After toting up the vulnerabilities in Windows XP Service Pack 2, Red Hat Desktop 3 and Red Hat Desktop 4, Microsoft’s Jeff Jones concluded:
Whether you look at the all up total vulnerabilities, look at high severity vulnerabilities, or look at the weighted Workload Vulnerability Index, it is hard to argue against the fact that Red Hat 3 required less vulnerability-driven work than Red Hat 4, and Windows XP SP2 required less than either.
Jones’ conclusion is indisputable, as long as you play by his rules. Here are three of them:
- Jones’ Rule for Vendor-Defined Products: Vendor-defined products are any apps included on the CD. Flaws in each product accrue to the vendor’s negative tally.
- Jones’ Rule for Role-Based Products: A webserver is a role-based product. Same goes for a fileserver or database server. A role-based comparison includes the apps required to fulfill the assigned role, as defined by Microsoft and its partner, Security Innovation. An example: steps for “hardening” the role products, which would substantially reduce vulnerability, are not implemented. Thus, while the packet filtering abilities of iptables are at a Linux admin’s fingertips, they are apparently out of bounds. [pdf]
- Jones’ Rule for Fixes: A vulnerability in an application isn’t fixed until the vendor who stamped the CD distributes it.
Within these prescribed rules, the outcome is inevitable, even admirable.
But a Linux CD is a convenient store-on-a-disk. You can choose Red Hat, SuSE, Ubuntu, etc. for installation conformity and ease of updates. And you needn’t wait for distributor fixes. You can often get them from the original authors.
How do Linux admins find out about problems and updates? By monitoring the appropriate outlets, like CERT, SANS, SecurityFocus, and many others.
I expect little more from a CD distributor than I expect from a convenience store. I’m perfectly comfortable using search engines and forums.
It’s not the same with Windows boxes. As Microsoft is the only source for Windows, the company can be a huge, single point of failure.
Case in point: Remember when the world stood still during the WMF Exploit fiasco that took out XP SP2, circa New Year’s 2006? Ilfak Guilfanov delivered a patch while Microsoft dithered.
I expect more from Microsoft, because I must. Everything on the disk came from Redmond.
In the end, it will always be impossible to squarely compare Windows with Linux. Each fulfills different needs and expectations.
But as even Jeff Jones would tell you (I hope), the guy who makes the rules always wins.

9 comments
August 1st, 2006 at 9:09 pm
cyber_rigger
One could look at the average vulnerability rate per each software package.
Assume that a Linux distro has 18,000 software packages (Debian, Ubuntu).
If this whole Linux distro had 1 vulnerability per day, that would mean each package would have an average of 1 vulnerability per every 49 years.
As far as I know Windows XP doesn’t ship with 18,000 software packages.
August 2nd, 2006 at 9:09 am
tweakt
And with 50 packages installed, I’d get owned just about once every year…
Don’t play games with numbers, it doesn’t make sense, and it sounds like Microsoft logic. Besides, what qualifies as a “software package” in a linux distribution varies wildly, from small utilities like gpm, to entire office suites like openoffice.
August 2nd, 2006 at 9:15 am
BJ Gillette
Hi cyber_rigger.
Agreed. It’s much like comparing an individual book publisher like Prentice Hall to Amazon Books.
August 2nd, 2006 at 9:38 am
BJ Gillette
Hi tweakt.
I think you and cyber_rigger are largely saying the same thing.
Nobody cares how many vulnerabilities are in all the brands of software loaded onto a Linux distie, any more than they care about all the books Amazon sells.
That’s just stinkin’ thinkin’.
Having said that, bookstores with reputations for selling better books sell more books… ideally, ideally.
August 2nd, 2006 at 10:42 am
cyber_rigger
Anyone know how many packages in MS Windows XP (that would be subject to a vulnerability report)?
August 2nd, 2006 at 11:39 am
grouch
Just check unpatched vulnerabilities.
http://secunia.com/product/22/
“Microsoft Windows XP Professional with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical”
‘Currently, 29 out of 144 Secunia advisories, are marked as “Unpatched” in the Secunia database.’
http://secunia.com/product/2535/
“The Secunia database currently contains 0 Secunia advisories marked as “Unpatched”, which affects RedHat Enterprise Linux ES 3.”
‘Currently, 0 out of 291 Secunia advisories, are marked as “Unpatched” in the Secunia database.’
Which numbers make you feel more secure, 29 out of 144 or 0 out of 291?
August 2nd, 2006 at 3:48 pm
Grant
He also neglected to include Internet Explorer. Secunia counts it separate, even though you can’t remove it, while the Firefox vulnerabilities count against any Linux distribution that includes it.
August 2nd, 2006 at 4:26 pm
BJ Gillette
Like I said, guys, the deck was stacked.
Having said that, it was mighty decent of Security Innovation and Microsoft to share their methodology.
Frankly, I’m amazed that Red Hat and SuSE haven’t responded with detailed counter-studies of their own.
August 3rd, 2006 at 7:15 am
Todd G
Red Hat blew the studies off.
“The main metrics of the Security Innovation study treated all vulnerabilities as equal, regardless of their risk to users and did not take into account how fast vendors repair vulnerabilities.”
Reseller News: MS wrong on security claims: Red Hat