Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, April 05, 2004

Forrester questions Linux security

A new study from Forrester Research has concluded that the Linux operating system is not necessarily more secure than Windows.

The report finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.

But leading Linux vendor Red Hat said that while Forrester’s underlying figures were sound, its conclusions didn’t give an accurate idea of relative security, as they failed to distinguish between patch times for critical updates and routine, obscure problems.

The report arrives in the midst of a fierce debate around the relative merits of Linux and Windows, and follows a number of reports perceived to have been slanted in Microsoft’s favor.

Last October, Forrester forbade its customers to publicize studies they had commissioned; it made the move partly because of criticism of a report from Forrester subsidiary Giga Research that found some companies saved money by developing with Windows rather than Linux.

A new tactic in that battle has been to compare how long it takes for various operating system vendors to patch flaws—the “days of risk” for each operating system.

Microsoft took on average 25 days to release a patch; Red Hat and Debian 57, SUSE 74 and MandrakeSoft 82, Forrester said.

“Microsoft’s average of 25 days between disclosure and release of a fix was the lowest of all the platform maintainers we evaluated,” wrote analyst Laura Koetzle in the report.

The figures Forrester uses for “all days of risk” are arrived at by averaging the number of days needed to fix a flaw, without distinguishing between critical flaws and harmless ones.

Thus, if a vendor took six months to patch a low-risk bug, it would make them appear to have a slow security response time overall, even if all critical bugs had been fixed instantly.

Using Microsoft’s own definition of a critical flaw as a bug which could allow a worm to propagate without user interaction, only 13 Red Hat vulnerabilities were critical during the one-year time period, and they took an average of just over a day to fix, Cox said.
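A worked version of the severity split Red Hat argues for, as an added example that is not from the article, Forrester or Red Hat: the advisory records and dates are constructed, and the report puts the blended "all days of risk" average next to the critical-only and routine-only figures so the skew from one slow low-risk fix is visible.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Advisory:
    """One fixed flaw as a vendor's tracker might record it (constructed)."""
    critical: bool   # Microsoft's definition: wormable without user interaction
    disclosed: date  # public disclosure date
    fixed: date      # date the patch shipped

    @property
    def days_of_risk(self) -> int:
        return (self.fixed - self.disclosed).days


def _stats(days):
    """(mean rounded to 0.1, median), or (None, None) for an empty group."""
    return (round(mean(days), 1), median(days)) if days else (None, None)


def days_of_risk_report(advisories):
    """all_mean is the blended average Forrester used; critical and
    non_critical are (mean, median) per group; slowest_non_critical is the
    single routine fix that most inflates the blended figure."""
    crit = [a.days_of_risk for a in advisories if a.critical]
    other = [a.days_of_risk for a in advisories if not a.critical]
    return {
        "all_mean": _stats(crit + other)[0],
        "critical": _stats(crit),
        "non_critical": _stats(other),
        "slowest_non_critical": max(other, default=None),
    }


# Constructed sample: three wormable flaws fixed within days, three routine
# ones that lingered, including one that waited half a year.
D0 = date(2004, 1, 1)
SAMPLE = [
    Advisory(True, D0, D0 + timedelta(days=1)),
    Advisory(True, D0, D0 + timedelta(days=1)),
    Advisory(True, D0, D0 + timedelta(days=2)),
    Advisory(False, D0, D0 + timedelta(days=180)),
    Advisory(False, D0, D0 + timedelta(days=30)),
    Advisory(False, D0, D0 + timedelta(days=60)),
]

if __name__ == "__main__":
    for key, value in days_of_risk_report(SAMPLE).items():
        print(f"{key}: {value}")
```

The blended mean here is about 46 days while the critical flaws average just over one day, which is the distinction the Red Hat rebuttal makes.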

Posted on 04/05