The Caffeinated Penguin

musings of a crackpot hacker

Debunking the "window of opportunity" security myth

Posted By on March 7, 2005

There have been a couple of articles that have come out in the past few months detailing how Windows is more secure than Linux. This is the most recent. The problem is that all of these studies suffer from a fatal flaw in their common logic.

The method factors in the number of reported (aka publicly disclosed) vulnerabilities: more vulnerabilities, less secure. There is also discussion of “days of risk”, a day of risk being a day on which there is an open, unpatched vulnerability. There is one big problem (and a bunch of little ones) with this logic – Microsoft cheats. How? Well, Microsoft certified partners are required to report vulnerabilities in Microsoft software to Microsoft and only to Microsoft. If they report the vulnerability to anyone else, they lose their certified partner status. (This may apply to other levels of Microsoft affiliates and licensees; I'm not sure of the full scope of this stipulation.) Consequently, a large number of vulnerabilities in Microsoft software are either fixed immediately after being publicly reported (because MS already has the fix when they announce the bug), or are never disclosed to the public. After all, what better way to keep confidence in your product than to sweep things under the rug?

So, this lowers both the number of reported vulnerabilities (which is the number of vulnerabilities reported by Microsoft, not to Microsoft) and the days of risk. Linux vulnerabilities, on the other hand, are typically reported to the package maintainer, not the distribution vendor. Therefore, the vendor has no control over disclosure of vulnerabilities. In some cases, they hear about it when everyone else does, which may be quite a long time before the patch comes out, depending on the complexity of the problem. Additionally, the divisions in the security community between limited disclosure (disclose to the software vendor only) and full disclosure (disclose to the public at large) seem to fall along source code development methodology lines (closed vs. open source). Since the open source development model is inherently open, its bug reporting is equally open. The closed source model favors secrets, and the vulnerability disclosure often reflects this.

So, this increases the number of Linux vulnerabilities reported, and decreases the number of Windows vulnerabilities reported.

Don't forget that the “severity of vulnerabilities” issue doesn't hold much water either – after all, there is no consistent grading system for vulnerabilities, so one person's Moderate might be another person's Severe.

Finally, the Linux results are skewed in favor of more vulnerabilities merely because Linux distributions include more packages. Does Windows include an office suite by default? Nope. Multiple databases? Nope. Multiple desktop environments? Nope. High class backup software? Nope. Featureful CD mastering applications? Nope. Most Linux distros come with all of these, many as default options, and often with multiple versions of the same class of application (multiple word processing suites are not uncommon). The more applications, the more potential for vulnerabilities.
