LinuxMuse.com

Linux sure has a lot of security holes!!!
By: Greg on 2002-06-27 20:32:28
Section 2 - Comparing apples to elephants


I also commonly see people use Security Focus's statistics list as a comparison of OS security. This started when some "journalist" whose name escapes me used this list to claim Windows was more secure than Linux. It then became a FUDmeister's favorite. It was used incorrectly so often that Security Focus put up a warning describing why doing so was totally inaccurate.

Below are their two key points, quoted directly:

  • There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
  • This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.

Basically, these numbers are comparing apples to elephants. A Linux distro comes with TONS of software, where Windows comes with very little. The default server install of Linux would have considerably fewer security holes when compared to Windows.

Comparing apples to apples would mean comparing Apache to IIS, for example. A check of ALL the security flaws found in the Apache 1.3.x series (released in June 1998 and still used today, including on this webserver) shows sixteen flaws. Of those sixteen, only 2 involve running arbitrary code and thereby expose the possibility of cracking the box itself; the rest are DoS attacks and less serious flaws. So that's four bugs a year, 0.5 a year being major. I found the list of Apache's security flaws at Apache Week.

Finding a list of all the security flaws in IIS is somewhat more difficult. After manually sifting through CVE to eliminate duplicates and flaws in applications other than IIS, I found eighteen vulnerabilities which could allow taking over the box, and the best estimate I could get was over fifty minor security bugs in the same span of time. Here's the kicker: this was only for IIS 5.0. So in about three years, IIS 5.0 sees 6 major vulnerabilities a year to Apache's 0.5. And I won't even get into how long it takes Microsoft to release a fix for flaws.
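The two Security Focus caveats above and the per-component tally in this section describe the same counting problem: a raw per-OS count charges bundled applications to one OS and not the other, and a fair comparison instead deduplicates the feed, picks one component on each side, separates code-execution flaws from the rest, and divides by the years the component has been shipping. The script below is an added example (not code from this article or from Security Focus) that does exactly that over a small constructed advisory feed. The advisory ids, product names and platform labels are all invented placeholders, and the year spans are passed in by hand the way the article does; the numbers it produces are for the sample data, not the Apache and IIS figures quoted above.

```python
"""Apples-to-apples vulnerability counting over a constructed advisory feed.

Every record below is constructed for this example. The ids are placeholders,
not real CVE or Bugtraq numbers, and the product names are invented.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

MAJOR = "code-exec"  # flaws that let an attacker run code are the "major" class here


@dataclass(frozen=True)
class Advisory:
    ident: str                 # placeholder advisory id (constructed)
    product: str               # the component the flaw is actually in
    platform: str              # "linux" or "windows"
    is_core: bool              # True for the OS itself, False for an application
    charged_to: Optional[str]  # OS the raw feed files it under, or None if filed under the app only
    severity: str              # "code-exec", "dos" or "info"


SAMPLE_FEED: List[Advisory] = [
    # Linux side: two kernel flaws plus a bundled web server whose flaws the feed files under the OS
    Advisory("ADV-0001", "kernel", "linux", True, "linux", "code-exec"),
    Advisory("ADV-0002", "kernel", "linux", True, "linux", "dos"),
    Advisory("ADV-0003", "webserver-A", "linux", False, "linux", "code-exec"),
    Advisory("ADV-0004", "webserver-A", "linux", False, "linux", "dos"),
    Advisory("ADV-0005", "webserver-A", "linux", False, "linux", "info"),
    Advisory("ADV-0005", "webserver-A", "linux", False, "linux", "info"),  # duplicate feed entry
    Advisory("ADV-0006", "webserver-A", "linux", False, "linux", "dos"),
    # Windows side: three core flaws plus a separately packaged web server the feed does not file under the OS
    Advisory("ADV-0007", "win-core", "windows", True, "windows", "code-exec"),
    Advisory("ADV-0008", "win-core", "windows", True, "windows", "code-exec"),
    Advisory("ADV-0009", "win-core", "windows", True, "windows", "dos"),
    Advisory("ADV-0010", "webserver-B", "windows", False, None, "code-exec"),
    Advisory("ADV-0011", "webserver-B", "windows", False, None, "code-exec"),
    Advisory("ADV-0012", "webserver-B", "windows", False, None, "info"),
]


def dedupe(records: List[Advisory]) -> List[Advisory]:
    """Keep the first record per id; advisory feeds commonly list the same flaw twice."""
    seen, out = set(), []
    for r in records:
        if r.ident not in seen:
            seen.add(r.ident)
            out.append(r)
    return out


def raw_os_count(records: List[Advisory]) -> Dict[str, int]:
    """The naive tally: everything the feed happens to file under an OS name."""
    return dict(Counter(r.charged_to for r in dedupe(records) if r.charged_to))


def core_os_count(records: List[Advisory]) -> Dict[str, int]:
    """Same tally restricted to the OS itself, so bundled applications no longer inflate one side."""
    return dict(Counter(r.platform for r in dedupe(records) if r.is_core))


def component_rate(records: List[Advisory], product: str, span_years: float,
                   major_only: bool = False) -> float:
    """Flaws per year for one component, optionally counting only code-execution flaws."""
    hits = [r for r in dedupe(records)
            if r.product == product and (not major_only or r.severity == MAJOR)]
    return round(len(hits) / span_years, 2)


if __name__ == "__main__":
    print("raw per-OS count:     ", raw_os_count(SAMPLE_FEED))
    print("OS core only:         ", core_os_count(SAMPLE_FEED))
    for product, years in (("webserver-A", 4.0), ("webserver-B", 2.0)):
        print(f"{product}: {component_rate(SAMPLE_FEED, product, years)} flaws/yr, "
              f"{component_rate(SAMPLE_FEED, product, years, major_only=True)} major/yr")
```

On the sample feed the raw tally reads 6 to 3 against Linux, purely because the feed files the bundled web server's flaws under the OS while the Windows web server is listed on its own; restricting to OS cores flips it to 2 to 3, and comparing the two web servers as components with their own shipping spans gives the figure that actually means something.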


All other content Copyright (C) 2002 Linux Muse. Powered by MagaMuse v0.3.5, (C) 2002 Greg Lincoln.