According to a report published November 12 by Aberdeen Group, “Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories – about one of every two advisories – published for the first 10 months of 2002 by Cert.” Read the report at NewsForge.
http://www.extremetech.com/article2/0,3973,704119,00.asp
Meanwhile, my brother just installed XP for the 5th time. Twice it ate its own .dlls for no known reason and twice it fell to virus attacks.
... I am scared of all the Linux and Mac attack methods myself. Both of them.
Not that we will ever know how many there really are for Windows, 'cause if you tell about one, you get sued.
You can’t say that this article is FUD. It is written by the editor in chief of many OSDN sites, including Slashdot and NewsForge. It is his report on a real, existing report by the Aberdeen Group.
As for Windows XP “eating itself”, tell your brother to install an anti-virus app and not open suspicious email, and moreover, tell him to create accounts instead of running as administrator.
To each their own.
As Open Source gets more and more accepted.
2-3 years ago Windows accounted for nearly all the server and desktop installs out there, hence they gleaned virtually all the security issues.
As Linux and Open Source software become more accepted, it stands to reason that more bugs are going to be exposed. All software has the potential to be buggy and/or poorly written.
It’s just that now Open Source options are improving to the point wherein they’re garnering a larger market share. Hence there’s more people using them in more varied environments, and yes, bugs are likely to become apparent that wouldn’t have shown up were it still a few hundred users or so using the software. It’s just something that’s going to happen.
The key, though, is whether Open Source authors can respond to the bugs and patch them quicker than their Redmond counterparts.
Oh… And the other part of the key is whether the deployers of this software are more proactive in patching their systems than their MS counterparts (who largely are content to just let Windows Update push down the patches it sees fit to).
So far, at least from my point of view, it appears that Open Source authors not only patch quicker, but are much more open to the discussion of bugs than Microsoft is.
Which is good! If you were starting up a large business today, or even a small one, would you prefer software you know will be patched frequently and consistently, and whose publishers are open about any problems that may pop up, or would you prefer going with Microsoft knowing that not only will they not tell you about security issues until they’ve bothered to roll out a patch, but that they also might not tell you about something that could be damaging your infrastructure “right now”?
How do they quantify the number of Linux/Open Source security vs. Windows? Let’s do the math:
1. Linux/Open Source has X number of KNOWN security issues/advisories since its source is open and can be viewed by anyone.
2. Windows has Y number of KNOWN security issues/advisories reported by non-Microsoft employees. What is the Z number of UNKNOWN security issues since Windows source code is closed and can not be reviewed for possible security risk?
So the comparison is nonsense.
My 3 cents’ worth.
Are they separating application vulnerabilities from the core OS? Example: IE (according to Microsoft) is part of the OS, so are they counting IE holes in with the OS? And with Linux, Apache is not part of the core OS; are they including holes from Apache with the entire OS?
I read a lot of comments on NewsForge regarding this issue and no one can say for sure how they are totalling vulnerabilities.
This isn’t biased one way or the other. They both work and both do a job, and if you think that anything is secure you’re nuts. And that goes for anything: computers, cars, houses, banks...
The way I explain this to other folks goes something like this.
These are known security holes.
Just like Mr. Xung noted, Windows has a number of security holes that nobody outside of Microsoft and the crackers knocking over the systems know about.
Why?
There is no one else looking at the code pointing out possible exploits.
Do you think the crackers out there are actually reporting all of the security problems with NT? They just OWNZ your butt and move on to the next challenge.
With Linux, developers that care about the problem, not exploiting it, report the issue immediately.
That is the difference.
I’d think this point would be rather moot considering that by the very nature of open source software, security issues are much more likely to be put out in the open (admitted to...) than they are for Windows. Doesn’t it sometimes take weeks (months) for Microsoft to release a patch to a security issue that they’ve known about for a while, but haven’t had the chance to fix? I’d imagine there are many other yet unpatched security issues that they’re holding out on.
OK, first of all no one said Linux was impenetrable.
Linux has security concerns but they are fixed quicker and faster due to Open Source not relying on security through obscurity.
MS has opened up so many other fronts in the War on Linux (passing around letters in Congress disadvantaging OSS, licensing ostracism, self-serving acts of Charity, and of course looming on the horizon the Death Star that is Palladium) that I am little surprised when they haul out the old Big Lie FUD Attack Warhorse.
Still, you have to hand it to Softy and their minions.
If you are going to lie, lie big.
Every system made by humans has bugs/errors/whatever...
This is normal.
The good thing about the open source environment is that if you see a problem somewhere (if you look into security lists and that kind of thing) you mostly would see a description of the error/problem/whatever and in the same posting you see a way to fix/patch/replace/whatever your component which has the error/bug/security issue/etc.
