Linux vs. Windows: Which Is More Secure?

By Steven J. Vaughan-Nichols
March 30, 2004

In a new report, Is Linux More Secure Than Windows? from Forrester Research Inc., based in Cambridge, Mass., Computing Infrastructures Senior Analyst Laura Koetzle finds that both Windows and Linux can be deployed securely. Microsoft Corp., however, fixes security problems the quickest—which is a good thing, since it also has the most major security holes.

Forrester found that many IT professionals believe that Linux is more secure than Windows, but Koetzle found that the real-world answer is more complicated than that simplistic analysis.

Koetzle believes, based on a survey of past security vulnerabilities, that security vulnerabilities follow a timeline—in other words, that they have a lifespan.

In this lifetime, real vulnerabilities to attack are usually born with a public disclosure of the problem in a form like the Bugtraq security mailing list. Next, the ISVs or open-source developers prioritize the vulnerability and build a stable fix for it.

Lagging behind these developers, unscrupulous hackers then start exploiting the vulnerability. However, it's only after one of them builds an automated script tool for unskilled vandals (aka script kiddies) that the number of attacks really takes off.

The real period of enterprise vulnerability is after these script-kiddy tools appear and before customers apply the patch. In other words, most real-world security breaches on either operating system could be fixed with timely patch management.

But the fault doesn't lie entirely with sloppy system administration, according to Koetzle. "It's up to the customer to apply it (the patch)," she writes. "But doing so isn't a simple task: Because few firms stick to consistent platform configurations and most lack robust testing and deployment procedures, patch application can take months—or longer. For example, for the nine highest-profile Windows malicious code incidents as of March 2003, Microsoft's patches predated major outbreaks by an average of 305 days, yet most firms hadn't applied the patches."

Article continued at: http://www.eweek.com/article2/0,1759,1557459,00.asp