Thursday, 24 March 2005

Windows rocks

F-Secure has a real knack for creative sarcasm on its security weblog, and today is no exception in their headline linking to an interesting report. Apparently, a study has been published showing the relative number of vulnerabilities, comparing Windows 2003 Server to a Linux distribution in several configurations.

Update: In a won't-really-build-confidence-with-the-common-folk move, the researchers apparently did not reveal at the RSA conference that this study was funded by (but, according to the researchers, not influenced by) Microsoft. They disclose this fact in the published study itself, but did not tell the audience at the conference when they presented the results. Read more here.

Get the PDF file of the study here. For a document describing the methodology in detail and for more information (including an email address to provide comments), go here.

F-Secure used the headline, "It's Official - Linux Sucks?" No doubt others will comment that the reality of the situation is that Windows is better for stupid people (meaning people who don't harden their machines). Flames will go forth, but you can't deny the report.

The end result of the study is that Windows Server 2003 was more secure than the Linux distributions tested.

Uh, heh... That should make a few people stand up and scream.

Using out-of-the-box, standard/recommended OS installs, the researchers found that the Windows 2003 server was more secure, with fewer vulnerabilities counted and a lower average for days of risk, when compared to the Linux distributions tested (Red Hat Enterprise Linux in default and "minimal" recommended configurations):

"In this report, we have studied both quantitative and qualitative data that affects the vulnerability and thus operational security risk of different web server platforms. In order to produce a meaningful comparison of platforms, systems were tested in their default configurations and then looked at in minimal server role configurations. When the default configuration did not provide for a functional web server, systems were configured according to manufacturer’s directions."

For a quick Readers' Digest style overview of the result of the study, get the free PDF of the report, flip down to page 35 and look at the charts on that page. I won't post all the images and tables here; that's what the report is for.

In reality, this is a complex study that is worth reading. The methodologies applied appear to be good ones, and the results are pretty compelling. The real world is never as simple as a lab environment, but if nothing else, this certainly shows how far Windows Server has come over the years (or else it shows how poor Linux distributions have become, or maybe some of both).

IT Security | Tech
Thursday, 24 March 2005 17:36:18 (Pacific Standard Time, UTC-08:00)
Friday, 25 March 2005 04:22:38 (Pacific Standard Time, UTC-08:00)
Heh, you know you're gonna get flames over this one...

I should point out that I could've sworn that RHEL turns on the firewall as part of the install script, so if you pay attention and turn it on when it asks, there are very few remotely exploitable vulnerabilities. And I would also suggest thinking about other distributions - Gentoo comes with zero services enabled by default. It's kinda hard to exploit a service that's not even running ;)

Friday, 25 March 2005 06:09:15 (Pacific Standard Time, UTC-08:00)
Yeah, I know. It was an "interesting" way to do a study.

By the way - I definitely *don't* think Linux sucks - I use it for servers all the time and find it to be great for a number of reasons (I also use Windows a lot and like it, too). I just thought the study was - well - interesting. :)
Sunday, 27 March 2005 16:32:12 (Pacific Standard Time, UTC-08:00)
You might find this study interesting as well:

They connected computers to the internet, and left them. Apparently, the XP SP1 (sans firewall) succumbed within 5 minutes.

I find it interesting how we have studies coming from both sides that claim to prove opposite things.
Sunday, 27 March 2005 20:27:03 (Pacific Standard Time, UTC-08:00)
Yes, I think you can make a study say whatever you want, if that's what you've set out to do. But the real test of a study is to replicate the study using the same methodology.

By the way - with regard to the XP SP1 study TTL results, that's not at all surprising. The one I mentioned in the blog entry was comparing server OS setups. The Windows client is much better from a security standpoint with SP2, but it still has plenty of room for additional improvements, to be sure.