Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1
January 6, 2006 4 Comments
Or do they? This is a fantastic example of numbers not meaning anything if you're just throwing something against the wall. Actually, these numbers are less than useless, they're just plain silly. The original stats are from the US-CERT site, but that fantastic headline came from this article. From the article: Tallies kept by the U.S. government's computer security group show that Linux and Unix operating systems faced nearly three times the number of vulnerabilities in 2005 than did Microsoft's often-maligned Windows.
In the US-CERT (United States Computer Emergency Readiness Team) year-end vulnerability summary, Linux/Unix accounted for a whopping 2,328 vulnerabilities, about 45 percent of the 5,198 total.
Now, before you get worried… let's dig into these numbers a bit. First, why are they lumping Linux, UNIX and OS X into a single group and then comparing it to a single vendor? Would you lump Lexus, BMW, Infiniti, Toyota, Honda, Porsche, Volkswagen, Saab and Volvo into a single group, compare them to Chevy and then say that Chevys are safer? I'd hope not.

It gets worse though. They not only include things that are in no way related to the OS (GNU GNATS Gen-Index Arbitrary Local File Disclosure/Overwrite, Yukihiro Matsumoto Ruby Infinite Loop Remote Denial of Service (Updated), and Yapig Cross-Site Scripting & HTTP POST Requests Validity are three good examples, but you'll need to take a look at the full list to get a real appreciation), they also count multiple reports from different *NIX vendors about the same issue as separate bugs. A bzip vulnerability is on there 10 times! The disturbing reality is that someone giving this a cursory glance might believe these asinine numbers. Never mind that they include Safari in the *NIX number, even though that can't possibly impact you if you run Linux. Complete junk.

Beyond the stupidity of the numbers though, there is a bigger issue. Security issues in Open Source actually get spotted and fixed on a regular basis. This is a *good* thing and it makes you much more secure in the end. The security-by-obscurity, closed-source nature of Windows means that a bug is only acknowledged and fixed when Microsoft decides to do it. Remember those PNG/JPEG issues from a couple of years ago? They are just getting fixed now in Windows, where the Open Source world addressed them in 2003. You decide which is more secure, but always look into the numbers you are given instead of just reading a headline that is meant to get readers. I look forward to the day when journalism like this just doesn't happen. Why do I think I'll be waiting a while?
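To make the counting problem concrete, here is an added example (mine, not code from the post and not US-CERT's methodology) that tallies a small advisory list three ways: every entry as the headline does, once per distinct (package, issue) so that five distributors reporting the same bzip2 bug count once, and once per distinct issue restricted to packages that ship as part of the base system. The advisory entries and the `OS_PACKAGES` set are constructed for the example and mimic the patterns described above; they are not real US-CERT records.

```python
"""Count vulnerability advisories three ways to show how a raw tally inflates.

Added example; the entries below are constructed, not real US-CERT data.
"""
from collections import Counter

# Constructed sample advisories: (reporter, package, issue, platform bucket).
# Modelled on the patterns the post describes: one bzip2 bug filed by five
# distributors, browser and web-app bugs filed under "Linux/Unix", and a
# Windows column with one reporter per bug.
SAMPLE = [
    ("Red Hat",   "bzip2",   "crafted archive denial of service", "Linux/Unix"),
    ("Debian",    "bzip2",   "crafted archive denial of service", "Linux/Unix"),
    ("SUSE",      "bzip2",   "crafted archive denial of service", "Linux/Unix"),
    ("Mandriva",  "bzip2",   "crafted archive denial of service", "Linux/Unix"),
    ("Gentoo",    "bzip2",   "crafted archive denial of service", "Linux/Unix"),
    ("Red Hat",   "kernel",  "local privilege escalation",        "Linux/Unix"),
    ("Debian",    "kernel",  "local privilege escalation",        "Linux/Unix"),
    ("Red Hat",   "kernel",  "memory disclosure to local users",  "Linux/Unix"),
    ("Apple",     "Safari",  "cross-site scripting",              "Linux/Unix"),
    ("Yapig",     "Yapig",   "cross-site scripting",              "Linux/Unix"),
    ("Ruby",      "ruby",    "infinite loop denial of service",   "Linux/Unix"),
    ("Microsoft", "Windows", "remote code execution",             "Windows"),
    ("Microsoft", "Windows", "local privilege escalation",        "Windows"),
]

# Assumption for this example: packages that ship as part of the base
# system. Everything else is third-party software that merely runs on the
# platform and says nothing about the OS itself.
OS_PACKAGES = {"kernel", "bzip2", "glibc", "openssh", "Windows"}


def raw_counts(advisories):
    """Count every advisory entry, the way the headline number does."""
    return Counter(platform for _, _, _, platform in advisories)


def distinct_issue_counts(advisories, os_only=False):
    """Count each (platform, package, issue) once, however many reporters
    filed it. With os_only=True, drop packages outside the base system."""
    seen = set()
    for _reporter, package, issue, platform in advisories:
        if os_only and package not in OS_PACKAGES:
            continue
        seen.add((platform, package, issue))
    return Counter(platform for platform, _, _ in seen)


def unix_to_windows_ratio(counts):
    """Ratio the headline is built on; guard against a zero Windows count."""
    windows = counts.get("Windows", 0)
    return counts.get("Linux/Unix", 0) / windows if windows else float("inf")


def report(advisories):
    """Return all three tallies side by side so the inflation is visible."""
    return {
        "raw": dict(raw_counts(advisories)),
        "distinct": dict(distinct_issue_counts(advisories)),
        "distinct_os_only": dict(distinct_issue_counts(advisories, os_only=True)),
    }


if __name__ == "__main__":
    for method, counts in report(SAMPLE).items():
        print(f"{method:17s} {counts}  ratio={unix_to_windows_ratio(counts):.1f}")
```

On the constructed sample the raw tally gives 11 Linux/Unix entries against 2 for Windows, deduplicating by issue brings it to 6 against 2, and restricting to base-system packages brings it to 3 against 2. The same data supports a 5.5:1 headline or a 1.5:1 one depending purely on what you choose to count, which is the point of the post.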
CERT, Linux, Open Source, Microsoft, Security, vulnerability
–jeremy
Sounds like you got the car comparison from the comments on the /. article; furthermore, such articles are released often and get the same response. One thing that interests me is that errors in programs that are not really the core OS (such as the imperfect example bzip) are reported to the distro at all, where it should be reported to the distro ONCE the tool has been fixed and the distro should then upgrade. I would be interested to know why this is not what really happens.
Another example of meaningless numbers. It goes to show that a simple count of vulnerabilities means nothing unless you can show how long it was a problem for.
I don't often read /. comments anymore (so I didn't get the analogy from there) but it makes a lot of sense, so I wouldn't be surprised to see many people use it. As for why that happens, I don't know. At least bzip comes with the distro – some of the things listed aren't even available directly from a Linux vendor.
–jeremy
The members at groklaw are working to refute this FUD – or at least they are discussing how best to approach the subject.
Cheers
Richard