Linux vendors attack analyst report

Linux vendors Debian, Mandrake, Red Hat, and SuSE have hit back at research which claims that Linux and Microsoft products are both secure.

In a report released late last month entitled Is Linux more Secure than Windows?, analyst Forrester said: "Microsoft gets a bad rap for security, while many believe that Linux is relatively secure.

"A fair assessment? Not really: After collecting a year's worth of vulnerability data, Forrester's analysis shows that both Windows and four key Linux distributions can be deployed securely."

But now the Linux distributors are criticising the report, arguing that as it treats all vulnerabilities as equal it has limited real-world value for customers.

In a statement Debian, MandrakeSoft, Red Hat and SuSE said: "While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful we are concerned about the correctness of the conclusions made in the report."

The companies said they evaluate each flaw to determine the priority at which a fix for a vulnerability is to be worked. "Our users will know that for critical flaws we can respond within hours.

"This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first."

The Linux companies claimed the analyst failed to take this into account when measuring the time between the public knowledge of a security flaw and the availiability of a vendor's fix.

"Not all vulnerabilities have an equal impact on all users," they warned.

"We believe the report does not treat the open source vendors and single closed source vendor in the same way. Open source software is known for its variety and its freedom of choice amongst the standards it defines.

"Multiple implementations of these standards are typically offered for both desktop and server use, which gives users the freedom to select software based on their own criteria rather than those of the vendor."