Is Linux more secure than Windows?
That’s the question Forrester senior analyst Laura Koetzle attempted to answer in a recent report on the subject, but her analysis may be pouring gasoline on an already flaming debate.
Koetzle’s study compares security for Windows and four major Linux providers: Debian, Red Hat, MandrakeSoft and SuSE Linux, now owned by Novell.
The analyst chose a window of time — June 1, 2002, to May 31, 2003 — identified the number of security flaws reported for each operating system during that period, and analyzed that data based on vendor responsiveness, severity of the security flaws and thoroughness in correcting the flaws.
Fast Response by Microsoft
Her findings show that Microsoft, on average, released a fix for all 128 security flaws during the period within 25 days of a vulnerability’s disclosure. That compares with 57 days for Red Hat with 229 flaws and Debian with 286, 82 days for MandrakeSoft with 199 flaws and 74 days for SuSE with 176 flaws.
However, the security flaws in Windows tended to be higher-risk vulnerabilities than were found in the Linux products. Sixty-seven percent of the flaws in Windows were deemed “high severity,” compared with 56 percent of Red Hat’s, 57 percent of Debian’s, 60 percent of MandrakeSoft’s and 63 percent of SuSE’s.
Based on its findings, the report recommended:
- If you want security updates as quickly as possible, consider Debian and Microsoft.
- If you want security with installation ease, consider MandrakeSoft, Microsoft or SuSE.
- If you want to maximize security and operational ease, consider Microsoft or Red Hat.
Needless to say, Microsoft, which has been a whipping boy on security issues for many years, was pleased with the study’s findings.
“Microsoft welcomes Forrester’s decision to take an objective, in-depth look at the data behind vulnerability handling across the software industry and encourages all customers to review and evaluate the data in the context of their own computing environments,” a spokesperson, who asked not to be identified by name, told TechNewsWorld.
On the other hand, some members of the Linux community were less than pleased with the report.
“I think it was a wasted effort because I don’t think it gives any answers,” MandrakeSoft security update manager Vincent Danen said of the study from his office in Edmonton, Alberta, Canada.
“The problem with this report is that it is comparing apples to oranges,” he asserted. “If it were something limited strictly to Linux vendors, then it would make sense.”
The “apples to oranges” analogy was cited constantly during collection of data for the study, Koetzle told TechNewsWorld.
“Yes, Windows and Linux are developed very, very differently,” she said. “I am not disputing that in any way.
“But,” she continued, “enterprise customers don’t really care. When you’re picking a platform to operate on and you’re looking at security, what you care about is how secure it is. You don’t care how it was developed. You don’t care who developed it. You don’t care what methodology they used. What you care about is the result.”
She explained that she compared the systems based on function rather than differences in architecture.
Numbers Versus Quality
That functional analysis, however, provides a less than complete picture of the situation, according to Novell spokesperson Bruce Lowry.
“We think the conclusions of the report were off in terms of what really matters,” he told TechNewsWorld from his office in San Francisco. “It’s a quantitative report that doesn’t address the qualitative issues involved. And it’s the qualitative issues you need to be concerned with when picking a platform.”
This report “doesn’t address how quickly the most serious vulnerabilities are addressed,” he said. “We would argue that in the Linux community, for a variety of reasons, the most serious things are addressed the most quickly and the most effectively.”
Red Hat security response team leader Mark Cox explained to TechNewsWorld that each vulnerability that affects Red Hat products is individually investigated and evaluated. The severity of the vulnerability then is determined on the basis of risk, impact and software affected.
This severity is then used to determine the priority at which a fix for a vulnerability is being worked on, weighed against other vulnerabilities in the company’s current queue, he continued. This prioritization means that lower severity issues often will be delayed to let the more important issues get resolved first.
“Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor’s fix,” he said. “The average erroneously treats all vulnerabilities as equal, regardless of the risk.”