Linked by Thom Holwerda on Fri 6th Jan 2006 22:56 UTC
Privacy, Security, Encryption Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
Thread beginning with comment 82648
do you know windows mr. cox?
by smashIt on Sat 7th Jan 2006 00:37 UTC
smashIt Member since:
2005-07-06

For example, Firefox is categorised as a Unix/Linux operating system flaw, but it runs just as well on a Windows platform. Apache and PHP also run just as well on both platforms. There are methodological flaws in the statistics,

well, the difference is that microsoft doesn't bundle windows with php or apache.
but red hat does. so every bug found in a package included with rhel is a bug in rhel.

You should look at the number of critical vulnerabilities. It's a better comparison to look at the critical vulnerabilities that affect customers due to the platform they use. There are fewer critical vulnerabilities, and they are fixed faster in Red Hat Linux

iirc there was such a comparison between rhel and win 2k3 about a year ago. the "problem" was that windows won...

Reply Score: 3

dylansmrjones Member since:
2005-10-02

Actually not.

Take a look at Secunia's website.
Windows loses big time.

Windows 2003 Server is shipped with IIS6 and many other services, and of course the big security risk known as 'Internet Explorer'.

The major problem with CERT's list is the fact that flaws are counted several times, i.e. they are duplicates. This is true for Windows as well as for *nixes and other OSes.

So the list is unusable for comparison for any platform in the list.

Reply Parent Score: 2

smashIt Member since:
2005-07-06

Take a look at Secunia's website.
Windows loses big time.


please tell me where i have to look.
when i compare win 2k3 Enterprise-edition with RHEL 4 windows "wins" with 75:138 over the period of 2003-2006

if you only look at 2005-2006 (RHEL 4 was released in march 05, so it still has an advantage of 3 months) windows "wins" 36:138

Reply Parent Score: 1

dotMatt Member since:
2005-07-29

"well, the difference is that microsoft doesn't bundle windows with php or apache. but red hat does. so every bug found in a package included with rhel is a bug in rhel."

RedHat makes Apache/PHP (along with many other packages) optionally available, not part of a base install. IE, Outlook Express, Media Player, are all installed by default on a Windows OS (Even on Windows SERVER!!!!! WHY THE HECK DO I WANT MEDIA PLAYER ON MY SERVER!?!?!?!), and there is no way to remove them. Even if RedHat *did* decide that Apache should be part of a base install, a quick rpm -e could remove it.

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL). Heck -- I'd even like to see a comparison of Apache & MySQL (etc) on Windows vs *nix, since they are cross platform!

Reply Parent Score: 1

gonzo Member since:
2005-11-10

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux

Why minimal? That is not REAL world.

This IS REAL world, 90% of the time Linux is on the top:

http://www.zone-h.org/

65 single IP
54 mass defacements

Linux (51.3%)
FreeBSD (16.0%)
Win 2000 (16.0%)
Win 2003 (10.9%)
SolarisSunOS (3.4%)
Win NT9x (1.7%)
Win XP (0.8%)
(0.0%)

REAL world pal, real world..

Reply Parent Score: 1

smashIt Member since:
2005-07-06

I would love to see a security comparison of a *minimal* windows install to a *minimal* linux (pick a distro) install (as I believe all servers should start in a minimal configuration). Then, compare similar Web Server configs, similar DB configs, etc, such that the *applications* on each platform are now being validly compared (Apache vs IIS, MSSQL vs MySQL).

i already wrote in my first post that such a study was made one year ago

http://www.osnews.com/story.php?news_id=9750

Reply Parent Score: 1

unoengborg Member since:
2005-07-06

well, the difference is that microsoft doesn't bundle windows with php or apache.
but red hat does. so every bug found in a package included with rhel is a bug in rhel.


True, but the only way to get a fair comparison would be to compare systems with equal functionality.

You could do that by excluding a lot of packages from Red Hat, or by adding packages like MS-Exchange, MS-SQL Server, MS-Office to the Windows install.

Or you could compare the number of bugs per program on Windows vs. Red Hat. To get an even better value, multiply by the average number of days a bug goes unpatched on each system.

Reply Parent Score: 2
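The thread makes three distinct methodological points: advisories get counted more than once for the same flaw, cross-platform packages get charged to one platform, and a raw count ignores both severity and how long a flaw stays unpatched. The script below is an added example written for this page, not code from any of the commenters, US-CERT, Secunia or Red Hat. It works over a small constructed set of advisory records (the advisory and CVE identifiers, package names, dates and severities are all placeholders) and shows how the same input yields very different numbers depending on which of these normalisations you apply: a naive per-advisory count, a count of distinct CVEs, critical-only, platform-specific-only, flaws per shipped package, and that rate multiplied by mean days of exposure, as suggested in the last comment.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory line as it might appear in a yearly list (constructed)."""
    advisory: str   # vendor advisory id (placeholder)
    cve: str        # CVE id (placeholder; not a real CVE)
    platform: str   # constructed platform label
    package: str    # package the advisory is charged to
    severity: str   # "critical", "important", "moderate" or "low"
    published: date # date the flaw became public
    patched: date   # date the vendor fix shipped


# Packages that ship on both platforms; counting them against one side only is
# the miscategorisation Red Hat objected to (constructed set for this example).
CROSS_PLATFORM = {"firefox", "httpd", "php"}

# Constructed sample data. RHSA-1 and RHSA-2 deliberately cover the same CVE
# (a re-issued advisory), which a naive per-advisory count reports twice.
SAMPLE = [
    Advisory("MS-A",   "CVE-0000-0001", "win2003", "iis",     "critical",  date(2005, 1, 10), date(2005, 2, 8)),
    Advisory("MS-B",   "CVE-0000-0002", "win2003", "ie",      "critical",  date(2005, 3, 1),  date(2005, 4, 12)),
    Advisory("MS-C",   "CVE-0000-0003", "win2003", "kernel",  "moderate",  date(2005, 5, 5),  date(2005, 6, 14)),
    Advisory("RHSA-1", "CVE-0000-0010", "rhel4",   "kernel",  "important", date(2005, 1, 15), date(2005, 1, 22)),
    Advisory("RHSA-2", "CVE-0000-0010", "rhel4",   "kernel",  "important", date(2005, 1, 15), date(2005, 2, 1)),
    Advisory("RHSA-3", "CVE-0000-0011", "rhel4",   "firefox", "critical",  date(2005, 2, 10), date(2005, 2, 14)),
    Advisory("RHSA-4", "CVE-0000-0012", "rhel4",   "httpd",   "moderate",  date(2005, 3, 3),  date(2005, 3, 10)),
    Advisory("RHSA-5", "CVE-0000-0013", "rhel4",   "php",     "moderate",  date(2005, 4, 4),  date(2005, 4, 25)),
    Advisory("RHSA-6", "CVE-0000-0014", "rhel4",   "openssh", "critical",  date(2005, 6, 1),  date(2005, 6, 9)),
]


def _for_platform(advisories, platform):
    return [a for a in advisories if a.platform == platform]


def naive_count(advisories, platform):
    """One hit per advisory line: the kind of count the thread calls misleading."""
    return len(_for_platform(advisories, platform))


def unique_flaws(advisories, platform):
    """Collapse advisories onto distinct CVEs. When a CVE appears more than once,
    keep the earliest publication and earliest patch date so a re-issued
    advisory neither adds a flaw nor lengthens the recorded exposure window."""
    flaws = {}
    for a in _for_platform(advisories, platform):
        seen = flaws.get(a.cve)
        if seen is None:
            flaws[a.cve] = a
        else:
            flaws[a.cve] = replace(seen,
                                   published=min(seen.published, a.published),
                                   patched=min(seen.patched, a.patched))
    return list(flaws.values())


def dedup_count(advisories, platform):
    return len(unique_flaws(advisories, platform))


def critical_count(advisories, platform):
    """Distinct CVEs rated critical: closer to what actually exposes customers."""
    return sum(1 for f in unique_flaws(advisories, platform) if f.severity == "critical")


def platform_specific_count(advisories, platform):
    """Distinct CVEs in packages that exist only on this platform."""
    return sum(1 for f in unique_flaws(advisories, platform)
               if f.package not in CROSS_PLATFORM)


def flaws_per_package(advisories, platform):
    """Distinct CVEs divided by the number of distinct packages they hit."""
    flaws = unique_flaws(advisories, platform)
    packages = {f.package for f in flaws}
    return len(flaws) / len(packages) if packages else 0.0


def mean_days_unpatched(advisories, platform):
    """Average calendar days between disclosure and vendor fix, per distinct CVE."""
    flaws = unique_flaws(advisories, platform)
    if not flaws:
        return 0.0
    return sum((f.patched - f.published).days for f in flaws) / len(flaws)


def exposure_score(advisories, platform):
    """Flaw rate weighted by how long flaws stayed open (the last comment's metric)."""
    return flaws_per_package(advisories, platform) * mean_days_unpatched(advisories, platform)


def scorecard(advisories, platform):
    """All of the above for one platform, so the metrics can be read side by side."""
    return {
        "advisories": naive_count(advisories, platform),
        "distinct_cves": dedup_count(advisories, platform),
        "critical": critical_count(advisories, platform),
        "platform_specific": platform_specific_count(advisories, platform),
        "flaws_per_package": flaws_per_package(advisories, platform),
        "mean_days_unpatched": mean_days_unpatched(advisories, platform),
        "exposure_score": exposure_score(advisories, platform),
    }


if __name__ == "__main__":
    for plat in ("win2003", "rhel4"):
        print(plat, scorecard(SAMPLE, plat))
```

On this constructed data the naive count says 3 against 6, deduplication brings it to 3 against 5, critical-only and platform-specific views narrow the gap further, and the exposure-weighted score reverses the ordering entirely because the constructed Red Hat fixes ship faster. The point is not the numbers, which are made up, but that each normalisation is a choice a report has to state before a headline count means anything.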