This is completely different than on the Microsoft platform. There you have to pray that Microsoft will produce a fix for your problem, and all this in a reasonable time and without paying big $$$ for the fix (normally you don’t pay for fixes at Microsoft, but they started to fix errors only in new releases of their software and this is almost the same as paying big $$$ for the fix [you need to buy the new version]).
Or try to submit an error to them. Do you really know where you have to send/address the error issue? I would say: “NO, you don’t know it!” And I am sure that you will tell me that you don’t need to submit this error to Microsoft, because many million people are using the same software as you and surely someone else has found this error and sent it to Microsoft. And besides that... you are sure that Microsoft knows about it. -> You are again WRONG!
And another thing is:
Finding errors in an open system is much easier than in a closed system. OSS is open and everyone can look at the code/logic and find bugs/errors/security problems/etc...
In Microsoft’s components, you have to work hard to find errors and if you find them you have to be very careful to publish them.
Anyway... errors are errors and they need to be fixed.
And I love every error/bug/security issue/etc we find in OSS, because it makes it better each day. In Windows I have the feeling that this is a never-ending story, and when I see another security issue with Windows I feel like this will never ever end.
… tell him to create accounts instead of running as administrator.
You can’t do that. Most apps out there aren’t multi-user aware. And last, games crap out when installing them using the Run As context menu command (i.e. RTCW)
The comparison of known/unknown bugs can just as easily apply to open source as well as closed source. Even if a project finds a few bugs in their open source software and reports them, there could still be more bugs in it that weren’t found. Apache/Mozilla are good examples. The same goes for closed source. Need I list examples for it?
It would probably be best to actually compare the number of exploits and the time it took to patch, making adjustments for popularity and function. Not sure which side this would benefit more. If the proponents of keeping source closed say that it helps prevent exploits, then the number of exploits should be fewer (after adjustment for popularity).
Unfortunately, the only technology we have to compare that is really popular on either side is Apache vs IIS. The rest of the [desktop/app] arguments can be argued over indefinitely. It won’t matter until we can figure out how to accurately adjust for the massive differences in popularity.
When it comes down to it, given the proper firewall technology and safeguards, even a networked DOS could be “safe.” I could get more into this but I won’t.
I’d love it if OSNews had more development articles instead of just reports on [insert today’s linux distribution release or slashdot runoff]. This isn’t a dig at you Eugenia, if people submitted more original OS content I’m sure you’d post it. The articles that get the most responses are about OS development/new technology. Most of us here are probably OS developers anyway.
I could be wrong though.
It does not make MS any better or Linux any worse. Remember 2 years ago when MS said they will not advertise their security holes? Well, if they are not announcing then of course Linux will have more since they ALWAYS announce.
>You can’t do that. Most apps out there aren’t multi-user aware
Then do not run old applications. Run proper 32bit apps, written for the NT/2k/XP environment and not old, Win9x code. By running the proper apps you do a favor to your XP, which no matter how it tries to be compatible with legacy Win9x code, it will perform _much better_ if you actually run proper NT code and *especially* XP-specific drivers.
>I’d love it if OSNews had more development articles instead of just reports on
A few days ago I posted an article asking people to submit articles. Only one person replied and sent his article over (the KDE article we posted in the beginning of this week). I can’t be writing all the articles over here, I have a real life to run too. OSNews already takes most of my free time (about 80% actually, every day) and I don’t think I can commit more to it. It is overkill to do so, for free. Sometimes I sleep at 2 AM in the morning preparing articles, or cleaning up code, or sending emails back and forth with OS companies and JBQ is pissed off at me for not going to sleep at the same time he is.
I still remember a certain administrator spending a few days and sleepless nights trying to get Code Red off his beloved Windohs machines.... only to have them reinfected again the next day. I’ve never laughed so hard in my life.
Give them a few months and Microsoft will be reporting that they have fewer holes than OpenBSD :-p
Eugenia, the article itself isn’t FUD, but the Aberdeen report most definitely is. Just search Google:
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=Aberdeen+Microso…
The first half dozen hits are for Aberdeen saying all these good things about .NET and SQL Server and whatnot. Now, I don’t doubt that Microsoft’s increased efforts at fixing security bugs are paying off (most of the recent service packs have been security oriented) but counting the number of advisories on CERT is a lot like those *BSD is dying trolls that count the number of hits for “BSD” and “Windows” on Usenet and come to the conclusion that *BSD is dying. What matters in the real world is end-result security. Which product, when set up correctly, is most likely to be reasonably secure. In the security world, people care about track record. UNIX and Open Source have that track record, Microsoft does not. If they can go several years with a good security record, then people will start believing that they’ve really turned themselves around and have taken security seriously. But it takes a lot of work to undo the past, and you can’t blame people for not believing you until you really come up with proof.
