Linux riskier than Windows?

Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.

Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.

"All this study can do is give people pause, to say they shouldn't go with common wisdom over which platform has more security," said

"We believe there to be inaccuracies."

--Mark Cox, security response team leader, Red Hat

Herbert Thompson, one of the three authors of the paper and the director of research and training at Security Innovations, a security applications company. The common belief is that Linux is more secure that Windows.

The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.

"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.

Counting the holes
For the study, researchers counted the fixes published for flaws in each Web server setup in 2004. In addition, they tallied days of risk, the cumulative number of days between the time information on a flaw is publicly released and the time the software developer patches that vulnerability.

A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.

As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

Red Hat's Cox countered the findings in his blog posting.

"There were only eight flaws in Red Hat Enterprise Linux 3 that would be classed as 'critical' by either the Microsoft or the Red Hat severity scales," he wrote. "Of those, three-quarters were fixed in a day, and the average was eight days."

Critical flaws are generally those that allow an attacker to remotely take control of a computer system. The study did break vulnerabilities

FUD

FUD, FUD, FUD, the boys from Redmond are marching!

FUD, FUD, FUD, the lies from Redmond are marching!

FUD

FUD, FUD, FUD, the boys from Redmond are marching!

FUD, FUD, FUD, the lies from Redmond are marching!

[t8]

Really

Is that right! Wow.

[t8]

Really

Is that right! Wow.

[Jerry Dawson]

Advertising

Frankly, Microsoft seem to prefer spending money on advertising and lawyers rather than on producing a (long overdue) decent operating system. Talk to the hand...

[Jerry Dawson]

Advertising

Frankly, Microsoft seem to prefer spending money on advertising and lawyers rather than on producing a (long overdue) decent operating system. Talk to the hand...

[Bill Dautrive]

If yolu believe this

You are a frikken retard, plain and simple.

Perhaps if they spent more time making solid products they wouldn't have to pay people to publish bogus reports.

[Bill Dautrive]

If yolu believe this

You are a frikken retard, plain and simple.

Perhaps if they spent more time making solid products they wouldn't have to pay people to publish bogus reports.

Microsoft-funded ;)

"Microsoft-funded study". Word "study" may suggest scientifcal methodology but in combination with "Microsoft-funded" it looks for my like oxymoron.

Microsoft-funded ;)

"Microsoft-funded study". Word "study" may suggest scientifcal methodology but in combination with "Microsoft-funded" it looks for my like oxymoron.

Just my 2 cents..

I would have to agree that being "funded" by Microsoft makes this study hard to believe. But, as Linux/Netware/Mac proffesionals we should look at the positives to this type of media.

First, Microsoft never engages their marketing propaganda machine unless they feel a threat. This isnt a bad thing, its a good thing. This mean Microsoft is for the first time publically, acknowledging that Linux based systems are a threat to what it percieves as its dominence in the market. And, as typical with MS, when it cant gather enough hard facts to support its position, it engages its marketing propaganda engine and attacks in the media.

Second, attacks and name calling as in previous posts should be refrained from. Not for the obvious reasons, but for the good of the open-source community. Many decision-makers in these on-the-fence companies are reading these stories and the posts to them while trying to decide if open source is the way to go, or the MS monopoloy should remain in their organizations. MS would portray open source initiatives as a bunch of "high-schoolers" coding immature applications not ready for the "real" world. Lets not give them ammunition to believe we arent at the top of the game along with the proprietary-source market.

We all know how good, and in some cases better open-source software is than the MS stuff.. and this is due to our ability to work as a disconnected collective. Lets present this as a mature, intellegent position in responses to "studies" done by MS paid "researchers".

Because as we know.. When the facts are all presented, we have the winning products.. in the Linux/Novell/Mac arena.

Bob.
---------------------------------------------
"We can never see past the choices we dont understand." - You should know who said this and why.
---------------------------------------------

Just my 2 cents..

I would have to agree that being "funded" by Microsoft makes this study hard to believe. But, as Linux/Netware/Mac proffesionals we should look at the positives to this type of media.

