The CERT vulnerability list
[Posted January 6, 2006 by corbet]
It's all over the mainstream media: the CERT 2005 vulnerabilities list shows that "Unix/Linux" had three times as many vulnerabilities as Windows. The security battle is over, and Windows has won. Of course, if one actually looks at the list, the story no longer seems so clear.
Let's examine a few entries:
- There are four vulnerabilities in 4D Webstar, one in ADP elite, one in
Adrian Pascalau GIPTables, two in Alexander Barton ngIRCd, two in Alexis Sukrieh
Backup Manager, one in Alkalay.Net, one in Andrew Church IRC Services,
two in Appfluent Technology Database IDS, etc. Chances are that most
Linux systems out there are not affected in any way by any of these
vulnerabilities.
- Eight vulnerabilities are in proprietary Adobe products, which have
little to do with Linux.
- The Apache mod_ssl
SSLVerifyClient vulnerability is listed nine separate times. The
Apache SpamAssassin denial of service vulnerability appears three
times.
- Forty-one of the "Unix/Linux" vulnerabilities are in Apple software,
mainly OS X and Safari.
- Four are specific to the Astaro Security Linux distribution.
One could go on for some time, but your editor
chose to stop before finishing with the letter "A". The point should be
clear anyway: drawing any conclusions from the length of this list makes no
sense at all.
One might make a reasonable Linux vulnerabilities list by (1) removing
the large numbers of entries for BSD and proprietary Unix systems,
(2) removing duplicates, and (3) removing proprietary products
and other packages not normally shipped or installed with Linux
distributions. The resulting list would certainly be less than 20% of the
size of the version posted by CERT.
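The three-step reduction above is easy to make mechanical. What follows is an added example, not code from the article or from CERT: it applies the same three filters (drop BSD and proprietary Unix entries, collapse duplicates, drop proprietary or non-distribution packages) to a small constructed sample of entries written in the style of the CERT list. The sample titles, the vendor sets used for steps 1 and 3, and the duplicate-detection rule are all assumptions chosen for illustration; a real pass over the CERT data would need the actual list and a distribution's package index.

```python
"""Added example (not from the LWN article or CERT): apply the article's
three-step filter to a constructed sample of "Unix/Linux" entries."""

import re
from collections import Counter

# Constructed sample entries: (vendor, title).  They mimic the patterns the
# article points out: one mod_ssl issue listed repeatedly with trivial title
# variations, a repeated SpamAssassin entry, Apple and Astaro entries, a
# proprietary Adobe product, and BSD / Solaris entries filed under "Unix/Linux".
SAMPLE_ENTRIES = [
    ("Apache", "mod_ssl SSLVerifyClient Restriction Bypass"),
    ("Apache", "mod_ssl SSLVerifyClient Restriction Bypass"),
    ("Apache", "mod_ssl  SSLVerifyClient restriction bypass"),
    ("Apache", "SpamAssassin Denial of Service"),
    ("Apache", "SpamAssassin Denial of Service"),
    ("Apple", "Safari Arbitrary Code Execution"),
    ("Apple", "Mac OS X Kernel Privilege Escalation"),
    ("Astaro", "Astaro Security Linux Cross-Site Scripting"),
    ("Adobe", "Acrobat Reader Buffer Overflow"),
    ("4D", "4D WebStar Tomcat Plugin Buffer Overflow"),
    ("OpenBSD", "OpenBSD Kernel Denial of Service"),
    ("Sun", "Solaris in.telnetd Privilege Escalation"),
    ("Linux", "Linux Kernel ptrace Local Privilege Escalation"),
    ("Snort", "Snort Back Orifice Preprocessor Buffer Overflow"),
]

# Step 1: vendors whose "Unix/Linux" entries are really BSD or proprietary
# Unix (Apple's OS X included).  Assumed membership for this sample only.
NON_LINUX_UNIX = {"OpenBSD", "FreeBSD", "NetBSD", "Sun", "HP", "IBM", "SGI", "Apple"}

# Step 3: proprietary products and packages not normally shipped by Linux
# distributions.  Astaro is deliberately *not* here: it is itself a Linux
# distribution, so a conservative filter keeps it.  Assumed for the sample.
NOT_IN_DISTROS = {"Adobe", "4D"}


def normalize(title):
    """Collapse case, punctuation and whitespace so trivially re-worded
    copies of the same advisory compare equal (the duplicate rule)."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def reduce_list(entries):
    """Apply the three filters in order; return (surviving entries, stats)."""
    stats = Counter(total=len(entries))

    # Step 1: remove BSD and proprietary Unix entries.
    step1 = [e for e in entries if e[0] not in NON_LINUX_UNIX]
    stats["removed_non_linux_unix"] = len(entries) - len(step1)

    # Step 2: remove duplicates, keyed on vendor plus normalized title.
    seen = set()
    step2 = []
    for vendor, title in step1:
        key = (vendor.lower(), normalize(title))
        if key in seen:
            continue
        seen.add(key)
        step2.append((vendor, title))
    stats["removed_duplicates"] = len(step1) - len(step2)

    # Step 3: remove proprietary / non-distribution packages.
    step3 = [e for e in step2 if e[0] not in NOT_IN_DISTROS]
    stats["removed_not_in_distros"] = len(step2) - len(step3)

    stats["remaining"] = len(step3)
    return step3, stats


def remaining_fraction(entries):
    """Fraction of the original list that survives all three steps."""
    _, stats = reduce_list(entries)
    return stats["remaining"] / stats["total"]


if __name__ == "__main__":
    survivors, stats = reduce_list(SAMPLE_ENTRIES)
    for name, count in stats.items():
        print(f"{name:>24}: {count}")
    print(f"{'surviving fraction':>24}: {remaining_fraction(SAMPLE_ENTRIES):.2f}")
    for vendor, title in survivors:
        print(f"  {vendor}: {title}")
```

On the constructed sample, four entries go in step 1, three in step 2 and two in step 3, leaving five of fourteen. The duplicate rule is intentionally crude (same vendor, same title modulo case and punctuation); the real list also repeats one issue under several affected-product names, which this key would not catch, so the true reduction is larger, not smaller.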
One might also be tempted to look at CERT's advisory list for 2005.
Of the alleged thousands of "Unix/Linux" vulnerabilities, exactly one (the Snort Back Orifice buffer overflow) merited an advisory from CERT. Every other
alert sent out in 2005 was for Windows and other proprietary products. It
might have been nice for CERT to mention this when it put up its list of
vulnerabilities.
One can also point out that most of the vulnerabilities were found as the
result of active auditing efforts; they were fixed before anybody exploited
them. Many of them are theoretical in nature, and many of them are only
exploitable by local users. Not all vulnerabilities are created equal.
In the end, however, one fact remains: even a list which is 10% as long as
CERT's is too long. We can argue relative security all we want (and we
should dispute the outright silliness that results from CERT's list), but
Linux still is not as secure as we need it to be. When the length of that
list gets rather closer to zero, we'll be in a position to brag about the
security of Linux.