Linux vendors hit back at analyst report

Linux vendors hit back at analyst report

Summary: Linux vendors are unhappy with a Forrester report that compares the security of the open-source operating system and Windows but others say they are all missing the real issue

TOPICS: Tech Industry

Linux vendors Debian, Red Hat, SuSE and Mandrakesoft have attacked a recent Forrester report that compared Microsoft's security with that of Linux.

In March, research group Forrester published a report entitled Is Linux more secure than Windows? The report examined the speed at which vendors published patches to vulnerabilities in their software and how easy the patches were to deploy. It concluded that although there is a perception that Linux is more secure than Windows, both operating systems can be deployed in an equally secure fashion.

But Linux vendors are unhappy with the results. They have questioned the accuracy of the report's conclusions and claimed it has little "real world value" because it does not help customers assess the "practical issues of how quickly serious issues get fixed".

According to Forrester's report, which collected data with the cooperation of all the vendors, the time from a vulnerability being publicly announced to a patch being deployed was an average of 25 days for Windows. The best performing Linux vendors -- Red Hat and Debian -- averaged 57 days, while SuSE averages 74 days and MandrakeSoft came in last at 82 days.

In a combined statement, the Linux vendors said that because the report simply averages the number of days between the discovery of a vulnerability and a fix being deployed, it provides an "inconclusive picture of the reality that users experience". "The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users," the statement said.

But security companies and uses say both Forrester's report and the war of words are misdirected because most security problems are caused by lazy administrators and users that do not apply patches that have already been released.

An IT director at a London-based media company, who asked to remain anonymous, said: "This is all about time to patch, rather than what usually gets machines hacked, which is ignorant people. Arguing about whether one company deployed a patch a few days earlier than another makes no difference if the patch is not deployed for six months," he said.

Ben Nagy, senior security engineer at security researchers eEye, agreed: "What causes our problems is when people don't patch known problems for six months and then they are surprised when they get the latest worm," he said.

But, said Nagy, when it comes to unknown threats, Linux is generally easier to secure than Windows because it can be set to deny system privileges to an application, which is "more challenging" with Windows, even for very experienced users: "You can deploy a Linux box that only has one stripped-down service -- such as a Web server -- that is running in a chrooted environment. This means taking away all the root or system privileges from that application, which you can't do completely with IIS. But this is something Microsoft is starting to do," he said.

Topic: Tech Industry

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • so, linux takes twice the time, at best, on average, to fix a vulnerability. never heard of people saying whether windows vulnerabilities are "Serious" or not. i'd assume if sth is a vulnerability, it would be serious. bravo on this report, though i think it still sympathises with linux too much. with good security management, i can hardly see why microsoft should be any less secure than linux, besides the fact that it is more often a target, and has a much less knowledgaeble installed base, on average (with all due respect to techies who use windows, of course).
  • Where on earth did they dig out this bunch what do they call themselfs Forresters i thought they chopped trees down all day not commented on software mind you they probably been paid by M$ any how so what differance does it make just like any piece of wood the report is floored .

    I wonder how far you have to dig in the M$ records to find David Tai on the payroll.???

    M$ not in the least secure full of holes yes safe no !
  • just a note for p.nikolic and other readers, forrester is a large, NASDAQ listed, independent research agency. now now, can't you take a little flak for linux's deficiencies? no one claims windows is perfect, no one claims linux is perfect. so chill out.
    btw i WISH i'm on micro$oft's payroll.. recommend me? :p