First, Microsoft never engages their marketing propaganda machine unless they feel a threat. This isnt a bad thing, its a good thing. This mean Microsoft is for the first time publically, acknowledging that Linux based systems are a threat to what it percieves as its dominence in the market. And, as typical with MS, when it cant gather enough hard facts to support its position, it engages its marketing propaganda engine and attacks in the media.

Second, attacks and name calling as in previous posts should be refrained from. Not for the obvious reasons, but for the good of the open-source community. Many decision-makers in these on-the-fence companies are reading these stories and the posts to them while trying to decide if open source is the way to go, or the MS monopoloy should remain in their organizations. MS would portray open source initiatives as a bunch of "high-schoolers" coding immature applications not ready for the "real" world. Lets not give them ammunition to believe we arent at the top of the game along with the proprietary-source market.

We all know how good, and in some cases better open-source software is than the MS stuff.. and this is due to our ability to work as a disconnected collective. Lets present this as a mature, intellegent position in responses to "studies" done by MS paid "researchers".

Because as we know.. When the facts are all presented, we have the winning products.. in the Linux/Novell/Mac arena.

Bob.
---------------------------------------------
"We can never see past the choices we dont understand." - You should know who said this and why.
---------------------------------------------

[axslinger]

Of Course

MS gets thrashed so often for their "swiss cheese" OS's they have to make a major news event out of studies such as these. And a news event it is! While they are normally spending all of their time patching gaping holes, for once there is an upside.

[axslinger]

Of Course

MS gets thrashed so often for their "swiss cheese" OS's they have to make a major news event out of studies such as these. And a news event it is! While they are normally spending all of their time patching gaping holes, for once there is an upside.

[System Tyrant]

Lies and the Lying Liars who tell them.

As far as this report goes it could be full of truth, but the problem is who paid for it. In my opinion how can you believe a company like Microsoft who has lied to people for years. When it comes to waying the BS factor Microsoft still outways Open Source.

Now I'm not trying to attack the validity of the report. I am saying that it's hard to believe it when it was commissioned from Microsoft. Guilt by association I suppose.

I haven't read the report, but plan to when I get time. My question is did Microsoft help them properly configure Windows? Did they run Linux straight out of the box without modifing it's configurations? Did they run Windows straight out of the box without reconfiguring security?

I would like to see a report done that wasn't commissioned by Microsoft or a Linux Group that configured each server for it's optimal security and performance. Although no report is every truly going to be unbiased this would come closer.

[System Tyrant]

Lies and the Lying Liars who tell them.

As far as this report goes it could be full of truth, but the problem is who paid for it. In my opinion how can you believe a company like Microsoft who has lied to people for years. When it comes to waying the BS factor Microsoft still outways Open Source.

Now I'm not trying to attack the validity of the report. I am saying that it's hard to believe it when it was commissioned from Microsoft. Guilt by association I suppose.

I haven't read the report, but plan to when I get time. My question is did Microsoft help them properly configure Windows? Did they run Linux straight out of the box without modifing it's configurations? Did they run Windows straight out of the box without reconfiguring security?

I would like to see a report done that wasn't commissioned by Microsoft or a Linux Group that configured each server for it's optimal security and performance. Although no report is every truly going to be unbiased this would come closer.

And one of these days I might learn how not to triple post

While proofreading my content

And one of these days I might learn how not to triple post

While proofreading my content

[HansinYabutay]

My Own Study of Myself

Today, I'm releasing my own study of my best product, namely ME. My study finds that (1) I'm the smartest guy in my zip code, (2) I'm better looking than Brad Pitt, and (3) I have more money than the Pope. Add to that my numerical superiority over Ron Jeremy, and I'm ready to hit the market.

[HansinYabutay]

My Own Study of Myself

Today, I'm releasing my own study of my best product, namely ME. My study finds that (1) I'm the smartest guy in my zip code, (2) I'm better looking than Brad Pitt, and (3) I have more money than the Pope. Add to that my numerical superiority over Ron Jeremy, and I'm ready to hit the market.