The Penguin bites back at Windows

by James Middleton

06 Feb 2002

Our postbag has been overflowing, following reports that certain distros of the Linux operating system suffered more security vulnerabilities than Windows last year.

Because all Linux distributions use the same kernel, figures cannot be aggregated for the open source OS. But readers have also pointed out that confusion has resulted from the fact that Linux distros typically ship with bundles of applications, which may also be prone to vulnerabilities.

According to the figures gathered from SecurityFocus's Bugtraq mailing list, mainstream Linux distros such as Mandrake 7.2, Red Hat 7.0 and Debian 2.2 had 33, 28 and 26 security vulnerabilities reported last year respectively.

This compares with a total of 24 security vulnerabilities reported for Windows 2000 - leading some commentators to argue that the Microsoft OS is more reliable than the least reliable Linux distros.

Bugtraq also reported that Solaris 7 and 8 tied with Redmond's score of 24 security bugs.

However, industry experts agreed with vnunet.com readers that the Bugtraq figures warrant careful examination, as they include vulnerabilities in applications that ship with core operating systems.

Neil Barrett, technical director at security consultancy Information Risk Management, said: "Nine times out of ten, hackers break into a site through an application vulnerability. It's almost always the application packages that cause the problems."

One vnunet.com reader, Alex Roston, wrote in to say: "A Linux distribution already includes at least one webserver (and all the other packages an office might use, such as Netscape, Star Office and Evolution (a mail suite)... Your article fails to take into consideration the size of most Linux distributions. My Mandrake 7.1 distribution included 1500 packages, for a package/vulnerability ratio of about 55:1. I don't pay much attention to Windows distributions, but I suspect that the ratio of packages to vulnerabilities is much higher."

Tom Sightler, a senior network engineer, added: "With Linux distributions, the numbers do, in some cases, include vulnerabilities discovered in the OS, Sendmail, Apache, email clients, PostgreSQL, and hundreds of other programs that are included with the distribution."

Barrett said that when considering security vulnerabilities, you should always bear the applications in mind.

"The figures from the survey are probably correct," he said, "but people running Linux tend to be more switched on when looking for security bugs."

Reader Zach Younker said that a kernel versus kernel comparison would have been more appropriate. "The Linux operating system is comprised of hundreds of packages from various vendors.

"If you want to break it down you should do kernel vs kernel comparison. Comparing a complete operating system and all its programs to an operating system is just not fair," he said.

As many readers pointed out, it is also possible that because Windows is based on closed source code, the bugs reported are only the ones we know about. And, Microsoft conspiracy theories aside, more vulnerabilities may have been reported in Linux because of its open source nature.

But Barrett also said that the severity of the vulnerabilities should be considered. "Some Microsoft errors are just trivial security problems like default passwords," he said. "I mean, how many times can you say 'Doh!' to that?"

If you have more to add to this topic, email us at feedback@vnunet.com.
