Is Linux as vulnerable as Windows?
Published: 24 Feb 2003 11:08 GMT
Turning the heat up another notch on a long-simmering debate, the Aberdeen Group has published a study comparing the security of Linux/Unix systems with that of the Microsoft Windows family of products.
"Contrary to popular misperception, Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms," Aberdeen's report states.
Based on CERT advisories for 2001 and 2002, Aberdeen reached the following conclusions:
- "Virus and Trojan horse advisories affecting Microsoft products peaked at six in 2001, which then bottomed out at zero for the first 10 months of 2002.
- Virus and Trojan horse advisories affecting Unix, Linux, and open source software products went from one in 2001 to two for the first 10 months of 2002.
- Advisories affecting network equipment products jumped from two in 2001 to six for the first 10 months of 2002.
- Firewalls and other security products were affected by just two advisories in 2001, but have been linked to seven advisories for the first 10 months of 2002."
The report also points out that Apple is becoming vulnerable, "now that it is fielding an operating system [OS X] with embedded Internet protocols and Unix utilities."
Windows vs. Linux/Unix vulnerabilities
The Aberdeen Group report (vol. 1, no. 35) is dated Nov. 12, 2002, and it's a brief but interesting read. I can't post a direct link since you have to subscribe to see the report. But it doesn't cost anything, so I recommend that you go to the Aberdeen site, register, and then take a look at the entire report.
Some people will dismiss the report as Microsoft-sponsored hot air, but the raw data is there for everyone to see in CERT's Advisories and Incident Notes, giving legitimacy to the Aberdeen Group's conclusion that open source operating systems in general, the new Mac OS X, and critical security programs themselves aren't as safe as many proponents suggest.
The underlying data is worth a close look. No new Windows platform virus or Trojan CERT advisories were issued in the period of January 2002 through October 2002. CERT's confirmed vulnerabilities list shows that the threat level is growing faster for Linux/Unix platforms than for Windows. This could be a statistical anomaly due to the much larger number of Linux/Unix versions (although there are actually fewer versions available now, as there has been consolidation in both the Linux and Unix markets in recent years). So the number of threats is growing while the number of Linux/Unix versions is shrinking.
Perhaps this is an indication that Unix is becoming less genetically diverse and therefore is more vulnerable to attack because the market isn't so fragmented. One Microsoft virus would attack a lot of systems, but it used to take a slightly different virus for every version of Linux/Unix. That's not always the case anymore.








