Feb 17 2005

Study finds Windows more secure than Linux

Published by jaseone at 1:54 pm under Information Technology

I just came across this article on Slashdot and must say the methods used in this so-called study sure seem a little silly.

From the article:

the idea was to represent what an average system administrator may do, as opposed to a “wizard” who could take extra steps to provide plenty of security on a Linux setup, for instance.

So what exactly are they calling an average system administrator? Did they just install the software and leave everything with their default values? If an average system administrator did that then they deserve to be fired.

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.

There are multiple questions surrounding these criteria. Firstly, how did they determine whether a vulnerability was reported? Did they refer just to information from RedHat and Microsoft, or did they monitor the various security mailing lists? Did they filter the reported vulnerabilities to only include the installed applications, seeing how RedHat reports vulnerabilities for a wide range of software?

Also, the very nature of Open Source Software leads to more vulnerabilities being reported, as people peruse the code and find a lot of theoretical vulnerabilities that somebody could exploit if they knew how. So the fact that there were more vulnerabilities reported for the Linux system could actually be a good thing, as the patches would be making the system even more secure.

It just seems a very odd way of assessing the level of security in an operating system, and from its description in the article it sounds like it doesn’t really prove anything.

The timing of the study is also quite interesting, given the comments made by Microsoft’s Security Chief in this recent article, where he claims Windows 2003 is more secure as they have issued fewer patches than RedHat and Suse have for their products.
