SecurityFocus, 2004-06-28
SYDNEY, Australia--Microsoft chairman Bill Gates defended the company's handling of security patches Monday following widespread attacks on the Internet by suspected Russian organized crime gangs.
Gates Lies, 2004-06-29, Daniel Convissor (3 replies)
Anti-Microsoft FanBoys, 2004-06-30, Just Some guy (11 replies)
Point of Clarification: Gates Defends Microsoft Patch Efforts, 2004-07-01, http-equiv (at) excite (dot) com
Gates Defends Microsoft Patch Efforts, 2004-07-05, PanzerPsycho (at) yahoo (dot) com

First of all, Linux is more widely deployed as web, mail and DNS servers for Internet-facing services than Windows by a large margin. Check the Netcraft page www.netcraft.com if you want to see Microsoft's market share in the web server market.
http://news.netcraft.com/archives/web_server_survey.html
Yet, compare the number of vulnerabilities in Apache's stable release with that of IIS and you'll notice a disturbing trend. Despite greater market share, Apache has considerably lower numbers of vulnerabilities. Let's also touch on the fact that Apache is open source, which means ANYONE can look at the source code and find vulnerabilities. Netcraft is not biased in any way; they simply accomplish their results by doing scans.
Also, you need to understand the Linux security model a little better before you spout off by implying "Linux will get hacked too as soon as it gets more market share". That is weak and you obviously have no concept of the extent and strength of the Unix/Linux security architecture.
Linux vulnerabilities are nowhere near as serious in general when compared with Windows vulnerabilities because of the security mechanisms Linux has in place. For instance, on Linux you can "chroot" a service and lock the user into a kernel-enforced jail. Plus, SELinux has MBAC capabilities, unlike Windows, that allow it to achieve B1 certification (top secret clearance), and Windows can ONLY achieve C2. Additionally, Apache, BIND etc. are open source applications, which means they can be hardened with tools like ProPolice to prevent buffer overflows, the number one source of vulnerabilities in remote services. With Windows these tools simply don't exist, nor does a person have the capability to harden a Windows app, because they don't have the source code. Basically, what all this equates to is that Linux is innately less vulnerable because of the security tools it has on hand.
Understand that Linux cannot and will not ever be plagued with the security problems you see with MS Windows because security is handled and enforced in a more vigilant, robust fashion.
Take qmail and djbdns for example. Here are two applications that are massively deployed throughout the Internet. Qmail is actually the #2 MTA next to sendmail; Exchange is #3. Qmail and djbdns are around 7 years old, open source, and the author of the applications offers a $500 cash reward to the first person that can supply a working exploit for either of those applications. Seven years later that reward goes unclaimed. Djbdns and qmail are secure because they enforce security in a logical fashion rather than taking a monolithic "patch it up" approach. These applications use solid, modular security approaches that minimize required privileges and delegate tasks to individual "components" rather than providing a single monolithic application with full access. This is a concept completely foreign and nearly unachievable on the Windows platform. In turn, this is once again why Windows is only C2 certified.
I'd like to see Bill Gates raise the stakes and give the same challenge that DJB has proposed. After all, he has claimed Microsoft software is the most secure on the planet, yet it's an obvious logical fallacy if you read any vulnerability database like CERT, X-Force, PacketStorm or SecurityFocus.
Link to this comment: http://www.securityfocus.com/comments/articles/9004/27224#27224
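The chroot jail and privilege minimization the comment refers to, as an added C example that is not part of the post or of qmail/djbdns: the process enters a jail directory and drops to an unprivileged uid/gid in the order the kernel requires, then verifies that root cannot be regained. The jail path /tmp/jail-example and uid/gid 65534 are placeholders chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the process can no longer regain root, 0 if it still can. */
int privileges_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    /* A correctly dropped process must fail to become root again. */
    return setuid(0) == -1 ? 1 : 0;
}

/* Confine the process to `jail` and run as `uid`/`gid`.
 * Returns 0 on success or -errno on the first failing step. */
int sandbox_service(const char *jail, uid_t uid, gid_t gid)
{
    if (mkdir(jail, 0755) == -1 && errno != EEXIST)
        return -errno;
    if (chroot(jail) == -1)       /* needs CAP_SYS_CHROOT; fails with EPERM otherwise */
        return -errno;
    if (chdir("/") == -1)         /* without this the cwd still points outside the jail */
        return -errno;
    if (setgroups(0, NULL) == -1) /* clear supplementary groups while still root */
        return -errno;
    if (setgid(gid) == -1)        /* gid before uid: after setuid() we could not change it */
        return -errno;
    if (setuid(uid) == -1)        /* as root this sets real, effective and saved uid */
        return -errno;
    /* Verify rather than assume that the drop is irreversible. */
    if (!privileges_dropped())
        return -EACCES;
    return 0;
}

int main(void)
{
    /* Placeholder jail path and uid/gid 65534 (commonly "nobody"). */
    int rc = sandbox_service("/tmp/jail-example", 65534, 65534);
    if (rc != 0)
        fprintf(stderr, "sandbox failed: %s\n", strerror(-rc));
    else
        puts("jailed and unprivileged");
    return rc == 0 ? 0 : 1;
}
```

Run it as root to see the full sequence; as an ordinary user the chroot step itself is refused by the kernel, which is the enforcement the comment describes.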