Is Linux Really More Secure Than Windows?

Origin: NewsFactor (www.newsfactor.com)
Source: Masha Zager
Date: 11/10/2002


Introduction

Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer, but they are creatures far lower down the evolutionary ladder -- and much less welcome. These are worms that have infiltrated Linux servers in recent months, commandeering the servers for use in distributed denial-of-service attacks. Linux enthusiasts who once believed they were less vulnerable to attack than Microsoft (Nasdaq: MSFT) users have begun to wonder whether they were overly optimistic.

But it is a mistake to think that one operating environment is inherently more risky than another, according to Eric Hemmendinger, research director at Aberdeen Group. The number of security flaws in software, he said, depends largely on the software's age.

Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors. Likewise, Unix, which has been popular since the 1970s, has also had most of its bugs shaken out.


Newer - and Riskier?

Newer operating environments like Windows and Linux, on the other hand, tend to have more flaws than those that have been thoroughly dissected. A large number of Windows problems are surfacing, in part because of the program's age and in part because of the number of people using Windows.

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities. It is moderated by SecurityFocus, now a division of security firm Symantec.


Real-World Risks

However, the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users. According to Hemmendinger, "The argument about whether one [operating system] is more secure than another doesn't reflect what actually happens in the real world."

Michael Rasmussen, director of research and information security at Giga Information Group and vice president on the international board of directors of the Information Systems Security Association, agreed, saying that both closed-source and open source systems struggle with security vulnerabilities.

"I personally find that the open source side of the debate has the stronger argument, even though you might see more vulnerabilities being reported," he said. "Just because software is closed and [most] people don't know there are security holes doesn't mean that security holes don't exist [or that] nobody knows about them. The security holes are still there." As a result, he noted, systems might contain significant vulnerabilities that administrators are unaware of.


Vendors Scrambling

Both Microsoft and Linux distributors are making efforts to patch security flaws as soon as they are discovered. Microsoft has organized a huge security program as a result of vocal complaints from users, while the Linux effort is, in Hemmendinger's words, "less disciplined but more timely."

Suppliers who are scrambling to provide patches, as well as users who wish the patches would arrive more quickly, feel pressured by "white hat" hackers. They publicize security flaws before giving suppliers a chance to fix them -- thus providing tools for malicious hackers to use.

In addition, a number of companies, such as Big Fix, Patchlink and St. Bernard Software, now offer managed services that can notify users of available patches, deliver them and even, in some cases, install them. These services, according to a report by Aberdeen Group, can help IT managers avoid the "time sink" associated with researching and applying security patches.


Staying Secure

"The good news," Hemmendinger told NewsFactor, "is that over the last six months we've seen a lot of people on the supplier side and the user side wake up to the fact that security patches are a big deal."

IT managers in both Windows and Linux environments can reduce their risk to manageable levels by staying up to date with security patches (by researching and deploying them manually or by using one of the new automated solutions), cleaning old accounts off computers, and shutting off unneeded programs, such as FTP (file transfer protocol), that may become avenues for malicious code.

"You're still not immune," Hemmendinger said, "but you can be reasonably sure that [a vulnerability] that was publicized a year ago won't bite you."

 
