Saturday, March 26, 2005

Linux lags Windows in new security report

A report released today by Security Innovation indicates Windows Server 2003 may actually be more secure than its most popular Linux competitor when it comes to vulnerability counts
and the time it takes to patch them. The paper is at,

Another piece of Microsoft-funded research. According to Thompson:
“We’ve gotten funding from Microsoft ..”

The study is limited:

“This study appears to be more concerned with vulnerability counts and patch-release cycles than in actual security or securability.”

Here's the method:

In the Security Innovation report, the trio took requirements for three typical enterprise Web server environments and scrutinized known vulnerabilities and subsequent patches. The Windows Server 2003 platform included ASP.NET for scripting, a SQL Server 2000 database server and Microsoft Internet Information Services 6.0 Web server. Any function was accepted by default during installation (assuming many admins just keep clicking the Next button during the process). On the Linux side, the team used two different configurations for Red Hat Enterprise Linux 3.0. Both ran PHP for scripting, a MySQL database server and an Apache Web server. But one version included high modularity, where essentially the researchers installed whatever Red Hat had available; the other was minimally configured to include only core components.

The problem is:

“Most of us in the Linux security community have been saying for years that the average Linux distribution — Red Hat, SuSE, etc. — isn’t terribly secure ‘by default.’ Good security comes from careful configuration, not by running an installer,”

And Red Hat's own data doesn't seem to support the study:

The Red Hat Security Response Team publishes the data, allowing anyone to run these metrics for themselves; see

Some comments from the community:

Today's security advice from Secunia for Mandrake 10.1 is that all known vulnerabilities are patched (see ). Today's security advice from Secunia for Windows Server 2003 has 13% of known vulnerabilities not patched (see ), and 4 of these problems date back to 2003! So the maximum time MS takes to patch vulnerabilities in Server 2003 is 2 years and still counting - where is that mentioned in this "research"?

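The comment above is really a point about metric choice: a "days to patch" average computed only over vulnerabilities that have been patched says nothing about the ones still open, while the maximum age (or the unpatched count) is dominated by exactly those. The following is an added example, not code from the original post, the Security Innovation report, or Red Hat's data. It runs the two kinds of metric over a small constructed advisory set for two hypothetical platforms (names, dates and severities are invented) and shows that the platforms change places depending on which metric is used.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    disclosed: date
    patched: Optional[date]   # None means no fix has shipped yet
    severity: str             # "critical", "high", "moderate", "low"


# Date the metrics are computed "as of" (assumed; matches the post's date).
AS_OF = date(2005, 3, 26)

# Constructed sample data: hypothetical platform A patches quickly but has
# two old advisories still open; hypothetical platform B patches everything,
# but more slowly. Neither list is taken from a real advisory feed.
PLATFORM_A: List[Advisory] = [
    Advisory("A-1", date(2004, 1, 10), date(2004, 1, 20), "high"),
    Advisory("A-2", date(2004, 3, 5),  date(2004, 3, 12), "moderate"),
    Advisory("A-3", date(2004, 6, 1),  date(2004, 6, 15), "critical"),
    Advisory("A-4", date(2004, 9, 20), date(2004, 9, 29), "high"),
    Advisory("A-5", date(2003, 4, 1),  None,              "critical"),
    Advisory("A-6", date(2003, 11, 15), None,             "moderate"),
]

PLATFORM_B: List[Advisory] = [
    Advisory("B-1", date(2004, 1, 10), date(2004, 1, 30), "high"),
    Advisory("B-2", date(2004, 3, 5),  date(2004, 3, 20), "moderate"),
    Advisory("B-3", date(2004, 6, 1),  date(2004, 6, 26), "critical"),
    Advisory("B-4", date(2004, 9, 20), date(2004, 10, 8), "high"),
    Advisory("B-5", date(2003, 4, 1),  date(2003, 4, 30), "critical"),
    Advisory("B-6", date(2003, 11, 15), date(2003, 12, 1), "moderate"),
]


def days_open(a: Advisory, as_of: date) -> int:
    """Days from public disclosure to the fix, or to `as_of` if still unpatched."""
    end = a.patched if a.patched is not None else as_of
    return (end - a.disclosed).days


def metrics(advisories: List[Advisory], as_of: date) -> Dict[str, float]:
    """Compute the vulnerability-count and time-to-patch metrics under discussion."""
    patched = [a for a in advisories if a.patched is not None]
    unpatched = [a for a in advisories if a.patched is None]
    return {
        "total": len(advisories),
        "unpatched": len(unpatched),
        "unpatched_pct": round(100.0 * len(unpatched) / len(advisories), 1),
        "unpatched_critical": sum(1 for a in unpatched if a.severity == "critical"),
        # The metric a "patch-release cycle" study tends to report: open issues ignored.
        "mean_days_patched_only": round(mean(days_open(a, as_of) for a in patched), 1),
        # The same average, but still-open issues counted at their current age.
        "mean_days_all": round(mean(days_open(a, as_of) for a in advisories), 1),
        # The number the commenter asks about: the worst case, still counting.
        "max_days": max(days_open(a, as_of) for a in advisories),
    }


def rank(platforms: Dict[str, List[Advisory]], metric: str, as_of: date) -> List[str]:
    """Order platform names best-first (lower is better for every metric here)."""
    return sorted(platforms, key=lambda name: metrics(platforms[name], as_of)[metric])


if __name__ == "__main__":
    platforms = {"A": PLATFORM_A, "B": PLATFORM_B}
    for name, advs in platforms.items():
        print(name, metrics(advs, AS_OF))
    for metric in ("mean_days_patched_only", "mean_days_all", "max_days", "unpatched"):
        print(f"ranked by {metric}: {rank(platforms, metric, AS_OF)}")
```

On this constructed data, platform A wins on the patched-only average (10 days against 20.5) and loses on everything that takes the open advisories into account (two unpatched, one of them critical, and a worst case of 725 days and counting against B's 29). Whichever of those numbers a report chooses to headline decides the conclusion, which is why the raw advisory data, not the summary statistic, is what needs to be published.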

1 comment:

rmacapobre said...

You know, big corporations like tobacco and McDonald's like to create doubt in the populace about whether smoking actually causes cancer or eating fast food causes obesity .. maybe the same is true about Linux and Windows.