A U.S. government study that reports there were three times more software vulnerabilities in the Linux/Unix platform than in the Windows platform during 2005 is not only drawing criticism from the open-source community but has also prompted questions from security authorities.
Cyber Security Bulletin 2005, published last week by the United States Computer Emergency Readiness Team (US-CERT), indicates that, out of 5,198 reported flaws, 812 were Windows vulnerabilities, 2,328 were Linux/Unix flaws, and 2,058 were multiple system vulnerabilities.
Open to Interpretation
In response to the report, NewsForge.com pointed out that, while many in the trade press have concluded that Windows is three times safer than Linux, the government figures are somewhat misleading.
One figure represents the vulnerabilities found in Windows operating systems, including XP, NT, and 98, while the other represents a total figure for Solaris, AIX, HP-UX, the BSDs, and Linux, as well as 100 different versions of Linux.
"CERT's method of totaling the number of vulnerabilities is odd," said Joe Brockmeier, editorial director of Linux.com. "They are lumping together all of the vulnerabilities for Linux and Unix. But the sum of all the unique vulnerabilities from all the Linux distributions does not equate to the sum of vulnerabilities in any single distribution, and one could say the same about the various versions of Windows."
Severity vs. Numbers
A vulnerability in Mac OS X, for example, does not apply to Linux or Unix, he said, but the government report does not make that clear. Likewise, the Firefox browser is listed under the Linux platform, but it runs on multiple operating systems, said Brockmeier.
He also pointed out that the CERT study does not take into consideration the severity of vulnerabilities, or how long it takes a vendor to offer a fix.
Graham Cluley, senior technology consultant at security specialist Sophos, echoed that concern, saying that the severity of a vulnerability, and the number of reported exploits, is more significant than the number of flaws in a software platform.
"Just because one platform has more vulnerabilities does not necessarily mean it is less safe than another," Cluley said. "It's important to consider the amount of hacker activity associated with a particular flaw."
He, too, noted that CERT listed vulnerabilities in applications that run on Windows as well as Unix or Linux, but counted those flaws only against the Linux/Unix platform. "And we have noticed that the vast majority of computer viruses are aimed at Windows," said Cluley.
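The objections above all come down to attribution rules: whether one flaw affecting several distributions is counted once or once per distribution, whether a cross-platform application flaw is charged to one platform or to all of them, and whether severity enters the total at all. The following Python snippet is an added illustration, not part of the article or of the US-CERT bulletin; it runs the same small, constructed set of records (hypothetical IDs, not real CVEs, and an assumed severity weighting) through several counting schemes so the reader can see how far the totals diverge on identical data.

```python
from collections import defaultdict

# Constructed sample records: (vulnerability id, affected platforms, severity).
# IDs are hypothetical placeholders, not real CVE identifiers.
SAMPLE = [
    ("V-001", ["Windows XP", "Windows 2000"], "high"),
    ("V-002", ["Windows XP"], "low"),
    ("V-003", ["Debian", "Red Hat", "SUSE"], "medium"),  # one kernel flaw, three distributions
    ("V-004", ["Solaris"], "low"),
    ("V-005", ["Debian"], "low"),
    ("V-006", ["Windows XP", "Debian", "Red Hat", "Solaris"], "high"),  # cross-platform application flaw
]

WINDOWS = {"Windows XP", "Windows 2000"}
UNIX_LIKE = {"Debian", "Red Hat", "SUSE", "Solaris"}
# Assumed weights; any monotone scale would do for the illustration.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}


def family(platform):
    """Map a concrete platform to the coarse family used in the bulletin's totals."""
    if platform in WINDOWS:
        return "Windows"
    if platform in UNIX_LIKE:
        return "Linux/Unix"
    return "Other"


def bucket_by_family(records):
    """Each record lands in exactly one bucket: Windows-only, Linux/Unix-only, or Multiple.
    This mirrors how the three headline totals are presented."""
    counts = defaultdict(int)
    for _rid, platforms, _sev in records:
        fams = {family(p) for p in platforms}
        counts[next(iter(fams)) if len(fams) == 1 else "Multiple"] += 1
    return dict(counts)


def distinct_per_platform(records):
    """Distinct vulnerability IDs affecting each individual platform."""
    ids = defaultdict(set)
    for rid, platforms, _sev in records:
        for p in platforms:
            ids[p].add(rid)
    return {p: len(s) for p, s in ids.items()}


def summed_per_family(records):
    """Add up the per-platform totals inside a family. A flaw shared by three
    distributions is counted three times: the inflation Brockmeier describes."""
    totals = defaultdict(int)
    for p, n in distinct_per_platform(records).items():
        totals[family(p)] += n
    return dict(totals)


def distinct_per_family(records):
    """Count each ID once per family; a cross-platform flaw is charged to every family it affects."""
    ids = defaultdict(set)
    for rid, platforms, _sev in records:
        for fam in {family(p) for p in platforms}:
            ids[fam].add(rid)
    return {f: len(s) for f, s in ids.items()}


def severity_weighted_per_family(records):
    """Same distinct-per-family attribution, but summing severity weights instead of counting."""
    seen = defaultdict(set)
    totals = defaultdict(int)
    for rid, platforms, sev in records:
        for fam in {family(p) for p in platforms}:
            if rid not in seen[fam]:
                seen[fam].add(rid)
                totals[fam] += SEVERITY_WEIGHT[sev]
    return dict(totals)


if __name__ == "__main__":
    print("one bucket per record:   ", bucket_by_family(SAMPLE))
    print("per platform (distinct): ", distinct_per_platform(SAMPLE))
    print("summed per family:       ", summed_per_family(SAMPLE))
    print("distinct per family:     ", distinct_per_family(SAMPLE))
    print("severity-weighted:       ", severity_weighted_per_family(SAMPLE))
```

On this constructed data the summed scheme gives Linux/Unix twice the Windows figure, while the distinct count gives 4 against 3 and the severity-weighted total actually favours Linux/Unix; no single distribution is affected by more than 3 of the 8 "summed" flaws. Which rule is right is a separate question, but a count published without stating the rule cannot be compared across platforms.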
Windows Still Favorite Target
Yankee Group senior analyst Andrew Jaquith suggested that counting the number of software vulnerabilities is a "rear view" approach that only measures flaws after they are publicly revealed. "CERT does not measure the security of a given platform, and it is hard to draw any definitive conclusions from these numbers," he said.
The Windows OS, given its ubiquity, remains the favorite target of hackers and malware practitioners, said Jaquith.
Unlike Microsoft, said Brockmeier, the Linux community takes a proactive approach to security, seeking out flaws in the platform. Microsoft, on the other hand, does not open its code to scrutiny, and only reacts when it is notified of problems, he argued.
"CERT is trying to keep the public informed, which is a good thing, but people have to be careful in interpreting the information provided," he said.