What operating system has the most vulnerabilities?

Summary: US-CERT has the answers, and it's not Windows.


From US-CERT:

Cyber Security Bulletin 2005 Summary

2005 Year-End Index
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities.

Emphasis mine. The bulletin lists all of the vulnerabilities by operating system. Note that they include Apple/Mac in the Unix/Linux category.

I was looking for stats on market share for operating systems and found this. I can't vouch for the accuracy of these stats, but here's the rundown.

Windows XP      77.92%
Windows 2000     9.82%
Windows 98       4.78%
Mac OS           4.11%
Windows ME       1.99%
Windows NT       0.86%
Linux            0.30%
Windows 95       0.12%
Web TV           0.03%
Windows CE       0.02%
SunOS sun4u      0.01%
PSP              0.01%
Hiptop           0.01%
Unknown          0.00%
FreeBSD i386     0.00%

What if Mac OS and Linux were at the top of the list? Would those 2328 'nix vulnerabilities (which include Apple/Mac) result in massive exploits putting malware/spyware on those machines? I don't know, but I think it's food for thought. If Mac and 'nix had top market share, my guess is the malware pushers would be all over them. Comments?

US-CERT link via Security Fix.

Topic: Operating Systems


Talkback

90 comments
  • Vulnerability of PDAs

    'Small' operating systems such as Windows Mobile/Pocket PC, Symbian and others are increasingly hosting financial transactions but have not yet received the attention they will need to continue on down this path with relative safety.
    jmarkwell
  • Figures can't lie, but liars can figure

    The issue isn't that cut-and-dried as implied in the article. Question the statistics:
    - the Linux/Unix vulnerabilities, are they all on the kernel (highly unlikely) or are they including all application programs that can run under Linux/Unix? Not every system uses every application out there - I'm not running Evolution or Thunderbird, I'm using another e-mail client, for example.
    - How many of these vulnerabilities have been eliminated? The report only emphasises how many were REPORTED, not how many were ELIMINATED.
    - How many of these vulnerabilities have been eliminated? Microsoft is notorious for leaving known vulnerabilities unpatched until they get around to it. (Hey BG, here's a round tuit.) On the other hand, Open Source projects that are widely used tend to get patched very quickly.

    In addition, how are they counting the number of Linux/Unix installations out there? The number seems very low considering how many *nix server boxen are out there, are they just counting desktops and laptops?
    lordshipmayhem
    • Besides...

      It's not like some security issue in Solaris is going to affect people
      who use Mac OS X or BSD or Linux or....

      Lumping all the varieties of Unix together like this only serves one
      purpose: making it look worse than Windows. So, yes, it is a lie.
      Most of the Windows flaws affect almost every version of Windows
      currently in use, but most of the Unix flaws effect only a subset of
      the users of a few versions of a single distribution of a single
      variant of Unix.
      Immanuel Tranz-Mischen
  • A bit more detail, please

    We've been down this "weigh the stacks of reports" route before, and the usual fine print applies:

    * How many redundant reports are included? A report of the same vulnerability in Firefox for SuSE, Red Hat, Debian, Mandriva, etc. could conceivably show up a dozen times in the totals.

    * How many of the vulnerabilities apply to functions that don't come with Microsoft Windows? For instance, that same Firefox vulnerability might apply equally to the MS version but not be reported against Microsoft.

    * How many of the vulnerabilities are mutually exclusive? A vulnerability in [b]sendmail[/b] and another in [b]exim[/b] might both be counted against Unix (although both also run on Microsoft) but it's impossible to have both running on the same machine.

    Details matter.
    Yagotta B. Kidding
    • another detail

      all good points, but here's another very relevant question - how many of those vulnerabilities are opportunities for remote code execution? a lot of vulnerabilities listed on the 'nix side are stuff like denial of service or result in crashing the affected software (as opposed to the os itself). of the ones that offer remote code execution, how many result in root access, as opposed to some restricted user like 'nobody' or 'apache'?

      i've seen this sort of 'analysis' argued for years, and the fact is it's so simplistic as to be worse than useless. counting vulnerabilities for an os on one hand and a different os plus all its installed apps on the other hand - not to mention the comparatively closed versus open defect reporting methodologies of the two - doesn't even rise to the level of an apples and oranges comparison. it quite simply tells you *nothing* about the relative security of the os's in question.
      alleycat_z
      • I never gave that a thought

        I wonder if the same can be said for Mac? My kid's XP is as secure as I can make it. But damn, that's a lot of holes to plug.
        hughe
    • Some Details

      Here is a partial list of the Unix/Linux/OSX grouping:

      # Apache Insecure Temporary File Creation
      # Apache mod_include Buffer Overflow (Updated)
      # Apache mod_include Buffer Overflow (Updated)
      # Apache Mod_Proxy Remote Buffer Overflow (Updated)
      # Apache mod_ssl Denial of Service (Updated)
      # Apache mod_ssl Remote Denial of Service (Updated)
      # Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow (Updated)
      # Apache mod_ssl SSLCipherSuite Access Validation (Updated)
      # Apache mod_ssl SSLCipherSuite Access Validation (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      # Apache SpamAssassin Lets Remote Users Deny Service
      # Apache SpamAssassin Lets Remote Users Deny Service (Updated)
      # Apache SpamAssassin Lets Remote Users Deny Service (Updated)

      Notice something there? It's the same vuln over and over again. Also Apache runs on Windows but it's not listed on the Windows side. It is rather listed among the 2058 Multiple operating system vulnerabilities. So in reality you have to count the 815 Windows vulns + 2058 vulns which are double listed in the Linux/Unix/MacOSX side, as the MultiOS vulns are listed in the Linux/Unix/MacOSX side but not the Windows side. This thus places the Windows vulns at 2873.

      Another thing... Many people are claiming that Linux/Unix don't have as many exploits as Windows because it is a smaller target. While this is true of desktop Unix/Linux, consider server-side Linux/Unix use on the net... what server is number 1?? Hint: it's not IIS on MS.
      Edward Meyers
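The counting problem raised in the comment above (and again by dtfinch below, who notes that 1442 of the Unix/Linux entries carry "(Updated)") can be made concrete by deduplicating the quoted listing. The script below is an added example, not part of the original post or of US-CERT's bulletin; it takes the partial listing quoted in the comment as input and assumes, as the commenters argue, that an "(Updated)" entry re-lists an earlier title, so that stripping the marker and grouping by exact title is a reasonable dedup key. It also reports how much of the inflation comes from "(Updated)" re-listings versus genuinely distinct titles, which the comment does not quantify.

```python
import re
from collections import Counter

# The 21 entries copied from the partial Unix/Linux/OSX listing quoted in
# the comment above (a fragment of the 2005 US-CERT index, not invented).
LISTING = """\
# Apache Insecure Temporary File Creation
# Apache mod_include Buffer Overflow (Updated)
# Apache mod_include Buffer Overflow (Updated)
# Apache Mod_Proxy Remote Buffer Overflow (Updated)
# Apache mod_ssl Denial of Service (Updated)
# Apache mod_ssl Remote Denial of Service (Updated)
# Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow (Updated)
# Apache mod_ssl SSLCipherSuite Access Validation (Updated)
# Apache mod_ssl SSLCipherSuite Access Validation (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
# Apache SpamAssassin Lets Remote Users Deny Service
# Apache SpamAssassin Lets Remote Users Deny Service (Updated)
# Apache SpamAssassin Lets Remote Users Deny Service (Updated)
"""

# Trailing "(Updated)" marker as it appears in the bulletin titles.
UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$")


def normalize(title):
    """Return the title with any trailing '(Updated)' marker removed."""
    return UPDATED_RE.sub("", title).strip()


def parse_entries(listing):
    """Split a pasted listing into bare titles, dropping '#' bullets and blanks."""
    entries = []
    for line in listing.splitlines():
        line = line.strip().lstrip("#").strip()
        if line:
            entries.append(line)
    return entries


def summarize(listing):
    """Count raw entries, '(Updated)' re-listings and distinct titles.

    Assumption (from the comment thread, not from US-CERT): entries that differ
    only by the '(Updated)' marker describe the same vulnerability.
    """
    entries = parse_entries(listing)
    n_updated = sum(1 for e in entries if UPDATED_RE.search(e))
    per_title = Counter(normalize(e) for e in entries)
    return {
        "raw": len(entries),            # what the bulletin's headline number counts
        "updated": n_updated,           # entries that are re-listings of an earlier title
        "unique": len(per_title),       # distinct titles after dedup
        "per_title": per_title,         # how many times each title appears
    }


if __name__ == "__main__":
    result = summarize(LISTING)
    print(f"raw entries:        {result['raw']}")
    print(f"'(Updated)' entries: {result['updated']}")
    print(f"distinct titles:    {result['unique']}")
    for title, n in result["per_title"].most_common():
        print(f"  {n:2d}x {title}")
```

Run against the quoted fragment it shows 21 raw entries collapsing to 9 distinct titles, with the SSLVerifyClient bypass alone appearing 9 times. Exact-title matching is deliberately conservative: the same flaw re-listed under a slightly different title, or per-distribution advisories for one upstream bug, would still count separately, so the deduplicated figure is an upper bound on distinct issues, not a floor.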
  • I think you're absolutely right

    Microsoft is the top dog and the top target. It goes with the territory. It would be interesting if we had a number or ratio of attacks vs. market share.
    bob2cam
  • I'm calling BS on this

    The source of the counts is here: http://www.us-cert.gov/cas/bulletins/SB2005.html

    If you look at the Linux/Unix vulnerabilities, most (1442) of them say "(Updated)". Every "(Updated)" vulnerability is a duplicate listing, and each duplicate is counted. If a vulnerability affects a program that's available on a dozen distros, you'll see it counted as a dozen vulnerabilities. There are some duplicates in the Windows list, but they are few and far between.

    And probably most of the vulnerabilities they list are not the fault of either operating system, but are in third party software, some of it pretty obscure.
    dtfinch
  • Protect the elite!

    That's it, protect the interests of the elite by twisting the numbers to dumb down the consumer!
    gadgetguy05
  • Troll?

    Thanks for trolling, you can go back to your part-time journalism course.
    spinit_z
  • How many distros were included in the study?

    If you say that between all the Linux based (CentOS, Mandriva, Mandrake, SuSE, Red Hat, Debian, Slackware, ...) and Unix based distributions (AIX, SunOS, Solaris, DG-UX, UnixWare, SGI, ...), all in all since the seventies when Unix started there are probably well over 200 distributions. If we divide the number of vulnerabilities 2328/200 = 11.64 per each. Windows has 6 distributions 6/812 = 135.3. So there are an average of 135.3 vulnerabilities per Windows distro and 11.64 per Unix/Linux distro. I typically like to know how a study was funded, conducted, and who did it. Without knowing this I absolutely do not believe the study any more than I believe a lifetime warranty on a set of pots and pans that when you read it doesn't cover the handles, the surface, or any damage not caused by faulty manufacture (I bought a set just like this thinking wow it has a lifetime warranty). You just can't believe much of what you read these days.
    kedens
  • What if Mac OS and Linux were at the top of the list?

    quote::What if Mac OS and Linux were at the top of the list? Would those 2328 'nix vulnerabilities (which include Apple/Mac) result in massive exploits putting malware/spyware on those machines? I don't know, but I think it's food for thought. If Mac and 'nix had top market share, my guess is the malware pushers would be all over them.::quote

    I think that the guess that the malware pushers would be all over Mac and Linux is correct. I think your assumption that they would be anywhere nearly as successful as they are with MS Windows is incorrect.

    I've just had a quick scan through the lists, and the striking fact is the significantly larger percentage of High risk vulnerabilities there are in that 812 __reported__ MS Windows vulnerabilities (Microsoft has never been very forthcoming with information regarding system vulnerabilities, and nothing has happened recently that leads me to revise my opinion of those 812 reported vulnerabilities), compared to the percentage in the 2328 reported (that number is almost certainly every possible vulnerability that can be found in the combined Unix/Linux systems).

    Given that 77.8% of MS Windows Systems are MS Windows XP, it is probable that most of those __reported__ vulnerabilities are to be found in MS Windows XP systems - which in itself is interesting, as MS Windows 2000, of which MS Windows XP is a direct successor, was touted as the most secure MS Windows system yet.

    In addition MS Windows systems share those 2058 Multiple operating system vulnerabilities with the Unix/Linux.

    When one looks at the vulnerabilities, that exist on the Unix/Linux sheet what we find is that most of them affect some Distributions but not others, which means that while there are a large number of reported vulnerabilities listed under Unix/Linux they are often only a danger to a subset of that group.

    Unix/Linux, and especially Linux vendors, Distribution builders tend to not only be very forthcoming about vulnerabilities in their distributions, often a work around is supplied - such as advice to roll back to a known secure module - but are very quick to supply patches for reported vulnerabilities, especially those ranked high risk.

    Microsoft, has not to my knowledge changed significantly over time, often not reporting even high risk vulnerabilities until they have actually developed a patch for it, and in the process leaving their long suffering customers at the mercy of malware developers, often for quite lengthy periods of time.

    In conclusion, I suspect that if Mac and Unix/Linux were at the top of the popularity list, malware writers would target them just as they do MS Windows. However I also suspect that they would not have anything like the rates of success that they currently enjoy.

    A point that should be noted. Unix and Linux and Open Source Software are at the top of the popularity list when we are talking about Servers, especially those with a large web presence, and yet, it is vulnerabilities in the much smaller numbers of MS Windows servers that are most successfully exploited.
    tracy anne
    • No platform is immune

      " compared to the percentage in the 2328 reported (that number is almost certainly every possible vulnerability that can be found in the combined Unix/Linux systems) "

      You're crazy if you think that number represents every vulnerability in Unix/Linux, and the same goes for the Windows numbers. I've been developing commercial software for over 13 years now and I can tell you that there isn't a piece of production code out there that doesn't have bugs or potential security issues, on any platform, period.

      The problem is we (as an industry) don't know how to build software that's free of defects and/or security issues. You might think it's because the programmers on a given platform suck and I will agree with you that inexperienced developers don't help the issue but even the most seasoned engineer can't avoid leaving bugs and security holes in their code. I've found bugs/security issues in code that I've looked over 20 - 30 times and I'm supposed to know what I'm doing...

      This is a fundamental Computer Science problem that can only be fixed with better programming languages (chief problem in my opinion) and better tools to automatically detect these issues.

      If you think about it this is an industry that's only been in existence for what, 50 - 60 years. Compare that with something like carpentry that's been around for thousands of years. It could easily take us another 100 years before we get a complete grip on this problem...
      searchdude
      • Some good points

        quote::You're crazy if you think that number represents every vulnerability in Unix/Linux, and the same goes for the Windows numbers.::quote

        I agree, what I said was that number almost certainly represents every vulnerability that __can__ be found in Unix/Linux. That does mean all that there are, or indeed all that there will be. It's interesting to note here that, at least in the case of Linux and BSD Unix the source code is available for viewing by all, so there is at least a strong probability that this number represents the majority of current vulnerabilities. And they are NOT kept secret until a fix is found for them, instead they are published so that remedial action can be taken immediately, by sysadmins, to mitigate their effects.

        quote::I've been developing commercial software for over 13 years now and I can tell you that there isn't a piece of production code out there that doesn't have bugs or potential security issues, on any platform, period.::quote

        I've been developing commercial software for 30 years, and I can tell you that you are correct.

        The difference between closed source development and Open Source development is that closed source software has far fewer people viewing and critiquing the code than are viewing and critiquing the code of Open Source projects. The probability is that any given closed source software application WILL have vulnerabilities that WILL go unseen for far longer than similar vulnerabilities in Open Source code. Which means that most often, and we see this in practice in the current situation with MS Windows and the number and effectiveness of exploits on it, those vulnerabilities will be discovered first by those who develop malware.

        Typically, however, vulnerabilities found in Unix/Linux/OSS software are found and published by hackers who have access to the source code.

        quote::The problem is we (as an industry) don't know how to build software that's free of defects and/or security issues.::quote

        You are absolutely correct. And that is a problem across the board.

        The difference between Closed Source Software and Open Source Software is that there are far fewer eyeballs viewing the source code. As Eric Raymond wrote, and as Linus Torvalds with the Linux kernel, and almost any OSS project have proven, ``given enough eyeballs, all bugs are shallow'' (this statement is actually attributed to Linus Torvalds).

        quote::You might think it's because the programmers on a given platform suck::quote

        Actually I don't. Microsoft have very high calibre developers, among the best in the business.

        quote::and I will agree with you that inexperienced developers don't help the issue but even the most seasoned engineer can't avoid leaving bugs and security holes in their code.::quote

        Correct.

        quote::I've found bugs/security issues in code that I've looked over 20 - 30 times and I'm supposed to know what I'm doing.::quote

        I find bugs in my own code as well, it's the ones I don't find that I worry about, and very often when working within the constraints of a closed source paradigm, as I do, I have no choice but to let those undiscovered bugs go, with the knowledge that the next time I hear about them it will be because something unexpected went wrong in production code.

        quote::If you think about it this is an industry that's only been in existence for what, 50 - 60 years. Compare that with something like carpentry that's been around for thousands of years. It could easily take us another 100 years before we get a complete grip on this problem...::quote

        You have some good points, these points are however known to be problems by the industry, as a whole. It's what the OSS paradigm does to mitigate these problems that by and large makes it a more secure bet, in the present conditions.
        tracy anne
        • Developers on a platform

          I quote:
          ------
          quote::You might think it's because the programmers on a given platform suck::quote

          Actually I don't. Microsoft have very high calibre developers, among the best in the business.
          ------

          I don't think that's what the poster intended to say. I believe that what he or she meant was that *third-party* developers for Windows tend to be less skilled than those for other operating systems, a sentiment which - having seen a kid with a copy of VB.NET hack up a closed-source, Softpedia-accepted program in a couple of days, with little or no testing or debugging - I am inclined to heartily agree with. Even if the developer of a piece of OSS is inexperienced, at least one of those who look over the code at a later date is sure to know what he or she is doing.
          Twey
          • re: Developers on a platform

            "I believe that what he or she meant was that *third-party* developers for Windows tend to be less skilled than those for other operating systems"

            That's not entirely what I meant. My comment wasn't specific to any platform but it would be valid to say that VB has made it easy for almost *anyone* to write code, good or bad.

            Probably the better take away from my post would be that it doesn't matter how talented the programmer is, they are going to leave bugs and security holes in their code. It can't be helped and it isn't their fault. No one intentionally puts security holes in their code. And while it's true more eyes over the code is a good thing, that's not perfect either. We're humans and we're not the best at catching these sort of things. In this case the finger of blame should be pointed at the programming languages & tools we use to develop software. They're not good enough...

            With that said there's probably a lot that could be done to improve our ability to detect & patch security holes without having to have new languages & tools.

            And with regards to Open Source I'm not familiar enough with the community to be overly critical or supportive of it. I will say that from the outside it immediately sounds like a pyramid scheme and I think that's where a lot of the negative reactions come from.
            searchdude
          • Open Source Software

            quote::And with regards to Open Source I'm not familiar enough with the community to be overly critical or supportive of it. I will say that from the outside it immediately sounds like a pyramid scheme and I think that's where a lot of the negative reactions come from.::quote

            In what way is it like a pyramid scheme? I don't understand.

            Here is a book that is well worth the read http://eu.conecta.it/paper/Contents.html
            tracy anne
    • What?

      "as MS Windows 2000, of which MS Windows XP is a direct successor, was touted as the most secure MS Windows system yet."

      Win 2K3 was the touted one. The one created from the onset with "trustworthy computing", note sarcasm.

      This report only considers desktop OS's, and since Linux qualifies it is included. A much better comparison would be server OS's. Let's compare NetWare, Linux and Win 2K3 and see which one fares best.

      My guess.....NetWare....always was, and still is the most secure.
      htotten