Linux riskier than Windows?

ITJunkie

Linky

I think anytime a company funds research that inevitably makes claims that "mine is better than yours", one must proceed with a certain amount of skepticism.

That being said, I think the article is summed up best with this quote:
Thompson admitted, however, that security largely depends on the expertise of the administrator.

FWIW....

Sunner

Another day, another study, I wonder who actually reads these anymore?
One day Novell comes out with a study saying SLES9 is the most scalable, secure, and all around asskickiest OS you can find.
The day after Microsoft comes out with one that concludes that Redhat sucks in various ways.
And yet a day later Sun comes out with one that says Solaris is the best OS in every category, but Linux isn't too bad either, as long as it's on Sun hardware.
Redhat responds with a study that says RHEL is safer than Solaris and Windows.
Sun changes its mind and says Solaris still rules, but Windows ain't too bad either, however Linux now sucks.

And so forth.

ITJunkie

Originally posted by: Sunner
Another day, another study, I wonder who actually reads these anymore?
One day Novell comes out with a study saying SLES9 is the most scalable, secure, and all around asskickiest OS you can find.
The day after Microsoft comes out with one that concludes that Redhat sucks in various ways.
And yet a day later Sun comes out with one that says Solaris is the best OS in every category, but Linux isn't too bad either, as long as it's on Sun hardware.
Redhat responds with a study that says RHEL is safer than Solaris and Windows.
Sun changes its mind and says Solaris still rules, but Windows ain't too bad either, however Linux now sucks.

And so forth.

hehehe...ain't that the truth.

n0cmonkey

The days-of-risk metric is decent. Counting vulnerabilities is not. This is getting old.

"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

That's part of the problem with counting vulnerabilities. Another problem is the fact that some of these studies count vulnerability reports from <insert distro>. Oftentimes you'll see 3 reports, each one related to a different mail server. That should be 1 vulnerability instead of the 3 they normally count.

This story doesn't spell it out, but they might _not_ have fallen into this trap:
As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

132 flaws in apache? :confused: Oh, they probably mean "applications they wanted to use to serve web pages." Still that's a lot for Apache, PHP, and mysql...

Screw it, use OpenBSD. :cool:
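The two methodology points in the post above (per-advisory counting inflates the total when one upstream flaw is fixed in several packages, and the counts get more meaningful once severity is separated and a days-of-risk window is used) are easy to show on a small advisory list. The following is an added example and is not code from the thread, from Red Hat or from the study being discussed; the advisory IDs, CVE IDs, packages, severities and dates are constructed for illustration only.

```python
"""Naive vulnerability counting vs. unique-CVE counting vs. days of risk.

Added example: all advisory IDs, CVE IDs, dates and severities below are
constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # vendor/distro advisory identifier (constructed)
    package: str       # package the advisory was issued for
    cve: str           # upstream flaw the advisory fixes (constructed)
    severity: str      # vendor severity rating
    disclosed: date    # public disclosure of the flaw
    patched: date      # date the vendor shipped the fix for this package


# Constructed sample. The first three advisories fix the SAME upstream flaw in
# three different mail servers; per-advisory counting scores that as 3 holes.
SAMPLE = [
    Advisory("DIST-2005:001", "sendmail", "CVE-2005-0001", "critical", date(2005, 1, 10), date(2005, 1, 12)),
    Advisory("DIST-2005:002", "postfix",  "CVE-2005-0001", "critical", date(2005, 1, 10), date(2005, 1, 14)),
    Advisory("DIST-2005:003", "exim",     "CVE-2005-0001", "critical", date(2005, 1, 10), date(2005, 1, 20)),
    Advisory("DIST-2005:004", "httpd",    "CVE-2005-0002", "moderate", date(2005, 2, 1),  date(2005, 2, 3)),
    Advisory("DIST-2005:005", "php",      "CVE-2005-0003", "low",      date(2005, 2, 5),  date(2005, 3, 7)),
]

# Ordering used to apply a severity floor (vendor rating scale, assumed).
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


def naive_count(advisories):
    """What the criticised studies do: one advisory == one vulnerability."""
    return len(advisories)


def unique_cve_count(advisories, min_severity="low"):
    """Count distinct upstream flaws at or above a severity floor.

    Deduplicating on the CVE collapses the three mail-server advisories into
    one flaw; raising min_severity separates 'critical' from the rest.
    """
    floor = SEVERITY_RANK[min_severity]
    return len({a.cve for a in advisories if SEVERITY_RANK[a.severity] >= floor})


def days_of_risk(advisories):
    """Per CVE: days from public disclosure until the LAST affected package
    was fixed. A flaw patched in two of three mail servers still leaves the
    third exploitable, so the window closes only with the final fix."""
    first_disclosure = {}
    last_fix = {}
    for a in advisories:
        first_disclosure[a.cve] = min(first_disclosure.get(a.cve, a.disclosed), a.disclosed)
        last_fix[a.cve] = max(last_fix.get(a.cve, a.patched), a.patched)
    return {cve: (last_fix[cve] - first_disclosure[cve]).days for cve in first_disclosure}


def mean_days_of_risk(advisories):
    """Average exposure window across distinct flaws (0.0 for an empty list)."""
    dor = days_of_risk(advisories)
    return sum(dor.values()) / len(dor) if dor else 0.0


def summarize(advisories):
    """All four numbers side by side, so the inflation is visible at a glance."""
    return {
        "advisories": naive_count(advisories),
        "unique_cves": unique_cve_count(advisories),
        "critical_cves": unique_cve_count(advisories, "critical"),
        "mean_days_of_risk": mean_days_of_risk(advisories),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>18}: {value}")
    for cve, days in days_of_risk(SAMPLE).items():
        print(f"  {cve}: {days} days exposed")
```

On the constructed sample the same data yields 5 "vulnerabilities" by advisory count, 3 distinct flaws, 1 critical flaw, and a mean exposure of 14 days; whichever of those numbers a vendor-funded study chooses to headline tells you as much about the study as about the OS.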


VirtualLarry

I find it interesting that MS has started to promote their "level of security" purely in terms of a lower number of announced vulnerabilities, while at the same time combining multiple patches into one hotfix/one announcement, and even going so far as to simply not announce certain vulnerabilities at all as vulnerabilities. (Such as the XP SP2 firewall "critical" hotfix, which wasn't listed among the released vulnerabilities at that time, and the worst one listed was below "critical" - conveniently - because that one was simply not included.)