4 min read

Controversial Report Finds Windows More Secure than Linux

Researchers found that Windows Server 2003 actually had fewer security vulnerabilities identified last year than Linux and that the holes in Windows took less time to patch. But Linux advocates say the report compares apples with oranges, and researchers have accepted money from Microsoft in the past.
Security Innovations does not disclose details regarding relationships with clients, but Microsoft, HP, IBM, SAP, and Cisco have been previous clients, Thompson said. He declined to state whether Microsoft or Red Hat provided any funding for the new study, but said this information will be disclosed with the release of the final report. A full description of the methodology will be released so other researchers can scrutinize and try to repeat it, followed by the full report with the disclosure of the funding.

Open source advocates say the pro-Microsoft studies are suspect because they don't take into account the severity of the vulnerabilities or the different ways that vulnerabilities are reported and dealt with in the Linux community.

Mark Cox, head of the security response team at Red Hat, pointed to flaws with a recent comparison by Microsoft chief security executive Mike Nash in an online chat session last month. Nash claimed that 34 vulnerabilities had been found in Red Hat Enterprise Linux so far in 2005, but only 15 in Windows Server 2003.

"He was implying there were twice as many vulnerabilities in Enterprise Linux," says Cox. "Three of the Microsoft vulnerabilities were critical flaws, something that can be exploited without user interaction, like worms. Of the 34 vulnerabilities in Enterprise Linux, none of them were critical. The metrics are quite useless unless you take into account the relative severity of the issues."

Microsoft did not cooperate in requests for comment on this story..

Red Hat said Linux programmers address flaws relatively quickly. "The problem is these metrics only look at days of risk when the vulnerability is published and then when it's fixed, not the date when the bad guys found it and not the date when it was exploited," Cox said.

Thompson responded that the Linux community's quickness to disclose vulnerabilities to the public makes the operating system less secure. "Fewer people have historically followed responsible disclosure on the open source side," Thompson said. "With responsible disclosure, if someone finds a vulnerability in an application or the operating system, they report it directly to the vendor or the package owner. In the open source case, there are more people who disclose the flaw publicly in bug lists. Whereas in the Microsoft case, historically more people have followed responsible disclosure, and then Microsoft discloses the vulnerability and releases a patch for it."

Thompson said he hopes to continue the study on an ongoing basis, and to receive feedback from other security researchers as well as encourage independent testing by others.

"We want people to bake the cake themselves," he says. "We want to give people the recipe so they can see the numbers for themselves and get back to us."

Size Matters

Linux can appear to be less secure because the distributions are larger than Windows, said Novell. The company's SUSE Linux has 2,600 packages, far greater than Windows; the number of packages would have to be reduced significantly to make the software comparable, said Novell security architect Roman Drahtmueller.

In addition, the Linux distributors also supply the source code for every fix, so various users can check the code themselves, recompile it, and make sure there are no hidden back doors. "Customers can make sure that we have supported nothing but the fixes," Drahtmueller said. "The only way to prove we haven't put in a back door is because of the transparency we have on the package, and the way we publish the work to our customers."

The Open Source Development Labs criticized the study because it only looks at one flavor of Linux. "This is comparing Microsoft as shipped to a single vendor of Linux solutions," says Bill Weinberg, open source architecture specialist with the organization, which oversees Linux development. "It's not representative of the entire market."

Linux has several add-ons that can substantially increase the security of the system, such as Security-Enhanced Linux (SELinux), which was developed by the National Security Agency, and grsecurity, a set of kernel patches that prevent many buffer overflow issues, said Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, a service that issues advisories of security vulnerabilities and hacking exploits. Skilled administrators who know how to apply these add-ons can effectively protect their systems and are better off than if they switch horses in midstream.

"Whenever a study comes out that says operating system A is better than operating system B," he said, "you have people switching from one operating system to another, even if they know the first operating system better, and you end up with a much less secure operating system."

Michael Cohn is a freelance journalist.)