While the article does make a valid point, I think the most important thing to look at while comparing the CERT results is how they were organized.
Basically, Windows = 98, ME, 2000, XP, 2003 and *nix = Solaris, BSD, OSX, Red Hat, Suse, Debian, Mandriva, etc,etc,etc...
You could make the argument that they are comparing Win32 to POSIX compliant OS's I suppose, but it still doesn't give you the ability to come to any conclusions.
The other problem with the results is that many of the vulnerabilities are not even *nix problems. If Apache has a vuln, it is considered to fit under the *nix group, even though Apache can run in Win32. The same goes for many other packages that can not be considered part of the *nix OS's.
And finally, another issue. There is a lot of duplication in the actual results. For example, a vuln in gzip might be listed as 10 vulnerabilities because there are 10 distros that come with the vulnerable version of the software.
There are too many variables to come to any sort of conclusion from the CERT results.
The article listed above uses the "security through obscurity" method to rate different OS's. Every net admin/sec expert knows that you are only playing with fire if that is your method of security.
I agree Drew, the argument about which OS is the more secure is ultimately pointless and certainly not answered by this article. However, what interested me is some of the questions and points they raised rather than any conclusions. Namely the fact that the most insecure OS is the one most people want to attack, and therefore the one that has the most vulnerabilities detected. And as you say, security through obscurity is not the way to go.
Building on the common assumption that "security by obscurity" is not a good security practice, we might state that Windows is becoming more secure with every hack that is exposed (and eventually patched), while *NIX OS's are staying less secure due to less exposure.
I can totally agree with your statement that it is totally pointless to argue that this or that OS is more secure or less secure. It is the design and the sysadmin that ultimately make up the sum of security:
Is a SELinux box placed on the open Internet more secure than a Windows NT4 box placed on a home network with no Internet connection?
Note on my views before you read: This is not bashing Windows or Linux. It's bashing people who think xxx is better than yyy because xxx was fixed more often than yyy.
This article has a few major issues, even if it's so short. Linux is not Unix. It looks like Unix, and acts like it on the outside, but it's not Unix, and it handles the internals differently, and this has a major impact on its security. Without getting into the micro kernel vs. monolithic kernel issues, you should know that lumping them together is crazy.
Also, this article doesn't say if it was taking into account the different flavors of Windows. If it hit 2K and 2K3, was it one, or two? If the same thing hits Suse and Red Hat, was it one, or two? If it hits an optional GPL program that ships with both, but no one has running on a server, is it one, or two, or zero?
Did any of these reports take into account if damage could be limited? Sure, if you were for some strange reason surfing the web on your 2K3 server, you could get hit by an image file. But this could not hit the server on its own. And even if it could, you could have just run the regsvr32 command to unload it till the patch was out, and you tested the patch in the lab. You do test patches before running them, right?
Also, what does this have to do with security? I mean really, sure, it sounds scary, but all these issues do is increase the attack surface. Sure, it's bad, but it's not the ONLY facet of security. If all your servers were directly connected to the Internet, and not running 3rd party firewalls, and ran every program installed on them at once, then yes, I would be worried. But as it stands now, few vulnerabilities reported in a system have any effect on OUTSIDE attacks. So someone on your Unix mail server can become root if they have local access, big deal. Now if the mail daemon itself has an issue, then I would worry more.
You protect the NETWORK from outside threats, you protect COMPUTERS from internal threats. And for the love of god, don't let your computers trust each other. A secure OS shouldn't trust itself, why should it trust OTHER computers.
A vulnerability is only a vulnerability if it can be reached, and exploited.
Ok, who here runs 7zip on a Windows server, or even a production machine? The same thing can be seen in the Linux and Unix ones. That page is to help you find the program, based on what OS you have; it does not, in any way, shape, or form, say one has more than the other. It's saying more issues were found on Linux and Unix SOFTWARE. Not the operating systems. Now when you think of all the Windows based programs out there, and all the Unix and Linux based ones, it makes you wonder how this can happen. Well, look at open source programs. How often do they get updated? Many of them have snapshots out every day. And yes, many times these are reported to CERT. So this means that this whole page has NOTHING to do with comparing security between OPERATING systems. But what did the article say?
Linux/Unix-based operating systems — a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix — had over twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT), which is part of the US Department of Homeland Security.
The OPERATING systems didn't have the vulnerabilities, the software added on did. So unless you run servers with ALL of these pieces of software, you can't compare the two.