Linux more secure than Windows?

Drakkon

Diamond Member
Aug 14, 2001
8,401
1
0
"As Linux becomes more common, we'll see more attacks against it"
I think that sums it up great right there...people find holes where the biggest shares are to exploit the most users...if I wrote a virus to attack Linux it would probably propagate through 2-3 machines before contained. Write a virus for Windows and you get hundreds of thousands in one shot
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I'm not sure how many of the vulnerabilities in the first one are OS vulnerabilities and not application vulnerabilities. How many different mail servers are you planning on running on the single host? How about web servers? VPN solutions?

Some of the entries on the US-Cert page are repeats/updates. It's kinda silly.

And how many of those were remote holes? Remote root holes? How many apply to desktops? Workstations? Servers?

As a side note though, OpenBSD only had 5 issues mentioned on that page. :evil:
 

n0cmonkey

Originally posted by: Drakkon
"As Linux becomes more common, we'll see more attacks against it"
I think that sums it up great right there...people find holes where the biggest shares are to exploit the most users...if I wrote a virus to attack Linux it would probably propagate through 2-3 machines before contained. Write a virus for Windows and you get hundreds of thousands in one shot

Compare IIS's history to Apache's.
 

Drakkon

Originally posted by: n0cmonkey
Originally posted by: Drakkon
"As Linux becomes more common, we'll see more attacks against it"
I think that sums it up great right there...people find holes where the biggest shares are to exploit the most users...if I wrote a virus to attack Linux it would probably propagate through 2-3 machines before contained. Write a virus for Windows and you get hundreds of thousands in one shot

Compare IIS's history to Apache's.
Well, I didn't, but this guy did: http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx
More people use Apache 2.0 though than IIS 6.0, thus fewer vulnerabilities were found ;)
 

mundane

Diamond Member
Jun 7, 2002
5,603
8
81
From what I understood, the reports are mostly from applications for the OS, not the OS itself. Ars Technica had an article a few days ago:

"Over 5,000 bugs in 2005"
... Interestingly, most of the flaws listed by US-CERT are application bugs rather than security holes in the underlying OS. This is likely due to the more stringent QA testing that operating systems undergo before release. ...

And some responses in the discussion:

Apparently some bugs are listed multiple times on the list.
Exactly. This study means two things, jack and ******. With a couple dozen major variants of *NIX, is it surprising that they have more bugs than a more homogeneous platform? Should bugs from the CoreOS of xyz platform be counted the same as bugs from notepad.exe, as this study seems to do? What about DOS attacks versus misspelled text versus root-level compromise? Are these all worth the same? Assessing security by counting bugs from vague categories is pretty worthless.

I would like to see a breakdown of bugs exploitable by an unauthorized external user.

If you browse through the list, it seems a lot of the MS vulnerabilities are available to unauthorized remote users, while a large number of the *nix bugs are only exploitable if the attacker has already logged into the box via some other means.

While local exploits are definitely a problem, they aren't nearly as much of a threat as remotely exploitable bugs.

Pro-active security is the only valid security model for any platform still.

While I've come to expect the Ars crowd to be strongly *nix leaning, they do bring up a number of valid points. Without elaborating on the severity of the reported bugs, there's no way to evaluate the overall impact of the numbers.
 

n0cmonkey

Originally posted by: Drakkon
Originally posted by: n0cmonkey
Originally posted by: Drakkon
"As Linux becomes more common, we'll see more attacks against it"
I think that sums it up great right there...people find holes where the biggest shares are to exploit the most users...if I wrote a virus to attack Linux it would probably propagate through 2-3 machines before contained. Write a virus for Windows and you get hundreds of thousands in one shot

Compare IIS's history to Apache's.
Well, I didn't, but this guy did: http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx
More people use Apache 2.0 though than IIS 6.0, thus fewer vulnerabilities were found ;)

I don't see where he factors in what is enabled by default. Or how about IIS5? Or which webservers have enabled internet-crippling worms. Or which are simply little DoSes instead of root compromises...