Linux, Windows, and security FUD

Summary: Once again, a Microsoft partner claims that Linux is less secure than Windows. What else would they say?


It's 2013, but the Linux FUD just keeps coming. In the most recent example, security firm Trustwave claimed that Linux kernel vulnerabilities went unpatched for more than twice as long as flaws in Windows. This assertion would be a lot more believable if it weren't coming from a Microsoft partner.

Despite what its critics may say, Linux remains, as it always has been, a very secure operating system.

What no one who reported that Linux was far more lax about fixing so-called zero-day flaws seems to have bothered to do was to ask where Trustwave was coming from. Had they bothered with even a simple Google search, they would have found that the company had partnered with Microsoft to bring its application firewall to Internet Information Server (IIS). In particular, Trustwave made a point of boasting about how it had collaborated with the Microsoft Security Response Center (MSRC).

A little more research would also have revealed that Trustwave has a rather untrustworthy reputation. Last year, Trustwave, which is also a Secure Sockets Layer (SSL) certificate authority, admitted to selling a subordinate CA certificate, chained to its publicly trusted root, to an organization so that it could eavesdrop on its employees' encrypted traffic. Because browsers trusted the Trustwave root, any certificate minted under that subordinate, for any site, would validate.

Trustwave backed away from this policy after it was caught. Christopher Soghoian, principal technologist at the ACLU's Speech, Privacy and Technology Project, pointed out that "Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic," and argued: "With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate)." In the event, Trustwave dodged this penalty.
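To make the subordinate-certificate problem concrete, here is an added example, written for this page and not code from the article, Trustwave or any browser vendor. It constructs two throwaway PKIs in memory (a hypothetical "public" CA and a hypothetical second CA that has sold an unconstrained subordinate), has each mint a leaf certificate for the same host name, and shows that ordinary X.509 path validation accepts both, because nothing in the chain records which CA is the legitimate issuer. It then shows the check that does catch the interceptor: pinning the SHA-256 of the expected issuing CA's SubjectPublicKeyInfo. All names, hosts and keys are generated or made up here; the technique is the same one HPKP and mobile-app pinning use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Chain is a constructed PKI: trusted root -> subordinate CA -> leaf for a host.
type Chain struct {
	Root, SubCA, Leaf *x509.Certificate
}

// issue generates a P-256 key for tmpl and signs tmpl under parent with
// parentKey (nil parentKey means self-signed); returns the parsed cert and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain builds root -> subordinate CA -> leaf for host. The same code
// models a legitimate CA and a CA that sold a subordinate to an interceptor;
// X.509 path validation cannot tell the two apart. Names are hypothetical.
func BuildChain(rootName, host string) Chain {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootName},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	// An unconstrained subordinate: no name constraints, so it may sign for any host.
	sub, subKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: rootName + " Sub CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), DNSNames: []string{host}, // interceptor picks any host
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, subKey)
	return Chain{Root: root, SubCA: sub, Leaf: leaf}
}

// TrustStore models a root store that trusts every given chain's root.
func TrustStore(chains ...Chain) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range chains {
		pool.AddCert(c.Root)
	}
	return pool
}

// VerifiesForHost is ordinary TLS path validation: does the leaf chain to a
// trusted root and name the host? It says nothing about WHICH CA issued it.
func VerifiesForHost(c Chain, roots *x509.CertPool, host string) bool {
	inter := x509.NewCertPool()
	inter.AddCert(c.SubCA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err == nil
}

// SPKIFingerprint: hex SHA-256 of the SubjectPublicKeyInfo, the value pinning compares.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// PinnedOK is the check path validation lacks: accept the chain only if the
// issuing CA's key is one the client expected in advance.
func PinnedOK(c Chain, pins []string) bool {
	fp := SPKIFingerprint(c.SubCA)
	for _, p := range pins {
		if p == fp {
			return true
		}
	}
	return false
}
```

Run with `legit := BuildChain("Constructed Public Root CA", "example.com")` and `mitm := BuildChain("Constructed Other Root CA", "example.com")` against `TrustStore(legit, mitm)`: both leaves pass `VerifiesForHost` for "example.com", and only pinning `SPKIFingerprint(legit.SubCA)` rejects the interceptor's chain. The design point is that the trust store is flat; once a root is trusted, every subordinate under it inherits the power to speak for any name, which is why the sale of a subordinate is as serious as a root compromise and why name constraints, pinning or Certificate Transparency are needed on top of plain validation.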

Moving from the general to the specific, if you take a closer look at Trustwave's claims you'll find that they're based on two 2012 examples each from Linux and Windows. Trustwave also admits that the number of critical vulnerabilities, as determined by Common Vulnerability Scoring System (CVSS) assessment of factors such as potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year: 9 in Linux compared to 34 in Windows. The overall severity of vulnerabilities was also lower in Linux than in Windows, with Linux vulnerabilities averaging a CVSS score of 7.68 compared to 8.41 for Windows.

So, let me understand this. Linux is less secure than Windows based on a total of four examples, while having slightly more than a quarter as many critical security holes, and while its vulnerabilities are less severe than Windows'!? Does this make any sense to you? It doesn't to me.

Given all this, you'll excuse me if I take suggestions that Trustwave has shown Linux to be far less secure than Windows with a mountain-sized grain of salt.

I find it far more telling that month after month, Microsoft keeps repairing critical problems across its entire software portfolio. Funny how that keeps happening even as Microsoft keeps claiming that its newer programs and operating systems are so much more secure than the older versions.

In the meantime, Linux, which I freely admit isn't completely secure (no operating system on the planet ever will be), continues to be trusted by the world's biggest Web sites, such as Google, Facebook, and Wikipedia, and by such mission-critical sites as the New York Stock Exchange and the London Stock Exchange. Now, as it has been for decades, Linux remains more secure than Windows, and no FUD can refute this.

Topics: Linux, Operating Systems, Security, Windows

  • The London Stock Market runs on Windows,

    They abandoned their Unixes to go full Windows. You remember, the media extensively showcased a study of the London Stock Exchange's switch to a superior Windows architecture, leaving Linux behind.

    Well, true, it was yesterday, but to me it feels the same, again. I smell desperation. To use that kind of tactics, you must be on bad ground.
    Good article, Steven.
    • Microsoft Troll again

      Microsoft Troll again
      Henrique Dourado
      • And where is SJVN coming from?

        What exactly makes this SJVN FOSS troll trustworthy?
        • Just a typical Monday morning.

          Is Windows the most secure OS ever created? No. Is Linux? No. How about OS X? Nope. Each has failings in certain areas; some suffer from not being patched for lengthy periods, others for other reasons.

          Now I don’t know if someone from MS backed over his beloved family pet, or if he’s blaming someone’s poor accounting tactics on MS because they used Excel, for his seething hatred of MS, who knows?

          What is a disservice to those he’s supposedly here to “help” is that his bias, his “I can’t let Linux be shown in any type of poor light, ever” attitude is really just handing people a big lie, at their expense, not his.

          Our business has a Windows IIS server and a Linux based Web server for two different reasons and applications, and the bottom line is neither has been successfully hacked, even though one is “the most secure OS this world will ever see” and the other “Laden full of holes and exploits, a disaster in a box” in SJVN’s view.

          Now, how is that possible? I guess it really just boils down to how good your web admins and procedures are, and if someone wants to cherry pick “only bad Windows stories” and “good Linux stories”, well yeah his arguments will be “validated” every time he writes an “opinion” piece.

          And somewhere a Linux server is melting down, or serving up malware, and SJVN will respond with “Impossible! It’s all FUD from a friend of MS’s. Don’t trust them, trust me!”
          William Farrel
          • Isn't it time to change up your screen names.

            Soooo, let's see, there is William Farrel, Loverock-Davidson, ..... you have a few more names you go by, what were they again?
          • TB7, is that you?

            The style appears to be the same.
            John L. Ries
          • cloggeddbottom.l.starr

            sorry buddy, I'm just William Farrel. No toddbottom3, nobody but me.

            I know with your 40 screen names it's hard for you to understand that most of us are content to be ourselves, with our single screen name.

            Nice try, though, but your tell is showing.
            William Farrel
          • How does voting work on this site?

            I was attempting to up-vote your comment when it was at +11, and it dropped down to just +1. Since I had been seeing this happen, I took a snip/pic of the status just before voting...
          • Linux enthusiast claims that claims of Windows...

            ...quicker patching is another symptom of "what else would Microsoft claim?".

            But then again, what else would SJVN say??

            I'm more tolerant than many, but I don't see how anyone can give even the least marginal credibility to SJVN's opinions on anything Microsoft. He's a complete hack when it comes to writing anything about Windows. When he sticks strictly to Linux, he makes some nice articles, but he just grinds his credibility to an absolute PULP in most of his articles that have anything to do with MS.

            He has nobody to blame but himself for this. He should have eased up a long time ago.
          • Right on brother

            They don't get it that Loonix is a HOBBYIST OS. When business needs to get stuff done, they use Windows.
          • William Farrel isn't your brother.

            In real life you would be nothing more than a stepping stone, to his paycheck. I would be surprised if William Farrel would even spit on you.
          • cloggeddbottom, note the difference in names

            will Ferrell vs william Farrel.

            Note the difference in spelling.

            Now my name is closer to Mike Farrell of M*A*S*H fame, but he has 2 L's.

            If you want to try and be funny, don't look stupid doing it, OK?
            William Farrel
          • Of course

            That's why more than 90% of the supercomputers use Linux. That's why most smartphones use Linux. That's why most of servers use Linux.

            Of course. Windows dominates the desktop market, ergo Linux is a hobbyist OS.

            If I were to say, I'd say exactly the opposite: since Windows is only successful in desktops and nothing else, I'd say that Windows is the hobbyist OS on the neighborhood.
          • Many relevant market research

            Shows that GNU/Linux is only the third in the server market. Windows is clearly number one, with Unix still leading over GNU/Linux. Of course the server market isn't only comprised of supercomputers or web servers.
          • Most WEB servers use Linux, Denommus

            The majority of non-web-facing servers are Windows based, so it's successful in the server market, too. And didn't a report show that over 75% of servers sold last year were Windows based?

            Most smartphones use Android, not Linux, and because it was handed to them for free, with the promise of support. That doesn't make it better, it just makes it free, and "good enough" from most accounts I've read here.

            Oh, and "Ed_Hates_Loonix" is probably a new troll created by toddbottom7 so that he can be both Windows nut and Linux nut at the same time.

            William Farrel
          • increase in botnet attacks

            Hi :)
            So after decades of malware being limited to desktop machines we now see a rise in the number of Windows Servers and a corresponding rise in the increase of compromised servers.

            Android is one form of Gnu&Linux. Gnu&Linux is often free as well as being Free.
            Regards from
            Tom :)
          • unix-based is around 90%

            Hi :)
            Last I heard it was 90% of supercomputers using Unix-based systems, with an additional 9% using something similar and only around 1% using Windows.

            That 90% was added from 60% using Gnu&Linux, 20% using Bsd and 10% split between Unix itself and others that not many desktop users will have ever heard of. The point is that Bsd is possibly even better about security but is even less likely to be used on a desktop.

            Regards from
            Tom :)
          • ... for certain values of "get stuff done", that is.

            But if you want to run a top-tier stock exchange, crunch nuclear explosion simulations on a super computer, do serious CGI work for a Hollywood movie, run an Amazon or FaceBook or Twitter or Google -- you go to Linux for the heavy lifting.

            Now, if "get stuff done" just means "keep running legacy software that was hard-coded for Windows, with Windows-specific tools, Windows-specific formats, and which can't be ported without a total (expensive, possibly disruptive) re-write" -- well then, that does indeed call for Windows. :P
          • Fixed

            They don't get it that Loonix is a HOBBYIST OS. When business needs to get stuff infected, they use Windows.
      • He is one of only two people in the world

        who believed the "Get the facts" website.