
RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)

Posted Apr 10, 2008 18:38 UTC (Thu) by Requiem (guest, #51519)
In reply to: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) by rmunn
Parent article: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)

Always look at methodology; in this case Linux vulns and Windows vulns are counted
differently.

Vulnerabilities are typically found in Linux through code audit, so whether or not the
vulnerability allows for an actual exploit is theoretical.  A higher percentage of all the
vulnerabilities are found as well.

Windows has less in the way of theoretical exploits, since the typical way to find one is to
implement it, and more unknown active exploits, because there are always more bad guys looking
for vulnerabilities than good.

Also keep in mind that Windows being popular gets the security researchers more interested in
keeping it locked down as well.  If Linux becomes dominant, it gets hold of more of the good
guys too.



RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)

Posted Apr 10, 2008 22:49 UTC (Thu) by drag (subscriber, #31333)

Also Microsoft will silently fix potential exploits without disclosing it. 

A few times they disavowed it, then later on they would admit to it. More than one.

The theory is that the first thing that happens when Microsoft publishes a patch or
information is that people take that and write an exploit to attack unpatched systems. So by being
secretive about fixes they are actually doing people a favor.

Also open source projects will often release patches for problems that are not exploitable,
but they _could_ be exploitable if a bunch of other bad things happen. That is, most problems
that open source projects release as problems are not exploitable. Microsoft will not admit to
those or to fixing those.

And people have proof of this sort of behavior. People have examined patches to Microsoft OSes
and have reverse engineered them to find out what exactly they are doing and what systems they
are patching. One black hat found at least 7 different fixes in a patch that only had one
publicly announced fix.

Also not all of Microsoft's software gets the same amount of treatment. There are many bug
fixes in Windows XP and such that don't make their way into Windows XP POS (point of sale). 

AND on top of this Distributions ship with much much much more software than what is provided
by Microsoft.


If you want to have a vulnerability vs vulnerability comparison you will have to sit down and
go through them one by one and examine things carefully. 


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds