In last Friday's article "Experts question Windows win in flaw tally", scores of security experts came out to defend Linux and Unix. A spokesperson for Secunia questioned the count, claiming that Linux/Unix vulnerabilities were less severe because a smaller percentage of Linux and Unix vulnerabilities were remotely exploitable. Red Hat's Cox said that "Linux operating systems were more secure for businesses than Windows platforms, as fewer vulnerabilities were critical and patches were brought out more quickly". Since these claims are easily verifiable using Secunia's own advisory database, let's have a look.
If we take a quick look at Secunia's own database of security advisories for Windows 2003 Server Standard Edition, we see from the "Where" pie-chart that Windows vulnerabilities were remotely exploitable 61% of the time. We also see from the "Criticality" pie-chart that Windows vulnerabilities were highly or extremely critical 39% of the time. Now if we look at Red Hat Enterprise Linux ES 4, which competes with Windows 2003 Server Standard Edition, we see from the "Where" pie-chart that Red Hat Linux vulnerabilities were remotely exploitable 83% of the time. From the "Criticality" pie-chart, we see that 26% of Red Hat vulnerabilities were highly or extremely critical.
This data, from none other than Secunia, clearly contradicts Secunia's claim that Windows was more often remotely exploitable: Windows is at 61% and Red Hat Linux at 83% remotely exploitable. Red Hat's claim that Linux vulnerabilities were usually less critical might have some merit if we look only at the percentages (39% critical for Windows versus 26% critical for Linux), but it's laughable once we look at the sheer number of Red Hat Linux vulnerabilities versus Windows. There were 138 security advisories for Red Hat Enterprise Linux ES 4 in just 10 months, of which 35 were highly or extremely critical. Windows 2003 Server Standard Edition had only 76 advisories in the last 3 years, of which 30 were highly or extremely critical. This means Windows Server had fewer critical vulnerabilities in 3 years than Red Hat Linux ES 4 had in 10 months! The fact that Red Hat had a smaller percentage of critical vulnerabilities is nothing to be proud of.
There will always be those who say that Red Hat isn't representative of Linux because they can roll their own Linux. The fact of the matter is: Red Hat is the market leader in corporate Linux distributions, and the chances of a corporate IT department rolling its own flavor of Linux are about as high as a smoker rolling their own cigarettes. I've always said that the OS doesn't matter when it comes to security because it really depends on the skills of the administrator to lock down their own platform, but it's time for these Linux advocates to deal with the fact that they themselves don't have the cleanest record in town.