Secunia have reported that more flaws were found in Redhat Linux (633) than in Windows (123), but even a blind man can see it is nowhere near a fair comparison.
Redhat is made up of the core operating system and thousands of third party applications that people can choose to install (or not). 99% of the 633 security flaws found in Redhat Linux were in the third party applications; only 1% were in the core OS.
Windows, however, only had 123 bugs, but 96% of them were in the core operating system. Since 3rd party apps are not supplied or supported by Microsoft, none of their bugs were added to the total, as they were in Redhat’s case.
Does anyone else think that this is perhaps not a fair comparison? I can tell you one thing: I’d rather have a core OS with 1% of 633 flaws (6.33) than one with 96% of 123 flaws (118.08). The OS results could just as easily have been put as “Windows had 118.08 more OS security flaws than Redhat Linux.”
With regards to Firefox, they also seem to be counting flaws that Mozilla have found themselves. We know they are not doing the same for IE, because Microsoft don’t announce flaws they find themselves. Again, not really a fair comparison.
Interesting, however, are the patching statistics for IE and Firefox.
Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.
(taken from here)
Microsoft’s best patch result was 85 days to release, and only 3 out of 10 flaws patched, versus 5 out of 8 and just over a week for Firefox.
Statistics are all good and interesting, but taken in the wrong light, can paint a picture that is dangerously incorrect.
January 23rd, 2008 at 8:27 am
85 days for a security patch is pretty pathetic, but Apple has Microsoft beat in this department. A flaw was found in a piece of open-source software that transmitted passwords in cleartext over the internet. Within 2 weeks of discovery, it was fully patched in the open-source project. Apple took six months to release a fixed version in OS X.
So I think it would be very helpful to see what the overall statistics would be for OS X!
January 27th, 2008 at 11:50 pm
This issue illustrates once again how raw statistics can be manipulated to “prove” whatever the pollster wants to prove. Even the method of sample taking can be, and universally is, manipulated to “prove” the desired result.
January 28th, 2008 at 3:31 am
Good analysis! I have not installed Red Hat in quite some time. While the OS itself is clearly much stronger than Windows, all of those extra apps that come with Linux ARE installed, particularly by the naive user. So you do get the flaws.
However, you are correct that the serious problems are with the OS, better to have 6-7 flaws that were quickly corrected than 118 that might take 6 months to correct. Good reporting.
January 28th, 2008 at 8:47 pm
No, it’s not really good reporting. This article as well as the original show where the devil is in the details. A little less pro-linux flavor in pointing out differences would make this good reporting (as well as someone who can at least write with proper grammar – MS “doesn’t” announce flaws, etc).
For example:
“Since 3rd party apps are not supplied or supported by Microsoft however, all of their bugs did not get added to the total as they did in Redhat’s case.”
This means that RedHat does supply and is therefore responsible for the third party apps provided with the distribution. Then, in fact, the study is accurate enough. There are more bugs.
It is important when relating “core OS” bugs, but remember, a lot of what is considered “core OS” for Microsoft is covered by a third party app in Linux, since MS loves to hook all sorts of bloat into their distribution as the “core OS” to monopolise functionality.
The original report by Secunia tries to be fair as best as it can. It is getting really old that Linux people cry foul anytime someone points out where their weaknesses are.
January 30th, 2008 at 5:24 pm
Well, if we want to compare apples to apples, then Redhat would be compared to Windows server 2003, and to be fair, they would not count packages in Redhat that do not have a comparable application included in Windows, meaning no MTA for email and so on.
I think the end result would be the same as mentioned in my actual article.
What do you mean by included in Windows anyway? IE, OE etc? They are included in Windows, but nobody uses them on servers anyway.
Apart from which, we are talking about CORE OS flaws, not those in paintbrush or IE etc., and by that standard, Windows loses.
I do find it odd that people (like the commenter above) think it’s fair to compare the dozen or so Microsoft apps included with Windows to the thousands of 3rd party apps included in Redhat. If you do count bugs in Redhat as they appear to have, then you’d count (for example) all bugs found in the Postfix and Sendmail MTAs, but why? No server can run both anyway because they do the same job; they are offered there as a choice. (And standard Windows server 2003 doesn’t include an MTA at all.)
I should also add that if you choose server during install, Redhat doesn’t install the thousands of user apps, so does that mean they should be counted or not? Like versus like, you can’t have it both ways.
Also I love the arrogance of some people (primarily yanks) to question the spelling and grammar of others without first checking where that person is from and what form of English is being written. (there is more than one people)
rgds
Franki