Is Linux as vulnerable as Windows?
Published: 24 Feb 2003 11:08 GMT
The open source community sometimes claims that vulnerabilities are "more serious" in Windows, but I don't know of an objective way to measure that. Lacking a generally accepted method, all we are left with are the raw counts. Microsoft assigns a severity rating when it publishes a patch, but we need a comparable way to rate Linux/Unix bugs before we can compare the seriousness of the patches released for these platforms.
It's useful to look at incidents as well as confirmed vulnerabilities (advisories). Although an incident count doesn't measure how serious a vulnerability is, it gives those in the security business a way to judge how many attacks are taking place, or at least how many are being reported.
According to the Aberdeen report, "In 1995 the incidents reported by CERT numbered 2,412. However, incidents tracked by CERT skyrocketed from 21,756 in 2000 to 52,658 in 2001, and then to 73,359 for the first nine months of 2002. Clearly, the trend in incidents and advisories is going up, and at an alarming rate."
However, incident statistics should always be taken with a grain of salt. Advisories are easy to count, but nobody knows how many attacks go unreported.
Microsoft has recently announced a new policy for rating vulnerabilities. The company says this was due to customer complaints about far too many "critical" warnings, which compelled administrators to patch vulnerabilities even when the critical rating was not warranted by the actual risk.
According to Microsoft's director of security assurance, Steve Lipner, the new rating system will expand the old Critical-Moderate-Low reporting scale to include Important, which will fall between Critical and Moderate.
Most of what used to be rated Critical will now be labeled Important, including flaws that could lead to system penetration or file compromise. The Critical rating will be reserved for flaws that an Internet worm could exploit without user action (e.g., major disasters of the Code Red variety).
A new two-tier security bulletin system will also be hosted at http://www.microsoft.com/security/: a less technical bulletin service will supplement the current one, which many users found simply too technical.
A recent report brings yet another aspect of this subject to the forefront by pointing out that White House Cybersecurity Tsar, Richard Clarke, has called for mandatory vulnerability reporting to a central federal government office. This would require any security firm discovering a new vulnerability to report it with the goal of forcing vendors to respond more quickly to new threats.
Others feel this may lead to premature disclosure of vulnerabilities, as happened in the past when the FBI's National Infrastructure Protection Center attempted to coordinate reports with various vendors.
The newly formed (Sept. 26, 2002) Organization for Internet Safety is also developing a proposed set of guidelines for timely and safe reporting of vulnerabilities. OIS founders include Microsoft, @stake, Symantec, Caldera, Network Associates, BindView, and Oracle, so there may be some muscle behind these guidelines.
Final word
We will probably always be comparing apples and oranges when we try to see how the number and severity of vulnerabilities found in the major competing platforms match up. But this really doesn't matter in the real world. The bottom line is that if a vulnerability leads to intrusions on your network, it's a problem, and it doesn't matter whether the vulnerability was a "high" risk or a "low" risk, only whether it cost you time and money to deal with it.
Most of us are supporting legacy systems and always will be. Only new companies have the luxury of selecting a platform based only on security, performance, and initial cost. That's further limited to only new companies that have an expert IT staff in place to advise the company founders before they buy a single computer. It's far more likely that a platform decision will be based on the experience of the founders, the vendor who gets there first with the best proposal, or, most likely of all, which platform runs a line-of-business application that the company needs.
The Aberdeen report concludes that the reduction in Microsoft vulnerabilities is the result of the company's much-touted new security initiative. It may be too early to determine that, but it is a relief to see that no major viruses besieged Windows in 2002.
As for Microsoft's new security labeling system, I think it is useful. It makes sense to reserve the Critical rating for those dangerous global threats that can spread around the world quickly and temporarily threaten the integrity of corporate systems.