Wednesday, January 04, 2006

Linux/Unix has more vulnerabilities... Or not

CERT Year End Summary

Saw this article posted on Slashdot and thought I'd add my opinions.
The basic gist of the article is as follows:

There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 multiple operating system vulnerabilities.

In other words, Linux/Unix has nearly 3 times the number of flaws. Is this something unexpected? Does it prove what Windows pundits have been saying for years? I don't believe the answer is quite that black and white.

A raw count is less important than the nature of the flaw and its accessibility. One thing I'd like to see is a breakdown between locally and remotely exploitable flaws. To me, the attack vector is really what defines how severe a flaw is these days. If you're talking about something that requires local access before it can be exploited, you can most likely lock it down a bit further. A remotely accessible flaw, on the other hand, or one that cannot be filtered through a system change (IP rules, interception), a security policy or a configuration change, is to me a more severe issue.

If you look at the MS exploits, the key problem is that the vector is often something that cannot be easily locked down. With Linux/Unix the problem is the myriad of applications written for the OS that can be exploited, and the sometimes limited accountability for those applications. Neither software model is foolproof; rather, there are pros and cons to each. MS generally has fewer known kernel flaws (yes, I'm sure I'll take flak for this statement), while Linux/Unix apps tend to have a shorter turnaround once a flaw is found.

Everything has flaws; it's a question of how the user is able to deal with them. *steps off the soapbox*
