Whats Hot

Google

Sunday, January 22, 2006

Experts question Windows win in flaw tally

Critics have taken aim at a study published by the U.S. Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows last year.

The report, Cyber Security Bulletin 2005, was released last week. It claimed that out of 5,198 reported flaws, 812 were found in Microsoft's Windows operating system, 2,328 were found in open-source Unix/Linux systems. The rest were declared to be multiple operating-system vulnerabilities.

The report has attracted criticism from some in the open-source community. Linux vendor Red Hat said the vulnerabilities had been wrongly tagged, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.

"The study is confusing and misleading. When you look at the list, the vulnerabilities are miscategorized," Mark Cox, a consulting software engineer at Red Hat, said. "For example, Firefox is categorized as a Unix/Linux operating-system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics."

Secunia thought that the nature of the reported vulnerabilities also made it difficult to compare security on the platforms, as Linux/Unix researchers concentrate on vulnerabilities in local privilege separation, while Windows researchers look at possible remote vulnerabilities.

"Generally, many of the vulnerabilities in Linux/Unix based products are classified as local vulnerabilities, including privilege escalation, local denial of service and local exposure of sensitive data. These kind of vulnerabilities are not regarded as particularly critical, but Linux/Unix researchers tend to focus quite a lot on this category, probably because of Unix's long history of proper privilege separation. This has only recently become more relevant in Windows (NT, 2000, and XP), but many Windows researchers still focus more on remote issues," Secunia said.

In Newsforge, the Linux and open-source online publication, Joe Brockmeier and Joe Barr cast doubt on the vulnerability totals.

"The two figures are not representative of today's two major operating-system platforms. One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux," the article said.

Red Hat's Cox said Linux operating systems were more secure for businesses than Windows platforms, as fewer vulnerabilities were critical and patches were brought out more quickly.

"There is also the issue of timing," he said. "With Linux products, critical updates are available within a day. If you look at Red Hat Enterprise Linux 3, the average patch time is under a day. With the recent critical WMF (Windows Meta File) vulnerability, it took Microsoft seven days," he said

link

0 Comments:

Post a Comment

<< Home


 

Search Popdex: