Note on my views before you read: This is not bashing Windows or Linux. It’s bashing people who think xxx is better then yyy because xxx was fixed more often then yyy.
This article has a few major issues, even if it's so short. Linux is not Unix. It looks like Unix, and acts like it on the outside, but it's not Unix, and it handles the internals differently, and this has a major impact on it's security. Without getting into the micro kernel vs. monolithic kernel issues, you should know that lumping them together is crazy.
Also, this article doesn't say if it was taking into account the different flavors of windows. If it hit 2K and 2K3, was it one, or two? If the same thing his Suse and Red Hat, was it one, or two? If it hits an optional GPL program that ships with both, but no one has running on a server, is it one, or two, or zero?
Did any of these reports take into account if damage could be limited? Sure, if you were for some strange reason surfing the web on your 2K3 server, you could get hit by a image file. But this could not hit the server on it's own. And even if it could, you could have just ran the regsvr32 command to unload it till the patch was out, and you tested the patch in the lab. You do test patches before running them, right?
Also, what does this have to do with security? I mean really, sure, it sounds scary, but all these issues do is increase the attack surface. Sure, it's bad, but it's not the ONLY facet of security. If all your servers were directly connected to the internet, and not running 3rd party firewalls, and ran every programs installed on them at once, then use, I would be worried. But as it stands now, few vulnerabilities reported in a system have any effect on OUTSIDE attacks. So someone on your Unix mail server can become root if they have local access, big deal. Now if the mail daemon it’s self has an issue, then I would worry more.
You protect the NETWORK from outside threats, you protect COMPUTERS from internal threats. And for the love of god, don’t let your computers trust each other. A secure OS shouldn’t trust it’s self, why should it trust OTHER computers.
A vulnerability is only a vulnerability if it can be reached, and exploited.
Now then, let’s look at the page they got this info from:
www.us-cert.gov/cas/bulletins/SB2005.html
The first seven issues posted:
1Two Livre d'Or Input Validation Errors Permit Cross-Site Scripting
3Com 3CDaemon Multiple Remote Vulnerabilities
3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
3Com 3CServer FTP Command Buffer Overflows
3Com Network Supervisor File Disclosure
7-Zip Arbitrary Code Execution
Ok, who here runs 7zip on a windows server, or even a production machine. The same thing can be seen in the Linux and Unix ones. That page is to help you find the program, based on what OS you have, it does not, in any way, shape, or form, say one has more then the other. It’s saying more issues were found on Linux and Unix SOFTWARE. Not the operating systems. Now when you think of all the Windows based programs out there, and all the Unix and Linux based ones, it makes you wonder how this can happen. Well, look at open source programs. How often do they get updated? Many of them have snapshots out every day. And yes, many times these are reported into cert. So this means that this whole page has NOTHING to do with comparing security between OPERATING systems. But what did the article say?
Linux/Unix-based operating systems — a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix — had over twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.
The OPERATING systems didn’t have the vulnerabilities, the software added on did. So unless you run servers with ALL of these pieces of software, you can’t compare the two.
And yes, I *HATE* articles like this.
