“The United States Computer Emergency Readiness Team released its year-end summary of computer vulnerabilities. While Windows is regarded as the most insecure operating system, the US-CERT found four times as many vulnerabilities specifically related to Unix and Linux. Of 5198 reported flaws, 812 were for Windows, 2328 for Unix and Linux, and 2058 more affected more than one operating system. Notably missing from the list of Windows vulnerabilities is the recently discovered Windows Metafile issue. No vulnerabilities were listed for Apple’s Mac OS X, however several had been disclosed during the year. Also, since OS X is based on Unix, it is vulnerable to some of the flaws associated with its core operating system.” Note: The link is fixed. I have no idea what happened there, sorry guys!
US-CERT: 5198 Linux, Windows OS Flaws in 2005
-
2006-01-04 5:06 pm by Thom Holwerda
Indeed, this announcement has got a lot hidden behind it.
http://www.groklaw.net/article.php?story=20051231142317870
“the Unix/Linux list duplicates items, counting a vulnerability more than once in the list.”
“the same vulnerability is listed, under the same title, four times”
Check out this link for better information.
Why don’t you read the entire newsitem on Groklaw, instead of copying/pasting only the bits that follow a pro-NIX attitude? Let me copy the rest:
“To be fair, the Windows list isn’t really an accurate list of Windows vulnerabilities either, not the way I would think of it. It also has duplicative items, such as for Microsoft ASP.NET Canonicalization (Updated). And it includes Apple, F-Secure, IBM WebSphere, McAfee and other third-party vendor issues. If it can happen to you if you use Windows and the third party software, it’s on the list, I guess. So, personally, I don’t see 812 as being a fair number, unless you qualify what the number means.”
So, in a sense, the list sucks on both sides. Obviously, this item coming from Groklaw, the attention given to the NIX side of things far outweighs the attention given to the Windows side. But that’s natural seeing the source.
-
2006-01-04 7:16 pm by dylansmrjones
Yes. The list sucks for Windows as well as for all other OS’es and 3rd party applications.
That’s what I wrote in my post.
Of course groklaw spends more time on the *nix side than Windows. Of course. It’s not the same as being biased though.
PJ favours *nix’es, and she doesn’t hide it. But she always remembers to view it from both sides, which is why her credibility is so high. Much higher than any moderator or poster at OSNews (incl. me).
I know you don’t like her at all, but that says more about you than her, considering how much respect there is around her, especially from her self-appointed “enemies” (in regard to the SCO vs. IBM battle).
The poster you replied to is clearly biased and forgot the information about Windows – which I did post. Not that I’m not biased – but fairness is a virtue not to be forgotten. Hope you’ll learn it too, someday
-
2006-01-04 7:51 pm by what
Thom, just run this little script I made (requires lynx and GNU sed):
#!/bin/bash
# Requires lynx and GNU sed. Counts the entries in each OS section of the
# US-CERT 2005 bulletin and reports how many of them are the same title
# listed more than once.
lynx --dump http://www.us-cert.gov/cas/bulletins/SB2005.html > stats.tmp

# $1 = section label, $2 = sed address where the section starts,
# $3 = sed address where it ends ($ for end of file)
count_section() {
    echo ""
    echo "$1"
    sed -r -e "$2,$3 !d" \
           -e 's/ *\(Updated.*\)//g' \
           -e 's/^[ \t]+//' \
           -e '/^[*+] \[[0-9]+\]/ !d' \
           -e 's/\[[0-9]+\]//' stats.tmp | uniq -c \
      | awk '{ sum++ ; entries += $1 }
             END { print "Actual flaws :\t\t\t " sum "\nNumber of flaws listed :\t " entries "\nPercentage of dupes :\t\t" 100 * ( 1 - sum/entries ) "\n" }'
}

count_section "Windows"    '/ \* Windows Operating Systems/' '/Unix\/ Linux Operating Systems/'
count_section "Linux/Unix" '/Unix\/ Linux Operating Systems/' '/Multiple Operating Systems/'
count_section "Any"        '/Multiple Operating Systems/'     '$'
Here’s the result:
Windows
Actual flaws : 699
Number of flaws listed : 813
Percentage of dupes : 14.0221
Linux/Unix
Actual flaws : 1227
Number of flaws listed : 2329
Percentage of dupes : 47.3164
Any
Actual flaws : 1640
Number of flaws listed : 2058
Percentage of dupes : 20.311
47% of dupes for Unix or Unix like OSes. That’s pretty much, isn’t it?
Edit: Backslashes aren’t rendered properly, I hope y’all know sed and awk
Edited 2006-01-04 19:52
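The same count done in Python, as an added example that is not the poster’s script and not anything from US-CERT or Groklaw. It parses bulletin text in the same shape as a lynx --dump of the page, folds the “(Updated)” re-listings back into their original entry, counts repeats even when they are not adjacent (the shell version relies on uniq -c, which only merges identical neighbouring lines), and also reports titles filed under more than one OS section, which the bulletin’s own caveat says happens. The input below is a constructed sample, not the real 2005 list; the section names are taken from the sed addresses in the script above and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the shape of a `lynx --dump` of the bulletin page
# (illustrative titles only, not the real 2005 entries).
SAMPLE = """\
   * [1]Windows Operating Systems
     * [2]Microsoft ASP.NET Canonicalization
     * [3]Microsoft ASP.NET Canonicalization (Updated)
     * [4]Vendor Foo Product Buffer Overflow
   * [5]Unix/ Linux Operating Systems
     * [6]Fetchmail POP3 Client Buffer Overflow
     * [7]Fetchmail POP3 Client Buffer Overflow
     * [8]Vendor Foo Product Buffer Overflow
     * [9]Fetchmail POP3 Client Buffer Overflow (Updated)
   * [10]Multiple Operating Systems
     * [11]Vendor Foo Product Buffer Overflow (Updated)
"""

# Section headings as they appear in the dump (same strings the sed script keys on).
SECTIONS = ("Windows Operating Systems",
            "Unix/ Linux Operating Systems",
            "Multiple Operating Systems")
SECTION_RE = re.compile(r"^\s*[*+]\s+(?:\[\d+\])?("
                        + "|".join(map(re.escape, SECTIONS)) + r")\s*$")
# A bulletin entry: bullet, lynx link number in brackets, then the title.
ENTRY_RE = re.compile(r"^\s*[*+]\s+\[\d+\](.*\S)\s*$")
UPDATED_RE = re.compile(r"\s*\(Updated[^)]*\)\s*$", re.IGNORECASE)


def normalize(title):
    """Canonical form of a title: drop the '(Updated)' tag, fold case and whitespace."""
    return " ".join(UPDATED_RE.sub("", title).split()).casefold()


def parse_bulletin(text):
    """Map each OS section to the normalized titles listed under it, in order."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(normalize(m.group(1)))
    return sections


def summarize(sections):
    """Per section: entries listed, distinct titles, and the share that are repeats."""
    out = {}
    for name, titles in sections.items():
        listed, distinct = len(titles), len(set(titles))
        pct = round(100.0 * (1 - distinct / listed), 1) if listed else 0.0
        out[name] = {"listed": listed, "distinct": distinct, "dupe_pct": pct}
    return out


def cross_section(sections):
    """Titles filed under more than one OS section (so counted once per section)."""
    seen = Counter(t for titles in sections.values() for t in set(titles))
    return sorted(t for t, n in seen.items() if n > 1)


def overall(sections):
    """Entries listed versus distinct titles across the whole bulletin."""
    all_titles = [t for titles in sections.values() for t in titles]
    return {"listed": len(all_titles), "distinct": len(set(all_titles))}


if __name__ == "__main__":
    parsed = parse_bulletin(SAMPLE)
    for name, stats in summarize(parsed).items():
        print(f"{name}: {stats}")
    print("Filed in more than one section:", cross_section(parsed))
    print("Overall:", overall(parsed))
```

To run it against the real page, replace SAMPLE with the output of lynx --dump on the bulletin URL; the two percentages (per section and overall) are the numbers the shell script prints, with the cross-section list as the extra figure.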
-
2006-01-05 2:13 pm by nii_
http://www.groklaw.net/article.php?story=20051231142317870
“Why don’t you read the entire newsitem on Groklaw, instead of copying/pasting only the bits that follow a pro-NIX attitude?”
I read the entire thing, twice too, and checked into it further than that. OSs are grouped together as one, for example a number of *nix OSs, and multiple vulnerabilities of varying severity are listed more than once, effectively ad hoc.
I put in one short quote giving an example of how problems are listed more than once, and then advised people “Check out this link for better information.” Where is this at all pro-*nix? My advice is still to go and read Groklaw. I’m certainly not going to go paste the entire thing in here when people can easily click on a link.
Linux contains software like the following:
1.) Web Server – Apache – runs 70%+ web servers on the internet
2.) Database Server – mysql / postgresql (yahoo/google/livejournal are known to use mysql)
3.) Remote Management – ssh/freenx (unlimited users)
4.) Email Server with spam filtering – Postfix + dspam + roundcube webmail (Same software as in use at 30gigs.com)
With Windows, that software is not in the core OS unless you pay for it to be added on:
1.) IIS – Comes bundled with Windows if you pay for the “Enterprise” editions or Small Business Server
2.) MSSQL – $5,999 / each processor
3.) Windows Terminal Server with 5 Users – $749.00
4.) Exchange Server 2003 Standard Edition (for medium organizations) – $699 + Client access licenses for EACH user that connects
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/prici…
http://www.microsoft.com/sql/howtobuy/default.mspx#EDAA
http://www.microsoft.com/exchange/howtobuy/medium.mspx
They try to say that Linux has *more* vulnerabilities when in fact their assumption is fatally flawed. Linux simply includes much more software. Flaws in the included software are considered a flaw with Linux.
If all of the 0 day exploits released for IIS, MSSQL, Exchange Server, MS Office, etc were considered vulnerabilities in MS Windows, I dare to say Windows would have far more vulnerabilities.
You will see.
It doesn’t matter how flawed this report could look. It’ll make it to the Get The FUD page… big time! 🙂
I don’t see what US-Cert has to gain by showing bias toward any operating system. This isn’t the usual article written by some opinionated columnist.
Edited 2006-01-04 14:04
Yikes. Countless Windows and Linux kernel vulnerabilities. Times like this, I ponder switching to OpenBSD fulltime instead of just for playing around (if not for this damned recently acquired gaming addiction :-P).
One buffer overflow for the whole year, and with all of the built-in exploit mitigation stuff, I’m not sure how dangerous it’d be…
EDIT: yeah, I’m aware that many of the third party apps one would run on it would have all the flaws listed there, but still…
Edited 2006-01-04 14:36
Well, my take is that why compare a multitude of OSs against just one? The study is obviously blatantly biased but very important that OS News posted it because this is something coming from a very powerful government.
It does show that the U.S. is in league with MS. That’s why I go with non-profits as I don’t trust the government and with good reason.
From now on I wouldn’t take CERT seriously.
Especially with such a massive security risk to people how could the government be so careless? It’s sad.
Linux is the kernel and saying that “Linux” has more vulnerabilities is wrong. I can guarantee that most distros don’t have anywhere near that many vulnerabilities. US-CERT, are they working for Bush, paid off by Microsoft? OSnews, this is a terrible link and you should only publish them if you know they are FACT not FUD. I guess you need to balance the bad news about Microsoft and Windows with some FUD about Linux.
-
2006-01-04 3:28 pm by Ben Jao Ming
I very much agree. But of course people are allowed to make up their own opinions. What I personally achieved from this post was a mere belief that the US-CERT are a bunch of idiots posting security bulletins with no clue whatsoever.
On the more serious part, I think OSNews has a responsibility to be more than just a bunch of unsorted news flashes.
I’m sorry folks, but stuff like this WILL get posted on OSNews, just because it is interesting. The fact that their methodology might not rhyme with your own methodologies is hardly a reason NOT to post it.
Other than that, the last time I checked the United States was a democracy, so we can expect a certain degree of independence from its institutions. Then again, I’m Dutch and I’m used to state institutions being independent, I don’t really know how that counts outside of Europe.
-
2006-01-04 3:19 pm by deepspace
I’m sorry folks, but stuff like this WILL get posted on OSNews, just because it is interesting. The fact that their methodology might not rhyme with your own methodologies is hardly a reason NOT to post it.
That is very true. This “news” should not be hidden, nor is the way it is brought wrong (treat it as sarcasm). Look at the reactions… that’s just great! Much better than ignoring it.
Other than that, the last time I checked the United States was a democracy, so we can expect a certain degree of independence from its institutions.
Well, then you didn’t check today. The USA is a country where you can simply pay a lot of money to get something done. Half the congress is bought. Hardly what you call a true democracy if you ask me… Let alone talk about independence.
Then again, I’m Dutch and I’m used to state institutions being independent, I don’t really know how that counts outside of Europe.
Exactly (I’m Dutch, too)
If you work for any US Government agency, the quality of the security information is usually fair to poor, and in many cases gleaned from other web sites. When I get notification of vulnerabilities from the Government (DoD), I usually have them patched or have the downtime to patch scheduled before receiving the notice.
This is why I use SecurityFocus and SecurityTracker on a daily basis rather than wait for a Government agency to send an advisory. And on the rare occasion that I actually need it, go to CVE (cve.mitre.org) for information from them on specific vulnerabilities.
The U.S. is a large bureaucracy. It’s definitely not a bunch of independent institutions like Holland, if that’s the case.
Yes I am from America and am sick of it but it’s the same throughout the world today anyway. The democracy part is only partial because voting for candidates is not based on merit since anyone can get in. I don’t agree with it.
Also anything using U.S. currency is contracted to U.S. in some way so naturally the U.S. defends its interests to the detriment of us all. Linux tries to stay independent under a GNU contract not dictated by the dollar which I wholeheartedly agree with since I am a Star Trek person who thinks money is dying
Windows more secure.
If anyone from OS News deletes this comment, I will voodoo Linux to eternity come!
Hummm, what about this new cert FIN-06-004-01
(Another BIG ole windows hole)
I mean you go to the US-CERT site and almost everything you see on there is Windows, Windows, Windows.
As always you have Windows guys trying to talk Unix security. But when you look closer the truth is I have NEVER had to run scared, double check my virusscan or any of those things when using Linux/Unix/Mac OS
Sorry.
-
2006-01-04 6:26 pm by ma_d
That’s probably because:
1.) 94% of the Country is running Windows.
2.) 99% of those people are complete idiots (when it comes to operating systems).
The Mac side is much more into getting their updates, and many are very geeky. And the linux side is probably half obsessive geeks and half wannabe geeks on the way… With a small mix of know-nothings thrown in to spice up the mix.
CERT is supposed to be protecting computer users (sadly, from themselves I think). They’re not going to confuse 94% of the country to help the fifty people who visit the site with a Linux box who aren’t geeks.
Now, I agree that Unix security is much higher than Windows in general. But, I don’t think CERT’s website is a good proof of that.
-
2006-01-04 6:41 pm by Windows Sucks
You are right about the CERT site that is for sure.
But looking over the problems with Unix and Linux on the site 95% of those problems would not affect desktop users of Linux, Unix and/or Mac OS anyway.
Unlike the 95% of Windows problems that affect any and every version of Windows, servers and desktops.
That is a big difference (And you don’t have to look on the cert site to see that. LOL!)
Users should not be blamed for Microsoft’s lack of education about the features in their products. They don’t include any documentation, they don’t make the user secure the machine and they don’t really teach the importance of patches.
All you see from Microsoft are slick ads telling you that you can hook a telescope to your Windows machine and see the Cat’s Eye Nebula. LOL! They don’t even feature their products in their ads anymore. LOL!
You can’t expect people to: not open attachments, not go to bad sites, buy virusscan, update virusscan, lock down the machine, not log in with admin rights, turn on and configure the firewall, update patches, read about security problems etc, etc without education. Sorry but people just want to turn on their machines and go, which you can do almost at will on your Mac or Linux desktop.
“Then again, I’m Dutch and I’m used to state institutions being independant, I don’t really know how that counts outside of Europe.
Exactly (I’m dutch, too)”
So you’re saying you don’t have graft and corruption in the Netherlands? Political parties there don’t take campaign contributions and don’t do favors for people/corporations that do make (bribes) contributions?
-
2006-01-04 8:30 pm by Thom Holwerda
So you’re saying you don’t have graft and corruption in the Netherlands? Political parties there don’t take campaign contributions and don’t do favors for people/corporations that do make (bribes) contributions?
Exactly. That’s because the law prohibits it. Personal donations are limited to a very small amount, and only once per year per person, and contributions from commercial entities are prohibited altogether. Also, parties must, by law, detail their financial activities to the public. Remember, the Dutch parliament consists of about 8-10 parties, instead of the 2 (ok 3) that the US has.
And on the world index for corruption, the Netherlands is 11th, and the US 17th– but that’s bound to change after today’s news .
“That’s because the law prohibits it.”
LOL. Thanks for that laugh. The best I’ve had all day. Indeed, corruption is illegal in the U.S. as well. So is murder, theft, extortion, etc. So much for law and order.
Honestly, do the younger generations of Europeans never look around and consider for a moment that this temporary Tolkienesque view Europeans have of themselves being for human rights and the pinnacle of humanity comes only after centuries upon centuries of raping and pillaging the Third World, slaughtering each other and perfecting warfare to an exact science and having taught all your former colonies (especially the U.S.) that science? Does it not occur that Europe is just as “evil” as America if not more so? Because all too often on internet bulletin boards I get the notion that current generations of Europeans have forgotten just how ugly their history is and probably think the old ways are gone forever.
-
2006-01-04 8:51 pm by Thom Holwerda
Microshag, don’t twist my words. You asked:
Political parties there don’t take campaign contributions and don’t do favors for people/corporations that do make (bribes) contributions?
I said: no, because it’s not allowed to donate money AT ALL— contrary to the US, where donating money to parties and party members is completely LEGAL. Where else did you think the money for those big campaigns come from?
And what does this have to do with Europe’s history? What does this have to do with Europe Vs. US at all?
you are going to take a lot of flak on this one, Thom. The linked article is a perfect example of how one can use statistics to prove anything. I think the most telling comparison would be to show how many days of last year Windows had an unpatched critical vulnerability vs the same info for UNIX/Linux. I think you will see a radically different picture. So the real question would become which OS is less secure? One that has more vulnerabilities that are patched quickly or one that has fewer that remain unpatched for longer periods of time? I know such a study has been done, but darned if I can find a link to it.
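The days-of-exposure comparison this post asks for, as an added example that is not from the poster and not a real study: over a constructed list of advisories with disclosure and patch dates it counts, per platform, the number of days in the year on which at least one critical issue was known and unpatched, merging overlapping windows so that two concurrent holes count once and running a still-unpatched issue to year end. The sample is built so that the platform with more critical advisories has fewer exposed days, which is exactly the case where a raw vulnerability count and an exposure count disagree. Platform names, severities and dates are all made up.

```python
from datetime import date, timedelta

YEAR_START, YEAR_END = date(2005, 1, 1), date(2005, 12, 31)

# Constructed sample, not real advisory data:
# (platform, severity, date disclosed, date a patch shipped or None if still open)
SAMPLE_ADVISORIES = [
    ("Windows", "critical", date(2005, 1, 10), date(2005, 2, 8)),
    ("Windows", "critical", date(2005, 2, 1), date(2005, 2, 8)),    # overlaps the one above
    ("Windows", "critical", date(2005, 12, 27), None),              # still unpatched at year end
    ("Windows", "moderate", date(2005, 5, 1), date(2005, 9, 1)),    # not critical, not counted
    ("Unix/Linux", "critical", date(2005, 3, 3), date(2005, 3, 5)),
    ("Unix/Linux", "critical", date(2005, 3, 4), date(2005, 3, 6)),
    ("Unix/Linux", "critical", date(2005, 6, 1), date(2005, 6, 2)),
    ("Unix/Linux", "critical", date(2005, 11, 20), date(2005, 11, 21)),
]


def exposure_days(advisories, platform, severity="critical",
                  year_start=YEAR_START, year_end=YEAR_END):
    """Calendar days inside the year on which `platform` had at least one
    unpatched advisory of `severity`.  A day counts if it is on or after the
    disclosure date and before the patch date; an advisory with no patch runs
    to year end.  Overlapping windows are merged so concurrent holes are not
    double counted: the question is "how many days exposed", not "how many bugs"."""
    windows = []
    for plat, sev, disclosed, patched in advisories:
        if plat != platform or sev != severity:
            continue
        start = max(disclosed, year_start)
        last = (patched - timedelta(days=1)) if patched else year_end
        last = min(last, year_end)
        if start <= last:
            windows.append((start, last))
    windows.sort()
    merged = []
    for start, last in windows:
        # adjacent or overlapping windows become one window
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((start, last))
    return sum((last - start).days + 1 for start, last in merged)


def exposure_report(advisories, year_start=YEAR_START, year_end=YEAR_END):
    """Per platform: number of critical advisories versus number of days exposed."""
    platforms = sorted({a[0] for a in advisories})
    return {
        p: {
            "critical_advisories": sum(1 for a in advisories if a[0] == p and a[1] == "critical"),
            "days_exposed": exposure_days(advisories, p, "critical", year_start, year_end),
        }
        for p in platforms
    }


if __name__ == "__main__":
    for platform, stats in exposure_report(SAMPLE_ADVISORIES).items():
        print(f"{platform}: {stats}")
```

On the sample, Unix/Linux has four critical advisories but five exposed days, while Windows has three and thirty-four; the same shape of data taken from a real advisory feed is what such a study would need, and the disclosure and patch dates are the part a raw bulletin count throws away.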
-
2006-01-04 9:15 pm by Thom Holwerda
you are going to take a lot of flak on this one, Thom.
Eh, I still think it is the US-CERT to blame, not really the writer of the blurb on BetaNews. I mean, it’s not as if everyone reads Groklaw (luckily) or greps the CERT page. I can understand that the writer assumed that a governmental org. wouldn’t be biased.
“Other than that, the last time I checked the United States was a democracy, so we can expect a certain degree of independence from its institutions.
Well, then you didn’t check today. The USA is a country where you can simply pay a lot of money to get something done. Half the congress is bought. Hardly what you call a true democracy if you ask me… Let alone talk about independence.
Then again, I’m Dutch and I’m used to state institutions being independent, I don’t really know how that counts outside of Europe.
Exactly (I’m Dutch, too)”
I don’t have to twist anybody’s words. It’s pretty clear. Yet another anti-American slur from yet another European on this board. Maybe you don’t notice but we get it all the time, and I’m thinking maybe you guys need some reminders. It was you who made it a Dutch vs. American thing with your initial comment, and then of course somebody else took it and ran with it. Maybe you ought to be more careful about making comments since you’re often suggesting the same for others.
-
2006-01-04 10:26 pm by Thom Holwerda
What the…? I only said that because state institutions are usually independent here, I assumed they were in the US too. It was *other* US commenters who suggested it wasn’t, my friend!
You misquoted too, by the way. That middle section (“Well, then you… talk about independance.”) wasn’t written by me. Please make sure you quote properly next time.
95% of Windows users run it as “administrator” or root. 95% of Linux users run it as non-root. A so called vulnerability is a disaster if it is exploited as root but mostly a non-event when exploited as an ordinary user. Just do the math.
These “security” clowns make their money from having an insecure status quo and actually want us to believe they have no vested interest in their endless drumbeat for Windows.
I have a part-time Windows network admin job for a small company. The CEO wanted more security, so I decided to lock down all the client machines and make everybody run their applications as non-admin, but we found out that most of the popular desktop applications that make Windows so popular do not actually work on the workstations when you try to run them without admin privileges. Solution: We are paying a couple of hundred dollars per PC to have up to date security software from different companies… more money to the “security” industry.
Oh please. CERT may be federally funded by the US gov’t (DoD and Homeland Defense) but they’re operated by Carnegie Mellon University, a fairly well respected institution. They may be a little more conservative than a place like Berkeley, but US universities are not really renowned for pandering to government administrations. Furthermore they’re not like universities in many other countries (my own included) that are funded primarily by the government; they rely on tuitions and grants. I don’t think there’s a conspiracy with CERT trying to undermine *nix by promoting it against Windows. CERT produces unbiased reports of vulnerabilities and validates proof-of-concept execution code. The results are logged and kept. The 2005 “summary” was basically a raw compilation of their database.
Raw numbers of vulnerabilities reports are meaningless as any sort of indicator, particularly when they’re unqualified. It’s the same things as claiming a linux distro is superior to Windows because it has 20,000 applications available in the repo. Means nothing if those applications are of no use to the user.
Similarly, unix could have 10,000 vulnerabilities discovered and Windows only 100. Those numbers mean nothing without some frame of reference, a) what is the severity: application crash, system crash, system takeover? and b) what is the risk: exploitable only under the convergence of specific system configurations? exploitable by user interaction? exploitable by external attack?
Perhaps the most important measure is a) how many of those vulnerabilities still exist and b) how long did they take to patch.
No doubt Microsoft and their apologists will hide behind this as evidence of Windows’ mythical security focus. They’d find a way to put a positive spin on it no matter what the results were. And hopefully this may serve as a wakeup call to the *nix community that all applications and platforms have the potential for flaws, and security shouldn’t be taken for granted.
But you can’t really criticize raw data. It’s just a thing. In the absence of proper context, the results are really meaningless. Context provides room for interpretation.
(edit: typo)
Edited 2006-01-05 19:08
If anyone’s interested in the actual list, rather than downloading some random proprietary software (WTF?), here it is: http://www.us-cert.gov/cas/bulletins/SB2005.html
Enjoy.
No vulnerabilities were listed for Apple’s Mac OS X, however several had been disclosed during the year. Also, since OS X is based on Unix, it is vulnerable to some of the flaws associated with its core operating system.
All of the specific Mac OSX related vulnerabilities are included in the Linux/Unix list – and there are quite a lot.
So there are 4x more linux/unix vulnerabilities, eh? Sounds great, and it will sure generate lots of publicity, but it is utterly useless. How can you compare Windows + X amount of apps (do we get a list of the apps that were tracked? acrobat reader is there, but how many other windows apps were checked?) and Linux/Solaris/FreeBSD + Y amount of apps, when there is little indication of the comparative number of X and Y.
In other words, after tracking Windows (an OS) AND a number of apps running on that os with Linux/FreeBSD/Solaris/whatnot (these are distinct operating systems) AND another arbitrary number of apps running on each or just one of these OSes reaching the conclusion that Linux/Unix has more bugs is fallacious. More than fallacious… how can they get away with this?
It’s even worse!
Some of the bugs are reported multiple times. Some of the software is mutually exclusive. E.g. you wouldn’t run three different mailservers on the same machine.
There is also no easy way to see the severity of the bug, and for how many days it was left unpatched.
It doesn’t tell if the bug fix requires a reboot or forces other unaffected services to be temporarily shut down to be fixed.
These statistics are utterly useless.
Is there also a list that shows what vulnerabilities have been patched by now?
I normally look at http://www.secunia.com for security stuff about products.
I normally look at http://www.packetstormsecurity.org for exploit code to test if my systems are vulnerable
Yes, but it would be interesting to see how many of the problems on this list are already patched in later versions of the software, and then compare what OS has the most patches. Also: how fast was it patched…
Well, the rest is already said: this is just a load of crap
of those listed, how many are critical? Linux being much more modular I’m not really surprised there are more flaws.
If there are more critical flaws for linux than windows, now I’m surprised. Are there?
unix is not one OS…
Let me translate. There are substantially more bugs found in at least 9 distinct operating systems – Solaris, SuSE, Cisco, SCO UnixWare, RedHat Linux, OpenBSD, FreeBSD, NetBSD, and for some reason they count Safari bugs there as well, even though they don’t count OS X bugs separately + an arbitrary number of applications (including KDE and GNOME, that in itself has more apps than are counted for Windows) than in Windows + an arbitrary number of apps running on Windows. Yeah, this is a really useful comparison.
Windows 95 is more secure. I have used it for years and I haven’t caught any virus. I recommend it over Linux.
Windows 95 is more secure. I have used it for years and I haven’t caught any virus. I recommend it over Linux.
That’s the most ridiculous and naive statement I have heard in a long time.
“that’s the most ridiculous and naive statement I have heard in a long time.”
Yes but probably partially true. At work one of my colleagues came to me with his problem. For years he had been running Win 98 happily at home, then a couple of months before he installed XP, then his system began to slow down until it was totally borked with malware and he found he could neither reinstall XP nor 98.
I gave him a set of Ubuntu disks and over the weekend he ran the Ubuntu live disk to surf the web, but he was too chicken to install it on his hard drive. He managed to find someone who could get XP to reinstall on his system. As advised, he had the good sense to install a hardware firewall/router and has been running OK since
Edited 2006-01-04 14:14
Maybe it’s not connected to the internet.
Then again, I don’t think I’ve gotten a virus in Windows since… 2002, running Windows ME. I’ve only had a computer of my own since 2000.
Actually, Win95 OSR2 behind a Linux firewall can be quite a secure desktop OS. It simply doesn’t support many of the common Windows exploit vectors.
To clarify, though, I wouldn’t recommend such a setup to anyone unless they had some specific need for it, and I wouldn’t connect such a machine DIRECTLY to the net. 🙂
Thom, sorry but your credibility is instant zero to me on this one.
This reads just like a FUD trollfest introduction, everything is BS in what you say:
While Windows is regarded as the most insecure operating system, the US-CERT found four times as many vulnerabilities specifically related to Unix and Linux
This is BS, scanning the Unix/Linux list, I see apps like Apache/MySQL/Vim (no kidding) which are not Unix/Linux specific, I see lots of different OS (Mac OS, Linux, Solaris, …), I see lots of “(updated)” entries (some have 10+).
So why this stupid trollish comment?
Especially when the CERT warns:
“Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information”.
So from a 30 second analysis of the same information that was given to you, I deduce that:
– More vulnerabilities are detected on open-source and Unix platforms (sth about more eyes and shallow bugs becomes all too true)
– One OS, Windows, has so much holes that it has its own section !!! Compared to other OS that are all grouped together so that Windows does not look like shit (no credibility on CERT on this one).
– This list does not list exploits, but discovered vulnerabilities, so it does not say much about the OS security state
Others have already noted the wrong in all the other things you say.
For example, Mac OS X vulnerabilities are listed, but due to what I said earlier, you won’t see it immediately. A good example is that “Apple Mac OS X AirPort Card Automatic Network Association” is cited in Unix/Linux vulnerabilities !!!! And I think everyone will agree that it is a Mac OS X specific vulnerability that has nothing to do in Unix/Linux vulnerabilities.
Thom, sorry but your credibility is instant zero to me on this one.
This reads just like a FUD trollfest introduction, everything is BS in what you say
Those are not my words. At OSNews we *link* to articles, mostly. Think before you post, please.
Those are not my words. At OSNews we *link* to articles, mostly. Think before you post, please
I’m sorry then, but it is not a problem of thinking on my part, it’s just that the link was broken at the time I read the list by means of another link, so I did not see anyone other than you as the author.
Why don’t you just link straight up to the CERT page? The author of the summary you linked to is obviously a babbling idiot.
I don’t see any reason to post a link to a short summary like that.
Why don’t you just link straight up to the CERT page? The author of the summary you linked to is obviously a babbling idiot.
I don’t see any reason to post a link to a short summary like that.
Because I found this via that website. Seems only fair practice to give credit where credit’s due.
Thom,
Maybe it’s *you* that should think before blowing out sensationalistic drivel. If you had paused to *think* before linking that garbage you might have realized that most of the “OS flaws” are really APPLICATION issues!
Then you might *think* that some idiot at CERT hasn’t the first clue how to differentiate OS flaws from APPLICATION flaws. (Hm, maybe there’s an interesting story…)
And that makes this “summary of computer vulnerabilities” utter trash, unless you’re just looking for another quick-hit sensationalistic hit of misinformation.
…and maybe instead posted something actually *thoughtful* like “Hey, over at CERT there’s this pseudo-list of supposed OS vulnerabilities that are mostly application-level problems – read it for a bit of insight as to how useless CERT really is.” But, maybe that would require too much *thought*, eh?
“Think before you post”, indeed!
Most of the flaws in Linux and compatible systems are duplicates counted 3-4 and 5 times, some even more than that.
Several Windows flaws are duplicates as well, so the list is unusable until someone clears it out and removes all duplicates.
Eric Raymond’s “Fetchmail POP3 Client Buffer Overflow” is counted 5 times in the “Linux and *BSDs” group. And the list is unusable for Windows as well.
Read more here: http://www.groklaw.net/article.php?story=20051231142317870
@ Thom: Please don’t link to articles which are so lame. It might generate some more traffic and some ads revenue, but puhlease… it reduces the credibility of OSNews. And we don’t want that.
Thom: Please don’t link to articles which are so lame. It might generate some more traffic and some ads revenue, but puhlease… it reduces the credibility of OSNews. And we don’t want that.
This is a completely off-topic statement, but here at OSNews the world doesn’t revolve around ad revenues. We have stated that numerous times: the little money OSNews gets from ads goes directly to hosting costs, and that’s it.
We as editors and maintainers get NOTHING, and do everything on a voluntary basis. I strongly FIGHT against statements like yours because they somehow imply I only post news for money. Which pisses me off, and let this be a serious warning on your end.
This news got posted because I know people are interested in knowing things like this. Of course these comparisons are always skewed and full of errors– but what if this exact same report said that UNIX had fewer flaws than Windows? Would you also have complained in the same way you just did?
Exactly.
Edit: removed the don’t reply crap. Shouldn’t be necessary anymore after disabling anon. posting.
Edited 2006-01-04 14:09
Exactly. Those visitors are “information consumers” and don’t have a clue that behind OSNews there are volunteers who work for pleasure, but definitely not for money. However, it’s a lot of work.
This also pisses me off. If you don’t like OSNews, go to Slashdot or Newsforge. Or better yet, gather the articles you want on the web yourself.
But respect the work of volunteers who work for you for free.
Sorry this is offtopic. Joe User are you really Justin Sane of Anti-Flag. If so I just want to say the Terror State CD was really great.
I love your twisted “logic”, Thom:
“This news got posted because I know people are interested in knowing things like this. Of course these comparisons are always skewed and full of errors– but what if this exact same report said that UNIX had fewer flaws than Windows? Would you also have complained in the same way you just did?”
First off, the wording makes it sensationalist bullsh-t, not objective news. Secondly, what does your hypothetizing have to do with anything? The hypothetical reaction to an equally hypothetical UNIX-positive sensationalist bullsh-t has nothing to do with the fact that, quite frankly, you’ve just f-cked up as an editor by linking deceivingly-worded low-quality sensationalist bullsh-t masquerading as news.
Stop avoiding responsibility by appealing to hypothetical situations; it makes you look unprofessional in this real situation.
Yeah, people are very interested in reading BS, poor quality articles. Way to go Thom! And it’s interesting BS that people are “interested” in too! Whoop dee doo.
This news got posted because I know people are interested in knowing things like this. Of course these comparisons are always skewed and full of errors– but what if this exact same report said that UNIX had fewer flaws than Windows? Would you also have complained in the same way you just did?
I already knew about the list from CERT. And if you look in my post, you can see I’m also writing that the list is screwed up for Windows as well. I actually write this several times.
So the answer is: If you had said Windows had more flaws than Linux I would complain, yes (because I knew about the list already). And then I’d have asked you for a list with all duplicates removed
But it still beats me how you can link to such a lousy article. We both know you can do better