This article can also be found in the Premium Editorial Download "Information Security magazine: Keeping on top of risk management and data integrity essentials."
Download it now to read this article plus other related content.
Hugh Thompson knew the tallest obstacle to his research would be explaining the link to the company that bankrolled his controversial report that concluded Windows was more secure than Linux.
Thompson and research partner Richard Ford didn't mention during their entertaining presentation at the RSA Conference that Microsoft funded the study, which determined that Windows Server 2003 had a better patch record than different distributions of Red Hat's Enterprise Linux 3.0.
That was all the ammo Linux enthusiasts needed.
"People have come back and said [the report] automatically must not be relevant, fair and balanced," says Thompson, whose company, Security Innovations, prepared the report based on a methodology created by Ford, a professor at Florida Institute of Technology.
That's a shame. Even some of the most ardent Linux advocates now admit that Microsoft's security reforms have led to more carefully constructed code and configurations that are less prone to exploitation. But their comments are instantly drowned by the din that inevitably erupts any time someone suggests Linux might be softening or Microsoft is a security equal.
Think back two years to the war that erupted when British company mi2g claimed three-quarters of reported successful attacks worldwide during the onset of the Iraq war were against Linux servers: 19,208 compromises
Thompson, Ford and a third researcher did well to avoid comparing threats, even if they are equally important to the number and nature of network vulnerabilities. Instead, the trio figured parity could be found comparing patch cycles. They used one Red Hat box that accepted all default settings and one minimally configured to mimic security-conscious admins' preferences.
The team found that, in 2004, Windows recorded fewer security holes and released fixes in a shorter time. Windows had 52 vulnerabilities, while the default Linux installation had 174 and the configured version had 132. Moreover, using an independent agency's ratings system, 33 of the Windows holes were deemed serious, compared to 48 on the minimally configured Linux machine and 77 on the default configuration.
There's more: Using public disclosure forums, the team found that the average gap between exposure and fix for Windows was 31.3 days, compared to 69.6 and 71.4 for the two Linux distributions.
Is it fair to compare the security hole disclosure systems of an open-source community to a huge for-profit company that controls its release schedule? Is it even possible to find a Linux distribution that would represent an apples-to-apples comparison to Windows, thus quelling fairness claims? And does it even matter to the multitudes of small- to mid-sized companies that remain Windows-centric, or to the Linux devotees bent on defending their beloved OS no matter how many studies suggest problems are popping up?
Don't bother answering. Anything you say can and will be used against you.
This was first published in April 2005