Top 10 Windows Vulnerabilities vs. Top 10 GNU/Linux Vulnerabilities (October 10th, 2003)
SANS Top 20 Vulnerabilities - The Experts Consensus
Thanks to Mary for posting this on Xeebra.com.
This is a very informative read for those interested in security
comparisons between the two operating systems of the i386++
architecture. Personally, I wish that they had listed the top 10
vulnerabilities for Apples as well.
There's something interesting to note, though. Exhibit A (excerpt from article):
Top Vulnerabilities to Windows Systems
(SNMP)
Top Vulnerabilities to UNIX Systems
Now, let's look at how many of the Windows vulnerabilities are tied
to the operating system. W1 (in some cases), W3, W4 (especially IE 6),
W5, W6, W7, W9, W10.
Let's look at the Unix vulns tied to the OS: U1, U2, U4, U5, U6 (Sendmail is typically on by default), U7, U9, U10.
Interesting. About the same, and both Windows and GNU/Linux have issues with an email-related application (Outlook/Sendmail).
Now - consider that these vulnerabilities are pretty well balanced
between the two operating systems, and that they are only the top 10.
I'd love to see a top 100 list comparison, because I think they'll have
to do some serious digging on GNU/Linux to come up with 100. Windows
would be easy, I think.
Given the apparent balance of the vulnerabilities, consider which
vulnerabilities have adversely affected the internet most over time.
Now, go read Microsoft's Ubiquity Guarantees Security Trouble again. Deep breath, Microsoft aficionados, deep breath.
Look. Equal vulnerabilities in operating systems, yet one operating system has been compromised more than the other.
If you want to argue and say that it's not ubiquity, that leaves us
with the more exploited OS being technically inferior. Take your pick.
Comments
One thing I can tell you is that it's a damn sight easier to secure
Linux boxen than Windoze boxen. Let's talk about the process for
applying software patches...
1. Windoze
First you run the Microsoft Security Baseline Analyzer. Next you go to Windoze Update. You download and install all patches.
Then you go to the homepage for the other MS applications you're
using and look for security updates and patches that aren't available
through Windoze update. You download and apply these.
Through all of this you have been rebooting servers, restarting services, and generally pissing off your users.
Now that you've wasted five hours, move on to the next server to patch, happily thinking about the other 80 you still have to go.
2. Debian Linux
Drop to a shell and type: apt-get update && apt-get upgrade (if you
have more than one Linux box just make this part of a script that logs
onto all boxen and does this).
Debian will find and apply all needed patches and upgrades, not just
for the OS, but also for most of the installed software. This will
happen concurrently on all of your servers. Some servers may need to
have services restarted, but you can put this in the script.
There you go. I can update all of my Debian boxes in one shot. Three
days later the MS admin will be lucky to have covered 1/2 of his
territory, and by then the exploit is probably already making the
rounds.
There's bad design and then there's BAD design...
Posted by: Sean at October 10, 2003 10:42 AM
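The kind of fleet-patching script the comment above describes, as an added example that is not Sean's or this blog's code. It assumes key-based SSH login as root, systemd on the hosts, and a hypothetical hosts file with one hostname per line; it patches hosts one after another and records which ones failed.

```shell
#!/bin/sh
# Added example, not code from the original comment.
# Assumptions: key-based SSH login as root, systemd on the hosts,
# and a hosts file (hypothetical name hosts.txt) with one hostname per line.

SSH=${SSH:-ssh}                         # overridable so the loop can be run offline
RESTART_SERVICES=${RESTART_SERVICES:-}  # e.g. "apache2 exim4"; empty restarts nothing

# Build the command line that runs on each remote host.
remote_cmd() {
    cmd='export DEBIAN_FRONTEND=noninteractive; apt-get -q update && apt-get -q -y upgrade'
    for svc in $RESTART_SERVICES; do
        cmd="$cmd && systemctl restart $svc"
    done
    printf '%s' "$cmd"
}

# Patch every host in the file, one after another. Prints one status line per
# host, keeps the remote output in patch-<host>.log, and returns the number of
# hosts that were rejected or failed (0 means the whole fleet was patched).
patch_fleet() {
    hosts_file=$1
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            ''|'#'*) continue ;;                      # blank lines and comments
            -*|*[!A-Za-z0-9._@-]*)                    # would be parsed as an ssh option
                echo "REJECTED $host"                 # or escape the log file name
                failed=$((failed + 1)); continue ;;
        esac
        # </dev/null stops ssh from swallowing the rest of the hosts file.
        if $SSH -o BatchMode=yes -o ConnectTimeout=10 "$host" "$(remote_cmd)" \
                </dev/null >"patch-$host.log" 2>&1; then
            echo "OK $host"
        else
            echo "FAILED $host"
            failed=$((failed + 1))
        fi
    done <"$hosts_file"
    return "$failed"
}

# Run only when a hosts file is given: sh patch.sh hosts.txt
if [ "$#" -gt 0 ]; then patch_fleet "$1"; fi
```

A non-zero exit status is the count of hosts that still need attention, so the FAILED and REJECTED lines double as the list of machines left unpatched.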
