Tuesday, December 18, 2007

Ubuntu vs Vista Vulnerability Counts in 2007 : Destroying the FUD



There has been a lot of FUD flying around stating that Microsoft Windows Vista is more secure than Linux. What has actually been compared is the number of vulnerabilities fixed for one Linux distribution and for Windows Vista. Both 3-month and 6-month studies have been published, with the intention of showing Linux security in a poor light. This is in no way an apples-to-apples comparison, because a Linux distribution contains plenty of applications; furthermore, vulnerabilities in server applications were also included. For an apples-to-apples comparison, just the OSes have to be compared. So I went to Secunia and looked up the vulnerabilities affecting Ubuntu 6.06 and Vista for the entire year 2007 to date. What I found was surprising: in 2007, in the OS (which I took to be the kernel + X Window System + desktop environment for Ubuntu, with their libraries), Ubuntu had only three highly critical vulnerabilities. Windows Vista, in fact, had 10. Check it out for yourself.

For this study, I checked only the highly and extremely critical vulnerabilities, because these are the vulnerabilities which hackers actually use to get into a system. The moderately critical vulnerabilities typically allow DoS attacks that cause crashes, while the mildly critical vulnerabilities do not lead to system compromise or require local access. However, these mildly critical reported vulnerabilities are more numerous in the Linux distros.

All the other vulnerabilities in Linux were due to other applications like Firefox, Xine or OpenOffice. My earlier analysis has already shown that Firefox is more secure than Internet Explorer, even though Firefox had more vulnerabilities. If comparable applications were installed in Windows Vista, the vulnerability count of Vista would in all probability have exceeded Ubuntu's. Especially if QuickTime or RealPlayer were installed along with an instant messenger in Vista, the comparison would have been really interesting, but I am leaving that for my next post.


Note that this analysis is just for disproving the FUD. The real reason why Linux is more secure is different: it has a more secure architecture, and it has a wonderful tool (Synaptic) which can update all the applications in a single click, an ease which is simply missing in Windows, as a result of which many people do not update their third-party software properly. But more of that later. Just remember, the graph above is an argument against FUD; the real reasons for security are different. Vulnerability counts are a horribly flawed metric for comparing operating systems. Furthermore, even days-of-risk are not a good measure for comparing the security of Linux distributions with that of closed-source OSes.

N.B.: For the record, the highly and extremely critical vulnerabilities are 10 for Vista, 13 for IE7 on Vista, 3 for Windows Mail and 2 for Windows Media Player.
For Ubuntu, all three vulnerabilities listed above were in OpenSSL (I disagree with the criticality, but that is another matter). There were other highly critical vulnerabilities in Firefox, OpenOffice, Poppler, ImageMagick, xine-lib, krb5 and w3m for the default desktop installation. If possible, and my ISP permits (they are a stupid lot), I will give more information tomorrow. Since more patches may come in the rest of the year, I am not giving the exact numbers now.

This comparison is just from the information found in Secunia. Other security analysts may give different ratings.

Update: These packages showed highly critical vulnerabilities till 12/19/2007

Package        Advisories
OpenSSL        SA27363, SA27021
Firefox        SA24205, SA25469, SA25984, SA26095, SA27311, SA27725, SA23282
Open Office    SA27077, SA26022, SA24647, SA23711
Imagemagick    SA27048, SA25992
Poppler        SA27632
Xine-UI        SA24462
w3m            SA23588
Koffice        SA27658
Thunderbird    SA27383, SA26572, SA24410, SA23591
Krb5           SA26644, SA25801, SA23772
php            SA26102, SA25372
tcpdump        SA26286

Of these, only OpenSSL can be considered a part of the OS. Kerberos is not enabled, php and tcpdump are server packages, and the others are application packages (of which KOffice and Thunderbird are not part of the default Ubuntu installation anyway). I will update the list again at the end of the year. Also note that these are advisories, and an advisory may contain more than one vulnerability: e.g. OpenSSL has 2 advisories but 3 vulnerabilities. For this study, vulnerability checking of the applications has also been done upstream.
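As an added illustration of the counting method described above (example code written for this page, not the author's own chart or script), the following Python tallies the advisories from the table under the three scopes the post argues about: everything Secunia lists for Ubuntu 6.06, the default desktop install, and the OS alone. The package names and advisory ids come from the table; the category and default-install flags follow the explanation above (OpenSSL is OS, krb5 is installed but not enabled, php and tcpdump are server packages, KOffice and Thunderbird are not in the default install). The only vulnerability-per-advisory figure the post gives is OpenSSL's three across two advisories, so the 2/1 split between those two advisories is an assumption, and every other advisory is recorded as an unknown count rather than a guessed one.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    sa_id: str                  # Secunia advisory id, as listed in the post's table
    package: str
    category: str               # "os", "application", "server" or "disabled" (installed, not enabled)
    default_install: bool       # shipped in the default Ubuntu desktop install?
    vuln_count: Optional[int]   # vulnerabilities the advisory covers; None where the post gives no figure


def _advisories(package: str, category: str, default_install: bool,
                sa_ids: List[str], vuln_counts: Optional[List[Optional[int]]] = None) -> List[Advisory]:
    """Build one Advisory per id; counts default to unknown (None)."""
    counts = vuln_counts if vuln_counts is not None else [None] * len(sa_ids)
    return [Advisory(i, package, category, default_install, c) for i, c in zip(sa_ids, counts)]


# Data transcribed from the post's table; categories and default-install flags follow its text.
ADVISORIES: List[Advisory] = (
    # The post states 2 OpenSSL advisories cover 3 vulnerabilities; the 2/1 split is an assumption.
    _advisories("OpenSSL", "os", True, ["SA27363", "SA27021"], [2, 1])
    + _advisories("Firefox", "application", True,
                  ["SA24205", "SA25469", "SA25984", "SA26095", "SA27311", "SA27725", "SA23282"])
    + _advisories("Open Office", "application", True, ["SA27077", "SA26022", "SA24647", "SA23711"])
    + _advisories("Imagemagick", "application", True, ["SA27048", "SA25992"])
    + _advisories("Poppler", "application", True, ["SA27632"])
    + _advisories("Xine-UI", "application", True, ["SA24462"])
    + _advisories("w3m", "application", True, ["SA23588"])
    + _advisories("Koffice", "application", False, ["SA27658"])
    + _advisories("Thunderbird", "application", False, ["SA27383", "SA26572", "SA24410", "SA23591"])
    + _advisories("Krb5", "disabled", True, ["SA26644", "SA25801", "SA23772"])
    + _advisories("php", "server", False, ["SA26102", "SA25372"])
    + _advisories("tcpdump", "server", False, ["SA26286"])
)


def select(advisories: Iterable[Advisory], categories: Optional[set] = None,
           default_only: bool = False) -> List[Advisory]:
    """Filter advisories by package category and/or default-install membership."""
    return [a for a in advisories
            if (categories is None or a.category in categories)
            and (not default_only or a.default_install)]


def per_package(advisories: Iterable[Advisory]) -> Dict[str, int]:
    """Advisory count per package, in the order packages first appear."""
    return dict(Counter(a.package for a in advisories))


def vulnerability_count(advisories: Iterable[Advisory]) -> Tuple[int, int]:
    """Return (known vulnerabilities, advisories whose vulnerability count is unknown).

    Summing advisories understates vulnerabilities; the second figure makes that gap explicit
    instead of silently treating each unknown advisory as exactly one vulnerability.
    """
    advisories = list(advisories)
    known = sum(a.vuln_count for a in advisories if a.vuln_count is not None)
    unknown = sum(1 for a in advisories if a.vuln_count is None)
    return known, unknown


def compare_scopes(advisories: Iterable[Advisory]) -> Dict[str, int]:
    """Advisory tallies under the three scopes the post contrasts."""
    advisories = list(advisories)
    return {
        "everything_secunia_lists": len(advisories),
        "default_desktop_install": len(select(advisories, default_only=True)),
        "os_only": len(select(advisories, categories={"os"})),
    }


if __name__ == "__main__":
    for scope, n in compare_scopes(ADVISORIES).items():
        print(f"{scope:28s} {n:3d} advisories")
    known, unknown = vulnerability_count(select(ADVISORIES, categories={"os"}))
    print(f"OS-only vulnerabilities: {known} known, {unknown} advisories without a count")
    for package, n in per_package(ADVISORIES).items():
        print(f"  {package:12s} {n}")
```

Running it shows how far the headline number moves with the scope chosen: the same Secunia data yields 29 advisories when everything is counted, 21 for the default desktop install, and 2 (covering 3 vulnerabilities) for the OS alone, which is the point the post makes about raw counts being a flawed metric.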

12 comments:

Anonymous said...

And this evaluation assumes people are using Vista.

How many Windows machines are still running XP, especially pre-SP2? How many are still running (*shudder*) Win9x?

There are hundreds of thousands, if not millions of machines out there that are compromised. What's the ratio of Windows to other OS's? 100 to 1? 1000 to 1?

The fact that Vista is such a boat anchor means a lot of people (like me) will not upgrade. Now my computer has been perfectly secure, as far as I know, but how many people are still security risks because they don't want Vista?

Maybe Windows 7 will return Windows to the level of quality and performance we had 3 years ago... in 2011.

Anonymous said...

I've also read that Microsoft fixes a lot of vulnerabilities in their Service Packs. They don't announce them in the Service Packs or that there even was a problem, as far as I know.

What bugs me the most is that Microsoft says it has the best turnaround time for vulnerability-to-patch when it's obvious that they can say whatever they want about how long they have known about a vulnerability.

But there I go talking about the extremely obvious again.

Anonymous said...

I switched my laptop from XP to Fedora 8 a month ago. My laptop is faster since the switch, and the wifi is much more stable and reliable. Micro$oft can go pound salt. :-) de AC4RD

Anxiety said...

Maybe its just me... but I can't find where you are getting your numbers from. They don't seem to reflect what Secunia says at all.

Ubuntu 6.06
http://secunia.com/product/10611/?task=statistics_2007

Windows Vista
http://secunia.com/product/13223/?task=statistics_2007

Even if you only take the highly and extremely critical advisories, Ubuntu clearly still has more for the same time period.

Nilotpal Chowdhury said...

Anxiety,
check out the highly and extremely critical vulnerabilities of just the OS. There are plenty of mildly and moderately critical vulnerabilities by which your computer cannot be compromised. Then exclude the applications, because I am comparing just the OSes, and you will come to my numbers. I will try to post my chart within a day. Do not include applications (KOffice, Open Office, Xine, Firefox, Thunderbird) or the server applications like php. The server applications are not installed on a desktop.

Anxiety said...

Nilotpal,

Yeah... I think the confusion comes from the fact that pretty much everything in a distro is third party, being the nature of open source. It's really hard to nail down who exactly is responsible for which software.

Secunia seems to take the position that anything included in the release should count toward its vulnerabilities. While I would definitely agree that it's their responsibility to ensure the updates are available, even if they aren't the ones who fixed the issue in the first place.

With Microsoft it's a much clearer picture of _who_ to blame but also a much dirtier picture of _what_ is to blame, since things seem to be integrated or just taken for granted as part of the larger system.

Nilotpal Chowdhury said...

Anxiety, I have posted the vulnerabilities. You have to note that some advisories have more than one vulnerability.

Anonymous said...

You can twist the numbers anyway you want. There are more copies out there of Vista than Linux, and there is a reason for that, it is better. It has developer support, it has ease of use, people can casually game, people can go buy useful software for it.

Windows is there with security, they've really stepped it up, what they need to do now is step up in performance and tweak their usability a bit.

Ubuntu isn't bad, it is just kinda boring.

Nilotpal Chowdhury said...

Vista is more in use because it comes preinstalled in most computers. And most users do not know, nor care what an OS is.
Yes, Microsoft has really stepped up their security, and it is much better than XP. But it is still not as good as Linux.

vmguru said...

Hi,

I have to disagree with Chowdhury. It is not always the case that the more widespread the product, the more security problems it has. I mean, look at Apache: it's more widely used than IIS, but IIS has many more security problems in it. It's that Windows is always released to the market way before it gets mature enough. If you want to see further how Ubuntu really compares to Vista, take a look at

http://itcomparison.com/OS/vistavsubuntu/vistavsubuntu.htm

and yes definitely Ubuntu is a lot more secure !!!

enjoy,
vmguru007

ali khan said...

You made some good points there. I did a search on the subject matter and found most guys will agree with your site... advertising | advertisement | production houses in pakistan | pakistani matrimony

Best Article Websites said...

This comment has been removed by the author.