

Once you've done that homework... your answer to the Experts questions will all be resolved and CNET might just gain a bit of credibility in my eyes!!!

A disgruntled reader,
Posted by wbenton (522 comments )
Is Linux one or many? I wish there was a decision on this. I often read "Linux will be the dominant desktop in a few years" but this will never happen unless Linux is considered unified. It seems that Linux is one when talking about how good it is, but many when discussing flaws. Until Linux is simply Linux and not scores (or is it hundreds?) of distributions the common Joe will choose Windows of MacOS.
Posted by Andrew J Glina (1673 comments )
Windows of MacOS
I meant "Windows or MacOS". I apologise for the accidental linking of Microsoft and Apple.

(Edit function CNET?????)
Posted by Andrew J Glina (1673 comments )
Linux is one and many.
For unification, the Linux Standards Base project is coming along quite nicely, and has adopters from most of the major distros.

As for the one or many issue, it's one when talking about the kernel and common programs (gcc, GNOME, KDE, etc.), but many when talking about everything else, as it can be configured for many different uses (server, firewall, desktop, embedded). The same is true with Windows; while the desktop may look the same, XP home is a different beast to Server 2003.
Posted by booboo1243 (328 comments )
Experts? Why does it take "experts"?
The premise is a little daft. You can go to the website yourself and check out the security notices. It doesn't take an expert.

Look at the UNIX notices and compare to the Windows notices. The average Windows notice is listed 1.5 times, the average UNIX/Linux notice is listed 10 times (multiple citations for the same flaw, generally stemming from multiple sources contributing reports). Of the Windows notices 75% are OS-related, while with UNIX/Linux, only about 10% are OS-related. Most of the Windows flaws cited provide administrative access to the machine where most of the UNIX/Linux flaws are mechanisms for denial-of-service attacks (and all of the privilege escalation threats require having shell-access as an authenticated user on the system).

It doesn't take an expert to see the differences, both quantitative and qualitative.
Posted by Zymurgist (397 comments )
Except that Windows users......
.... are most vocal about the flaws, while Unix/Linux/OS X users
don't seem to notice. Could it be that Unix/Linux/OS X flaws just
don't have any noticeable effect???????
Posted by Earl Benser (4310 comments )
Win vs. Linux
This is a big battle between two divergent business applications. Donationware vs. Corporate enrichment. What they have in common is the battle for market control. Regardless of any similarities in flaw stats, donationware has the same need for constant product improvement as does MS. MS has to sell its changes as new and improved. Take any honest look at Vista and you can see WinXP, WinME, and Win95. Aside from some nice graphical add-ons and the need for more memory and CPU usage, what is the buyer of Win Vista getting? I don't see better computing. I use both WinXP and Linux/Fedora Core. Linux requires far less resources to operate compared to WinXP. The one advantage I see for MS users is that there are more third party applications available. There is a lot of room here for competition and improvement regardless of OS.
Posted by aqvanavt (17 comments )
A study involving M$ and FUD. Unbelievable!
Posted by Mister C (423 comments )
Why the media are soft on Windoze
Long long ago I wrote a feature for BYTE magazine. The process begins with asking for an author's guide. BYTE's AG was mostly about how to write a glowing product review. They stated right out front that they would not publish an unfavorable review; don't bother submitting one.

I asked the editor why, and he told me *exactly* the same thing I would read years later in Chomsky and Herman's book, Manufacturing Consent. The purpose of the commercial media is not to inform the reader, it is to deliver advertising to consumers *in a business-friendly environment*. Readers don't pay the bills, advertisers do. Reporters and editors internalize this perspective while they're still in journalism school. By the time they're working, it just feels natural and they're completely unaware of their built-in bias.

That's why a distinguished professor of climatology is identified as an "environmentalist" while a public relations flack for the oil industry is an "official" or an "expert." (See http://www.fair.org/index.php?page=1978 ) And it's why BYTE and PC Magazine and Tech Now would never *dream* of presenting a complete and fair story on the current Internet security situation.

It's also why they can't tell you which corporations are responsible for the spam problem and how easily they could fix it if they wanted to. You just don't run a story that makes the corporations look as bad as they really are. If you had any desire to do it, you wouldn't be working in trade journalism.
Posted by clsgis (41 comments )
We're just spoiled
The relationship Windoze users have with their computers is that of an abused spouse. They live in fear that they might do some little thing that triggers a violent episode. And they've been led to believe the violence they suffer is their own fault. They go around making excuses for their abusers. That black eye is from running into a door.

Those of us who use trustworthy software, whether we choose proprietary or open, don't have that problem. Computers are among the most reliable things in our lives. Forgive us for gloating.
Posted by clsgis (41 comments )
Of course
anything favorable to Microsoft must be flawed.
Posted by robvme (141 comments )