Linux has gaping security holes caused by systems administrators who either can't or won't keep up with the latest patches, according to a report from British security firm mi2g.
Mi2g last week attracted a firestorm of criticism when it declared that Linux trailed Windows in overall security. The most secure operating systems are Apple OS X and the open source BSD, according to the study, which mi2g said was not funded by any outside party.
Many of Linux's security flaws are caused by multiple distributions of the operating system, and lack of standardized security regimes and procedures for applying patches, said mi2g chairman DK Matai.
Matai said mi2g is not hostile to Linux. He noted that the company runs Linux and other open source products, including Apache, MySQL, and PHP.
"We're just simply saying that the average system out there is not sufficiently patched up," Matai said. "Users have no clue as to whether their system is at the latest level of distribution or not. And they don't have adequate administration skills."
He added, "One of the biggest complaints we hear from our customers and contacts is it's very difficult to find a qualified Linux administrator."
John Weathersby, executive director of the Open Source Software Institute, said the security problems are just a natural evolution in a maturing Linux market.
"Now that Linux is growing on the desktop, it's becoming a larger target," Weathersby said. "You will surely see more attacks on Linux. As the market matures you'll have products that come to market that make it easier and more convenient to protect against hackers in a Linux environment."
Mi2g found Linux security problems often go unsolved because many users of the free operating system refuse to pay for upgrades and support, Matai said. Vendors like Red Hat are, increasingly often, charging for upgrades and support.
The most controversial—and confusing—section of the mi2g study was the decision to exclude viruses, worms and other malware from the comparative ratings of security in operating systems.
While Windows is more susceptible to viruses and other automatically operating malware, Linux is more susceptible to targeted hacker attacks—and the hacker attacks are a more serious threat, Matai said.
Successful manual attacks do much more damage to their targets, even if they are far more rare than automated attacks, Matai said.
If mi2g had included viruses and another automatically operated malware in the ratings, Linux would have been rated more secure than Windows, Matai said. But BSD and Mac OS X would still be more secure than both.
Matai said BSD and Apple are not protected from attacks just because they're relatively rare compared with Windows and Linux, Matai said. BSD and Apple are used in many mission-critical applications and high-security government and military installations. "There are many genuine reasons to attack BSD and Apple," he said.