Study Finds Windows More Secure Than Linux

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

Another study

[suso (153703)]

Study finds Slashdot as repetitive as Philip Glass

Knock Knock Joke

[R2.0 (532027)]

Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?

Phillip Glass

My 8 year old daughter, a great afficionado of knock knock jokes, didn't appreciate it.

Integrity?

[samtihen (798412)]

Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford [fit.edu].

http://www.virusbtn.com/magazine/articles/letters/ 2004/01_01.xml [virusbtn.com]

Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

A lot more could certainly be done...

[emil (695)]

OpenBSD runs chroot() Apache. Does IIS have similar capability?

The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

I would be disinclined to run any other way at this point.

Re:Integrity?

[leuk_he (194174)]

from the article

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just back to counting vulnerabilities.

--Nothing to see here, move on.

Re:Integrity?

[jedidiah (1196)]

This study appears to be a clear example of redifining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

Given the history of malware, they clearly are not.

This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.

Re:More FUD

[Otter (3800)]

Ummm, Florida isn't in Washington. Or if it is, we have bigger problems going on than Linux or Windows vulnerabilities.

And, to the grandparent -- if you read your own link, the previous study was not sponsored by Microsoft.

These studies are pointless. Both can be secure

[Mustang Matt (133426)]

I don't get it. I guess I need to read the article.

A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

Where's the news?

Newsflash... ONE Linux Fan..

[Staplerh (806722)]

Interesting. Some relevant snippets:

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast and while the other one is a Linux fan who changed his minds, this hardly sounds like a study .

It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpetted. I'm sure Microsoft will pick this one up and run with it, however.. more of those annoying ads that seem peppered throughout Slashdot.

Not only that, but I find this quote odd..

[schon (31600)]

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

Umm, so MS showed him their source code? I find that a little hard to believe.

If he can't see the source, how can he make any determination at all?

Re:Newsflash... ONE Linux Fan..

[bonch (38532)]

No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

I'm getting a little disturbed at the way all pro-Linux studies are being accepted and all other studies are being dismissed here. Critical thinking should always be welcome. And, yes, Linux is NOT perfect, it is NOT flawless, and it IS full of security holes like anything else. Nobody should take their operating systems so personally that they feel attacked when Linux is criticized.

Note that this doesn't go for everybody. But there are a lot of zealots in the community who need to learn to see outside their own perspective.

Re:Newsflash... ONE Linux Fan..

[EvilTwinSkippy (112490)]

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

Um, no. Your average system administrator earns about $62k has at least 2 years experience, and generally a bachelors degree in a related field. At least according to most industry figures. [salary.com]

The job title also entails tweaking system configurations for security, evaluating patches, etc. etc.

Not again...

[PoprocksCk (756380)]

"Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

So Windows is more secure than Red Hat because Microsoft chooses to report less vulnerabilities and release less patches? Hmmm...

(Move along, nothing new to see here.)

Non Story

[bfree (113420)]

Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means so I don't even no why I am bothering to post to this!

The security of a server...

[jmcmunn (307798)]

...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)

Self-Evident

[Wvyern (701666)]

"...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?

I'm no zealot

[InfallibleLies (654694)]

of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is it the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

No matter how fast a patch is issued, you still have to install it for it to work.

Delay in announcing MS vulnerabilities?

[Saint Stephen (19450)]

Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?

Enthusiast?!

[Vollernurd (232458)]

How the hell can anyone claim to be a "Microsoft enthusiast"?! It's hardly a hobby.

Hardly a study

[metatruk (315048)]

This was a hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.

Sorry, but this "study" is not a study.

Why was this even posted?

RTFA then talk

[digitalgimpus (468277)]

Read it for yourself. It reads:

"Believe it or not, a Windows Web server is more secure than a [i]similarly set-up[/i] Linux server, according to a study presented yesterday by two Florida researchers."

So when you load a linux server with software that has known security holes....they are both equally as secure.

It's not groundbreaking news.

"Days of Risk" vs. Full Disclosure

[Daedala (819156)]

Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.

Also in the news...

[NoMoreNicksLeft (516230)]

cfelde writes "Satanism is less evil than a christianity, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of philosophers, discussed the findings in an event, 'Religion Showdown: Good vs. Evil.' One of them, a satanist, performs perverse human sacrifice rituals; the other volunteers at the local homeless shelter. They wanted to cut through the near-political arguments about which religion is less evil from a morality standpoint."

Horribly flawed

[StormReaver (59959)]

"There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

Are they joking? Their metric (reported vulnerabilities) is absurd for a number of reasons.

1) Microsoft reports only a fraction of its vulnerabilities. Remember when Win2000 had over 65000 known (to Microsoft) flaws? No more than a handful were ever reported. Microsoft reports flaws only after bearing enormous public humiliation. Of course Microsoft's flaw count is going to be low. Microsoft hides them all until forced to disclose.

2) Linux vendors report every hair out of place. It doesn't matter if the flaw causes a D to look like an O on the third day of the Summer Solstice, but only if that day matches the 4th digit of PI, and only if the computer has calculated the cure for cancer at exactly 15 milliseconds after the user's orgasm.

3) Seriousness of vulnerabilities. Due to the nature of full disclosure under Linux, it will -always- have higher reported flaw counts than Windows. The vast majority of reported Linux flaws, however, are relatively benign, while the vast majority of reported Windows flaws hand over complete control of your computer to some third party.

4) Widespread Propagation. Windows, by its intended design, makes propagating exploits to these vulnerabilities trivially easy (automatic, actually), while this has yet to be accomplished on Linux (and likely won't be).

Sorry, but this "study" is complete nonsense.

Quality Research

[deanpole (185240)]

One datapoint makes a terrible graph.