For many years, conventional wisdom has dictated that the open source operating system Linux is inherently more secure than Microsoft’s ubiquitous alternative, Windows.
The primary reason, say Linux advocates, is the nature of the open source development process.
With the source code available for all to review, flaws can be identified and rectified quicker than with proprietary operating systems, such as Windows.
So when Forrester Research released a report recently that concluded that Microsoft was quicker and more thorough at dealing with security vulnerabilities, it caused a storm of protest in the open source community. The four main Linux distributors positively fizzed with fury. “We believe the report does not treat the open source vendors and [a] single closed source vendor in the same way,” wrote representatives of Debian, MandrakeSoft, Red Hat and Novell/SuSE in a joint letter.
But Laura Koetzle, the Forrester analyst responsible for the report, stands four-square behind it.
She suggests that Microsoft has finally got its security processes working effectively, after several years of appearing to ignore the problem. “Most of the people I know in the security research community say that Microsoft today is very different from the Microsoft of two-and-a-half years ago. Then, Microsoft could hardly be bothered to take their calls,” says Koetzle.
One of the principal complaints of the open source community was that the report was not comparing like-with-like. Whereas Windows comes with little more than a web browser, a media player and some games, Linux distributions often arrive bundled with literally thousands of applications. Even low-end distributions can include MySQL and PostgreSQL databases, several office suites, web browsers, email packages and scores of games. “We are shipping so much more. We have so much more to support,” says Vincent Danen, security updates manager for MandrakeSoft.
But Koetzle says such objections are misinformed. She points out that her methodology was more sophisticated than simply comparing the number and severity of security vulnerabilities in different Linux distributions against those in Windows (see box). Instead, she put together different scenarios, such as running a web server or a database-driven application, and included only the stack of software that a typical Linux or Windows user would deploy in those scenarios. Then she examined the security vulnerabilities that users would have faced in those environments.
In addition, Koetzle did not simply accept vendors’ potentially tainted descriptions of what counted for a serious security vulnerability. Instead, she followed the classifications provided by the ICAT database, which is run by the US government’s standards body, the National Institute of Standards and Technology (NIST).
“I deliberately shied away from looking at the severity criteria that the vendors use because I would have been faced with the unenviable task of trying to reconcile different classification systems, which would have taken forever and made nobody happy. Least of all me,” she says.
Another objection put forward by open source advocates is that Microsoft effectively controls when security vulnerabilities are publicised, enabling it to have patches ready and waiting when security announcements are made. “Most people that report vulnerabilities to Microsoft give it a time frame. They say, if you don’t fix this in six months, we are going public,” says Danen. And six months ought to be more than enough time to fix any problem.
But while the Linux development process is more open than Microsoft’s, it is still most likely that someone who finds a flaw will quietly report it to the coordinator responsible for that section of code first, rather than rush out an email to Bugtraq or any other security vulnerability mailing list, says Koetzle.
The time lag between disclosure and the release of a patch has become increasingly important as hackers have become more proficient at releasing ‘exploits’ – applications that can automate an attack that takes advantage of security flaws. Just two years ago, it would typically take the hacking community more than six months to release an exploit. Today, it can take little more than two days, while Microsoft still takes 25 days to release a patch.
That makes it important for organisations not just to implement patches as quickly as possible, but also to take remedial action as soon as a flaw is publicised. For example, if a worm spreads via a particular network port, then those ports should be closed down at the network perimeter until the patch is implemented.
But the conclusions of the report were not necessarily cut-and-dried. While Microsoft could boast the fewest ‘days of risk’ (the time between disclosure of a flaw and the release of a patch), more of its security flaws were rated as ‘high severity’.
What is more, attacks on Microsoft systems in recent years have been devastating. Linux has nothing that can compare with Nimda, Code Red, Blaster or SQL Slammer either for virulence or for the global damage that they caused.
All the same, Microsoft is certain to cite the Forrester report in future discussions with customers considering a switch to open source.