Linked by Thom Holwerda on Mon 19th Mar 2007 00:29 UTC, submitted by vicious1
Privacy, Security, Encryption "In response to Jeff Jones' Monthly Security Scorecard I did some research on Secunia and made some statistics to answer his. Jeff's Scorecard is quite minimal in my opinion and as pointed out by some of the comments, is missing some interesting facts. These facts include the outstanding advisories, for example, and of course the amount of software installed. Since Linux installs a lot more software the numbers are a bit skewed; however, even if I only take the numbers from Secunia with regard to advisories, vulnerabilities fixed, etc., things still look quite different than on Jeff's charts."
Thread beginning with comment 222465
MollyC Member since:
2006-07-04

"In theory, Windows is only attacked more, and only successfully attacked more, because of its dominant market share.

But that theory doesn't hold true to Real Life when you take into account market share of Apache VS. IIS"


---------------

I'm not sure what point you were trying to make, but IIS6 has a much better security record than does Apache 2.x. Hell, IIS6's record is nearly perfect.

IIS6 security record since it was released in 2003:
http://secunia.com/product/1438/?task=statistics
Three vulnerabilities, none rated as "Highly" or "Extremely" critical, and all patched.

Contrast that with Apache 2.x's record since 2003:
http://secunia.com/product/73/?task=statistics
31 advisories, 3% "highly critical", 10% unpatched and 3% "partially" patched.

Edited 2007-03-19 02:47

Score: 5

chrono13 Member since:
2006-10-25

"I'm not sure what point you were trying to make"

Actually I was referring to the years of that not being the case.

My point was motive. That there is a very large motive to be able to exploit large Linux and BSD systems.

And Linux gets hacked all the time. Just less than Windows:
http://www.zone-h.org/component/option,com_attacks/Itemid,44/

Yes, I know that these are website hacks, and I know what we are talking about is much more than that.

But there is more to security than exploitable code.
Secure by Default and Secure by Design are as important, if not more important than secure code:
http://en.wikipedia.org/wiki/Secure_by_design
http://en.wikipedia.org/wiki/Secure_by_default

As an example, Windows XP Home sets up two (three if you count System) administrative users, by default, with no way to apply a password to them. Then, after you apply a password to your account, it still hides Administrator from you "to protect you" (from forgetting its password), so that almost every XP Home system *at least* has one Administrator account (aptly named so you don't have to guess) without a password.

This level of insecure defaults and design permeates through Microsoft software.

I set up XP Pro, fully patched (pre IE7), with the MS Shared Computer Toolkit, and locked it down with its highest security settings, leaving only IE accessible for Internet access. I typed "Desktop" into IE and could then create shortcuts to... anything I wanted.

Linux is far from perfect, far from secure especially in code, but it sure as hell does a better job of secure design and secure defaults.

Microsoft is doing better. Much better with Vista, IE7 and IIS6. But there is so much left open, and they still fall short in many areas (UAC for example).

Just an opinion of mine : )

Edited 2007-03-19 03:12

Score: 5
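The "Administrator account without a password" default that chrono13 describes is something you can audit rather than take on faith. The script below is an added example, not code from the thread or from Microsoft: it walks the local Administrators group and flags members that are enabled and have "Password required" set to No, using the output of `net user` and `net localgroup`, which exist on XP through current Windows. It assumes English field labels ("Account active", "Password required"), which are localized on non-English Windows, and an elevated PowerShell prompt (PowerShell 2.0 or later).

```powershell
# Added example (not from the OSnews thread): list local Administrators
# members that are enabled but do not require a password.
# Assumes English-language `net user` output and an elevated prompt.

function Get-LocalAdminMembers {
    # `net localgroup Administrators` prints the member names between a
    # dashed separator line and "The command completed successfully."
    $lines = net localgroup Administrators 2>$null
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Get-NetUserField {
    param([string[]]$Output, [string]$Label)
    # `net user <name>` prints "Label<spaces>Value" rows; return one value.
    foreach ($line in $Output) {
        if ($line -match ('^' + [regex]::Escape($Label) + '\s{2,}(.+?)\s*$')) {
            return $Matches[1]
        }
    }
    return $null
}

function Find-PasswordlessAdmins {
    $findings = @()
    foreach ($member in Get-LocalAdminMembers) {
        # DOMAIN\name entries are domain principals; `net user` only knows local accounts.
        if ($member -match '\\') { continue }
        $info = net user $member 2>$null
        if (-not $info) { continue }
        $active = Get-NetUserField -Output $info -Label 'Account active'
        $pwReq  = Get-NetUserField -Output $info -Label 'Password required'
        $findings += New-Object PSObject -Property @{
            Account          = $member
            Enabled          = ($active -eq 'Yes')
            PasswordRequired = ($pwReq -eq 'Yes')
            # Risky: a live admin account that the policy allows to have no password.
            Risky            = ($active -eq 'Yes' -and $pwReq -eq 'No')
        }
    }
    $findings
}

Find-PasswordlessAdmins | Format-Table Account, Enabled, PasswordRequired, Risky -AutoSize
```

One caveat when reading the output: "Password required: No" means the account is permitted to have a blank password, not that its password is currently blank, so a Risky hit is a policy finding to follow up on (set a password, or disable the account) rather than proof of an empty credential. On XP the built-in Administrator shows "Account active: Yes" even though the welcome screen hides it, which is exactly the case the post is about.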

CrazyDude0 Member since:
2005-07-10

chrono13 - If you are not biased then who else is? You are now just changing your tone because it is proved that Apache has a worse security record compared to IIS6.

Now you are trying to turn the topic around and then leave your opinion with no example. Where is Microsoft falling short?

You think UAC is bad, then what about Ubuntu? They prompt for the logged-in user's password. Why can't a rogue software show me the same prompt and steal my password? IMHO UAC is better than the password prompting approach of Ubuntu.

Score: 3

kaiwai Member since:
2005-07-06

Yes, there has been a major improvement in Windows/IIS 6.0; but that is due to pressure being put onto Microsoft by competition rather than a genuine desire by Microsoft to do the right thing and secure their software.

But don't be surprised to see Microsoft going back to its sloppy habits with the launch of Windows 2007 Server. To secure a system, it must be designed from the ground up to be secure; there is no such thing as a 'bug free' operating system, but if you design it properly the first time, patching and controlling the damage caused by a security issue is made a lot easier.

Microsoft knows exactly what the problems are with Windows, but it would require them to throw out the whole system and start again; yes, there are some good technologies which Microsoft has, but at the same time, a lot of it is motivated by a desire to 'control' rather than simply to deliver the best product to the customer.

It's been seen over and over again; ODF vs OOXML, and no attempt by Microsoft to sit down with the ODF community and voice their concerns - backwards compatibility? Bull crap, I can open up a Word document and save it as ODF in OpenOffice.org - does ODF need 'Word backwards compatibility' in the ODF specification? Of course not, it's a ruse by Microsoft to justify re-inventing the wheel.

Passport, another example; "give us all your customer data, and we'll sell it back to you" - another attempt to jam a 'solution' down the throats of customers, and the customers turning around and saying no.

How about Microsoft work on improving their products rather than reinventing the wheel for political purposes which yield no benefits to customers either short or long term.

Score: 5

lemur2 Member since:
2007-02-17

{ It's been seen over and over again; ODF vs OOXML, and no attempt by Microsoft to sit down with the ODF community and voice their concerns - backwards compatibility? Bull crap, I can open up a Word document and save it as ODF in OpenOffice.org - does ODF need 'Word backwards compatibility' in the ODF specification? Of course not, it's a ruse by Microsoft to justify re-inventing the wheel. }

In respect of ODF vs OOXML, Microsoft do not need to justify "re-inventing the wheel" so much as they need to justify "utter avoidance of using open standards".

Wherever there is an existing perfectly adequate open standard, Microsoft avoid it like the plague, lest it become commonly used.

ODF is but one example. Web standards are another, Microsoft Java is another, SVG is another, as is ogg vorbis.

The list is endless. If it is an open standard which any software vendor may use and implement ... Microsoft will do their utmost to see that Windows systems don't support it, so that the standard will hopefully die, and everyone will be forced to use Microsoft's proprietary alternative, which in turn requires that one runs a Windows platform.

Score: 4

Xaero_Vincent Member since:
2006-08-18

Yeah, it's actually 33 advisories with three unpatched (9%). That's pretty good considering Apache is open-source--people can inspect the code--and has 20% more market share than IIS6. In 2003-4 Apache had about 30-35% more.

Score: 2