Controversial Report Finds Windows More Secure than Linux - InformationWeek


07:25 PM


Researchers found that Windows Server 2003 actually had fewer security vulnerabilities identified last year than Linux and that the holes in Windows took less time to patch. But Linux advocates say the report compares apples with oranges, and researchers have accepted money from Microsoft in the past.

Contrary to popular wisdom, Windows appears to be more secure than a popular version of Linux, according to an upcoming report from two security researchers.

The researchers found that Windows Server 2003 actually had fewer security vulnerabilities identified last year than Linux and that the holes in Windows took less time to patch.

But the study is already attracting controversy for its methodology. Linux proponents note that the two systems have different configurations and are not easily comparable since they contain different functionality out of the box.

"A lot of people are under the impression that one platform has more advantages," said Max Clark, a network consultant with Intercore, a Los Angeles-based consulting firm that provides support for both Windows and Linux systems. "The expertise of the person deploying it is what matters. The default configurations are important, but once you start consolidating software on top of the system, the system is only as secure as what's running on it."

The study, which compared Windows Server 2003 to Red Hat Enterprise Linux ES3, was conducted by Richard Ford, a research professor in the computer sciences department at the Florida Institute of Technology's College of Engineering, and Herbert Thompson, director of research and training at Security Innovation, a security technology provider.

Linux advocates criticized the study over allegations that the researchers accepted funding from Microsoft, a criticism also leveled at earlier studies finding Windows security superior to Linux.

The researchers declined to comment on whether Microsoft is funding the current study, saying they will disclose funding sources when the study is finally published. They defended the study, saying they are interested in hearing feedback from others willing to test their research findings to see if they are sound.

They Surprised Themselves

When researchers previewed the study at the RSA Conference in February, Ford told attendees he was a "Linux fan," according to accounts in the Seattle Times and VNUnet. He runs Linux and other open source software in his home.

Ford and Thompson said they were surprised by some of their results.

They examined typical Web server configurations, comparing a Windows Server 2003 system running Internet Information Server 6.0, SQL Server 2000 SP3 for Windows, and ASP.NET scripting against an open source system running Red Hat Enterprise Linux ES3, Apache web server with OpenSSL and OpenSSH, MySQL database, and PHP scripting.

For Red Hat, Thompson and Ford looked at both a default configuration and a minimal configuration with only the components essential to act as a Web server.

For Windows Server installed with all of its components, the researchers found 52 vulnerabilities that were fixed in calendar year 2004.

For Red Hat, in the minimal case, they identified 132 vulnerabilities fixed in 2004, and in the default configuration, they found 174.

They also looked at the time between when a vulnerability was publicly disclosed and when a patch was issued, which they referred to as the "days of risk." With Windows Server, they found there were 30 days of risk, but with Red Hat Linux there were 71.

"In the minimal stripped down case, the gap between the two was surprising," Thompson said. "With Microsoft's adoption of their secure development lifecycle, I believed that Windows would probably beat the default installation, but I did not believe it would beat the minimal installation."

Earlier Studies Agree

This is just the latest in a series of controversial studies that found Microsoft software more secure than Linux and other open source software. Last year, Forrester Research conducted a study where it also looked at days of risk and number of vulnerabilities. Forrester concluded that both Windows and four of the most popular Linux distributions could be deployed securely and that Microsoft had the lowest average total days of risk.

However, several Linux vendors took exception to the report's methodology, and recalled that Microsoft had commissioned an earlier report in 2003 from Forrester on the total cost of developing and deploying Web-based portal applications on Microsoft vs. Linux platforms. Although Microsoft did not fund the 2004 Forrester security report, critics claimed the earlier funding was evidence of bias.

The new study is receiving similar accusations. Messages on sites such as Slashdot pointed to Microsoft funding for other Florida Institute of Technology research projects.
