Linux vendors hit back at analyst report

Linux vendors are unhappy with a Forrester report that compares the security of the open-source operating system and Windows but others say they are all missing the real issue

Linux vendors Debian, Red Hat, SuSE and Mandrakesoft have attacked a recent Forrester report that compared Microsoft's security with that of Linux.

In March, research group Forrester published a report entitled Is Linux more secure than Windows? The report examined the speed at which vendors published patches to vulnerabilities in their software and how easy the patches were to deploy. It concluded that although there is a perception that Linux is more secure than Windows, both operating systems can be deployed in an equally secure fashion.

But Linux vendors are unhappy with the results. They have questioned the accuracy of the report's conclusions and claimed it has little "real world value" because it does not help customers assess the "practical issues of how quickly serious issues get fixed".

According to Forrester's report, which collected data with the cooperation of all the vendors, the time from a vulnerability being publicly announced to a patch being deployed was an average of 25 days for Windows. The best performing Linux vendors -- Red Hat and Debian -- averaged 57 days, while SuSE averages 74 days and MandrakeSoft came in last at 82 days.

In a combined statement, the Linux vendors said that because the report simply averages the number of days between the discovery of a vulnerability and a fix being deployed, it provides an "inconclusive picture of the reality that users experience". "The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users," the statement said.

But security companies and uses say both Forrester's report and the war of words are misdirected because most security problems are caused by lazy administrators and users that do not apply patches that have already been released.

An IT director at a London-based media company, who asked to remain anonymous, said: "This is all about time to patch, rather than what usually gets machines hacked, which is ignorant people. Arguing about whether one company deployed a patch a few days earlier than another makes no difference if the patch is not deployed for six months," he said.

Ben Nagy, senior security engineer at security researchers eEye, agreed: "What causes our problems is when people don't patch known problems for six months and then they are surprised when they get the latest worm," he said.

But, said Nagy, when it comes to unknown threats, Linux is generally easier to secure than Windows because it can be set to deny system privileges to an application, which is "more challenging" with Windows, even for very experienced users: "You can deploy a Linux box that only has one stripped-down service -- such as a Web server -- that is running in a chrooted environment. This means taking away all the root or system privileges from that application, which you can't do completely with IIS. But this is something Microsoft is starting to do," he said.