When someone points out that more vulnerabilities were attributed to *NIX than Windows, all the linux users just turn their backs and say: I never said it was impenetrable.
True, Aberdeen is a consulting group, and they are beholden, in many respects, to the company paying the bills, so if Microsoft sponsored the study, it would have that bias. But the data is from CERT, who are, by all accounts, platform agnostic.
How many times, how many forums, how many blogs are filled with anti-Microsoft ranting saying how insecure Windows is, and how anyone can ownz it willy nilly, only to find that Linux is just as bad in some respects.
Hurts to have the shoe on the other foot, doesn’t it?
The usual way they make these microsoft-sponsored “reports” is to count the same Unix/Linux-vulnerability several times (one for Redhat, one for Mandrake etc) and to include security advisories for third-party applications. These reports are totally without value.
So then by the logic of the article, the citizens of Iraq are happier with their government than the citizens of a western nation who have so many dissidents speaking out.
Hmmm. Something tells me that that is just not true.
There are bound to be fewer security holes in a program that is allowed to mature, so the longer that XP stays around the fewer holes it will have.
Problem is that Microsoft wants to keep getting your money so they force you to upgrade to their newest software which brings you back to new code with some of the same or all new holes and the cycle begins again. This is amplified by the fact that there are no really true “innovations” coming from MS any longer (or being bought up and repackaged by MS) and they’re now trying to embed middleware and pass it off as “innovation” which does nothing but create more security holes.
That’s one thing that OSS will always have over MS. Open Source Software is not completely motivated by profit, so OSS developers provide security patches on programs as long as there is a user base and you don’t have to start from scratch again if you don’t need or want to move to the latest and greatest. The old saying “If it ain’t broke, don’t fix it.” comes to mind. Microsoft can never take the same approach because it’s always been All About The Benjamins.
Out of all the Windows machines that get hacked/viruses/etc, what percentage of those are boxes whose owners regularly installed security patches (Windows Update) and kept their anti-virus software up to date? If more people would do that (as I’m sure most Linux users do), I think the number of problems reported would be greatly decreased.
I’m not here to say that one OS is more secure than the other, but I also think it’s a little unfair to slam the OS because some user who hadn’t updated his security/anti-virus in 2 years gets hacked.
Well, if all MS does is tweak the UI, they can sell you a new OS that is just a bunch of security fixes with a few new apps and by that they let the code mature... Why do you think they went to not naming their products after the version number? Because you get more people buying upgrades if they saw Win95 -> Win98 rather than Windows 4.0 -> Windows 4.11.
The former makes it look like a major revision when in reality it is just an incremental... This is why I think Mac needs to move to this type of naming... The new Mac folks drawn in to the platform because of OS X did not know that Apple has always made the .x releases major. Before the updater, you had to pay for the .x.y releases, though you could get an upgrade version for 20 bucks if you owned the .x version. When they released 10.2, I looked at it as normal and went to whip out my student ID.... until they made the free for teacher deal and I just had my cousin get it for me 🙂
Since when does number of alerts prove which product is more or less secure?
First of all, when the products are open source you’re going to find more security flaws AND get them fixed quicker. That’s just a non-debatable fact. Also, you can’t even begin to compare the turnaround time for open source versus MS, who as we all know have up till this point ignored security researchers until they go public. Only now, after the entire world reached a boiling point with MS’s insecure product design, did they finally admit that they haven’t taken security seriously and how that was a mistake. Gee thanks MS for finally admitting to what we’ve known and been saying all along. Feel free to try and defend that point.
Second the real world impact of Microsoft flaws versus opensource flaws is startling. MS flaws in IIS, Outlook and IE cause literally billions of dollars of damage year after year.
There are certainly viruses and worms which target opensource software, but they haven’t done nearly the financial damage that Microsoft products have. It will be many many years before opensource software ever comes close to reaching the amount of money that companies have spent cleaning up MS’s security problems.
Also MS has a great solution for software that they sold you which is fundamentally broken from a security standpoint. Figured out what it is yet? Yep, you guessed it, buy more MS software. It’s funny, but when it’s found that automakers sold consumers a broken product they have to do a recall, and yet when MS does it the solution is more money for MS. At least with Linux you have the ability to fix the problem or upgrade for free.
So in summary number of security incidents means jack. The real story as always is between the lines.
Let’s say you had a choice of joining one of two teams. 5 of the members on Team A have an injury. 3 of the members on Team B have an injury.
Which team would you rather play on?
After choosing to join Team B you are told that the members of Team A have minor bruises but the members of Team B have malaria.
