A fervent debate over which operating system is safest for users has been raging for years, and it looks like the next chapter has begun, thanks to a report issued this week by the United States Computer Emergency Readiness Team (US-CERT).
US-CERT’s 2005 year-end index declared Unix/Linux logged more vulnerability reports in 2005 than market-dominant rival Microsoft Windows. It’s a revelation that probably has Bill Gates smiling, even though security experts are not buying into the report wholeheartedly.
By the Numbers
According to the numbers, US-CERT found 5,198 reported vulnerabilities in 2005. Broken down by platform, 2,328, or 45 percent, of those vulnerabilities were charged to Unix/Linux.
Another 2,058, or 40 percent, of the vulnerabilities were attributed to multiple operating systems. And only 801, or 15 percent, were credited to Microsoft systems. Tallied up, that means vulnerabilities found in Unix/Linux outpaced those discovered in Windows by three to one.
The Rest of the Story
It should be noted that US-CERT did not distinguish between Unix/Linux vulnerabilities and OS X vulnerabilities. Still, only about 25 vulnerabilities were attributed to Apple systems.
If one looked solely at numbers, Apple would boast the safest systems. But there are far fewer Apple computers on the market than PCs. That, said analysts, is why you can’t strictly count numbers.
What’s more, US-CERT does not filter out updates. That means one vulnerability could be recorded multiple times, once for each revision of its advisory. US-CERT also does not break out individual vulnerabilities from warnings that cover multiple bugs, so a single advisory describing several flaws counts as one.
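To see how those two counting choices move the totals, here is an added illustration (not code from the article or from US-CERT, and run on a small constructed advisory list rather than the real index). It counts the same feed three ways: raw entries, entries with re-issued updates dropped, and distinct bug identifiers. The field names, platform labels and bug IDs are all assumptions made up for the example.

```python
from collections import Counter

# Constructed sample advisory feed (not US-CERT data). Each record is one entry
# as a year-end index might list it: 'ids' holds the distinct bug identifiers
# the entry covers, and 'update_of' names the earlier entry it re-issues.
ADVISORIES = [
    {"entry": "A-1", "platform": "Unix/Linux", "ids": ["BUG-100"], "update_of": None},
    {"entry": "A-2", "platform": "Unix/Linux", "ids": ["BUG-100"], "update_of": "A-1"},
    {"entry": "A-3", "platform": "Unix/Linux",
     "ids": ["BUG-101", "BUG-102", "BUG-103"], "update_of": None},
    {"entry": "A-4", "platform": "Windows", "ids": ["BUG-200"], "update_of": None},
    {"entry": "A-5", "platform": "Windows", "ids": ["BUG-200"], "update_of": "A-4"},
    {"entry": "A-6", "platform": "Multiple", "ids": ["BUG-300", "BUG-301"], "update_of": None},
]


def count_entries(advisories):
    """Raw tally: every listed entry counts once, updates included."""
    return dict(Counter(a["platform"] for a in advisories))


def count_entries_excluding_updates(advisories):
    """Same tally, but a re-issued advisory no longer counts again."""
    return dict(Counter(a["platform"] for a in advisories if a["update_of"] is None))


def count_distinct_bugs(advisories):
    """Count each distinct bug identifier once per platform, so an advisory
    covering several flaws contributes several, and a re-issue contributes none."""
    seen = {}
    for a in advisories:
        seen.setdefault(a["platform"], set()).update(a["ids"])
    return {platform: len(ids) for platform, ids in seen.items()}


def ratio(counts, numerator, denominator):
    """Ratio between two platforms' counts, the figure headlines tend to quote."""
    return counts[numerator] / counts[denominator]


if __name__ == "__main__":
    for label, fn in (("raw entries", count_entries),
                      ("without updates", count_entries_excluding_updates),
                      ("distinct bugs", count_distinct_bugs)):
        counts = fn(ADVISORIES)
        print(f"{label:>16}: {counts}  Unix/Linux:Windows = "
              f"{ratio(counts, 'Unix/Linux', 'Windows'):.1f}")
```

On this constructed feed the two effects pull in opposite directions: dropping updates lowers both platforms' counts, while splitting multi-bug advisories raises the Unix/Linux figure. Which correction dominates in the real index is exactly what the raw totals cannot tell you, which is the analysts' point.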
So what do these numbers really mean? The Linux versus Windows security debate is comparable to the Firefox versus Internet Explorer Web browser debate.
Ultimately, it’s an argument between open-source and commercial software security. In the Web-browsing arena, Firefox is often declared the winner over Internet Explorer. But, again, the numbers collected by security researchers only tell part of the story.
Picking On the Attention Getters
One cannot make blanket statements about software safety, Michael Sutton, director at iDefense, a VeriSign company, told LinuxInsider. Other factors, such as how the software is configured, also play a role in security.
Take the Firefox versus Internet Explorer example. “It’s too simple to say Firefox is safer than Internet Explorer or vice versa. Firefox and Opera and any other browser have vulnerabilities. The level of research that’s put into them is certainly driven by how big the user base is,” Sutton said.
Just as Internet Explorer has traditionally garnered the most attention from researchers, Linux has been the subject of scrutiny in past years. What is important is not merely the number of vulnerabilities, but how they are handled when they do occur.
As the platform security debate continues, what is clear is that the overall number of vulnerabilities is on the rise. US-CERT recorded 171 vulnerabilities in 1995. Five years later that number had more than quadrupled to 1,090. And this year saw 2,210 more vulnerabilities than last year.
This is a classic argument. The question is: "How many vulnerabilities does Microsoft report?" Of course Unix/Linux are going to have more, because they actually get reported. Case in point…that little WMF vulnerability that "just came out" despite the fact that it was lying there and waiting for over 10 years for someone to discover. Other questions: "Do all of the Unix/Linux vulnerabilities encompass all of the software that gets bundled with a given Linux distribution? Are they comparing apples to apples here? If you just compare the core OS vulnerabilities, are the numbers significantly different?" My guess is it doesn’t matter. The Windows code is so complex, poorly written, bloated, and patched that no one will ever know the total number of vulnerabilities in that OS. My $0.02.