| |
mark :: blog
It's been an interesting month so far with several reports of people
comparing the number of vulnerabilities in Microsoft software to those
in Linux distributions. I've previously talked at length about these
types of studies after last years Forrester report, but it seems that
these comparisons don't get any better.
Microsoft are
quoted and say that in 2005 to Feb 9th that Windows Server 2003
had 15 vulnerabilities, but in the same period Red Hat Enterprise
Linux 3 had 34, more than double!
What they failed to mention was that of those vulnerabilities, 3 of
the flaws affecting Windows Server 2003 were classed by Microsoft as
"Critical", flaws that can be remotely exploited without user
interaction to take control of a machine, for example by a worm. Of
the Enterprise Linux 3 vulnerabilities quoted, using the Microsoft
scale, none were Critical. Metrics like those they quoted are
completely worthless if you do not take into account the risk that the
vulnerabilities actually pose to users. One Critical vulnerability
and a worm or remote attacker owns your machine.
So of those 15 Microsoft issues:
3 Critical
3 Important
8 Moderate
1 Low
For Enterprise Linux 3 they counted 34 issues up until Feb 9th:
0 Critical
12 Important
14 Moderate
8 Low
I'm not saying that Red Hat is immune to Critical vulnerabilities,
in fact in the lifetime of Enterprise Linux 3 (Nov 2003 to date) we've
had 12. I'm also not saying that I think these stats show that Linux
is more secure (or safer) than Windows, just they just show how
useless stats like these are.
One of the things we at Red Hat can do to help our users determine
the risk of security issues is to provide some guidance on which
issues Red Hat is the most worried about. Since the release of Red
Hat Enterprise Linux 4 last week, the Red Hat Security Response Team
has been including severity impact statements on all security
advisories. find out
more. We've also gone back and applied the classification to
every Enterprise Linux advisory we've produced, and will publish that
list shortly.
Created: 24 Feb 2005
Tagged as: metrics, microsoft, red hat, security
0 comments
(new comments disabled)
|
|
|
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
pics from my twitter:
popular tags:
[all],
apache,
apachecon,
apacheweek,
cve,
cvss,
fedora,
financial,
geocaching,
ha,
metrics,
microsoft,
nashville,
north carolina,
red hat summit,
redhat,
security,
trips
|
|
