Counting vulnerabilities

Counting vulnerabilities

Posted Jun 28, 2007 1:40 UTC (Thu) by jimparis (subscriber, #38647)
Parent article: Counting vulnerabilities

Wait a sec. You said there were 52 vulnerabilities in Wireshark. Wireshark can also be installed on Windows. That means Windows had at least 57 vulnerabilities, not 5. Or did they not count it just because it wasn't installed by default? Well, installed or not, the vulnerabilities couldn't have been triggered unless you actually RAN Wireshark.

If you want a fair comparison, you'll have to perform the same tasks on both systems. In most cases, that will involve either:
(1) Not running some of the software on the Linux machine. Even if it's installed, if the program is never executed (and can't be started by an attacker), it doesn't matter from a security point of view.
(2) Or, you need to install the same or equivalent set of software on the Windows machine -- in which case you've just introduced more vulnerabilities.

Counting vulnerabilities

Posted Jun 29, 2007 20:25 UTC (Fri) by giraffedata (subscriber, #1954)

The study compares products, so Wireshark on Windows doesn't count because it's not part of the Windows Vista product.

The article says the study doesn't count bugs in "packages" that are on RHEL but not Vista, which I assume means capabilities. And it doesn't say that the Wireshark bugs were counted against RHEL. (Though I could imagine they were if Vista comes with a similar tracing facility).

I believe a much more interesting figure would be the number of bugs that were exploited during the period. That would discount bugs in unused code and bugs with no realistic way to exploit. It would be more applicable to the question, "should I do this job with Windows or with Linux?"

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds