
Report: Windows Security Beats Linux

The report was Microsoft-funded, but researchers are providing the full methodology and challenging Linux advocates to prove them wrong.

Red Hat Enterprise Linux ES 3 has more high-severity risks than Windows Server 2003, and users are exposed to them for a longer period, according to a report released Tuesday.

A draft of the report was released last month and quickly attracted controversy for its methodology as well as allegations of ties between Microsoft and its researchers.

The full report confirms that Microsoft funded the study, and is sure to prompt further accusations of bias. But the researchers are providing the full methodology and challenging other security experts to test the legitimacy of their results.

Richard Ford, a research professor in the computer sciences department at the Florida Institute of Technology's College of Engineering, and Herbert Thompson, director of research and training at Security Innovation, a security technology provider, conducted the study. They used the ICAT Metabase, a database of vulnerabilities from the National Institute of Standards and Technology, to measure the severity of the various vulnerabilities identified over the course of 2004. The report also tabulated the "days of risk" from the time vulnerabilities were publicly identified to the time they were fixed.

The report drew criticism from Red Hat. The head of the company's Security Response Team, Mark Cox, said on his blog, "Red Hat was not given an opportunity to examine the 'Role Comparison Report' or its data in advance of publication and we believe there to be inaccuracies in the published 'days of risk' metrics. These metrics are significantly different from our own findings based on data sets made publicly available by our Security Response Team."

Researchers analyzed the two systems configured as Web servers with add-on software.

The findings:

- Researchers found that Red Hat Enterprise Linux had 3,893 total days of risk for all the risks classified as high severity, compared to 1,145 for Windows Server 2003.

- The average days of risk per vulnerability were 71.4 for Red Hat Enterprise Linux, compared with 31.3 for Windows Server.

- The team also looked at the vulnerability of the two systems to a port scan. They found that Red Hat Enterprise Linux had 77 high-severity vulnerabilities in its default configuration compared to 33 for Windows Server 2003, out of a total vulnerability count of 174 for Red Hat vs. 52 for Windows.
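As an added example (not code from the report or the article), the "days of risk" tally the researchers describe, computed over a constructed set of vulnerability records: per severity class, the sum and mean of days between public disclosure and fix. Treating a vulnerability still unfixed at the end of the study window as accruing risk up to that cutoff is an assumption; the article does not say how the report handled those.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

# Constructed sample records (not the report's data): one row per
# vulnerability with its ICAT-style severity, public disclosure date
# and vendor fix date (None = still unfixed at the cutoff).
@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    severity: str            # "high" | "medium" | "low"
    disclosed: date
    fixed: Optional[date]

SAMPLE = [
    Vuln("CONSTRUCTED-001", "high", date(2004, 1, 10), date(2004, 2, 9)),  # 30 days
    Vuln("CONSTRUCTED-002", "high", date(2004, 3, 1), date(2004, 3, 1)),   # same-day fix
    Vuln("CONSTRUCTED-003", "low", date(2004, 4, 1), date(2004, 4, 21)),   # 20 days
    Vuln("CONSTRUCTED-004", "high", date(2004, 12, 1), None),              # open at cutoff
]

# End of the measurement window (the report covered calendar 2004).
CUTOFF = date(2004, 12, 31)

def days_of_risk(v: Vuln, cutoff: date) -> int:
    """Days between public disclosure and the fix. An unfixed entry is
    assumed to accrue risk up to the cutoff (assumption, see lead-in)."""
    end = v.fixed if v.fixed is not None else cutoff
    return max((end - v.disclosed).days, 0)

def summarize(vulns: List[Vuln], severity: str, cutoff: date) -> dict:
    """Total and mean days of risk for one severity class, as the report
    does for 'high', plus how many entries were still open at the cutoff."""
    sel = [v for v in vulns if v.severity == severity]
    days = [days_of_risk(v, cutoff) for v in sel]
    return {
        "count": len(sel),
        "total_days": sum(days),
        "mean_days": round(mean(days), 1) if days else 0.0,
        "open_at_cutoff": sum(1 for v in sel if v.fixed is None),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, "high", CUTOFF))
```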

However, Thompson admitted that the relative severity of a vulnerability doesn't necessarily correlate with how much damage an attack can cause. "I have seen multiple instances where 15 low severity vulnerabilities have been combined into an attack that would have done damage as bad as a high severity attack," he said. He also cautioned that the "attack surface" of both systems could be mitigated simply by turning on the firewalls that come with both Windows Server and Enterprise Linux.
