Mailbag: Strong opinions flare around U.S. CERT’s Linux/Unix vs. Windows summary

Last week’s newsletter about Linux/Unix vs. Windows vulnerability statistics generated plenty of reader feedback – as such reports often do. The newsletter reported on a year-end vulnerability summary from the quasi-governmental United States Computer Emergency Readiness Team (U.S. CERT), which said that there were significantly fewer vulnerabilities reported for Windows than the number of warnings issued for the combined category of Linux/Unix operating systems.

One key disclaimer in the summary: Many readers took exception to U.S. CERT’s methodology, mainly, the lumping together of all Unix and Linux flavors, then comparing those with Windows in general.

“This is a pretty silly metric to read this much into,” one reader wrote. “There are a lot of variables – a lot of the security patches in Linux … have to do with applications, not the core operating system. And the open source community is much more transparent than either Apple or Microsoft about its vulnerabilities.”

Another reader said: “The ’25 Mac OS X’ vulnerabilities are included in the Unix/Linux count, and only refer to the entries that specifically affect Mac OS X in the title. By that measure SuSE is safer because it is only listed 14 times. In fact, numerous other vulnerabilities listed under the Unix/Linux column affect Mac OS X. Finally, individually counted updates include posting notification of the vulnerability as well as a vendor updating to announce the location that they posted their vendor specific patch.”

“Your brief presentation is essentially incoherent,” another reader said. One issue this reader brought up was the disclaimer at the top of the U.S. CERT summary, which stated: “Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis.”

The reader added: “To interpret what you present as a challenge to the alleged superiority of Linux/Unix security strongly suggests a [Microsoft] bias.”

Another reader put things in a different perspective: “This all pretty much misses the point,” wrote the reader. “In information systems, what is most important is to protect is THE DATA. Security in the operating system protects the operating system, which is a container for the data. Similarly, link and packet level security measures in the network protect the network infrastructure. But all of it doesn’t protect the data.” The reader said widespread use of Secure Shell for data access SSL for data encryption are more of a key issues than the vulnerability horse race.

“If you secure the data, then most of the OS security measures tend to recede in criticality,” the reader wrote.