Linked by Thom Holwerda on Fri 16th Mar 2007 17:02 UTC, submitted by Shawna McAlearney
Privacy, Security, Encryption "Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.
Thread beginning with comment 222105
Nothing to see here, move on...
by melkor on Sat 17th Mar 2007 01:21 UTC
melkor Member since:
2006-12-16

Why are we even paying attention to such silly 'vulnerability charts'? There are lies, damn lies and statistics. Need I say any more? OK, I will.

1. The chart counts fixed vulnerabilities. I think it is safe to assume that any code will have a certain percentage of bugs and vulnerabilities. That is just the nature of code. I think we can all agree to this basic statement, yes?

2. Said vulnerability charts ONLY cover fixed vulnerabilities.

We can deduce several points from point 2.

a. OSS has more bugs/vulnerabilities
b. OSS recognises and fixes more bugs/vulnerabilities

Point a. above can be disputed though. We do not know the *total* amount of known bugs/vulnerabilities, because Microsoft does NOT publicly admit them. In fact, Microsoft in the past has told bug/vulnerability researchers NOT to post their findings, at least until they've notified Microsoft and given them a suitable period of time to fix the issues. This causes:

c. unknown bugs/vulnerabilities that have not been publicised, but are known by the blackhats. You can bet your bottom dollar that the blackhats will be taking full advantage of said vulnerabilities between the time they were first found, and the time they are patched. The old adage, 'the early bird gets the worm' comes into mind here.

So, d. comes into play:

d. How quickly are bugs/vulnerabilities noticed and patched?

I think it is safe to assume that more people work on OSS than Microsoft software. More eyes, means more problems are noticed, which means more bugs/vulnerabilities are fixed. I think it is also safe to assume that the cycle of this process is quite fast. Previous Secunia reports back my assumptions here - OSS patches far quicker than Microsoft. The old adage 'why put off tomorrow, what you can do today' also comes to mind here.

That said person works for Microsoft also casts a shadow of doubt over the validity of his claims. Even if we allow for the fact that GNU/Linux is used on 2% of world desktop PCs, and Microsoft Windows variants on 96% of them (leaving 2% for Macs), if we work with ratios, you will find that the total number of 'owned' systems on GNU/Linux is far lower per capita than Microsoft Windows (the same applies to OS X I might add, it's lower as well).

Some will argue that this is because GNU/Linux and OS X have smaller numbers of users, so fewer blackhats concentrate on them. This is partially true, but not holistically accurate imho. The UNIX system of doing things has been around for a long time now, and has always been used for mission critical applications. This is purely because of security and reliability (and scalability for that matter). Take into account that few GNU/Linux systems run antivirus software...imagine running ANY Microsoft Windows variant without antivirus software, how long would it realistically last on an open network?

I'm not saying UNIX or GNU/Linux are totally safe, they're not. Read point 1 again. All code has bugs. Period. Security by obscurity is never a good design imho - you're relying on the fact that you're leaving a security vulnerability open, and that a blackhat hasn't discovered it yet (and started abusing it). Better to acknowledge the vulnerability publicly, have it known, and have 10,000 eyes looking at it and fixing it in a few hours, than leaving it 'hidden' in the hope that it won't be abused.

Another important factor, one that I think is just as important, if not more important than the code issues myself, is the PEBKAC issue. UNIX and GNU/Linux users are more PC competent, and therefore more cautious, less prone to make errors that endanger their systems. Most of this is because Microsoft Windows has, over a period of time, been dumbed down to cater for the average 'idiot user', of which there are many. This dumbing down makes the system easier to use, but at the expense of security and reliability imho. You can have one, or the other, not both.

Dave

Reply Score: 2
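The disagreement above is really about which metric a scorecard reports: the news blurb notes that the published numbers count only fixed vulnerabilities, and point d asks how quickly issues get patched. The script below is an added worked example, not part of the original thread and not the scorecard author's methodology; it computes both kinds of figure from the same records so the difference is visible. All product names, vulnerability ids and dates are constructed for illustration, and the exposure model (days from public disclosure until a fix ships, or until the reporting date for still-open issues) is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class VulnRecord:
    """One publicly disclosed vulnerability for one product."""
    product: str
    vuln_id: str           # hypothetical id, not a real advisory number
    disclosed: date        # date the issue became public
    fixed: Optional[date]  # None while no fix has shipped


# Constructed sample data: ProductA has *more* fixed issues than ProductB,
# which is exactly what a fixed-count scorecard would penalise it for.
AS_OF = date(2007, 3, 16)  # reporting date for the scorecard
SAMPLE = [
    VulnRecord("ProductA", "A-1", date(2007, 1, 3), date(2007, 1, 5)),
    VulnRecord("ProductA", "A-2", date(2007, 1, 10), date(2007, 1, 14)),
    VulnRecord("ProductA", "A-3", date(2007, 2, 1), date(2007, 2, 4)),
    VulnRecord("ProductA", "A-4", date(2007, 2, 20), date(2007, 2, 21)),
    VulnRecord("ProductA", "A-5", date(2007, 3, 10), None),
    VulnRecord("ProductB", "B-1", date(2007, 1, 2), date(2007, 2, 13)),
    VulnRecord("ProductB", "B-2", date(2007, 1, 20), date(2007, 3, 13)),
    VulnRecord("ProductB", "B-3", date(2006, 12, 20), None),
    VulnRecord("ProductB", "B-4", date(2007, 2, 15), None),
]


def days_exposed(rec: VulnRecord, as_of: date) -> int:
    """Days the public had a known, unpatched issue: disclosure to fix,
    or disclosure to the reporting date if still unpatched."""
    end = rec.fixed if rec.fixed is not None else as_of
    return (end - rec.disclosed).days


def scorecard(records, as_of: date) -> dict:
    """Per product: the fixed count a 'fixed vulnerabilities' chart reports,
    plus the open count, median days-to-fix and total days of exposure that
    such a chart leaves out."""
    card: dict = {}
    for rec in records:
        entry = card.setdefault(rec.product, {
            "fixed": 0, "open": 0, "fix_times": [], "days_of_exposure": 0,
        })
        if rec.fixed is not None:
            entry["fixed"] += 1
            entry["fix_times"].append(days_exposed(rec, as_of))
        else:
            entry["open"] += 1
        entry["days_of_exposure"] += days_exposed(rec, as_of)
    for entry in card.values():
        times = entry.pop("fix_times")
        # A product with nothing fixed yet has no time-to-fix figure at all.
        entry["median_days_to_fix"] = median(times) if times else None
    return card


def ranking(card: dict, metric: str):
    """Products ordered best-to-worst on one metric (lower is better).
    Shows how the 'winner' changes with the metric chosen."""
    return sorted(card, key=lambda p: card[p][metric])


if __name__ == "__main__":
    card = scorecard(SAMPLE, AS_OF)
    for product, entry in card.items():
        print(product, entry)
    print("by fixed count:      ", ranking(card, "fixed"))
    print("by days of exposure: ", ranking(card, "days_of_exposure"))
```

On the constructed data ProductA is ranked worse by fixed count (4 against 2) but far better by exposure (16 days against 209), because ProductB's issues stay open for weeks and two of them are still unpatched on the reporting date. Whichever metric a real scorecard adopts, it should state how unfixed issues and the disclosure-to-fix interval are treated, since those two choices decide the ranking.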

PlatformAgnostic Member since:
2006-01-02

I think you have to look pretty hard to find remotely exploitable security vulnerabilities in WinXP SP2 or in Vista (I'd be happy if you could point one out to me). Running AV is not strictly necessary on the open internet, and the major form of exploit these days is in fact PEBCAK.

I think platform security these days is given more attention than it deserves. I'm confident that finding holes and insecurities in websites with custom PHP, ASP.NET, or any other dynamic content generation will yield far more fruit. Stop trying to pick on Windows, and try to go after live.com, you'll get more change from that. (Not to mention 'live' anagrams with 'evil').

Reply Parent Score: 2