Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1
January 6, 2006 4 Comments
Or do they? This is a fantastic example of numbers not meaning anything if you're just throwing something against the wall. Actually, these numbers are less than useless, they're just plain silly. The original stats are from the US-CERT site, but that fantastic headline came from this article. From the article: Tallies kept by the U.S. government's computer security group show that Linux and Unix operating systems faced nearly three times the number of vulnerabilities in 2005 than did Microsoft's often-maligned Windows.
In the US-CERT (United Stated Computer Emergency Readiness Team) year-end vulnerability summary, Linux/Unix accounted for a whopping 2,328 vulnerabilities, about 45 percent of the 5,198 total.
Now, before you get worried… let's dig into this numbers a bit. First, why are they lumping Linux, UNIX and OS X into a single group and then comparing it to a single vendor? Would you lump Lexus, BMW, Infinite, Toyota, Honda, Porsche, Volkswagen, Saab and Volvo into a single group, compare them to Chevy and then say that Chevy's are safer? I'd hope not. It gets worse though. They note only include things that are in no way related to the OS (GNU GNATS Gen-Index Arbitrary Local File Disclosure/Overwrite, Yukihiro Matsumoto Ruby Infinite Loop Remote Denial of Service (Updated), and Yapig Cross-Site Scripting & HTTP POST Requests Validity are three good examples, but you'll need to take a look at the full list to get a real appreciation) but they include multiple reports from different *NIX vendors about the same issue as different bugs. A bzip vulnerability is on there 10 times! The disturbing reality is, someone giving this a cursory glance might believe these asinine numbers. Never mind that they include safari in the *NIX number, even though that can't possibly impact you if you run Linux. Complete junk. Beyond the stupidity of the numbers though, there is a bigger issue. Security issues in Open Source actually get spotted and fixed on a regular basis. This is a *good* thing and it makes you much more secure in the end. The security by obscurity and closed source aspect of Windows means that a bug is only acknowledged and fixed when Microsoft decides to do it. Remember those png/jpeg issues from a couple years ago? They are just getting fixed now in Windows, where the Open Source world addressed them in 2003. You decide what is more security, but always look into the numbers you are given as opposed to just reading a headline that is meant to get readers. I look forward to the day when journalism like this just doesn't happen. Why do I think I'll be waiting a while?
CERT, Linux, Open Source, Microsoft, Security, vulnerability