Secunia and Red Hat defense of Linux laughable
Summary: This means Windows Server had fewer critical vulnerabilities in 3 years than Red Hat Linux ES 4 in 10 months! The fact that Red Hat had a smaller percentage of critical vulnerabilities is nothing to be proud of.
In last Friday's article "Experts question Windows win in flaw tally", scores of security experts came out to defend Linux and Unix. A spokesperson for Secunia questioned the count claiming that Linux/Unix vulnerabilities were less severe because a smaller percentage of Linux and Unix vulnerabilities were remotely exploitable. Red Hat's Cox said that "Linux operating systems were more secure for businesses than Windows platforms, as fewer vulnerabilities were critical and patches were brought out more quickly". Since these claims are easily verifiable using Secunia's own advisory database, let's have a look.
If we take a quick look at Secunia's own database of security advisories for Windows 2003 Server Standard Edition, we see from the "Where" pie-chart that Windows exploits were remotely exploitable 61% of the time. We also see from the "Criticality" pie-chart that Windows exploits were highly or extremely critical 39% of the time. Now if we look at Red Hat Enterprise Linux ES 4, which competes with Windows 2003 Server Standard Edition, we see from the "Where" pie-chart that Red Hat Linux exploits were remotely exploitable 83% of the time. From the "Criticality" pie-chart, we see that Red Hat exploits were 26% highly or extremely critical.
This data from none other than Secunia clearly contradicts Secunia's claims that Windows was more often remotely exploitable, because we have Windows at 61% and Red Hat Linux at 83% remotely exploitable. Red Hat's claim that Linux vulnerabilities were usually less critical might have some merit if we just look at the percentages of 39% critical for Windows and 26% critical for Linux, but it's laughable if we look at the sheer number of Red Hat Linux vulnerabilities versus Windows. There were 138 security advisories for Red Hat Enterprise Linux ES 4 in just 10 months, of which 35 were highly or extremely critical. Windows 2003 Server Standard Edition had only 76 advisories in the last 3 years, of which 30 were highly or extremely critical. This means Windows Server had fewer critical vulnerabilities in 3 years than Red Hat Linux ES 4 in 10 months! The fact that Red Hat had a smaller percentage of critical vulnerabilities is nothing to be proud of.
There will always be those who say that Red Hat isn't representative of Linux because they can roll their own Linux. The fact of the matter is: Red Hat is the market leader in corporate Linux distributions, and the chances of a corporate IT department rolling their own flavor of Linux are about as high as a smoker rolling their own cigarettes. I've always said that the OS doesn't matter when it comes to security, because it really depends on the skills of the administrator to lock down their own platform, but it's time for these Linux advocates to deal with the fact that they themselves don't have the cleanest record in town.
Talkback
And now for some facts
Some early remarks:
Windows list
In the Windows vulnerabilities there are several which are recordings of multiple vulnerabilities in one vulnerability. To know all the vulnerabilities, IMHO they should all be recorded as separate ones.
Of these Windows vulnerabilities 9 are left unpatched with the following distribution: 2003 - 5, 2004 - 1, 2005 - 3, of which the one in 2004 is a partial fix. As we've seen before sometimes some of these unpatched flaws are attacked.
As we're having a look at servers, there's some mention of, for instance, a Word vulnerability; as far as I'm concerned these shouldn't be counted. The same applies for vulnerabilities which could occur while browsing, as I expect that a server is not meant for browsing, which leads to some more vulnerabilities which can be deducted.
Red Hat list
As I assume that a Linux server is installed in the most efficient manner, I assume that no software is installed which isn't necessary, so no window managers etc. are installed; the same applies for browsers, messengers etc.
I did a count on the list; the following vulnerabilities were recorded and have drawn my attention:
PDF related - 5
Browsing related - 14 (these account for a lot of the critical ones etc.)
email - 5
messenger related - 5
Above is just a small list of vulnerabilities which will not hit the average installed server. A lot more are dependent on what the server is actually doing. If it's a print server, then CUPS related (3) should be taken into account, but then all others related to PHP etc. should be left out, as they shouldn't be installed.
No flaws remained unpatched, though I cannot assess the speed of patch release as this is not measured by Secunia.
If I have a look at the vulnerabilities listed (especially the critical ones and the remote ones), most of them are either Firefox, Mozilla, Thunderbird or Ethereal related; none of them is related to the kernel!!
Conclusion
So is the defense of RH and Secunia laughable? I actually don't think so if you have a deeper look at the vulnerabilities. It all depends on what you're using the server for.
Can I make any conclusion about which of the two is safer? I can't, as I can't go through the list of Windows vulnerabilities the way I can go through the Linux list (though some are even clear to me).
George, you shouldn't be making conclusions solely based upon the graphs, but should instead also analyse the underlying data, which you obviously haven't done. With regards to security it would also be good to state that there are vulnerabilities left unpatched etc., as this also contributes to security!!
But then again I rest my case!!
George Get the Facts
Sensationalism and misleading his readership.
Paul Murphy on the other hand writes a fair and balanced article:
http://blogs.zdnet.com/Murphy/index.php?p=501
Paul Murphy does his homework.
Get the Facts George, you disappoint.
Secunia's own numbers
No george
It's about interpretation of the numbers, George, taking into account the facts that Dietrich is mentioning!!
If you think they've missed the point, then make it clear by plain facts, analyse the lists (I'm sure you can do the Windows one better than I can) and then draw your conclusion.
BTW, I'm looking forward to your next blog about the newly found WMF vulnerabilities (just as we already expected that they would be there).
These #'s are higher because they are only potential vulnerabilities
for example, look at this advisory issued yesterday:
Ubuntu update for sudo
http://secunia.com/advisories/18363/
The update was available before the advisory was issued. It is already on my system.
Many Google searches, and nowhere has this been found to be an exploit. It was a "potential" risk and was patched very quickly.
And as pointed out before, you should try to understand the numbers
the OS as is the case with windows 2003.
The number of advisories applicable to any configuration would depend on the components installed.
For example, why would you include RHEL4 vulnerabilities for desktop apps (e.g. Mozilla (SA16918, SA15139, SA14510), Firefox (SA16919, SA15034, SA14448), HelixPlayer (SA16962, SA15033, SA14472), Thunderbird (SA17090, SA14706), evolution (SA15246), openoffice (SA15111), gaim (SA14947, SA14558)) without including them in the Windows server count or equivalent?
Why would you ignore the number of unpatched vulnerabilities?
Why would you ignore the severity and attack vectors?
These were the points made by Secunia and RHEL to the terrible over-generalisations in the 2005 figures and the basis of Friday's article "Experts question Windows win in flaw tally".
Indeed the report bundled all *nix together, which is clearly ridiculous.
The most frightening stat in the Secunia figures you linked to is 55% of Windows 2003 grant system access, with 31% for RHEL.
More investigation would be required to see how many of the RHEL vulnerabilities would have granted server configuration remote exploit that wasn't contained by SELinux.
This is the real definition of security, not some superficial analysis of figures that may or may not apply to a specific system configuration :-)
So...
a little reading before posting
Looks like George should do a little reading before posting.
This guy is an idiot, he is the Dan Quail of journalists.
Dan Quail
"potatoe", flawed premises, abuse of stats == same thing== stupidity
He spells his name Quayle - and he is funny
http://www.quotationspage.com/quotes/Dan_Quayle/
Very funny fellow.
As for George, you only have to read a few of his posts to know that he is heavily biased in favor of anything Microsoft. He's not so much as journalist as he is a fan of Microsoft.
Laughable? Indisputable?
$ sort /tmp/nix_vulns | wc -l
2329
$ sort /tmp/win_vulns | wc -l
814
OK, that's what we've been talking about.
$ sed 's/[ ]*(Updated.*//' /tmp/nix_vulns | sort | uniq | wc -l
1046
$ sed 's/[ ]*(Updated.*//' /tmp/win_vulns | sort | uniq | wc -l
681
Those are some pretty trivial filters. Others have been pointed out (such as counting announcements, rather than flaws themselves.)
That, IMHO, is enough by itself to require a complete restart of the discussion. By all means, make the case in enough detail to be debatable; giving enough detail to let us reproduce your results would be a good start.
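Two of the comments above make the same methodological point: the raw advisory count over-states the number of distinct flaws because re-issued "(Updated ...)" entries are counted again, and the count that matters for a given server depends on which components are actually installed. The script below is an added example, not data or code from any commenter or from Secunia; the advisory lines, IDs (SA00001 to SA00004), criticality labels and component names are constructed placeholders, and the pipe-separated layout is an assumption made so the same sed filter used above works on them.

```shell
#!/bin/sh
# Constructed sample advisory list (not real Secunia data).
# Assumed layout: ID|Criticality|Component|Title, with re-issues marked "(Updated ...)".
ADVISORIES='SA00001|Highly critical|kernel|Privilege escalation in a local syscall
SA00001|Highly critical|kernel|Privilege escalation in a local syscall (Updated 2005-03-01)
SA00002|Highly critical|firefox|Heap overflow when rendering a crafted page
SA00002|Highly critical|firefox|Heap overflow when rendering a crafted page (Updated 2005-05-12)
SA00003|Moderately critical|cups|Denial of service via malformed print job
SA00004|Less critical|php|safe_mode restriction bypass'

# Raw announcement count: the figure the headline comparison uses.
count_raw() {
    printf '%s\n' "$ADVISORIES" | wc -l | tr -d ' '
}

# Strip the "(Updated ...)" suffix so a re-issued advisory collapses onto its original.
dedupe() {
    printf '%s\n' "$ADVISORIES" | sed 's/[ ]*(Updated.*//' | sort -u
}

# Distinct advisories after deduplication.
count_unique() {
    dedupe | wc -l | tr -d ' '
}

# Distinct advisories whose criticality is "Highly critical" or "Extremely critical".
count_unique_critical() {
    dedupe | awk -F'|' '$2 == "Highly critical" || $2 == "Extremely critical"' | wc -l | tr -d ' '
}

# Distinct advisories that apply to a server profile.
# $1 is a space-separated list of installed components, e.g. "kernel cups" for a print server.
count_for_profile() {
    dedupe | awk -F'|' -v installed="$1" '
        BEGIN { n = split(installed, parts, " "); for (i = 1; i <= n; i++) have[parts[i]] = 1 }
        ($3 in have)' | wc -l | tr -d ' '
}

# Stand-alone run: show how the same list yields very different numbers.
if [ "${1:-}" = "run" ]; then
    echo "raw announcements:        $(count_raw)"
    echo "distinct advisories:      $(count_unique)"
    echo "distinct critical:        $(count_unique_critical)"
    echo "print server (kernel cups): $(count_for_profile 'kernel cups')"
    echo "web server (kernel php):    $(count_for_profile 'kernel php')"
fi
```

Run with `sh advisories.sh run`. On the constructed list the raw count is 6, the deduplicated count is 4, only 2 of those are highly critical, and a print server that has no browser or PHP installed is exposed to 2 of them. The filters are deliberately the trivial ones the comment describes; whether that is enough to settle the argument is a separate question, but it shows why a count has to state its deduplication and its component profile before it can be compared with another.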
Its even better than that
" 1. first, that a large number appear to be duplicates - (in fact 1,442 or 62% are duplicates of other listings); and,
2. none of these seem to be Unix related - they're essentially all application related, and so are the 2,058 classified as affecting multiple operating systems.
"
and even better on flaws that aren't
"in other words, the problem never existed, was (erroneously) reported in mid 2004, cleared in 2004, and counted against Unix in a 2005 summary claiming the authority of the United States Government."
Paul gives two examples but there are more than that on the list.
Another thing that Paul doesn't mention is that there are flaws listed on the Unix/Linux side that don't appear on the MS side but rather in the cross-platform vulnerabilities. The entire cross-platform list is odd, as Linux/Unix/Mac OS X are all grouped on one side whereas the various Windows varieties are on the other - so what other OS are these vulnerabilities affecting? OpenVMS? Also, why are those flaws listed on the Unix/Linux side but not on the MS side?
Another point is why Unix/Linux/Mac OS X are all grouped together. Why didn't they break it down into Mac OS X, AIX, HP-UX, Solaris, BSD, Unix-Other (for SCO and other less-used Unix), Linux-Debian based, Linux-Red Hat based, Linux-SuSE, Linux-Slackware based, and Linux-Other? Then again, why aren't the Windows numbers split into Windows NT based and Windows 9X based (does MS even patch 9X and release security alerts for it anymore??).
Anyhow, this report explicitly states that you should not use it the way several people in the press and George are using it, saying one OS is more or less secure than another.
Regardless of that, George is behind on his FUD - the FUD du jour is that Linux won't install on older hardware and MS Server 2003 supports more aged hardware than the various flavors of Linux do.
I never mentioned CERT's numbers
Look at the data
Look at reality!
So the question can be simplified to this: do you lock all your doors, or do you live in a bad neighborhood? If you live in a better neighborhood, locking doors is not as important as when you live in the virus-prone slums.
Nothing but a M$hill
Bogart
Too funny. ;)
Yeah, that's right.
And difficult to manage, too; several PhD's have committed suicide!
And buggy! Sometimes it doesn't boot. Once it caught fire. Whole families are at risk.
Dear Lord, we're going to die. What were we thinking?!?!? No one will program for free.
They've changed the color-scheme on Bizarro-land since I was here, last. It's a nice look. Well, back to reality...