[NTLUG:Discuss] US-CERT Cyber Security Bulletin SB04-245 -- Summary of SecurityItems from August 18 through August 31, 2004

Kevin Brannen kbrannen at pwhome.com
Thu Sep 2 20:45:58 CDT 2004 

terry wrote:

> This link, (summary list of "Bugs, Holes, & Patches" as reported by 
> CERT), was sent to me by a MS orientied IT person that contends that 
> Linux is as insecure or maybe even more insecure than MS Windows.
>
> <http://www.us-cert.gov/cas/bulletins/SB04-245.html#altsoft-agsm>
>
> First glance shows:
> MS Windows has only:
> 23 "Bugs, Holes, & Patches"
>
> And Unix / Linux has:
> 51 "Bugs, Holes, & Patches"
>
>          **** humm.... "& Patches" ****
>
> Second glance shows:
> MS Windows:
> 18 out of 23 "No workaround or patch available at time of publishing."
>
> Unix / Linux
> 6 out of 51 "No workaround or patch available at time of publishing."
>
> or
> MS Windows:  18  unresolved security issues
> Unix / Linux  6  unresolved security issues
>
> I guess we could say MS has a lot of work to do?
> Fair?  Unfair? or Maybe that's uderstandable given the fact that our 
> developer base is somewhat broader than theirs?
>
> I don't know how many of those MS issues have been worked out since 
> publish dates of above listed advisories,
> BUT
> Some of those  Unix / Linux issues seem to have been worked on, or 
> maybe even worked out completely:
> ==============================================================
> ...
> So, does that knock the score down to 5 to 18?
> or not?


A LOT of the problems, for both OSs, are in applications not shipped by 
MS or are not part of the Linux kernel, they're optional; and a fair 
number of the Unix/Linux ones are not for Linux.  If you go down to just 
these problems, it looks like MS = 5 or 6, and Linux = 3.  So I find it 
hard to say "Linux is as insecure or maybe even more insecure than MS 
Windows".

However, :-) you can take almost any list like this and make either side 
look good depending on how you slice, dice, and prioritize it.  My 
preferred metric is how much time I have to spend to keep it secure and 
to recover from security problems (cracks, viruses, adware, patches, 
etc.).  Looking at it that way, I've spent way more time working on/with 
MS OSs then with Linux (and Unix), and I'm a Linux/Unix admin and developer.

Kevin

More information about the Discuss mailing list