March 22, 2005 4:56 PM PST

Linux riskier than Windows?

Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.

Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.

"All this study can do is give people pause, to say they shouldn't go with common wisdom over which platform has more security," said Herbert Thompson, one of the three authors of the paper and the director of research and training at Security Innovations, a security applications company. The common belief is that Linux is more secure than Windows.

The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.

"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.

Counting the holes
For the study, researchers counted the fixes published for flaws in each Web server setup in 2004. In addition, they tallied days of risk, the cumulative number of days between the time information on a flaw is publicly released and the time the software developer patches that vulnerability.

A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.

As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Windows Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

Red Hat's Cox countered the findings in his blog posting.

"There were only eight flaws in Red Hat Enterprise Linux 3 that would be classed as 'critical' by either the Microsoft or the Red Hat severity scales," he wrote. "Of those, three-quarters were fixed in a day, and the average was eight days."
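As an added illustration, not taken from the study or the article, the following Python shows how the two figures the article reports, the number of fixes and the cumulative "days of risk", are computed over a list of advisories, and how Cox's objection plays out: restricting the same list to entries rated "critical" changes both the count and the days-of-risk total. The advisory ids, severities and dates are constructed sample data; a flaw still open at the cut-off date accrues days up to that date, a detail the article does not spell out.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    """One flaw in a Web server stack. Ids and dates here are constructed sample data."""
    vuln_id: str
    severity: str            # e.g. "critical", "important", "moderate", "low"
    disclosed: date          # day the flaw became publicly known
    patched: Optional[date]  # day the vendor shipped a fix, None if still open


def days_of_risk(adv: Advisory, as_of: date) -> int:
    """Days the flaw was public but unpatched; an open flaw accrues days up to as_of."""
    end = adv.patched if adv.patched is not None else as_of
    return max(0, (end - adv.disclosed).days)


def summarize(advs: Iterable[Advisory], as_of: date,
              severities: Optional[set] = None) -> dict:
    """Count flaws and total/mean days of risk, optionally restricted to some severities."""
    sel = [a for a in advs if severities is None or a.severity in severities]
    dor = [days_of_risk(a, as_of) for a in sel]
    return {
        "count": len(sel),
        "total_days_of_risk": sum(dor),
        "mean_days": mean(dor) if dor else 0.0,
        # Cox's framing: what share of flaws was fixed within a day of disclosure
        "share_fixed_within_a_day": (sum(d <= 1 for d in dor) / len(dor)) if dor else 0.0,
    }


YEAR_END = date(2004, 12, 31)  # cut-off for a one-year window like the study's

# Constructed sample, not the 2004 advisories the study actually counted.
SAMPLE = [
    Advisory("CONSTRUCTED-0001", "critical",  date(2004, 1, 10),  date(2004, 1, 10)),
    Advisory("CONSTRUCTED-0002", "critical",  date(2004, 2, 3),   date(2004, 2, 4)),
    Advisory("CONSTRUCTED-0003", "critical",  date(2004, 5, 20),  date(2004, 5, 21)),
    Advisory("CONSTRUCTED-0004", "critical",  date(2004, 9, 1),   date(2004, 9, 29)),
    Advisory("CONSTRUCTED-0005", "moderate",  date(2004, 3, 15),  date(2004, 7, 13)),
    Advisory("CONSTRUCTED-0006", "low",       date(2004, 4, 1),   date(2004, 10, 28)),
    Advisory("CONSTRUCTED-0007", "important", date(2004, 12, 20), None),  # still open
]

if __name__ == "__main__":
    # All severities lumped together, as the study counted them
    print("all severities:", summarize(SAMPLE, YEAR_END))
    # Critical only, the comparison Cox argued the study should have made
    print("critical only: ", summarize(SAMPLE, YEAR_END, {"critical"}))
```

On this sample the unfiltered view reports 7 flaws and 371 days of risk, while the critical-only view reports 4 flaws and 30 days, three quarters of them fixed within a day.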

Critical flaws are generally those that allow an attacker to remotely take control of a computer system. The study did break vulnerabilities


86 comments

FUD
FUD, FUD, FUD, the boys from Redmond are marching!

FUD, FUD, FUD, the lies from Redmond are marching!
Posted by (16 comments )
Agreed
This is no more than a ploy by Microsoft.

The classic LAMP stack (Linux, Apache, MySQL, PHP or Perl) has proven successful time and time again for YEARS.

If I were Microsoft I wouldn't be spreading FUD. Rather, I'd spend the time fixing bugs in my software, and actually making IE as well as IIS more than a piece of junk.
Posted by hion2000 (116 comments )
Really
Is that right! Wow.
Posted by t8 (3596 comments )
Advertising
Frankly, Microsoft seem to prefer spending money on advertising and lawyers rather than on producing a (long overdue) decent operating system. Talk to the hand...
Posted by Jerry Dawson (126 comments )
Advertising
NT, 2000 & XP Pro all worked fine for me. OTOH I had plenty of issues with several versions of Redhat. AIX is fine. But my iBook with OS X sits (unbootable) on one of my parts racks, waiting to be cannibalized.

OK - so I tell people "Whatever your problem, ME isn't the answer". But you buy a decent M$ OS & things are fine - I even had M$-DOS 3.3, and NEVER did it let me down after several YEARS.
Posted by (409 comments )
If you believe this
You are a frikken retard, plain and simple.

Perhaps if they spent more time making solid products they wouldn't have to pay people to publish bogus reports.
Posted by Bill Dautrive (1180 comments )
Ah, the zealot knee-jerk reaction
As someone in this thread pointed out, nothing devious has happened; the study is fully documented. This is just marketing.
Instead of calling folks names, attempt to actually articulate your side of the debate. Document how Linux beats Windows, and why. Keep careful records, and prove your point, by the numbers.
If you can, that is. The nasty reality of what companies already own, where their data already lives, what skill sets are available, where management wants to go, etc. has a way of making simple decisions very complex.
Posted by catchall (246 comments )
Microsoft-funded ;)
"Microsoft-funded study". The word "study" may suggest scientific methodology, but in combination with "Microsoft-funded" it looks to me like an oxymoron.
Posted by (4 comments )
Greetings from Ciechocinek
Your last phone call was very nice ;-) Unfortunately, I am not allowed to talk privately during working hours. Regards
Posted by (4 comments )
Just my 2 cents..
I would have to agree that being "funded" by Microsoft makes this study hard to believe. But, as Linux/Netware/Mac professionals, we should look at the positives to this type of media.

First, Microsoft never engages their marketing propaganda machine unless they feel a threat. This isn't a bad thing, it's a good thing. This means Microsoft is, for the first time publicly, acknowledging that Linux-based systems are a threat to what it perceives as its dominance in the market. And, as is typical with MS, when it can't gather enough hard facts to support its position, it engages its marketing propaganda engine and attacks in the media.

Second, attacks and name calling as in previous posts should be refrained from. Not for the obvious reasons, but for the good of the open-source community. Many decision-makers in these on-the-fence companies are reading these stories and the posts to them while trying to decide if open source is the way to go, or the MS monopoly should remain in their organizations. MS would portray open source initiatives as a bunch of "high-schoolers" coding immature applications not ready for the "real" world. Let's not give them ammunition to believe we aren't at the top of the game along with the proprietary-source market.

We all know how good, and in some cases better, open-source software is than the MS stuff.. and this is due to our ability to work as a disconnected collective. Let's present this as a mature, intelligent position in responses to "studies" done by MS-paid "researchers".

Because as we know.. When the facts are all presented, we have the winning products.. in the Linux/Novell/Mac arena.

Bob.
---------------------------------------------
"We can never see past the choices we don't understand." - You should know who said this and why.
---------------------------------------------
Posted by (55 comments )
How refreshing...
.... a contributor with intelligence, skill, and worthwhile ideas.
Posted by Earl Benser (4342 comments )
Not the first recognition of Linux
This isn't MS's first salvo against Linux, this is just the latest of many. What it does recognize for the first time is that the overall security of a solution should be considered.

Of course a smart company will make that a part of their decision process, but only part.
Posted by aabcdefghij987654321 (1722 comments )
Just to point out..
There was a brief mention in the article about their "Get the Facts" campaign where they claim Windows servers are better than Linux servers [http://www.microsoft.com/windowsserversystem/facts/default.mspx].

This has been disputed in great detail by Novell.
[http://www.novell.com/linux/truth/response.html]
Posted by hion2000 (116 comments )
To be funded
I believe that everybody sees the difference between a scientific study and commercial material. I would only like to remind C|Net editors to use proper quotation sometimes ;)

Thank you for your care for "the good of the open-source community". However, if you look more generally at the posts here, you will find something other than threats to the open-source community.

Have a nice day :)
Posted by (4 comments )
Of Course
MS gets thrashed so often for their "swiss cheese" OS's they have to make a major news event out of studies such as these. And a news event it is! While they are normally spending all of their time patching gaping holes, for once there is an upside.
Posted by axslinger (6 comments )
Lies and the Lying Liars who tell them.
As far as this report goes it could be full of truth, but the problem is who paid for it. In my opinion, how can you believe a company like Microsoft, which has lied to people for years? When it comes to weighing the BS factor, Microsoft still outweighs Open Source.

Now I'm not trying to attack the validity of the report. I am saying that it's hard to believe it when it was commissioned from Microsoft. Guilt by association I suppose.

I haven't read the report, but plan to when I get time. My question is, did Microsoft help them properly configure Windows? Did they run Linux straight out of the box without modifying its configuration? Did they run Windows straight out of the box without reconfiguring security?

I would like to see a report done that wasn't commissioned by Microsoft or a Linux group, that configured each server for its optimal security and performance. Although no report is ever truly going to be unbiased, this would come closer.
Posted by System Tyrant (1453 comments )
As long as the methodology is good
True, it may/may not have been funded by MS. But who else would fund such a study? Coca-Cola? As long as the methodology was good and the full results are available for inspection, that should be ample to offset that.
Posted by (402 comments )
And one of these days I might learn how not to triple post
While proofreading my content
Posted by (8 comments )
My Own Study of Myself
Today, I'm releasing my own study of my best product, namely ME. My study finds that (1) I'm the smartest guy in my zip code, (2) I'm better looking than Brad Pitt, and (3) I have more money than the Pope. Add to that my numerical superiority over Ron Jeremy, and I'm ready to hit the market.
Posted by HansinYabutay (31 comments )
Interesting Study
As soon as you release your methods and assumptions for review, your study can be taken as seriously as the one Microsoft funded.
Posted by David Arbogast (1712 comments )
I did, but you didn't understand it
The study is flawed. Like others have pointed out, it doesn't really take into account severity, nor the fact that MS hides/ignores/dismisses many flaws for a considerable time.
Posted by Bill Dautrive (1180 comments )
Right on! The "count" is suspect!
Our experience is that only the phone company is more stubborn than Microsoft when it comes to acknowledging the existence of a problem!

So unless we start with totally neutral, objective, and COMPREHENSIVE counts, all of this 'study' is "..a clanging of cymbals and crashing of gongs....signifying NOTHING!!!"

Last I heard, Microsoft had PRECLUDED this type of study in all of its EULAs!
Posted by landlines (55 comments )
Numbers are inline with my own experience
FWIW, the published numbers are in line with my own experience with 2 recently installed web servers, based on vulnerability measurements done by the ScanAlert service. ScanAlert is by no means the final say on vulnerability measures, but the relative problems with out-of-the-box Windows 2003/IIS 6.0 and Linux/Apache installations were in the same ballpark as the MS study suggested.
Posted by (4 comments )
Misinformation from Microsoft funded organizations
Use of "Public Release of Vulnerable Disclosure Announcements" to prove the security of Microsoft products is similar to the tobacco industry's arguments that "Tobacco does not cause Cancer" in 1940-1990. By suppressing the real records, the ability to hide the truth becomes evident.

The truth is Microsoft has the ability to suppress, for long periods of time, the public disclosure of vulnerabilities with the use of Responsible Disclosure, National Security --- time of war and the Patriot Act. Once the vulnerability is released, Microsoft has a history of attacking the security researcher and dismissing the criticality of the vulnerability, until it impacts the customer. Then, if a worm/virus does impact the community, blame it on hackers or the users for not taking some action.
Posted by (2 comments )