Windows more secure than Linux?
Dwarf_Pr0n
4th February 2002, 19:16
Doubt M$ will ya!!!
News Article (http://www.vnunet.com/News/1128907)
Windows suffered fewer security vulnerabilities than Linux last year, according to figures released by vulnerability tracker SecurityFocus.
Although the statistics so far only go up to August 2001, aggregated distributions of the Linux operating system suffered 96 vulnerabilities while Windows NT/2000 suffered only 42.
Breaking the figures down by distribution, Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26.
Windows, on the other hand, shared fourth most vulnerable position with 24, alongside Sun Solaris 7.0 and 8.0.
Although in previous years Windows has suffered the most vulnerabilities when compared to individual distributions, against the Linux aggregate the Microsoft operating system has consistently come out looking better off than its open source brethren.
For five years straight, in fact, Windows has come out less scathed than Linux, with 2000 pinpointed as the most significant year when Linux suffered over 150 vulnerabilities and Windows fell just short of 100.
But when looking at the bigger picture, the number of vulnerabilities discovered has rocketed since the start of last year and now peaks 150 new security discoveries a month, revealing a lot of bug-hunting activity poking holes in the security of operating systems in general.
nik
5th February 2002, 00:05
Originally posted by Dwarf_Pr0n
Windows suffered fewer security vulnerabilities than Linux last year, according to figures released by vulnerability tracker SecurityFocus.
Although the statistics so far only go up to August 2001, aggregated distributions of the Linux operating system suffered 96 vulnerabilities while Windows NT/2000 suffered only 42.
That's bogus.
1. On the Linux count, they're including bugs that are identical between different distributions that have some core code in common. So the same bug is being counted twice.
2. The Windows results don't include bugs in things like IE and IIS (which MS will try very hard to convince you are not part of the OS), but the Linux bug counts include bugs in third party packages like Mutt, which may not even be installed by default.
3. The Linux source code is open. Many, many more people are looking at it. To take Redhat as an example -- they have 28 'bugs'. Windows 2K had 24. How many more bugs do you think are in Windows 2K that are unknown because the source isn't available to the same number of eyeballs?
It's sloppy journalism, and your critical faculties should be better.
N
DJ Hatred
5th February 2002, 00:58
Well, I personally don't give 2 ****s what is better; all I know is that my Windows 98 system is as secure as a very heavy metal block hanging off a cliff on a strand of cotton.
so gatesy, SORT IT OUT!
KermitTheFrag
5th February 2002, 09:12
tbh, it's believable. An "average user install" of a Linux distribution has enough holes in it to get rooted quite badly. I wouldn't say "less secure" as that's total FUD but about the same. Then again there are exceptions:-
It's mainly technical security flaws (like buffer overflows) on Linux, whereas on Windows it's implementation/design/over-feature flaws (like the IE clipboard ripping bug).
This is one reason I use OpenBSD/NetBSD - they're pretty much locked down by default, you just turn what you want on. All the code has been audited nicely (OpenBSD anyway). Older versions of FreeBSD were as bad as Linux out of the box imho until they introduced half decent security by default recently (awaits nik's reply), so I won't count them until they've been proven.
Dwarf_Pr0n
5th February 2002, 13:06
Originally posted by nik
That's bogus.
1. On the Linux count, they're including bugs that are identical between different distributions that have some core code in common. So the same bug is being counted twice.
2. The Windows results don't include bugs in things like IE and IIS (which MS will try very hard to convince you are not part of the OS), but the Linux bug counts include bugs in third party packages like Mutt, which may not even be installed by default.
3. The Linux source code is open. Many, many more people are looking at it. To take Redhat as an example -- they have 28 'bugs'. Windows 2K had 24. How many more bugs do you think are in Windows 2K that are unknown because the source isn't available to the same number of eyeballs?
It's sloppy journalism, and your critical faculties should be better.
N
Not bitter at all that M$ is more secure, are you? :p:
Where does it say the bugs were found in different distributions? Where does it say IE etc. wasn't included with the M$ OS?
Just get over it and go spend hours configuring Linux to run one of the few games available for that format while the majority of us use Windows and run most software within minutes.
Say_Ten
5th February 2002, 13:13
You never did statistics, did you?
Dwarf_Pr0n
5th February 2002, 13:17
That wasn't the question.
WHERE DOES IT SAY MORE THAN ONE LINUX WAS USED?
WHERE DOES IT SAY IE ETC WASN'T INCLUDED?
KermitTheFrag
5th February 2002, 13:25
exactly now STFU. :D
nik
5th February 2002, 14:31
Originally posted by Dwarf_Pr0n
That wasn't the question.
WHERE DOES IT SAY MORE THAN ONE LINUX WAS USED?
Right here:
--
Breaking the figures down by distribution, Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26.
--
Try reading for comprehension next time.
The headline figure of '96' is misleading because it's aggregated results from all the distributions. In fact, I'm not entirely sure where they pull that '96' figure from, as 33 + 28 + 27 + 26 = 114, not 96.
WHERE DOES IT SAY IE ETC WASN'T INCLUDED?
The article doesn't. You actually have to go back to the security announcements that they used (they're all on the securityfocus web site) and work it out yourself. We call this "research".
Since I'm in the mood to demolish the original article, I may as well point out their basic methodology is flawed. Simply counting up the number of advisories released tells you very little about the security of the respective platforms.
In order to make a claim like "Windows more secure than Linux? Yep.", which the article does, you need to show a lot more.
For example, rate the severity of the bug. You might want to consider that a flaw that allows things like Code Red or Nimda to propagate is much more severe than one that (for example) fills up a filesystem.
You also need to look at the time between the vulnerability being announced, and a patch being available.
You need to look at the cost associated with each hole, and the effort required to fix it, and deploy those fixes.
You need to look at the size of the audience affected. Does it affect an obscure subsystem that 99% of the installations don't use (and are therefore not vulnerable to), or does it affect a critical subsystem that is enabled by default (like, say, UPnP)?
There's no explanation of which bugs are problems in the default install (and/or can't be configured around), versus which have to be explicitly configured into the system by the admin.
Properly demarcate the areas of vendor responsibility. If problems in third party apps (rsync, Apache, etc) are fair game for inclusion in the Linux figures then I'd like to include all the ICQ vulnerabilities. Or the recent mIRC vulnerability that allows remote users to execute arbitrary remote code on your machine.
Finally, the article can be spun in a completely opposite direction. Specifically, look at it as "In 2001, crackers, with the benefit of having all the source code available, found only 28 security bugs in RedHat. In that same period, 24 vulnerabilities were discovered in Windows. How many more do you think are in there that haven't been found yet?"
N
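An added example, not part of the original thread: the counting issues raised in the post above (one advisory counted once per distribution, severity, default exposure, time to patch) worked through on constructed records. The advisory IDs, field names and scores are assumptions for illustration, not SecurityFocus data.

```python
from collections import namedtuple

# Constructed sample advisories (illustrative only, not real data).
# severity: 1-10; default_on: affected component enabled in a default install;
# days_to_patch: days between disclosure and a vendor fix.
Advisory = namedtuple("Advisory", "ident platforms severity default_on days_to_patch")

ADVISORIES = [
    Advisory("ADV-1", {"Mandrake 7.2", "Red Hat 7.0", "Debian 2.2"}, 9, True, 3),
    Advisory("ADV-2", {"Mandrake 7.2", "Mandrake 7.1"}, 4, False, 10),
    Advisory("ADV-3", {"Red Hat 7.0"}, 2, False, 1),
    Advisory("ADV-4", {"Debian 2.2", "Mandrake 7.1"}, 7, True, 5),
    Advisory("ADV-5", {"Windows NT/2000"}, 10, True, 30),
    Advisory("ADV-6", {"Windows NT/2000"}, 3, False, 14),
]

# Which platforms are lumped together into one "aggregate" headline figure.
FAMILY = {
    "Mandrake 7.2": "Linux", "Mandrake 7.1": "Linux",
    "Red Hat 7.0": "Linux", "Debian 2.2": "Linux",
    "Windows NT/2000": "Windows",
}

def per_platform_counts(advisories):
    """Advisory count per individual platform (the per-distribution figures)."""
    counts = {}
    for adv in advisories:
        for platform in adv.platforms:
            counts[platform] = counts.get(platform, 0) + 1
    return counts

def family_summary(advisories, family):
    """Contrast the naive per-platform sum with de-duplicated metrics."""
    members = {p for p, f in FAMILY.items() if f == family}
    hits = [a for a in advisories if a.platforms & members]
    return {
        # Summing per-platform counts counts a shared bug once per platform.
        "naive_sum": sum(len(a.platforms & members) for a in hits),
        # Each advisory counted once, however many platforms ship the code.
        "unique": len(hits),
        # Only issues reachable in a default install.
        "default_exposed": sum(1 for a in hits if a.default_on),
        # Crude weighting: a severity-10 flaw outweighs several minor ones.
        "severity_weighted": sum(a.severity for a in hits),
        "mean_days_to_patch":
            sum(a.days_to_patch for a in hits) / len(hits) if hits else None,
    }

if __name__ == "__main__":
    for fam in ("Linux", "Windows"):
        print(fam, family_summary(ADVISORIES, fam))
```

With these constructed records the two families look very different depending on which column is read, which is why a bare advisory count supports no ranking.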
Big Giant Head
5th February 2002, 14:35
You might also note that M$ are hardly forthcoming with admitting that holes have been found. How many bugs do you think have been patched by Windows Update that you don't know about, that went along with other patches?
Make no mistake, I use Win 2k and prolly will continue to use it; however, if you think it's either stable or secure then you are deluding yourself :)
MONK
8th February 2002, 18:14
I can say the one thing MS did get right was making 2k a bit more stable than 98.... do anything for more than 20 hours and the computer just loses all ability to do anything!
Nukes
8th February 2002, 20:47
Yeah, Windows will never be as secure as *nix systems because M$ generally don't have people developing and attempting to break it at the same time. Whereas the developers of Linux do.