[NTLUG:Discuss] US-CERT Cyber Security Bulletin SB04-245 -- Summary of Security Items from August 18 through August 31, 2004
Kevin Brannen
kbrannen at pwhome.com
Thu Sep 2 20:45:58 CDT 2004
terry wrote:
> This link, (summary list of "Bugs, Holes, & Patches" as reported by
> CERT), was sent to me by a MS oriented IT person that contends that
> Linux is as insecure or maybe even more insecure than MS Windows.
>
> <http://www.us-cert.gov/cas/bulletins/SB04-245.html#altsoft-agsm>
>
> First glance shows:
> MS Windows has only:
> 23 "Bugs, Holes, & Patches"
>
> And Unix / Linux has:
> 51 "Bugs, Holes, & Patches"
>
> **** humm.... "& Patches" ****
>
> Second glance shows:
> MS Windows:
> 18 out of 23 "No workaround or patch available at time of publishing."
>
> Unix / Linux
> 6 out of 51 "No workaround or patch available at time of publishing."
>
> or
> MS Windows: 18 unresolved security issues
> Unix / Linux 6 unresolved security issues
>
> I guess we could say MS has a lot of work to do?
> Fair? Unfair? or Maybe that's understandable given the fact that our
> developer base is somewhat broader than theirs?
>
> I don't know how many of those MS issues have been worked out since
> publish dates of above listed advisories,
> BUT
> Some of those Unix / Linux issues seem to have been worked on, or
> maybe even worked out completely:
> ==============================================================
> ...
> So, does that knock the score down to 5 to 18?
> or not?

A LOT of the problems, for both OSs, are in applications not shipped by
MS or are not part of the Linux kernel, they're optional; and a fair
number of the Unix/Linux ones are not for Linux. If you go down to just
these problems, it looks like MS = 5 or 6, and Linux = 3. So I find it
hard to say "Linux is as insecure or maybe even more insecure than MS
Windows".

However, :-) you can take almost any list like this and make either side
look good depending on how you slice, dice, and prioritize it. My
preferred metric is how much time I have to spend to keep it secure and
to recover from security problems (cracks, viruses, adware, patches,
etc.). Looking at it that way, I've spent way more time working on/with
MS OSs than with Linux (and Unix), and I'm a Linux/Unix admin and developer.

Kevin