
OSS/FS, and that all the OSS/FS OSes in its study were less vulnerable than Windows in 1999-2000, unless you counted every GNU/Linux vulnerability multiple times. One approach to examining security is to use a vulnerability database; an analysis of one database is the Bugtraq Vulnerability Database Statistics page. As of September 17, 2000, here are the total number of vulnerabilities for some leading OSes:

OS                 1997  1998  1999  2000
Debian GNU/Linux      2     2    30    20
OpenBSD               1     2     4     7
Red Hat Linux         5    10    41    40
Solaris              24    31    34     9
Windows NT/2000       4     7    99    85

4. You shouldn’t take these numbers very seriously. Some vulnerabilities are more important than others (some may provide little if exploited, or may only be exploitable in unlikely circumstances), and some vulnerabilities are being actively exploited (while others have already been fixed before exploitation). OSS/FS OSes tend to include many applications that are usually sold separately in proprietary systems (including Windows and Solaris). For example, Red Hat 7.1 includes two relational database systems, two word processors, two spreadsheet programs, two web servers, and many text editors. In addition, in the open source world, vulnerabilities are discussed publicly, so vulnerabilities may be identified for software still in development (e.g., “beta” software). Those with small market shares are likely to receive less analysis. The “small market share” comment won’t work with GNU/Linux, since GNU/Linux is the #1 or #2 server OS (depending on how you count them). Still, this clearly shows that the three OSS/FS OSes listed (Debian GNU/Linux, OpenBSD, and Red Hat Linux) did much better by this measure than Windows in 1999 and (so far) in 2000. Even if a bizarre GNU/Linux distribution was created explicitly to duplicate all vulnerabilities present in any major GNU/Linux distribution, this intentionally bad GNU/Linux distribution would still do better than Windows (it would have 88 vulnerabilities in 1999, vs. 99 in Windows). The best results were for OpenBSD, an OSS/FS OS that for years has been specifically focused on security. It could be argued that its smaller number of vulnerabilities is because of its rarer deployment, but the simplest explanation is that OpenBSD has focused strongly on security - and achieved it better than the rest.

5. This data is partly of interest because various reporters make the same mistake: counting the same vulnerability multiple times. One journalist, Fred Moody, failed to understand his data sources - he used these figures to try to show that GNU/Linux had worse security. He took these numbers and then added the GNU/Linux ones together, so each Linux vulnerability was counted at least twice (once for every distribution it applied to, plus one more). Using these nonsensical figures, he declared that GNU/Linux was worse than anything. If you read his article, you must also read the rebuttal by the manager of the Microsoft Focus Area at SecurityFocus to understand why the journalist’s article was so wrong.

6. In 2002, another journalist (James Middleton) made the same mistake, apparently not learning from prior work. Middleton counted the same Linux vulnerability up to four times. What’s bizarre is that he even reported the individual numbers showing that specific Linux systems were actually more secure by using Bugtraq’s vulnerability list through August 2001, and somehow he didn’t realize what it meant. He noted that Windows NT/2000 suffered 42 vulnerabilities, while Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat Linux 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26. In short, all of the GNU/Linux distributions had significantly fewer vulnerabilities by this count. It’s not fully clear what was being considered as being “in” the OS in this case, which makes a difference. There are some hints that vulnerabilities in some Windows-based products (such as Exchange) were not counted, while vulnerabilities in GNU/Linux products with the same functionality (e.g., sendmail) were counted. It also appears that many of the Windows attacks were more dangerous (which were often attacks that could be invoked by remote attackers and were actively exploited), as compared to the GNU/Linux ones (which were often attacks that could only be invoked by local users and were not actively exploited at the time). I would appreciate links to someone who’s analyzed these issues more carefully. The funny thing is that given all these errors, the paper gives evidence that the GNU/Linux distributions were more secure.

7. The September 30, 2002 VNUnet.com article “Honeymoon over for Linux Users” claims that there are more “Linux bugs” than “Microsoft bugs.” It quotes X-Force (the US-based monitoring group of security software firm Internet Security Systems), and summarizes by saying that in 2001 the centre found 149 bugs in Microsoft software compared to 309 for Linux, and that in 2002, 485 Linux bugs were found compared to Microsoft’s 202. However, Linux Weekly News discovered and reported serious flaws in these figures:

1. “Each distribution is counted independently. The same vulnerability in five distributions will count as five separate vulnerabilities. This practice drastically overstates the number of reported Linux problems.

2. Linux vulnerabilities include those in applications (i.e. PostgreSQL) which are not part of a standard Windows system.

3. Most Linux vulnerabilities are found through code audits and similar efforts; they are patched and reported before any exploits happen. Any Windows bugs found through similar audits are fixed silently and do not appear in these counts.”

Indeed, assuming that the vulnerabilities were only counted three times (and thus dividing by only 3) would show Linux as having a better result, never mind the fact that there are more than 3 Linux distributions and the other factors noted by Linux Weekly News.
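To make the counting error in points 5 through 7 concrete, here is an added Python example (not from the original essay or from Bugtraq, X-Force or Linux Weekly News) over constructed advisory records with hypothetical identifiers: it contrasts the per-row tally the articles used with a count of distinct vulnerability identifiers, optionally excluding bundled applications, and reports the per-distribution figures and the remote-versus-local split discussed above.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One vendor advisory row, the unit the criticised articles summed up."""
    vuln_id: str       # identifier shared by all advisories for the same flaw
    os_family: str     # "linux" or "windows"
    distribution: str  # vendor/product that published this advisory
    component: str     # package the flaw lives in
    bundled_app: bool  # application shipped with the OS but sold separately elsewhere
    remote: bool       # exploitable by a remote attacker without an account

# Constructed sample data with hypothetical ids; not Bugtraq or X-Force records.
ADVISORIES = [
    Advisory("VULN-0001", "linux", "Red Hat", "sendmail", True, True),
    Advisory("VULN-0001", "linux", "Debian", "sendmail", True, True),
    Advisory("VULN-0001", "linux", "Mandrake", "sendmail", True, True),
    Advisory("VULN-0001", "linux", "SuSE", "sendmail", True, True),
    Advisory("VULN-0002", "linux", "Red Hat", "kernel", False, False),
    Advisory("VULN-0002", "linux", "Debian", "kernel", False, False),
    Advisory("VULN-0003", "linux", "Debian", "postgresql", True, False),
    Advisory("VULN-0004", "windows", "Windows 2000", "iis", False, True),
    Advisory("VULN-0005", "windows", "Windows 2000", "kernel", False, False),
]

def naive_count(advisories):
    """Sum every advisory row per OS family: one flaw in four distributions counts four times."""
    return dict(Counter(a.os_family for a in advisories))

def deduplicated_count(advisories, include_bundled_apps=True):
    """Count distinct vuln_ids per OS family; optionally drop bundled applications
    so that both families are compared on a base OS of similar scope."""
    seen = defaultdict(set)
    for a in advisories:
        if include_bundled_apps or not a.bundled_app:
            seen[a.os_family].add(a.vuln_id)
    return {family: len(ids) for family, ids in seen.items()}

def per_distribution_count(advisories):
    """Distinct flaws per individual distribution, the per-system figures
    a user of one distribution actually faces."""
    seen = defaultdict(set)
    for a in advisories:
        seen[a.distribution].add(a.vuln_id)
    return {dist: len(ids) for dist, ids in seen.items()}

def remote_fraction(advisories, family):
    """Share of a family's distinct flaws that are remotely exploitable."""
    by_id = {a.vuln_id: a.remote for a in advisories if a.os_family == family}
    return sum(by_id.values()) / len(by_id) if by_id else 0.0
```

On the sample data the naive tally reports seven Linux rows against two Windows rows, while counting distinct identifiers gives three against two, and one against two once bundled applications are set aside.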

Indeed, as noted in Bruce Schneier’s Crypto-gram of September 15, 2000, vulnerabilities are affected by other things such as how many attackers exploit the vulnerability, the speed at which a fix is released by a vendor, and the speed at which they’re applied by administrators. Nobody’s system is invincible.

A more recent analysis by John McCormick in Tech Republic compared Windows and Linux vulnerabilities using numbers through September 2001. This is an interesting analysis, showing that although Windows NT led in the number of vulnerabilities in 2000, using the 2001 numbers through September 2001, Windows 2000 had moved to the “middle of the pack” (with some Linux systems having more, and others having fewer, vulnerabilities). However, it appears that in these numbers, bugs in Linux applications have been counted with Linux, while bugs in Windows applications haven’t - and if that’s so, this isn’t really a fair comparison. As noted above, typical Linux distributions bundle many applications that are separately purchased from Microsoft.