Let’s just say that you made a decision without having all the information needed to make a good decision.
How severe are the vulnerabilities, dammit? Is the vulnerability present in the default install of the OS?
Every user of windows is vulnerable to IE problems. Every single one.
A much much smaller percentage of Linux/users runs apache, BIND, or snort. If I am not running BIND I do not have to worry about my systems.
No software is perfect. OSS has its problems. Microsoft has its problems. Give us real information and we will make our own decisions.
Also, add to that that MOST security issues are local root exploits NOT remote root exploits. A local exploit on a desktop machine used at home as the family computer is not even a problem, unless you do like illegal stuff on it and the feds have your PC.
I concur with Rayiner Hashem on this. The article itself is quite commendable. There is plenty to refute in the report, but the Newsforge article doesn’t bother doing so (much). Instead, it takes a more responsible approach, recognising that all software has bugs and suggesting that the community work harder to remove them.
With open source, software is fully transparent to everybody. All bugs are laid out for all to see, which means they can be found and fixed quickly. While it is true that crackers can see these holes as well, the benefits from transparency far outweigh the disadvantages. The same argument can apply in business and economics.
One thing the article doesn’t mention is how much the Aberdeen Group like selling their opinion to the highest bidder, which can be seen at http://www.theinquirer.net/?article=3039
Lost credibility with me a long time ago.
Has nothing to do with Linux, Windows, BSD, BeOS, Amiga, Atari or Pong.
Their info just plain sucks.
– I’m an MCSE, admin 30 servers, 500 desktops.
Wow, a lot of you LAN boys around here will believe anything.
I bet most of you clowns think changing the name of the administrator account on Windows does any good. A sign that you probably should stick to administrating desktops, since you’ll probably get owned (if anybody actually cares about your company).
The only fair way to compare vulnerabilities is to specify a windows PC and a linux PC running the same services/daemons and the same (or similar) applications, then compare.
And if Photoshop has a bug and Gimp hasn’t then it’s 1-0 for Microsoft.
Oh, and you’ll have to have some grading of the seriousness of the bug; something that crashes the app get 0.5 and something that gives you root/administrator get 2.0.
To summarize: It’s nearly impossible to come up with a fair system and it’s easy for either side to “make up” their own victory.
Linux security advisories are there to report known faults.
If you don’t know about them in the first place, there’s no advisory.
I personally feel more secure because I know that nothing is kept back. It’s all there for me to see. If I’m worried about BIND, I keep watching the advisories, and can respond.
I can’t say the same about other systems, and so I feel less secure because obscurity is not security.
That’s what I think and it works for me.
What is “Linux”, exactly? Once-upon-a-time it was just a kernel, but today people use it to refer to a whole OS. So where does the OS end and the apps begin? With GNU/Linux, this is difficult to determine. Is GNOME or KDE part of the OS? I would say no, because the system can run perfectly fine without them. The same can be said for programmes like BIND and Apache. What is Aberdeen’s definition? They don’t say.
For Windows, did Aberdeen include IE and Office? After all, due to MS software commingling a bug in IE or Office can affect the whole OS. Did they include IIS? We don’t know.
It’s a fact of life, software has bugs. It’s also a fact that you are always facing a new security threat, no matter what OS you use. But there are advantages to using alternative OSes vs Windows. First, alternatives aren’t in the business of denying there might be something fundamentally wrong with their code, then working out a fix for it. This is why BSDs and Linuxes get so much server market share. People can get results. The fact that open source exists attests to the fact that these people who create this stuff have no reason to hide code, that they want to empower the admins, ISP owners, programmers, IT and CS people, and I can say for a fact Microsoft (and to some extent, Apple) want to take that empowerment away.
Argue that till the cows come home.
So why is all of opensource, which is made by many different contributors, compared with Microsoft? Sounds like apples to oranges to me.
If you compare Linux to Windows, it gets tough to decide what is the OS and what is applications.
Shouldn’t sendmail, postfix, wu-imap, etc be compared to Exchange and Domino? How about Apache and wu-ftpd vs IIS? Office vs OpenOffice?
MySQL and Postgres vs MSSQL and Oracle? The list goes on and on.
The method of comparison is bogus. It’s just a reason to start another flame war. Can’t we all just get along?
Wait till MS starts really getting their buttz kicked in market share. Linux will become overwhelmed with bugs, virii, and trojans. Most likely written by MS!!
The Linux kernel is not 1000 lines but a lot more.
It is already difficult to know ALL behaviours of a 1000-line program.
Yama, it is quite obvious they included IE in the equation because it is co-mingled with the OS. IIS is bundled but optional, and Office is another expensive product.
As for Linux, I doubt it sets its limits to the kernel… 🙂