Windows less vulnerable than Linux or OSX?

More sensational news the past few days about how Windows is superior in security with fewer vulnerabilities than Linux or OSX...

Their proof? The following table:


What are they smoking?

Why separate Windows versions and not Linux kernels or OSX versions?

EDIT:

I didn't want to include direct links to sources, so just google:

"windows less vulnerable than linux or osx"

or the link below:

http://lmgtfy.com/?q=windows+less+vulnerable+than+linux+or+osx

Such numbers! Many proof! So information!

The results are skewed, and this is why...

Why separate Windows versions and not Linux kernels or OSX versions?

Since they combined the Linux and OSX versions, it's only fair to combine the Windows results as well...

Let's do some quick, basic math: that would put Windows at a total of 248 vulnerabilities... which means Linux is our "new" leader in security.

basically.

#captainobviousftw

Just in case anyone missed it. xD

I saw this graph on Winbeta.org, which is a Windows-biased website anyway, but I look at it to keep updated with the Windows 10 Preview updates. I do agree it's definitely skewed to holy hell; this is exactly how the tests should have been listed.

Linux vulnerabilities are easier to find due to the source being open. On a similar note, if OS X or Windows had been open source, I do believe their numbers would have been just as low as the vulnerabilities on the Linux kernel. But yes, someone fart in this man's general direction.

the ORIGINAL SOURCE: 

http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Also is it just me or is it amusing that Windows Server has the most vulnerabilities out of all the Microsoft products listed?

Just to play devil's advocate here, but I would expect that if you looked at the vulnerabilities for Windows, they were the same for each version listed. In which case, if you do a combined total for Windows, it would remain at 38, as the same vulnerabilities are in Windows Vista, 7/8 and Server editions.

The vulnerabilities for Linux are listed against the kernel, so unless they are grouping different kernel versions, I expect that's probably an accurate figure for 3.16 etc.; vulnerabilities per distro would probably be application related.

Remember, Windows has a reputation for being vulnerable for the following reasons:

1) Legacy - it really was terrible years ago.

2) Poorly written applications.

3) Users with local admin not knowing what they are doing.

Anyway, the report listed Internet Explorer as one of the most vulnerable apps, and in my experience that rings true. In managed environments Windows Server is very secure.

"Just to play devil's advocate here, but I would expect that if you looked at the vulnerabilities for Windows, they were the same for each version listed. In which case, if you do a combined total for Windows, it would remain at 38, as the same vulnerabilities are in Windows Vista, 7/8 and Server editions."

They could have easily grouped Linux vulnerabilities the same way, e.g. the same vulnerability found on Red Hat kernels with the same vulnerability found on other distros' kernels.

Also, there are two major Linux kernel versions if I'm not mistaken: the 2.6.x line and the 3.2.x line?

In any case, we need someone willing to dig into NVD's data for confirmation.

PS

I should mention that I'm not a Linux expert. Just switched two years ago.

That's a fair point. If I get a chance I'll try and see if I can make any sense of the source data, to see if I can compare Windows Server 2012 R2 to RHEL or SUSE.

MY SIDES!!!

But you guys don't understand: security flaws that are willingly implemented by the NSA are not counted as vulnerabilities, but as "features" lolz...

Seriously though, there is no way to make a graph about this crap, because there is no way to even scratch the surface on the amount of vulnerabilities and bad code in closed source software.

iOS/OSX have a BSD legacy, which makes them probably way better in terms of coding quality in comparison to MS-Windows, but still, there is no way to really know how vulnerable they are.

GNU/Linux is completely open source, and yet there are still new vulnerabilities found and added on a monthly basis... yup, that's right. GNU/Linux is technically the most innovating and evolving out of all of them, because it spans many more platforms and has much greater compatibility and functionality. In that ever-changing code, there are bound to be bugs that lead to vulnerabilities, because that's just the way it is. Being open source, though, these bugs can be tracked, and when they're found, they're fixed immediately. From Linux kernel 4.0 on, there is even live kernel patching, which implements security fixes in the kernel's code in-session, without even having to restart the machine.

And that's the big difference between Linux and the rest: Linux accepts that bugs happen, and focuses on implementing mechanisms to minimize the damage and to optimize the patching, because everything is out in the open, nothing can be hidden, and every line of code has the name on it of the person who contributed that line of code. Commercial closed-source platforms deny that there are problems as long as they can, they usually wait as long as they can before patching, and they try to block any and all communication about possible security or quality problems in their code. They don't have quality control to speak of, because their code is obfuscated anyway.

So if we accept that all code has bugs that can constitute vulnerabilities, and we even set aside the fact that open source software, due to its open nature, has far fewer bugs per line of code than obfuscated software, then let's be real here for a second: look at the size of the code of a full-featured GNU/Linux distro, then look at the size of the code of MS-Windows... then apply statistics and common sense... yup, there's your answer. Just by the number of lines of code that supposedly do the same thing, IF MS-Windows reached the same coding quality standard as open source (which it definitely doesn't, not by a long shot!), THEN MS-Windows would already contain at least an order of magnitude more bugs than GNU/Linux, just by applying statistics.

OK, going to the web.nvd.nist.gov website and using their search tool, I compared RHEL 6.0 & 7.0 with Server 2012 R2 between January and December 2014 for high-priority vulnerabilities.

The results were 6 found for each version of RHEL (so probably the same ones) and 24 for Server 2012 R2.

When you start a search you are also presented with this caution:

Important Note: Linux distributions are often made up of a large collections of independently developed software and it is sometimes difficult to determine which software packages should be considered part of the operating system and which should be considered independent but merely included along with the operating system. In addition, some vulnerabilities occur within the Linux kernel and for those vulnerabilities we do not enumerate all of the hundreds of Linux distributions. Thus, the statistics related to Linux must be interpreted carefully. We will be working to provide better statistics for Linux distributions. 

You can perform searches from here:

https://web.nvd.nist.gov/view/vuln/statistics


"Why separate Windows versions and not Linux kernels or OSX versions."

Well, Apple considers all OS X 10.x versions to be updates, not new OSes.
As for Linux, well, there are so many different versions out there that they just lumped them together. Though I would rather they just picked the most commonly used ones and showed them.

What a load of bullcrap.

There is only "one" Linux kernel; the latest kernel is 3.19 (8 February 2015; 15 days ago) - Wikipedia (or you can look at updates if you use Linux). Though the latest version "offered" on my Mint installation is 3.16.0-31, you can update it via the terminal to the latest version; however, I use the recommended kernel version for my system (3.13.0-37), and simply don't bother with it.

But on topic: for security, it is less relevant to users; it is quite relevant for companies etc.

The other thing to consider is that there is a very active initiative to find and REPORT issues with the linux kernel. 

MS and Apple will let you report bugs, but they have a really crappy system for reporting vulnerabilities.

If MS or OSX had a good way to report these types of issues, I promise you the numbers would be absolutely insane.

Operating systems aren't inherently more or less vulnerable than one another.

It's all about risk assessment, identifying threats when they appear and control/impact analysis.

I'd be more worried about a flash flood, loss of power or a RAID array failure.

Bad code is hardly anything to be concerned about lol.

IE should really be added into the Windows scores, you can't install windows without having IE come with it.

That report was a little skewed, as server applications and some basic services that are vital to, or included with, the Windows operating system are not included in that report. The report also included every version of the kernel that had a report against it; most of these tend to get updated to minor versions that resolve these issues.

I prefer to look at what the companies/projects do as a whole; it gives you a better picture of what is going on. Below I ran the vulnerability reports from the NVD site for 2014 on each company/project (includes all of their products):

Microsoft: 512, 6.45% of all reported 2014 ***
Apple: 407, 5.13% of all reported 2014 **
Linux Kernel: 233, 2.94% of all reported 2014 *
Canonical: 71, 0.89% of all reported 2014
Red Hat: 157, 1.98% of all reported 2014
Novell: 42, 0.53% of all reported 2014
Debian: 36, 0.45% of all reported 2014
Gentoo: 3, 0.04% of all reported 2014

*** NOTE: 404/512 (78%) of Microsoft's are considered high.
** NOTE: 172/407 (43%) of Apple's are considered high.
* NOTE: Kernel stats are for all kernel versions listed on NVD for 2014.

Yes, I included Apple in here just for comparison... they have almost as many things get by them too, just not as severe as Microsoft's.

So Linux has issues, more than Microsoft, only if you group the major listed distros together with the kernel; if you take them as separate companies plus the kernel, they still produce far fewer errors, and this includes all versions of the kernel that had reports against them that year.

So really, you can make that site spin the numbers any way you want; but in the end, Microsoft was responsible for more vulnerabilities last year than the major Linux companies were by themselves.
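Two of the posts above make the same counting point from opposite directions: one sums the per-version Windows rows to get 248, another argues that a vulnerability shared by Vista, 7/8 and Server should count once, so the combined total would stay at 38; and the NVD-per-vendor post above counts each vendor's entries as a whole. The script below is an added illustration, not part of any post or of NVD's tooling. It runs on a small constructed set of records (placeholder IDs EX-1..EX-6, invented affected-product lists, not real CVE data) in a simplified NVD-like shape, and shows how "sum the rows" and "count distinct IDs per vendor" diverge as soon as one entry is listed against several versions.

```python
"""Summed-rows vs. distinct-ID vulnerability counts per vendor.

Constructed example: the records below are placeholders, not real CVE data.
"""
from collections import defaultdict

# Simplified NVD-like records: id, severity, and the (vendor, product) pairs
# the entry is listed against. Invented for illustration only.
SAMPLE_CVES = [
    {"id": "EX-1", "severity": "HIGH",
     "affected": [("Microsoft", "Windows Vista"), ("Microsoft", "Windows 7"),
                  ("Microsoft", "Windows 8"), ("Microsoft", "Windows Server 2012 R2")]},
    {"id": "EX-2", "severity": "HIGH",
     "affected": [("Microsoft", "Windows 7"), ("Microsoft", "Windows 8"),
                  ("Microsoft", "Windows Server 2012 R2")]},
    {"id": "EX-3", "severity": "MEDIUM",
     "affected": [("Microsoft", "Windows Server 2012 R2")]},
    {"id": "EX-4", "severity": "HIGH",
     "affected": [("Linux", "Linux Kernel")]},
    {"id": "EX-5", "severity": "MEDIUM",
     "affected": [("Linux", "Linux Kernel"), ("Red Hat", "RHEL 7")]},
    {"id": "EX-6", "severity": "LOW",
     "affected": [("Red Hat", "RHEL 6"), ("Red Hat", "RHEL 7")]},
]


def per_product_counts(cves):
    """Entries per (vendor, product): the numbers a per-version table shows."""
    counts = defaultdict(int)
    for cve in cves:
        # set() so a record that lists the same product twice is counted once
        for key in set(cve["affected"]):
            counts[key] += 1
    return dict(counts)


def naive_vendor_total(cves, vendor):
    """Add up one vendor's per-version rows (the '248' arithmetic).
    An entry shared by N versions is counted N times."""
    return sum(n for (v, _), n in per_product_counts(cves).items() if v == vendor)


def distinct_vendor_cves(cves, vendor):
    """Distinct IDs listed against at least one of the vendor's products."""
    return {cve["id"] for cve in cves
            if any(v == vendor for v, _ in cve["affected"])}


def dedup_vendor_total(cves, vendor):
    """Vendor total with each ID counted once (the 'stays at 38' argument)."""
    return len(distinct_vendor_cves(cves, vendor))


def high_share(cves, vendor):
    """(high_count, distinct_total, fraction) for a vendor, each ID once."""
    ids = distinct_vendor_cves(cves, vendor)
    high = sum(1 for cve in cves if cve["id"] in ids and cve["severity"] == "HIGH")
    return high, len(ids), (high / len(ids) if ids else 0.0)


def vendor_report(cves):
    """Both counting methods side by side for every vendor in the data."""
    vendors = sorted({v for cve in cves for v, _ in cve["affected"]})
    return {v: {"summed_rows": naive_vendor_total(cves, v),
                "distinct_ids": dedup_vendor_total(cves, v),
                "high": high_share(cves, v)[0]} for v in vendors}


if __name__ == "__main__":
    print("per-version rows (what the table shows):")
    for (vendor, product), n in sorted(per_product_counts(SAMPLE_CVES).items()):
        print(f"  {vendor:10} {product:24} {n}")
    print("per-vendor totals:")
    for vendor, row in vendor_report(SAMPLE_CVES).items():
        print(f"  {vendor:10} summed rows={row['summed_rows']:2}  "
              f"distinct IDs={row['distinct_ids']:2}  high={row['high']}")
```

On this constructed data Microsoft's four rows add up to 8 while only 3 distinct entries exist, and Red Hat's two RHEL rows add up to 3 against 2 distinct entries; which figure is "right" depends entirely on whether the question is "how many rows does the database hold" or "how many bugs were there", and a chart that does not say which it uses cannot be compared across vendors that list products differently.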

There is a huge untruth in this. While Linux may have more vulnerabilities (or so it is claimed), Windows is targeted more.

Also, having access to the source code in Linux provides a security in itself.

Linux includes many technologies to help keep its users secure, something even iOS and Chrome OS couldn't match against Ubuntu 12.04 in a recent CESG report on operating system security.

http://insights.ubuntu.com/wp-content/uploads/UK-Gov-Report-Summary.pdf