March 29, 2005

Security of Windows vs Linux in a Web Server Role

Security Innovation has just released an interesting paper taking a critical look at the Web Server role, where a platform must serve a dynamic web application. Specifically, they compare two technology platforms fulfilling this role: Microsoft Windows Server 2003 running Microsoft Internet Information Services 6.0 (IIS 6.0), the Microsoft SQL Server 2000 database server and the ASP.NET application platform versus Red Hat Enterprise Linux 3.0 (RHEL 3.0) running the Apache web server, the MySQL database server and the PHP application platform.

I will let you judge the report on its own merits. However, I thought this section of the findings was interesting:

The cumulative days of risk and the vulnerability counts illustrate that the number of vulnerabilities on the Windows Server 2003 platform is considerably less than the number for the Red Hat server. Aside from beliefs over the relative "security" of the closed versus open source development paradigms, another important contributing factor is that Microsoft develops and releases all of the components in their web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development model.
The average days of risks calculations across all vulnerabilities show that Windows Server 2003 has a lower average for days of risk. Furthermore, examination of outliers shows that there are fewer bugs in the very dangerous 90+ days of risk category. This is important, as the longevity of a flaw is directly related to its likelihood of targeted exploitation. Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy – that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers. Red Hat data shows evidence of leveraging a responsible disclosure policy as well, with 15 zero day fixes. This helps drive down averages in a way that directly reduces customer risk.

Interesting research. I am sure this is going to drive a new set of conspiracy theories on both sides of the fence. However, if you cut through that sort of politics and look at the facts, you see one thing clearly... the work Microsoft did in reducing the attack surface of Windows Server 2003 and the new SD3+C methodology on secure software development is working.

Posted by SilverStr at March 29, 2005 12:18 PM
Comments

http://www.theregister.co.uk/security/security_report_windows_vs_linux/

MS's "responsible disclosure" policies also include (IIRC) wanting to charge people who release exploits. This policy is criticised for allowing them to not release fixes when a problem is found.

Of course, as everyone knows you can make the numbers say anything.

Posted by: Arcterex at March 29, 2005 03:35 PM

http://it.slashdot.org/article.pl?sid=05/03/26/1428259&tid=172&tid=109&tid=98

You fail to mention that the report was funded by Microsoft. Of course it's going to look favorable for them.

Posted by: Joe Schmoe at March 30, 2005 05:54 AM

As I originally said, you need to look THROUGH the politics.

I didn't fail to mention who funded it. It didn't matter to me, because the methodology used is well documented, and you are free to reproduce the results on your own using it.

Microsoft may have paid for the research, but they had no say in the methodology or the results of the study. Yes it looks favorable to them. So what. The results are still the same. And would be if you or I do the research.

Cut through the crap and focus on the content. I notice no one seems to be challenging the actual findings... just who paid money to get it done. Novell loves doing their "Unbending the Truth" campaign (http://www.novell.com/linux/truth/). Why don't they get together with RedHat and commission a study on their own from the same guys? They will of course have their angle on it, but I would bet you would get similar results. Why not exact? Because both RedHat and Novell have their own methodology at looking at things.

So the facts remain. In this scenario, the Windows platform has fewer cumulative days of risk and vulnerability counts than the RedHat server. Feel free to debunk that research with your own findings. Just publish the methodology so we can reproduce it.

Posted by: SilverStr at March 30, 2005 07:27 AM

http://www.theregister.co.uk/security/security_report_windows_vs_linux/

The first commenter posted a link to an excellent article. It is a long article, but it does debunk the methodology used. The following is a snippet from the above link; it is quite a good read...

"We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold.

Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux."

Posted by: Joe Schmoe at March 30, 2005 07:50 AM

The article you point to has flaws in getting the facts of comparing Srv03 to RHE3 properly. As an example, they spend a great deal of time talking about the CERT database and their queries. However, if you look closely, they continue to point out issues Microsoft is said 'not to fix'. It's for NT 4! At that point the comparison should be against RedHat 3!

The big problem here is what is considered a 'critical' vulnerability. In the past, Microsoft measured security bulletins differently in Windows 2000 and Windows Server 2003. In the days of Windows 2000 Microsoft only had three ratings: Critical, Moderate and Low; and during the Windows XP and later timeframe they introduced a fourth level - Important, which sits in between Critical and Moderate.

If a fair comparison is to be made, let's compare it with the right stuff, using the same rating system on what is critical.

I don't wish to get into an OS debate here. My point was that Microsoft is "getting better" at this security thing. The fact remains, in the first 320 days of the release of Windows Server 2000 Microsoft released 40 important or critical security bulletins. For Windows Server 2003, there were 9. That's a major improvement. Is 9 acceptable? Probably not. But it does show progress.

Posted by: SilverStr at March 31, 2005 07:50 AM

"Microsoft develops and releases all of the components in their web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development model."

This implies that MS controls the source, and as such, is able to contain many vulnerability announcements. So, how do we KNOW that the number of 90+ day bugs is fewer? It's easy to work on a bug internally, announcing that the bug was found only AFTER producing a patch, testing it, and packaging it for release; resulting in a lower "time to fix" stat.

Comparing RedHat9 to Windows 2003... hell, you can't even get security updates for that release from RedHat... May as well compare Fedora Core 3 to Windows NT 4.

Posted by: richard at March 31, 2005 10:00 AM

I agree that Windows 2003 is for sure more secure than its predecessors. At work, we have implemented quite a number of Win2003 systems, and few/none of them have had issues yet. Granted, none of them are directly facing untrusted networks, except for SMTP and some HTTP.

However, the platform comparison and aspects thereof are flawed.

1) PHP is a scripting language, not an application framework. Tomcat/JSP vs. ASP.NET is a better comparison.

2) MySQL is not a real database and should not be compared to SQL Server 2000. Oracle or PostgreSQL is a better candidate.

3) The Redhat server should really have had some basic hardening done. For example, use mod_security to provide a jailed environment via chroot, lock down the awful defaults in php.ini, and so forth.

4) As the article briefly alludes to, egress packet filtering is VITAL for web servers. Over the last 3 months, I've analyzed/cleaned several rooted Linux (Redhat 7/8/9) web (PHP/MySQL) servers. In almost all situations, the risk of a successful attack would have been eliminated by filtering outgoing connections. There's no reason that CGI programs (whether written in PHP/Perl/C/what have you) should be running wget, ping, ftp, etc. Many worms utilize wget to obtain the rest of their nasty payload.

Posted by: Wim at March 31, 2005 11:53 PM
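The egress-filtering point in Wim's fourth item, as an added example that is not code from the post, from any commenter, or from the study: a default-deny OUTPUT ruleset for a Linux web server that still serves its inbound HTTP/SMTP, still resolves names, but logs and drops any new outbound connection opened by the web-server account, which is exactly what a CGI/PHP process running wget or ftp would try. The account name in WEB_UID, the resolver address in RESOLVER (192.0.2.53 is a constructed placeholder), and the decision to let only uid 0 fetch over 80/443 are assumptions; it relies on the iptables "owner", "state" and "multiport" matches and the LOG target, which exist in iptables of that era and today.

```shell
#!/bin/sh
# Added example (not from the post, its commenters, or the study).
# Assumptions: iptables with the "owner", "state" and "multiport" matches;
# the web server and its CGI/PHP run as WEB_UID; RESOLVER is the only host
# the box may send DNS queries to. 192.0.2.53 is a constructed placeholder.

WEB_UID="${WEB_UID:-apache}"
RESOLVER="${RESOLVER:-192.0.2.53}"

# Emit the ruleset as text rather than applying it, so it can be reviewed,
# diffed against what is running, or piped to sh on the server itself.
egress_rules() {
    cat <<EOF
# Default-deny outbound; every line below is an explicit exception.
iptables -P OUTPUT DROP
iptables -F OUTPUT
# Loopback and replies to connections the server accepted (inbound HTTP,
# SMTP) keep flowing: this is what lets the server still serve.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The one outbound service a web server legitimately needs: DNS, and only
# to the configured resolver.
iptables -A OUTPUT -p udp -d $RESOLVER --dport 53 -m state --state NEW -j ACCEPT
# Any other connection the web-server account tries to open (wget, ftp,
# ping, a worm fetching its payload) is logged, then dropped. The log line
# is the detection signal an operator greps for.
iptables -A OUTPUT -m owner --uid-owner $WEB_UID -m state --state NEW -j LOG --log-prefix "EGRESS-WEB-BLOCK: " --log-level 4
iptables -A OUTPUT -m owner --uid-owner $WEB_UID -m state --state NEW -j DROP
# uid 0 may still fetch package updates; everyone else hits the DROP policy.
iptables -A OUTPUT -m owner --uid-owner 0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
}

# Count kernel-log lines produced by the LOG rule above, i.e. how many
# outbound attempts the web account made. Reads the log on stdin; prints 0
# (and still succeeds) when there are none.
count_blocked() {
    grep -c 'EGRESS-WEB-BLOCK:' || true
}

# "apply" as root installs the rules; anything else just prints them.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    egress_rules | sh
else
    egress_rules
fi
```

Run it with no arguments first and read the output; `sh egress.sh apply` as root installs it. A non-zero `count_blocked` over `/var/log/messages` after deployment means some process under the web account tried to reach out, which on a server that only answers requests is worth investigating every time. Wim's third point (chroot, php.ini) is a separate layer; this ruleset limits what a compromised CGI process can do even when those layers fail.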

Dana - I disagree with your assertion that who does or funds the research has no effect on the results. I think that when you do this sort of thing you start with a hypothesis and basically create your case for it. In the Reg study they started with the assumption that Linux is better than Windows, and went out to prove it, and in the study you noted, they probably started with the opposite assumption and went out to prove it. Maybe the fact that MS funds the study has no influence on the hypothesis, but maybe they do. If they go to a "ms shop" chances are the company has chosen MS because they believe them to be better (or more useful, or whatever), which will affect the results of their study. This would be why MS hasn't given gobs of money to a linux shop to do a study for them (which I'd like to see) or why Redhat doesn't go to redmond to get their studies for them :)

Posted by: Arcterex at April 2, 2005 02:32 PM