<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<h2><a id="execsummary">Executive Summary</a></h2>
<p>Much ado has been made about whether or not Linux is truly more
secure than Windows. We compared Windows vs. Linux by examining the
following metrics in the 40 most recent patches/vulnerabilities listed
for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:</p>
<ol>
<li>The severity of security vulnerabilities, derived from the
following metrics:
<ol>
<li>damage potential (how much damage is possible?)</li>
<li>exploitation potential (how easy is it to exploit?)</li>
<li>exposure potential (what kind of access is necessary to
exploit the vulnerability?)</li>
</ol>
</li>
<li>The number of critically severe vulnerabilities</li>
</ol>
<p>The results were not unexpected. Even by Microsoft's subjective and
flawed standards, fully 38% of the most recent patches address flaws
that Microsoft ranks as Critical. Only 10% of Red Hat's patches and
alerts address flaws of Critical severity. These results are easily
demonstrated to be generous to Microsoft and arguably harsh with Red
Hat, since the above results are based on Microsoft's ratings rather
than our more stringent application of the security metrics. If we were
to apply our own metrics, it would increase the number of Critical
flaws in Windows Server 2003 to 50%.</p>
<p>We queried the United States Computer Emergency Readiness Team
(CERT) database, and the CERT data confirms our conclusions by a more
dramatic margin. When we queried the database to present results in
order of severity from most critical to least critical, 39 of the first
40 entries in the CERT database for Windows are rated above the CERT
threshold for a severe alert. Only three of the first 40 entries were
above the threshold when we queried the database about Red Hat. When we
queried the CERT database about Linux, only 6 of the first 40 entries
were above the threshold.</p>
<p>Consider also that both the Red Hat and Linux lists include flaws in
software that runs on Windows, which means these flaws apply to both
Linux and Windows. None of the alerts associated with Windows affect
software that runs on Linux.</p>
<p>So why have there been so many credible-sounding claims to the
contrary, that Linux is actually less secure than Windows? There are
glaring logical holes in the reasoning behind the conclusion that Linux
is less secure. It takes only a little scrutiny to debunk the myths and
logical errors behind the following oft-repeated axioms:</p>
<ol>
<li>Windows only suffers so many attacks because there are more
Windows
installations than Linux, therefore Linux would be just as vulnerable
if it had as many installations</li>
<li>Open source is inherently less secure because malicious hackers
can find flaws more easily</li>
<li>There are more security alerts for Linux than for Windows,
therefore Linux is less secure than Windows</li>
<li>There is a longer time between the discovery of a flaw and a
patch for the flaw with Linux than with Windows</li>
</ol>
<p>The error behind axioms 3 and 4 is that they ignore the most
important metrics for measuring the relative security of one operating
system vs. another. As you will see in our section on <em>Realistic
Security and Severity Metrics</em>,
measuring security by a single metric (such as how long it takes
between the discovery of a flaw and a patch release) produces
meaningless results.</p>
<p>Finally, we also include a brief overview of relevant conceptual
differences between Windows and Linux, to offer an insight into why
Windows tends to be more vulnerable to attacks at both server and
desktop, and why Linux is inherently more secure.<br>
...<br>
<a
href="http://www.theregister.co.uk/security/security_report_windows_vs_linux/";>http://www.theregister.co.uk/security/security_report_windows_vs_linux/</a><br>
</p>
<br>
</body>
</html>