January 5, 2006


Author: Joe Brockmeier and Joe Barr

Everywhere you look in the trade press today, you'll find glowing misrepresentations of US-CERT's latest annual summary of vulnerabilities discovered in 2005. If you take the summary findings at face value, you would likely conclude that Windows -- with 812 reported vulnerabilities -- is a much safer operating system than something called "Unix/Linux," which totaled 2,328. The US-CERT summaries have become the fodder for a FUD festival, and many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges.

Microsoft wants you to read the headlines as "Windows 3X safer than Linux." (If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.) But even the most cursory examination shows that the two figures are not representative of today's two major operating system platforms.

One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows.

That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux.

Numbers don't mean everything

After all this time, you'd think that the mainstream tech press could get it right when reporting on security. The sheer number of vulnerabilities means little when compared with other factors, such as the severity of the vulnerability, how easy it is to exploit the vulnerability, and how long it takes a vendor to respond to the vulnerability.

So you want to talk about vulnerabilities?

While some outlets are saying that "Windows beats Linux/Unix on vulnerabilities," Windows admins are sweating the WMF vulnerability without any patch available from Microsoft. Microsoft disclosed the WMF vulnerability on December 27. This was a zero-day exploit, meaning that exploits were found in the wild before the vulnerability was known.

Here we are, more than a week later, and Windows admins are having to use unofficial patches to try to protect themselves. Microsoft says it expects to have a patch next week, if it passes quality testing, meaning the window of opportunity for this nasty little vulnerability will be at least two weeks. One source cites at least 70 malicious WMF files in the wild so far.

It's worth noting that this vulnerability is a design issue, not a buffer overflow or some other exotic exploit -- WMFs are supposed to be able to call external procedures and execute code. Microsoft is vulnerable because the company included a feature to run arbitrary code from an image file.

This is not to say that the data from US-CERT is a meaningless aggregation. You can easily spot the most vulnerable operating system in wide use today by taking a look at the Technical Cyber Security Alerts issued by US-CERT last year. Here's the bottom line:

  • 22 Technical Cyber Security Alerts were issued in 2005
  • 11 of those alerts were for Windows platforms
  • 3 were for Oracle products
  • 2 were for Cisco products
  • 1 was for Mac OS X
  • None were for Linux

That's quite a different picture than the one the Microsoft press machine wants you to see. Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

Still, scribes in the trade press are once again playing the US-CERT FUD game by trumpeting the misleading totals noted at the top of the story as being significant in weighing the relative security of Windows and Linux.

Shame on them for purposely -- or ignorantly, as the case may be -- misleading their readers. And shame on US-CERT for presenting its summary in a way that allows such easy misrepresentation.


  • News
Click Here!