
Here we go again

vnunet has posted another one of its Linux security articles with the same sort of theme:

X-Force, the US-based monitoring group of security software firm Internet Security Systems, has been tracking the number of security holes in software. Last year the centre found 149 bugs in Microsoft software compared to 309 for Linux. This year the situation was worse, with 485 Linux bugs this year compared to Microsoft's 202.

Nobody would try to argue that Linux is free of security holes - anybody who thinks so need only read the rest of this page to learn otherwise. But the above comparison is absolutely meaningless for a number of reasons:

  • Each distribution is counted independently. The same vulnerability in five distributions will count as five separate vulnerabilities. This practice, of course, inflates the number of reported Linux problems.

  • Linux vulnerabilities include those in applications (e.g. PostgreSQL) which are not part of a standard Windows system.

  • Most Linux vulnerabilities are found through code audits and similar efforts; they are patched and reported before any exploits happen. Any Windows bugs found through similar audits are fixed silently and do not appear in these counts.
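The first two points above are a methodology problem, and the easiest way to see its size is to normalize a set of advisory records before counting them. The following is an added example, not from the LWN article or from X-Force: it takes a constructed list of advisories (the distribution names, the `VULN-*` identifiers and the component classes are placeholders, not real data) and contrasts the naive per-advisory total with a count of distinct vulnerabilities, optionally restricted to base-system components.

```python
"""Shows how per-distribution counting inflates vulnerability totals.

Added example, not from the LWN page or any vendor report. All records
below are constructed; the VULN-* identifiers are placeholders, not CVEs.
"""
from collections import defaultdict

# Constructed sample advisories:
#   (distribution, vulnerability id, affected component, component class)
# The same vulnerability id appearing under several distributions models
# one bug that each distribution shipped a separate advisory for.
SAMPLE_ADVISORIES = [
    ("DistroOne",   "VULN-A", "openssh",    "base"),
    ("DistroTwo",   "VULN-A", "openssh",    "base"),
    ("DistroThree", "VULN-A", "openssh",    "base"),
    ("DistroOne",   "VULN-B", "kernel",     "base"),
    ("DistroTwo",   "VULN-B", "kernel",     "base"),
    ("DistroOne",   "VULN-C", "postgresql", "application"),
    ("DistroThree", "VULN-C", "postgresql", "application"),
    ("DistroTwo",   "VULN-D", "apache",     "application"),
]


def naive_count(advisories):
    """The inflated method: every advisory is counted as its own vulnerability."""
    return len(advisories)


def unique_count(advisories, include_classes=None):
    """Count distinct vulnerability ids.

    include_classes, if given, restricts the count to the named component
    classes (e.g. {"base"}) so that application packages a competing
    platform does not ship are excluded from the comparison.
    """
    ids = set()
    for _distro, vuln_id, _component, comp_class in advisories:
        if include_classes is None or comp_class in include_classes:
            ids.add(vuln_id)
    return len(ids)


def distros_per_vuln(advisories):
    """Map each vulnerability id to the sorted list of distributions affected.

    Useful for spotting which entries were multiplied by the per-distro scheme.
    """
    affected = defaultdict(set)
    for distro, vuln_id, _component, _comp_class in advisories:
        affected[vuln_id].add(distro)
    return {vuln_id: sorted(distros) for vuln_id, distros in affected.items()}


def inflation_factor(advisories):
    """Ratio of the naive total to the number of distinct vulnerabilities."""
    return naive_count(advisories) / unique_count(advisories)


if __name__ == "__main__":
    print("naive total:      ", naive_count(SAMPLE_ADVISORIES))
    print("distinct:         ", unique_count(SAMPLE_ADVISORIES))
    print("distinct, base:   ", unique_count(SAMPLE_ADVISORIES, {"base"}))
    print("inflation factor: ", inflation_factor(SAMPLE_ADVISORIES))
    for vuln_id, distros in distros_per_vuln(SAMPLE_ADVISORIES).items():
        print(f"  {vuln_id}: {', '.join(distros)}")
```

On the constructed data the naive method reports twice as many vulnerabilities as actually exist, and restricting to base-system components halves the figure again; a real comparison needs a shared identifier (such as a CVE number) to dedupe on, which is exactly what a per-distribution tally lacks.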

Articles like this one try to make it appear that Linux has worse security problems than other operating systems. If you look, however, at the amount of actual security pain suffered by Linux administrators, the story is different. Linux security is nowhere near as good as it really should be, but it's not as bad as some people would like to make it out to be.



Windows versions counted as one vulnerability?

Posted Oct 3, 2002 5:29 UTC (Thu) by grahammm (subscriber, #773) [Link]

I suppose that if there is a vulnerability which affects Windows 95, 98, ME, NT4 W/S, NT4 Server, 2000 W/S, 2000 Server, XP Home and XP Pro, it is probably only counted once rather than as 9 vulnerabilities, as it would be if it affected different Linux distributions.

Here we go again

Posted Oct 3, 2002 15:44 UTC (Thu) by bodosom (subscriber, #3774) [Link]

Is there some evidence to support the counting scheme used? I tried the site but you have to pay for X-Force and I wasn't able to find any other specifics.

It certainly sounds like they must be doing (bug * distro) counting but I'd like to know for sure before I try debunking local FUD.

Here we go again

Posted Oct 3, 2002 16:29 UTC (Thu) by dbreakey (guest, #1381) [Link]

Can't say for certain but, if they are, it certainly wouldn't be the first time. I've routinely come across articles that claim these sorts of figures, but whenever somebody is able to track down solid information, it has always turned out to be a case of counting vulnerabilities multiple times.

It doesn't seem to be deliberate maliciousness; just a misunderstanding. These analysts often seem to consider each distro as a separate entity, even though they usually think of Windows as just multiple versions of the same product (which is ironic, considering that a very solid argument could be made that they are actually different products altogether).

Here we go again

Posted Oct 3, 2002 17:28 UTC (Thu) by pben (guest, #2538) [Link]

Is there a good independent summary of security problems of Windows like this page has for Linux? I still have to use Windows sometimes and would like to know what to look out for, especially the stuff that has never been patched.

Here we go again

Posted Oct 3, 2002 19:29 UTC (Thu) by dbreakey (guest, #1381) [Link]

I find it hard to trust an agency such as this to report reliable figures; this is a division of a commercial entity that sells security solutions and, so far, I can only find software for Windows.

I can't, however, browse their enterprise-level solutions without setting up a profile, so I can't say what offerings they may have in there.

Unfortunately, I can't trust that there isn't a conflict of interest here, so I'd be cautious about trusting any such report.

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds