Comparing Windows and Linux Security
Saturday, January 07, 2006
A new bulletin from the Computer Emergency Readiness Team (CERT) has once again raised questions about the relative security of Windows and Linux. It provides a list of software vulnerabilities that were identified in 2005, categorized by operating system. To the surprise of some, almost three times as many problems were found in Unix and Linux, which are reported as a single category, as in Windows.
Open source fans have criticized the document, complaining about how vulnerabilities were categorized and other things. From the looks of things, they're right to do so. The bulletin includes information from both CERT and other sources, and the methodology used in compiling it seems to have been informal at best.
Yet I did a similar analysis myself a couple of years ago, described here, using a somewhat cleaner approach. I examined only CERT security advisories, categorizing them into four groups: Windows, commercial Unixes such as Solaris, other commercial software such as Lotus Notes, and open source software. I found that while commercial software in general and Windows in particular had far more CERT advisories in 2001, the picture had changed by 2002. Open source software, which is largely Linux- and Unix-based, had 15 advisories that year while Windows had only 6.
Does this matter? Security problems in Windows are so much more significant than those in Linux because Windows is so much more widely used. And even if Linux were perfectly secure, this wouldn't do much to loosen the grip that Windows has on most desktops today.
There is an important conclusion to draw here, however. Some in the open source world have long argued that, since the code can be examined by anybody, open source software is therefore more secure than proprietary software. But the evidence doesn't back up this claim. Commercial software surely isn't secure enough today, but the assertion that open source software is inherently more secure just isn't supported by the facts. Like it or not, security is a problem for everybody.