A recent study by the U.S. government indicates that the number of security vulnerabilities in the open-source Linux/Unix operating systems is three times greater than that of Windows. This has not only drawn criticism from the open-source community but has also led many security experts to express skepticism.
The 2005 Cybersecurity report released last week by the U.S. government’s Computer Emergency Response Team (CERT) documented a total of 5,198 vulnerabilities, of which 812 were attributed to Windows, 2,328 to Linux/Unix, and 2,058 spread across other systems.
Is There Really Three Times the Danger?
In response to this report, the website NewsForge.com asserted that the government’s data contained “errors,” noting that several independent reports from non-open-source organizations have concluded that Windows is rife with dangerous security vulnerabilities that can easily be exploited by hackers.
While the vulnerabilities in Windows are reported solely for the XP, NT, and 98 versions, the 2,328 vulnerabilities for Linux/Unix encompass a wide range of operating systems including Solaris, AIX, HP-UX, BSD, and multiple versions of Linux itself.
“The total counts of vulnerabilities from CERT are absurd. They lump all Unix and Linux vulnerabilities together, which does not accurately reflect the security situation of a specific operating system,” Joe Brockmeier, editor-in-chief of Linux.com, reacted sharply.
Real Risks and Data
For example, according to Joe, a vulnerability in Mac OS X cannot be applied to Linux or Unix, yet the government report failed to clarify this point. Furthermore, the Firefox browser is categorized under the Linux umbrella, aggregating all its security vulnerabilities with Linux, even though it operates across various operating systems.
Moreover, Joe pointed out that CERT’s research did not take into account the severity of the reported vulnerabilities, nor the time it takes for companies to release patches.
Graham Cluley, a senior consultant at Sophos, also stated that the severity of a vulnerability, as well as the number of exploits, are the two most critical criteria for evaluating the safety of an operating system—not the aforementioned broad aggregation.
“Having a lot of minor vulnerabilities does not mean that this operating system is less secure than another. What matters is the extent to which a specific vulnerability can be exploited by hackers,” he noted.
The vast majority of viruses and Trojans still primarily target Windows operating systems.
Windows – The Most “Preferred” Target
Analyst Andrew Jaquith from Yankee Group believes that CERT’s method of “counting” software vulnerabilities is a very superficial and biased approach, as it is solely based on publicly disclosed vulnerabilities. “It cannot measure the inherent security status of that operating system, and therefore cannot yield any accurate conclusions.”
Currently, the Windows operating system, due to its widespread popularity, remains the most favored target for hackers and malware.
Unlike Microsoft, Joe argues that the Linux community takes a different approach to security: probing existing vulnerabilities within the system. In contrast, Microsoft keeps its product source code secret and only reacts when notified about incidents.
“Providing information to the public is good, but if the information is presented in an unclear manner, it will certainly confuse users and misrepresent the nature of the issue,” Joe asserted.
Thiên Ý