Turning up the heat up another notch on a long-simmering debate, the Aberdeen Group has published a study comparing the security of Linux/UNIX systems with that of the Microsoft Windows family of products.
"Contrary to popular misperception, Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, UNIX- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms,” Aberdeen's report states.
Based on CERT advisories for 2001 and 2002, Aberdeen reached the following conclusions:
- "Virus and Trojan horse advisories affecting Microsoft products peaked at six in 2001, which then bottomed out at zero for the first 10 months of 2002.
- Virus and Trojan horse advisories affecting UNIX, Linux, and open source software products went from one in 2001 to two for the first 10 months of 2002.
- Advisories affecting network equipment products jumped from two in 2001 to six for the first 10 months of 2002.
- Firewalls and other security products were affected by just two advisories in 2001, but have been linked to seven advisories for the first 10 months of 2002.”
The report also points out that Apple is becoming vulnerable, “now that it is fielding an operating system [OS X] with embedded Internet protocols and UNIX utilities.”
Windows vs. Linux/UNIX vulnerabilities
Aberdeen Group report, vol. 1, no. 35, is dated Nov. 12, 2002, and it’s a brief but interesting read. I can’t post a direct link since you have to subscribe to see the report. But it doesn’t cost anything, so I recommend that you go to the Aberdeen site, register, and then take a look at the entire report.
Some people will dismiss the report as Microsoft-sponsored hot air, but the raw data is there for everyone to see in CERT's Advisories and Incident Notes, giving legitimacy to The Aberdeen Group’s conclusion that open source operating systems in general, the new Mac OS X, and critical security programs themselves, aren’t as safe as many proponents suggest.
The underlying data is worth a close look. No new Windows platform virus or Trojan CERT advisories were issued in the period of January 2002 through October 2002. CERT’s confirmed vulnerabilities list shows that the threat level is growing faster for Linux/UNIX platforms than for Windows. This could be a statistical anomaly due to the much larger number of Linux/UNIX versions (although there are actually fewer versions available now, as there has been consolidation in both the Linux and UNIX markets in recent years). So the number of threats is growing while the number of Linux/UNIX versions is shrinking.
Perhaps this is an indication that UNIX is becoming less genetically diverse and therefore is more vulnerable to attack because the market isn’t so fragmented. One Microsoft virus would attack a lot of systems, but it used to take a slightly different virus for every version of Linux/UNIX. That's not always the case anymore.
The open source community sometimes claims that vulnerabilities are “more serious” in Windows, but I don’t know of an objective way to measure that. And lacking a generally accepted method, all we are left with are the raw numbers. Microsoft rates vulnerabilities when it publishes a patch, but we need a comparable way to rate Linux/UNIX bugs if we’re going to compare the seriousness of the patches released for these platforms.
It’s useful to look at incidents as well as confirmed vulnerabilities (advisories). Although this isn’t exactly the same as measuring how serious a vulnerability is, it provides a good way for those in the security business to judge how many attacks are taking place, or at least how many are being reported.
According to the Aberdeen report, “In 1995 the incidents reported by CERT numbered 2,412. However, incidents tracked by CERT skyrocketed from 21,756 in 2000 to 52,658 in 2001, and then to 73,359 for the first nine months of 2002. Clearly, the trend in incidents and advisories is going up, and at an alarming rate.”
However, we should always take incident statistics with a grain of salt. After all, vulnerabilities are easy to count, but who knows how many attacks go unreported.
Microsoft has recently announced a new policy for rating vulnerabilities. The company says this was due to customer complaints about far too many “critical” warnings, which compelled administrators to patch vulnerabilities even when the critical rating was not warranted by the actual risk.
According to Microsoft’s director of security assistance, Steve Lipner, the new rating system will expand the old Critical-Moderate-Low reporting scale to include Important, which will fall between Critical and Moderate.
Most of the old Critical vulnerabilities will now be labeled Important, including threats that could lead to system penetration and file compromise. The Critical rating will be reserved for Internet threats (e.g., major disasters of the Code Red variety).
A new two-tier security bulletin system with a less technical bulletin service will also be hosted at http://www.microsoft.com/security/ to supplement the current one, which many users found simply too technical.
A recent eWeek report brings yet another aspect of this subject to the forefront by pointing out that White House Cybersecurity Tsar, Richard Clark, has called for mandatory vulnerability reporting to a central federal government office. This would require any security firm discovering a new vulnerability to report it with the goal of forcing vendors to respond more quickly to new threats.
Others feel this may lead to premature disclosure of vulnerabilities, which happened in the past when the FBI’s National Infrastructure Protection Center attempted to coordinate reports with various vendors.
The newly organized (Sept. 26, 2002) Organization for Internet Safety is also developing a proposed set of guidelines for timely and safe reporting of vulnerabilities. OIS founders include Microsoft, @stake, Symantec, Caldera, Network Associates, BindView, and Oracle, so there may be some muscle behind these guidelines.
We will probably always be comparing apples and oranges when we try to see how the number and severity of vulnerabilities found in the major competing platforms match up. But this really doesn’t matter in the real world. The bottom line is that if a vulnerability leads to intrusions on your network, it’s a problem, and it doesn’t matter whether the vulnerability was a “high” risk or a “low” risk, only whether it cost you time and money to deal with it.
Most of us are supporting legacy systems and always will be. Only new companies have the luxury of selecting a platform based only on security, performance, and initial cost. That’s further limited to only new companies that have an expert IT staff in place to advise the company founders before they buy a single computer. It’s far more likely that a platform decision will be based on the experience of the founders, the vendor who gets there first with the best proposal, or, most likely of all, which platform runs a line-of-business application that the company needs.
The Aberdeen Report concludes that the reduction in Microsoft vulnerabilities is the result of the company’s much-touted new security initiative. It may be too early to determine that, but it is a relief to see that no major viruses have besieged Windows in 2002.
As for Microsoft’s new security labeling system, I think it is useful. It makes sense to reserve the Critical rating for those dangerous global threats that can spread around the world quickly and temporarily threaten the integrity of corporate systems.