Linux, Windows, and security FUD

It's 2013. but the Linux FUD just keeps coming. In the most recent example, security firm Trustwave claimed that Linux kernel vulnerabilities went unpatched more than twice as long as it took to fix unpatched flaws in Windows. This assertion would be a lot more believable if it wasn't coming from a Microsoft partner.

What no one seems to have bothered to do when they reported that Linux was far more lax about taking care of so-called zero-day flaws was to see where Trustwave was coming from. Had they bothered with even a simple Google search they would have found that the company had partnered with Microsoft to bring their application firewall to Internet Information Server (IIS). In particular, Trustwave made a point of boasting how they'd collaborated with the Microsoft Security Response Center (MSRC).

A little more research would also have revealed that Trustwave has a rather untrustworthy reputation. Last year, Trustwave, which is also a Secure Socket Layer (SSL) certificate authority, admitted to selling a subordinate root certificate to an organization to allow it to eavesdrop on encrypted employee traffic.

Trustwave backed away from this policy after they were caught. Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, suggested that since "Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic." and that since "With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate)." In the event, Trustwave dodged this penalty.

Moving from the general to the specific, if you take a closer look at Trustwave's claims you'll find that they're  based on two (2) 2012 examples from Linux and Windows. Trustwave also admits that the number of critical vulnerabilities -- as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability -- identified in the Linux kernel were lower than in Windows last year, with 9 in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities were also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft.

So, let me understand this. Linux is less secure than Windows based on a total of four examples, while having slightly more than a quarter of its total security holes and its vulnerabilties are less serious than Windows!? Does this make any sense to you? It doesn't to me.

Given all this, you'll excuse me if I take suggestions that Trustwave has shown Linux to be far less secure than Windows with a mountain-sized grain of salt.

I find it far more telling that month after month, Microsoft keeps repairing critical problems across its entire software portfolio. Funny how that keeps happening even as Microsoft keeps claiming how much more secure its newer programs and operating systems are than the older versions.

In the meantime, Linux, which I freely admit isn't completely secure—no operating system on the planet ever will be—continues to be be trusted by the world's biggest Web sites, such as Google, Facebook, and Wikipedia and by such mission-critical sites as the New York Stock Exchange and the London Stock Exchange. Now, as it has been for decades, Linux remains more secure than Windows, and no FUD can refute this.

Related Stories:

• Linux trailed Windows in patching zero-days in 2012, report says
• iOS 6.1 bug lets anyone bypass iPhone lock screen
• Don't open that PDF: There's an Adobe Reader zero-day on the loose
• Microsoft fixes critical Windows, Office, IE security flaws
• Microsoft's DroidRage Twitter campaign goes painfully wrong