RealTime IT News

CERT's Best-Worst Vulns of 2005

Which operating system logged the most vulnerabilities in 2005?

According to the United States Computer Emergency Readiness Team (US-Cert) 2005 year-end index, Unix/Linux racked up more reports of vulnerabilities compared to Windows.

Security professionals, however, argue that the numbers alone don't tell the full story, and that a properly configured Unix/Linux server is likely more secure than a Windows server.

US-CERT's year-end compilation found 5198 reported vulnerabilities in 2005. Of that number, 2328 of them were for Unix/Linux (45 percent), 2058 were multiple operating system vulnerabilities (40 percent), and 801 were for Windows (15 percent).

Notably absent from US-CERT's index, however, is the recent zero day WMF metafile issue for which Microsoft has promised a patch this coming Tuesday .

Panda Software CTO Patrick Hinojosa said he doesn't think the raw numbers tell the whole story.

"*nix vulnerabilities cover a wide range of actual OS's and that would tend to mitigate the ability to exploit these," Hinojosa told internetnews.com. "In addition, when I examined the vulnerabilities listed, the ones in Windows are probably more problematic given that the given Windows user is going to be much less security aware that the typical *nix user," he said. "Considering all factors, I would feel more confident in a Unix server that is locked down than in a Windows server."

According to Ken Dunham, director of the rapid response team at iDefense, it's also a question of risk. Dunham noted that risk associated with vulnerabilities must be determined. Risk is identified based upon two primary factors, likelihood and impact.

"Historically, risk is much higher with Windows operating systems than Unix/Linux," Dunham said. "How can I say that, look at all the major attacks. Which ones had the greatest likelihood and impact for 2005? Windows hands down."

Dunham compared the Unix/Linux versus Windows security debate to the one between Microsoft Internet Explorer and Mozilla Firefox. Both have critical vulnerabilities. Both have been exploited before.

"So which has a higher risk? Again, historically, IE threats were widely exploited on a large scale while the few Firefox attacks were minimal at best over 2005," Dunham argued.

Overall though when looked at from a strict vulnerability sense, Dunham stated that there are many vulnerabilities in both Windows and Unix/Linux operating systems that have the potential to lead to a serious security incident.

"From a risk perspective, the threat landscape is very different when you factor in multiple variables impacting likelihood and impact."