MS vs. open source: Security's the same

OPINION: I already know that you're going to hate what I have to say. You'll no doubt send me strongly worded e-mails. Fine. We have a tough bunch here at ZDNet, and we can take it.

When you read about the security problems of some open source applications and operating systems, some of you have nodded approvingly, and muttered words that sound a lot like "I told you so." Let's face it, all the smugness about the superiority of open source code has been pretty hard to take.

Of course, the open source people claim that such charges simply aren't true. They say open source products are better because more people work on them and then distribute the patches--meaning that security holes get fixed right away. Microsoft, as the leading vendor of proprietary software, claims the same thing.

The fact is, both sides have their share of problems--but neither side has the edge when it comes to fixing security holes. You're just as likely to encounter a security problem with open source code as you are with Microsoft Windows, and the fix is just as likely to appear quickly and be done properly.

Normally, this is the point where Microsoft gets trashed for its seemingly endless list of security patches for Windows. That's not going to happen here. Yes, Microsoft does have a long list of security issues for which it has issued patches. But the fact that those patches exist means somebody in Microsoft is making sure those fixes are made.

According to Steve Lipner, Microsoft's Director of Security Assurance, the company's Security Response Team operates seven days a week and has been known to issue patches to Windows security within hours of finding out about a problem. This sounds pretty responsive to me, certainly as responsive as the open-source solution to fixes--hoping someone steps up to the plate, creates a fix, and makes it available.

The problems with security are not greater or fewer with Microsoft's code versus open source. They're just different. Want another opinion? In the FBI's ongoing list of the top 20 security problems, the number of Windows problems and the number of open-source problems are about equal. The bottom line is that you should choose your OS or Web server software by how well it meets your needs--because these days, security really isn't the differentiating factor.

Which do you trust most when it comes to open-source security: open source, proprietary, or both equally? Tell me what you think in TalkBack.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.


Talkback 7 comments

    Linux vs Windows 2000 Security ...Con Zymaris -- 27/03/02

    Linux vs Windows 2000 Security Alert Comparison

    We've had this discussion before...

    I'll just re-iterate something that has been bounced around on previous occasions.

    http://www.cyber.com.au/users/conz/linux_vs_windows_security_alert_comparison.html

    which states:

    There has been much discussion about the security vulnerability rates between Windows and Linux. Firstly, let me state that this focus on pure numbers and graph plots of vulnerabilities is pointless. There is no such thing as a truly secure operating system, there is only the ongoing process of keeping a host or network secure. One can never achieve a state of 'security Nirvana'. Think of it as a treadmill, constantly moving you (as a system administrator) backwards. You have to 'walk' forward just to keep still. If you don't move forward with security patches, security tools, revamped system security processes, you'll be flung off the end of the treadmill from sheer inactivity, and by the way, the crackers have access to the treadmill's speed control knob, and keep pushing up the speed.

    As an ancillary, all operating systems can be made 'secure', by whatever reckoning you attribute to this term. It all boils down to time, effort, money and will. What is security worth to you and your network? Some operating systems seem to need more of these, some less. They all need some.

    The Open Source community has made much of the 'with enough eyeballs, all bugs are shallow' concept; that by using enough technical users, some or many security concerns can be overcome. I am a believer of this epithet, however, think about it for a second: 'with enough eyeballs, all bugs are shallow'. What this is saying, in effect, is that when a bug becomes an issue, many people have the source code, and it can be quickly resolved. To paraphrase, when we get hit by a bug, we can swat it quickly and without waiting for a vendor. I believe that for widely used free software projects, this too is true. There is one important proviso to this train-of-thought to keep in mind though, which makes exploitable security bugs a slightly different beastie to general-purpose bugs. A general bug which hits an individual user or site, gets reported to the maintainers and gets resolved, generally doesn't have the same possible impact as a security bug, particularly a remotely exploitable one. A general bug (if catastrophic enough) can cause loss of data or system un-availability, but a security bug can cause your system to become 'owned' by a cracker, for you to lose data through deletion, have data sent to your competitors or leaked to the trade press, have invalid data inserted into your records, have customer credit cards stolen etc. etc. Further, vulnerabilities become known and spread on back-room IRC channels like wildfire. While a general bug may be encountered by you and a few others over the course of a segment of time, a remotely exploitable vulnerability has the attribute of attracting penetrative tests against tens of thousands of hosts in a matter of hours of discovery, causing far more damage and strife than a general bug. Finally, catastrophic general bugs which affect many are few and far between (unless you include various Microsoft Service Packs), as most people do not tread the bleeding edge of operating system releases, and widely used systems and sub-system software generally doesn't harbour catastrophic general bugs for long. Security vulnerabilities, however, can arise in code or a subsystem which is widespread and very well entrenched, further accentuating the possible spread of damage. In summary, the deus ex machina of 'with enough eyeballs, all bugs are shallow' holds, but possibly only after substantial damage has been done to many hosts on many networks. At least we know that if it's important for users of the said sub-system, the security problem will be resolved at the source-level, a surety we don't have wi

    This guy completely misses the ...Lachlan Moss -- 27/03/02

    This guy completely misses the point. He talks about Microsoft's fast response times on security issues: The issue isn't the fast responses, it's the ones that don't come at all that are problematic. Whoopee-doo if M$ is up to speed sometimes.

    And he seems to think you can illustrate the situation by simply counting security issues. It hasn't occurred to him that M$ ones are so bad that a script kiddie can take total control of a whole system, and that the Linux ones take an experienced hacker to exploit, often just to understand it. Or that all of the os/fs security issues are broadcast through the entire os/fs community. God only knows how many M$ has kept out of the media. Nor is there recognition that to get the figures balanced and equal (M$ and Linux security bugs) you have to add all the Linux's together. This means many bugs are being counted many times over. The figures for individual Linux's are very low. What if we add all the Windows s-bugs together? Whoa!

    He doesn't recognise that the M$ ones are almost all the result of stupid company policies either, usually as a result of the opinion of M$'s all-important marketing department. Open source is free from these fools.

    Neither is there consideration of the user bases. If both camps had equally sized user-bases, due to the nature of open-source, M$ would have absolutely no hope of keeping up. If the user-bases were reversed, Microsoft would not even be a viable option. Remember how fast it is growing ;-)

    And last but not least, most people don't run Linux's for the security. It's just a bonus that they are more secure. Most people run it for cost, the functionality and intuitiveness of the user-environment, ease of use (Yes people, for doing heaps of things (particularly techie stuff) Linux is waaayyyy easier), configurability, dependability, availability, freedom of choice (in so many areas that you windoze users don't even know exist yet), sheer speed, the speed of the development cycles (**** happens five times faster in the Linux world), the quality of the apps, the lack of any Linux viruses that work.

    And oh yeah, there's that little thing about the five year uptimes. So what if M$ is getting better at security issues?

    Cont... Linux vs Windows 2000 ...Con Zymaris -- 28/03/02

    Cont... Linux vs Windows 2000 Security Alert Comparison

    While there are various industry correspondents who have eloquently outlined the steps that are necessary in the design and development of software which has a tendency to be more secure, a good approach to software security can be quickly given. Design the software with multiple layers of trust. Design it so that no part immediately trusts the other part. Make it small. Make it modular. Use languages which can either avoid buffer-overflow problems, or perhaps can be put through automated testing and parsing of the source for signatures of these problems. Allocate enough resources to security audits and reviews of the code from a security perspective. Design simple checklists for your coders (junior and senior) which point out the 10 most likely security failings for the platform/language/development paradigm you are developing your project under. It's easy stuff. Avoid complex security jargon, or excessive overtones of ideas or terminology which overshadows the many simple automaton-like things that can be done to improve information system security; it just scares developers away.

    Now, onto a rebuttal of some of the points raised by Paul Thurrott, and a hint to others who have tried to run the vulnerability numbers through the analysis wringer. There is one crucial concept which seems to have gone missing from all the mainstream discussion to date, which I will present here. Thurrott claims that through sheer raw number of vulnerabilities calculated by BugTraq, Linux is less secure than Windows. Now, keeping in mind all we have said above about how the security of a system or network is linked to the process the system administrator uses, rather than the OS in question, let us proceed. Thurrott states:

    "If you break down those numbers by Linux distribution (despite the fact that Windows 2000 and Windows NT are lumped together), Win2K/NT had 42 vulnerabilities in 2001 (data is through August only), and the leading Linux distribution, Red Hat, had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95."

    These numbers may, in toto, be accurate. I don't dispute them. They appear to be slightly in Windows' favour. However, as mentioned above, what has not been discussed widely, reviewed and broadly digested (to my amazement), is that none of these industry observers has taken into account the substantial disparity in system functionality which is shipped on each platform, and which forms the software basis from which vulnerabilities arise. Let me elaborate. I reviewed the broadly categorised functionality packages which ship with Windows 2000 Server, presuming it be a reasonable superset of a generally available Microsoft platform, bundling most of the sub-systems which are needed by a user or business. The list of features is quite reasonable, and is shown by Microsoft here

    I count approximately 120 sub-systems in Windows 2000 Server. These include such things as Internet Information Services web server, Active Server Pages (ASP) Programming Environment, XML Parser etc. Now, to compare, I quickly researched a list of sub-systems which are shipped with a modern Linux distro. SuSe seemed to have such a list readily available for their 7.3 Professional release, so I used theirs. You too can view this list here

    I'm sure the Red Hat, Debian et al. lists are similar. The weigh-in? Just under 2600 packages. This means that based on just this simple analysis, a modern Linux distribution ships with approximately 20 times more functionality in the box than Microsoft ships with Windows 2000 Server. Note, this is just a count of approximate functionality. With the hundreds of millions of lines of source code shipping for these platforms, a much deeper analysis would be untenable. When one does a quick and dirty calculation therefore, Linux on a per-atomic-functionality basis, can be viewed as being 20 times more secure t
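
    Con's checklist above mentions parsing source for the signatures of buffer-overflow-prone calls. The following is an added example of such a signature scan, written for this page and not taken from the thread or from any project it names; the C fragment, the table of flagged functions and the function names are my own constructions.

```python
import re

# Constructed sample C source (not from the page). It mixes unbounded
# and bounded string handling so the scanner has something to flag.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded copy */
    printf("hello %s\\n", buf);
}

void greet_safe(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);  /* bounded; replaces strcpy */
    puts(buf);
}

int main(void) {
    char line[64];
    gets(line);                     /* never bounded */
    return 0;
}
"""

# Calls that take no destination size, so every use is a review
# candidate. The advice strings are this example's own wording.
UNSAFE_CALLS = {
    "gets": "no bound; use fgets",
    "strcpy": "no bound; use strncpy/strlcpy or snprintf",
    "strcat": "no bound; use strncat/strlcat",
    "sprintf": "no bound; use snprintf",
}

# \b keeps fgets, strncpy and snprintf from matching their unsafe cousins.
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")


def scan_c_source(src):
    """Return (line_no, function, advice) for every unsafe call site."""
    findings = []
    for n, line in enumerate(src.splitlines(), start=1):
        # Per-line heuristic: drop trailing comment text so a remark such
        # as "/* replaces strcpy */" is not reported as a call.
        code = line.split("/*", 1)[0].split("//", 1)[0]
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            findings.append((n, fn, UNSAFE_CALLS[fn]))
    return findings


if __name__ == "__main__":
    for n, fn, advice in scan_c_source(SAMPLE_C):
        print(f"line {n}: {fn}() -- {advice}")
```

    A scan like this is a triage aid, not proof of safety: it finds the call sites that cannot carry a bound, and a reviewer still has to check each one.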

    MS's approach to security is t ...Anonymous -- 28/03/02

    MS's approach to security is that things only get fixed if they cannot keep it a secret. Their determinant for fixing security issues is how much bad publicity they would get if they don't fix it.

    Security itself doesn't concern MS, only how much they save on not fixing problems.

    I think Lachlan was right on t ...Andrew Mason -- 28/03/02

    I think Lachlan was right on the money. I don't think it is a matter of simply counting the security breaches, more counting how easy the exploits are to enable. Linux, UNIX, Solaris and especially BSD are very hard to exploit unless you know what you're doing and in most cases require you to know C or TCP/IP to even think about attempting a security breach. Also, purely by the way UNIX systems work, it is very hard to do any major damage simply because you don't have the access. Sure you may be able to flood a system, which is serious, but by doing so you haven't compromised any data. The other major problem with XP/NT and MS products in general is the nature of the bugs...they tend to be tiered bugs. You can exploit one feature which then gives you access to another exploit or in the worst cases a few exploits. This is where MS systems fall down. Basically any kid that does his research can do a lot of damage to an MS system. For example in one version of MS Messenger, the password was stored UNENCRYPTED in the registry. That means you get access to their .NET passport and hotmail address (assuming they have one). You can then hi-jack a .NET session, big whoop, but think of all of the exploits you can run from having a simple username, password and a gullible user, and I am not a hacker.

    Just to top it off...how much is XP going for these days? Oh that's right, Linux is free/$79.00 Aus if you want support...So you have two products supposedly as secure as each other, one is free, the other is $300 and the free one is faster...hmm, hard choice guys.

    I agree that bot Microsoft and ...Anonymous -- 11/04/02

    I agree that both Microsoft and Open Source will have the same security. To me the major difference between open source and closed source is trust and freedom, not security. You can trust open source software because the code is there for you all to see and criticise, and it gives you freedom because you have the flexibility to change what you don't like. Closed Source doesn't give you this trust and freedom, and as a result it's up to them to fix all the problems.

    But when you say "MS vs Open Source: Security's the same", I believe Microsoft's main problems with security are due to ignorance and being complacent towards security. It's no surprise that until recently Microsoft didn't give a second thought to security and as a result got more flaws than any other operating system.

    But then again you have OpenBSD, who conduct security audits in their source code prior to releasing it, and their default install has been found to have no security vulnerabilities for four years running, and their source code is open.

    The point here is it's not so much about whether the source is open or closed; it's about the people behind the source and the intentions those people built the software with. A developer who is more concerned about security is going to write more secure code than one who's not!

    As Open Source operating syste ...Anonymous -- 20/04/02

    As Open Source operating systems are Unix-based, they do tend to have greater complexity than the simpler Windows operating system. That complexity however gives you power, if you know how to use it, to switch off all but the services necessary to run, greatly reducing the chances of break-ins. However, in the wrong hands it is possible that a Unix box could have as many security problems as a Windows machine.

    I personally don't mind the extra complexity of setting up an Open Source or Free Software *nix; once the initial work of configuration is done, they are a lot more reliable.
