Windows beats UNIX on vulnerabilities

By Derek Sooman on January 5, 2006, 8:05 PM
One might be forgiven for thinking that Windows security is a complete and utter joke, given the kinds of stories that we ran in 2005. Time after time there were reports of security flaws and other problems, which were often then exploited by malware. However, it has now emerged that, during last year, Windows suffered fewer security vulnerabilities than Linux and UNIX. Yes, it's true.

In fact, Linux and UNIX experienced more than three times as many reported security vulnerabilities as Windows. That's the word from the US Computer Emergency Readiness Team (CERT) and its annual year-end security index. Last year, Windows experienced 812 reported operating system vulnerabilities. Linux and UNIX, however, experienced 2,328.

CERT found more than 500 multiple-vendor vulnerabilities in Linux and UNIX spanning old favourites such as denial of service and buffer overflows, while CERT recorded 88 Windows-specific holes and 44 in Internet Explorer (IE).

Still, keep expecting Windows problems to hit the headlines more than UNIX-related ones: attacks on the Microsoft OS generate much more concern among the public and tend to be made out to be more terrible.

User Comments: 37

CrossFire851 said:
And this is some surprise????
Eleventeen said:
Well, to some I guess. Some people still think that Linux is so secure that you don't need to worry about anything. Now that hackers or whatever you want to call them know that a lot of big businesses and such are moving to Linux, the viruses and exploits will increase, perhaps dramatically. It's still really a surprise to me that Linux and Unix have had more exploits than Windows though, it's hard to believe.
iluvnug said:
Even though there may be more overall instances of vulnerabilities, Linux is still more securable than Windows if implemented and maintained properly. [url]http://www.ameinfo.com/75175.html[/url]
maxtor said:
Linux IS more secure. As long as you have a router you DON'T have to worry about anything! I hope you realize that they aren't talking about a specific Linux OS, there are hundreds. And there are about 15 really popular ones that are most used, with Windows almost everyone is using XP. Think about it. @CrossFire851. Yes... it isn't true. Windows is the winner of insecurity. Keep in mind though, that my main computers are running on a Windows OS. I run all my servers on Linux.
exscind said:
Is it really a surprise, though? Microsoft is only a scapegoat because whenever there's a security flaw it affects more people than any other systems out there. This means more people will whine about it and exaggerate the problem. I'm not saying Microsoft is perfectly safe, but I don't see how the die-hard Linux or Unix people can reject Microsoft so easily yet defend the former. This article hits it dead on, and glad it's there to raise another perspective to look at this situation.
maxtor said:
@iluvnug. Exactly. But the same goes for Windows, if the proper security measures are taken it can be quite a safe OS as well.
fuzzymutant said:
The number of vulnerabilities is irrelevant. A meaningful security measure is how much productivity was lost last year due to Windows vulnerabilities versus how much was lost to Unix insecurities? Another is how much fraud was perpetrated due to each? I expect that from a productivity front, Windows accounts for 99% of it. As for fraud, probably 95%, but that depends if you count phishing / keyloggers / spyware. Not that this data is meaningfully captured, most companies do not report security breaches. Both Windows and Unix have their place, both are very useful, I could almost do without Windows if it were not for specific applications I need, I could almost live without Unix if I did not want a presence on the net :)
schwit said:
Current Windows versions have one bug that trumps all and will never get fixed in the current versions... A non-admin account is difficult if not impossible for home users.
PUTALE said:
Interesting. Well, I guess with the use of Linux on the rise, especially among government and big businesses, it's not surprising to see this. After all, people are interested in the information not really on our computer but rather the info stored in big companies. I think this is partially due to MS's better OS (XP) as well as their more frequent updates for their security flaws.
CrossFire851 said:
[b]Originally posted by CrossFire851:[/b][quote]And this is some surprise????[/quote]I didn't have time to read this right, I misunderstood it, I thought that it had said something else...... sorry for getting everyone riled up.
otmakus said:
It's true that people whine more when there's another flaw discovered in Microsoft's products, because Microsoft is used by a vast majority of people in the world. But I think that's just natural. Microsoft charged a premium for their products, and they obviously tried to crush their competitors repeatedly. We want something that we buy with our hard earned cash to work perfectly, and if it isn't, we have the right to whine. Linux isn't safer than Windows. Most Linux users have more experience with computer systems than Windows users. The fact that Linux still got busted more often than Windows shows that it's still a long way for it to be able to compete with Windows at the same level.
Per Hansson said:
That article is so skewed it's amazing, "Linux" as they call it is in fact, in for example Red Hat's case, a system with over 3000 applications included, you don't expect more vulnerabilities then? How many can you count in Windows? 10 maybe? Word, Notepad, MS Paint... Yahoo!!! Gotta love those researchers...
Rage_3K_Moiz said:
Windows problems are just reported more because an overwhelming majority (including me) uses them. So of course people will be bothered about something that they use more than something that they don't, won't they? And XP hasn't been around as long as UNIX and Linux so that gives hackers more time to exploit vulnerabilities in Linux and UNIX than in XP.
spike said:
LOL! I can't believe what I'm seeing before my eyes here - people talking about Linux and Unix as though they are the same thing (they are similar, but not one and the same.) Worse still is that people are talking about Linux as though it's one single operating system that's been around for years. That last comment...[quote]And XP hasn't been around as long as UNIX and Linux so that gives hackers more time to exploit vulnerabilities in Linux and UNIX than in XP.[/quote]...is truly amazing. It's almost as if it implies that Fedora Core 4 is not only the same as Mandrake 9.x, but is also no different from Fedora 1, 2, and 3. Windows XP itself is no different in that respect. If you can lump all historical Linux OSes together, you can't then turn around and pick out only a current incarnation of Windows. Windows XP is nothing more and nothing less than Windows NT 5.1. Anybody got a development history on the NT kernel?
asphix said:
[b]Originally posted by exscind:[/b][quote]Is it really a surprise, though? Microsoft is only a scapegoat because whenever there's a security flaw it affects more people than any other systems out there. This means more people will whine about it and exaggerate the problem. I'm not saying Microsoft is perfectly safe, but I don't see how the die-hard Linux or Unix people can reject Microsoft so easily yet defend the former. This article hits it dead on, and glad it's there to raise another perspective to look at this situation.[/quote]I agree wholeheartedly. I'm not going to linger long on this topic as I foresee it blowing up into a huge argument. A lot of people have strong opinions one way or another on this topic. It's nice to see someone not taking shots at Microsoft for once. It will only get worse as Linux continues to gain popularity and thus the attention of hackers.
Nic said:
I think that what's interesting is that despite Windows systems being in far greater numbers than Linux systems, if "...Linux and UNIX experienced more than three times as many reported security vulnerabilities than Windows..." that says a lot about how good security really is on those OSes. Surely Linux and Unix systems should be reporting fewer security issues because there are far fewer Linux and Unix systems in use compared to Windows?
spike said:
Hmmm. Would be an interesting experiment I think if we could put one Linux box and one Windows box online and advertise them as machines that are there purely for the purpose of letting people have a go at them.
MonkeyMan said:
Well, this is expected, because Microsoft receives more publicity. The more popular your software is, the more headlines it will receive. In Microsoft's favor, it is the number one software developer in the world, so it will receive headlines, whether major or minor.
barfarf said:
This surprised me too. I suppose it makes sense that Linux has had more issues, but since it's in the minority compared to Windows we don't hear about it that much. As others have said MS is the big red barn of OSes, making it an easy target that affects everyone. While Linux is in the outback, at least compared to OS install base. Who knew.
maxtor said:
I find it hard to believe that spike is the only person here that actually understands what is messed up about this article. The article is talking about Linux in general. In reality Linux has to have more vulnerabilities, it only makes sense. How many different people/teams are developing different Linux OSes? Now compare that to Windows. People, use your head and try to comprehend.
Strakian said:
Fascinating information to be sure, but I see a lot of folks getting up in arms to defend Linux just because THEIR Linux machine is secure. I'm sure that the different versions were all factored in, however, so it might upshoot the number a bit. Anyway, I really got a tickle out of some of the comments made by people here so far that just don't want to accept that Linux may have more flaws than Windows. Hehe, you made my day, thanks!
luismigilbert said:
It's funny actually... Linux/Unix vulnerabilities are not taking people's attention.. Windows vulnerabilities do..
DragonMaster said:
Which one had the most critical security issues? Also, if there are more patches with UNIX, it means that they fixed more things.
asphix said:
[b]Originally posted by DragonMaster:[/b][quote]Which one had the most critical security issues? Also, if there are more patches with UNIX, it means that they fixed more things.[/quote]Or had more wrong to begin with? I understand your point maxtor, but also consider they aren't just talking "Windows XP Professional" but all of Microsoft's currently supported OSes (and maybe the past.. basically any OS in use maybe? We need further information on exactly how the tests were done).
2003 Server
XP Professional
XP Home
XP MCE
2000 Advanced Server
2000 Server
2000 Professional
Windows 98
Windows 98 SE
Windows ME
Windows NT 4.0
The above are still used by people today and since the article had no clear distinction of which version and just said "Windows" it's unsure if we should include these or not. You could also further split these OSes via service packs since those usually entail some major changes to the OS and would constitute the same difference between Linux versions you're asking us to consider. I'm sure I might have missed some releases in there also. I wouldn't be surprised if people still use Windows 95, though with that OS their connectivity to the internet would be so limited that it may be safe to discount it completely. I'm not saying your point isn't valid. We can't say either way. But if you're going to play one side of the fence, acknowledge what's on the other as well. [Edited by asphix on 2006-01-06 12:59:55]
barfarf said:
Well the best way to compare would be the cost per capita. That would give the real and fair cost of using Linux and Unix vs Windows systems. Over the 2005 year, from all flavors of Linux and Unix, gather the total cost of downtime, production loss, repair, etc. due to vulnerabilities from businesses. There will of course be errors in determining what was caused by vulnerabilities or human error, but if you have a large enough sample size those errors will be minimized. Then take all flavors of Windows (I know for a fact some businesses still use Windows 98 and maybe even older systems) and determine their costs. Then divide both by their estimated install base. This will give $$$ cost per machine or per user. For this to be fairly accurate it's best to do it only in the USA and only with businesses since they can give the most consistent data, plus they would have the greatest effect on the economy. As my econ prof said "What affects the economy affects you."
iluvnug said:
What versions of Windows, Linux, and Unix is US-CERT talking about here? I don't know if one can make the assertion that is being made in the title of this news in regards to any one version versus another.
mentaljedi said:
[b]Originally posted by barfarf:[/b][quote]Well the best way to compare would be the cost per capita. That would give the real and fair cost of using Linux and Unix vs Windows systems. Over the 2005 year, from all flavors of Linux and Unix, gather the total cost of downtime, production loss, repair, etc. due to vulnerabilities from businesses. There will of course be errors in determining what was caused by vulnerabilities or human error, but if you have a large enough sample size those errors will be minimized. Then take all flavors of Windows (I know for a fact some businesses still use Windows 98 and maybe even older systems) and determine their costs. Then divide both by their estimated install base. This will give $$$ cost per machine or per user. For this to be fairly accurate it's best to do it only in the USA and only with businesses since they can give the most consistent data, plus they would have the greatest effect on the economy. As my econ prof said "What affects the economy affects you."[/quote]Yes, not because money is more important but because it is a good measure of how serious something is. I myself have never been hacked into but my computer seems to destroy itself (no joke).
John Smith said:
I had always assumed it was the better way to go security wise. Ya learn something new every day.
cyrax said:
Now you see, I was about to go into a long winded argument about why Windows is not as good as Unix and then it hit me.... it's like telling a grown person about the dangers of spitting in the wind. It's something you know instinctively, Windows was built on flawed architecture thus it makes sense that there would be more serious flaws than Unix. It ain't the number, hoss, it's how bad it is that counts.
exscind said:
I think some missed the point that others have tried to argue. Sure, Linux... in fact, let's just make it Windows vs Everything Else (abbreviated to EE hereon). Windows has fewer vulnerabilities exploited/found than EE, and it is understandable due to the different variations of EE; however, the point is how many times have you seen news reporting on EE vulnerabilities in comparison to Windows? I don't disagree, I do think Linux (aka EE!) - in general - is safer than Microsoft. But I do disagree with those hardcore anti-Windows fellows claiming invincibility with their EE operating system while condemning Windows to all hell. There is a difference between the two, but it's not the hyperbole that many make it out to be. And for the record, yes I do think this article is a bit skewed and obviously biased in the preconception before the article was even written. But I do like the fact that this article is trying to chip down the wall that the anti-Windows fan club is trying to build, and tries to show the gap between the two sides is not as wide as they want to believe. Windows has inherent flaws that make it naturally more vulnerable to attacks (and the magnitude of the attack), but hackers are still able to dig into EE's architecture now that it is becoming more popular. The flawed infrastructure simply makes the hackers' job easier; it doesn't deter them at all.
maxtor said:
@exscind. Thank you. That is exactly what I was trying to say. Hopefully everyone will read your post. I don't believe that I am biased; I'm not sure if you were implying that to me. I use Windows almost as much as I use EE (lol). Now to sum up your post. When you compare the Windows vulnerabilities to the vulnerabilities of just about every other operating system, of course Windows will have fewer vulnerabilities. Like you previously said, "this article is a bit skewed and obviously biased". I guess I have to hand it to Microsoft though. This year was probably their best year yet. Seems to me that more security holes have been fixed/patched, and XP is more secure than ever. Although I cannot say that it is secure, with a router and the right software it gets pretty close...
xerowingsx5k said:
Woah, when I read the title, I almost thought this was something Microsoft is supposed to be proud of. Microsoft's Windows line has consistently shown us security flaw after security flaw of problems. I remember the time when I would receive a Windows update almost every other day to patch security flaws. As much as I don't like Windows, I can't seem to live without it.
eko said:
Well, consider these facts:
1. Linux is free, Windows costs a lot of money
2. Some people have always been, in one way or another, against the crowd. If everyone goes in one direction, why should I follow?
3. Consider the fact that the number of vulnerabilities is not the only thing that matters. Just think about the gravity of those vulnerabilities. I've seen lately some critical vulnerabilities on Windows, but the ones on Linux are less worrying.
So let's just try to separate the facts, to try and find out exactly what are the real things which stand behind that info. As long as we don't know exactly how accurate the results are, I think it's premature to go and make an accusation, or even a strong opinion, over one thing or the other!
Mictlantecuhtli said:
Open source software probably has a lot more "vulnerabilities" in applications, if they are called that, but their developers patch them quickly. I don't think every patch is counted at CERT. I don't know how many people are debugging closed source software - sometimes (if not usually) their end user license agreements even prohibit that. [quote]You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.[/quote]So how are you going to find those vulnerabilities?
PanicX said:
Interesting article. I like all the fuss it's stirred up while it failed to show anything of any significance. If you're trying to use a report like this to display actual system security, there's a few things you need to know. First is the difference between a vulnerability and an exploit. A [url=http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx]vulnerability[/url] is "a security exposure that results from a product flaw, and which the maker of the product should fix." An [url=http://mtechit.com/concepts/security_exploit.html]exploit[/url] is "a bug or misconfiguration on a Host System which can be used by an Intruder to gain unauthorized access to that Host System or to a network to which it is connected. The Intruder might also take advantage of this problem to cause Denial of Service." A machine with say, 2328 vulnerabilities may in fact be more secure than a machine with 1 exploitable vulnerability. How's that possible? Say for instance you have Kerio 6.13 installed which contains [url=http://www.us-cert.gov/cas/bulletins/SB05-320.html#win5]a vulnerability[/url] that allows users with disabled accounts to still bypass the firewall. However you may not have any disabled users, which would make this vulnerability unexploitable, and you remain secure. The real measure of security is the number of exploitable vulnerabilities for each OS. Not to mention that this study includes thousands of vulnerabilities in third party products that are not part of a default OS installation. You can't measure a computer's security by vulnerabilities in software that's not installed on your machine. Whether or not Linux (which is just a kernel BTW) is more secure than Windows is debatable. I don't have any research that conclusively shows a user's risk with either OS. However I tend to believe that Windows vulnerabilities are more publicized, A. because of the huge userbase that is possibly affected by it, B. because they're exploitable vulnerabilities.
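As an added illustration of the distinction PanicX draws (not code from the article, US-CERT or any commenter), the Python below counts a constructed vulnerability list three ways: everything listed, what actually applies to a host's installed software, and what is reachable given the host's configuration. All records, product names, versions and the "disabled accounts" precondition are constructed for the example.

```python
"""Raw vulnerability counts versus one host's actual exposure (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Vuln:
    vid: str                    # constructed id, not a real advisory number
    product: str
    max_affected: str           # highest affected version, compared numerically
    platforms: List[str]
    # Configuration condition that must hold for the flaw to be reachable;
    # None means the flaw is reachable on any affected install.
    precondition: Optional[Callable[[Dict[str, object]], bool]] = None


@dataclass
class Host:
    os: str
    installed: Dict[str, str]   # product -> installed version
    config: Dict[str, object] = field(default_factory=dict)


def version_tuple(v: str) -> tuple:
    """'6.1.3' -> (6, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def applies(v: Vuln, host: Host) -> bool:
    """The affected product is installed on this platform in an affected version."""
    if host.os not in v.platforms:
        return False
    ver = host.installed.get(v.product)
    return ver is not None and version_tuple(ver) <= version_tuple(v.max_affected)


def exposure(vulns: List[Vuln], host: Host) -> Dict[str, int]:
    """Return listed / applicable / reachable counts for one host."""
    applicable = [v for v in vulns if applies(v, host)]
    reachable = [v for v in applicable
                 if v.precondition is None or v.precondition(host.config)]
    return {"listed": len(vulns),
            "applicable": len(applicable),
            "reachable": len(reachable)}


# Constructed sample records, loosely modelled on the comment's firewall example:
# the first one is only reachable when the host has at least one disabled account.
SAMPLE_VULNS = [
    Vuln("C-0001", "kerio-pf", "6.1.3", ["windows"],
         precondition=lambda cfg: cfg.get("disabled_accounts", 0) > 0),
    Vuln("C-0002", "ie", "6.0", ["windows"]),
    Vuln("C-0003", "sendmail", "8.13.4", ["linux", "unix"]),
    Vuln("C-0004", "openssh", "4.1", ["linux", "unix", "windows"]),
    Vuln("C-0005", "xpdf", "3.1", ["linux"]),
]

if __name__ == "__main__":
    win = Host("windows", {"kerio-pf": "6.1.3", "ie": "6.0"}, {"disabled_accounts": 0})
    print(exposure(SAMPLE_VULNS, win))   # 5 listed, 2 applicable, 1 reachable
```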
nic said:
A vulnerability becomes an exploit only when someone has devised a method to make use of the defect. Hackers would need to spend time coming up with inventive ways of using any known vulnerability. More vulnerabilities in Windows turn into exploits because there is a large base of would-be hackers trying hard to find an exploit that will be useful. I think it's wrong to suggest that Windows has more exploitable vulnerabilities than Linux, as the user base for Linux is much smaller and fewer exploits are therefore devised. Open source software by its nature allows hackers to examine the code and therefore find more exploits, if these exist. Maybe this explains the large number of vulnerabilities found in Linux.
maxtor said:
@nic. Actually, that is a very good point that I didn't consider. Even though I believe that Windows has many more vulnerabilities than Linux or Unix, that is a point I actually never thought of. The reason that Linux and Unix have more vulnerabilities than Windows has already been explained by the many people defending the OSes. It only makes sense that Linux and Unix have more vulnerabilities, which like I just said, reasons have already been explained, and there is no need for me to say it again. :)