Lies, damned lies and US-CERT statistics

Richard

Active Member
Messages
2,028
Reaction score
0
Points
36
From Tectoinc Magazine:

Tectonic said:
The United States Computer Emergency Readiness Team's (US-CERT) annual summary of vulnerabilities discovered in computer software in 2005 unveiled that Windows appeared to be safer than Linux and Unix, with only 812 vulnerabilities reported in the Microsoft world, compared to 2 328 for Linux and Unix. The IT trade rags had a field day. However even a cursory glance at the list reveals two facts: the first is that Windows is still significantly more insecure than open source and closed source alternatives; and that much of the trade press are idiots (present company excluded, of course).

With the help of open source software OpenOffice.org (which had one vulnerability compared to Microsoft Office's four), we've managed to get some real statistics from the US-CERT list. The first trick is to discount all of the “Updates” - this is where US-CERT simply updates the status of an existing vulnerability. If a new patch comes out, or some new malicious code takes advantage of the vulnerability, it is marked as an update. Excluding the updates immediately drops the Linux/Unix vulnerability count to 887, and Microsoft's count to 672.

The next step is to compare product with product. The list is pretty general – for both Microsoft and Linux/Unix include both applications and the operating systems themselves. Furthermore, comparing Microsoft to every other vendor in the history of operating systems seems just a touch insane. So let's compare operating systems with operating systems, shall we?

All of Microsoft's discovered security exploits for Windows only amount to a pretty reasonable 44. Microsoft products in total (including MS Office, Internet Explorer, ASP.NET and the like) comes to 122.

Now for Linux. The Linux kernel itself had 90 vulnerabilities, 80 of which affected “multiple vendors”. It's still more than Windows (I'll get to that in a minute), but it's one heck of a lot less than 2 328.

Individual Unix distributions faired very well: Apple Mac OS X clocked in at 21 vulnerabilities, tied with IBM's AIX. HP-UX had only 15 vulnerabilities. SCO had only nine.

For the top Linux distributions, things look peachy. Red Hat had seven vulnerabilities; Suse 12; Debian 10; and Gentoo a mere five.

Non-Linux open souce distribution FreeBSD clocked in with 13, while ultra-secure NetBSD maintained its reputation with two vulnerabilities reported.

Now on to why Linux' kernel still managed to rack up double the vulnerabilities of Microsoft Windows. There are a heck of a lot of Linux kernels out there. Last week saw the release of 2.6.15. Some of the vulnerabilities affect multiple kernels, some only a handful, and some vulnerabilities are present only in a single version of the kernel. Further, kernels in testing are included in the US-CERT reports, since each kernel version can be downloaded by brave kernel developers from day one -- the same guys who find the vulnerabilities and publish them. One has to wonder how many vulnerabilities would be found in Microsoft products still in alpha.

Then there's the very real difference between open source and closed source. With open source code, vulnerabilities are pretty easy to find. You just have a look at the source, find some buffer overflow, and you clock up a vulnerability report. This function is typically performed by kernel developers, who know the kernel inside and out.

For Microsoft products, third party security companies use a hit-and-miss approach, where they nail one portion of one product with every cracking tool in their arsenal, and try and spot any potential threats. This means that for every vulnerability discovered, there are multiple potentials lurking under the surface, unseen except to Microsoft coders with access to the code (and they're not about to admit that they left a gaping hole in Redmond's operating system).

The bottom line is that the US-CERT list, while complete in itself, does not alone represent a mark of a secure or insecure operating system. While the likes of The Register, Techworld and others who really should know better proclaimed that Windows is the most secure operating system according to US-CERT, even a dyslexic monkey could figure out that in fact Windows had 22 times more discovered vulnerabilities than NetBSD last year, and that there really is nothing in the world quite as misleading as IT statistics.

You can find the story at http://www.tectonic.co.za/viewr.php?id=777
 

bigguy

Retired
Messages
10,984
Reaction score
10
Points
38
I read this awhile ago and find it very hard to believe Windows walked out being better than open source.
 

simmi

New Member
Messages
18
Reaction score
0
Points
0
This is exactly why im learning linux right now im gonna install Slackware today or on the weekend.
 
Top