Linux vs. Windows: Which Is More Secure?

In a new report, Is Linux More Secure Than Windows? from Forrester Research Inc., based in Cambridge, Mass., Computing Infrastructures Senior Analyst Laura Koetzle finds that both Windows and Linux can be deployed securely. Microsoft Corp., however, fixes security problems the quickest—which is a good thing, since it also has the most major security holes.

Forrester found that many IT professionals believe that Linux is more secure than Windows, but Koetzle found that the real-world answer is more complicated than that simplistic analysis.

Koetzle believes, based on a survey of past security vulnerabilities, that security vulnerabilities follow a timeline—in other words, that they have a lifespan.

In this lifetime, real vulnerabilities to attack are usually born with a public disclosure of the problem in a form like the Bugtraq security mailing list. Next, the ISVs or open-source developers prioritize the vulnerability and build a stable fix for it.

Lagging behind these developers, unscrupulous hackers then start exploiting the vulnerability. However, its only after one of them builds an automated script tool for unskilled vandals (aka script kiddies) that the number of attacks really takes off.

The real period of enterprise vulnerability is after these script-kiddy tools appear and before customers apply the patch. In other words, most real-world security breaches on either operating system could be fixed with timely patch management.

But the fault doesnt lie entirely with sloppy system administration, according to Koetzle. "Its up to the customer to apply it (the patch)," she writes. "But doing so isnt a simple task: Because few firms stick to consistent platform configurations and most lack robust testing and deployment procedures, patch application can take months—or longer. For example, for the nine highest-profile Windows malicious code incidents as of March 2003, Microsofts patches predated major outbreaks by an average of 305 days, yet most firms hadnt applied the patches."

Forrester believes, though, that the judging of how well operating system vendors deal with security problem is bigger than just quick patch release and how well the vendor enables administrators to apply those patches. To Forrester, the key questions in judging operating systems are: how quickly does an operating system vendor fix public security vulnerabilities; how severe are those problems, compared with other vendors; and how close the vendor gets to fixing 100 percent of its security flaws.

To get quantitative answers to these questions, Forrester used two metrics. The first is the number of days between when a problem is publicly disclosed and when the operating system vendor releases its fix. In Linuxs case, a component maintainer—such as The Apache Software Foundation for the Apache Web server—can patch security holes, but then there may be a delay before the Linux distributor releases the component creators patch. Forrester calls this period the "distribution days of risk."

The second metric is the United States National Institutes for Standards and Technologys ICAT project standard for high-severity vulnerabilities. According to ICAT, high-severity vulnerabilities can be used for exploits that enable any of the following: 1) a remote attacker to violate the security of a system (i.e., gain an account), 2) a local attacker to gain complete control of a system or 3) the Computer Emergency Response Team Coordination Center to issue an advisory.

Using these metrics, Forrester looked at security-vulnerability data for the period between June 1, 2002 and May 31, 2003 for the operating systems Debian, Mandrake, Windows, Red Hat and SuSE.

Microsoft came in with the lowest average "all days of risk" with an average of 25 days between disclosure and fix release. In addition, the company fixed all of its security holes. However, ICAT classified 67 percent of Microsofts vulnerabilities as high-severity, placing Microsoft "dead last among the platform maintainers by this metric," the report noted.

By comparison, only 56 percent of Red Hat Inc.s Linux distributions vulnerabilities were qualified as high-severity. Red Hat fixed 99.6 percent—all but one—of the 229 applicable Linux vulnerabilities. Red Hat and The Debian Project—which is run by Software in the Public Interest Inc., a non-profit group that runs a number of similar projects—were the fastest of the Linux distributors, taking 57 days to fix these problems. Debian had the least number of distribution days of risk for the Linux vendors but only fixed 96.2 percent of the vulnerabilities.

MandrakeSoft had a poor days-of-risk showing, but ICAT numbers showed only 60 percent of its flaws to be high-severity. The company fixed 99 percent—all but two—of its 199 applicable vulnerabilities.

SuSE Linux, now owned by Novell Inc., did better than MandrakeSoft in resolving problems in a timely manner, but ICAT considered 63 percent of SuSEs 176 applicable vulnerabilities severe. Of those vulnerabilities, SuSE only fixed 97.7 percent.

Based on these results, Forrester didnt come out with a single recommendation. Instead, the analyst firm recommends that businesses that value quick patches look to Microsoft and Debian. At the same time, though, Forrester is concerned that Microsofts new monthly security policy may delay important fixes.

If your business has relatively unsophisticated administrators, Forrester recommends MandrakeSoft, Microsoft and SuSE, since all three of these companies "hang their hats on the ease with which relatively unskilled users and administrators can install, configure, and patch their platforms," according to the report. If your staff is a step above that, Forrester recommends Red Hat and Microsoft.

Check out eWEEK.coms Linux & Open Source Center at http://linux.eweek.com for the latest open-source news, reviews and analysis.

Be sure to add our eWEEK.com Linux news feed to your RSS newsreader or My Yahoo page: