Like the Hatfields and McCoys, some debates are as old as the hills, and no one ever seems to win. In the IT industry, security pundits have long been arguing the question of whether Linux is more secure than Windows with similarly inconclusive results.
In a town hall-style debate Wednesday at RSA 2008 in San Francisco, Jeff Jones, a director in Microsoft's Trustworthy Computing group, and Dr. Richard Ford, a professor at the Florida Institute of Technology and a longtime Linux advocate, examined some of the canards that have settled around both sides of the issue over the years.
Both Ford and Jones agreed that the issue of default configurations plays a major role in security. "What you install, and how you install by default, turns out to be incredibly relevant to security," said Ford.
Jones agreed, noting the security improvements that followed Microsoft's decision to turn automatic updates on by default, and to change the default setting for Windows Firewall to on in Windows XP Service Pack 2.
From there, however, the discussion turned to debate, although never going beyond the level of friendly repartee.
Jones, who has stirred the pot in the past with claims that Windows Vista is more secure than Linux and OS X, showed figures that indicate Linux has a higher number of overall vulnerabilities than Vista.
Ford said the difficulty with comparing operating systems is that it's often an apples and oranges comparison, and that "raw vulnerability counts really don't give you a good picture," although they can't be discounted entirely.
Besides, argued Ford, even if Linux has more overall vulnerabilities, these vulnerabilities have traditionally been less severe than those affecting Windows. He defined severity as consequence plus ease of exploitation.
"Every time Windows gets a vulnerability, someone immediately writes a rootkit or a worm," said Ford. Linux, in contrast, has fewer critical issues, he added.
What's important to note, replied Jones, is that all vulnerabilities should theoretically be patched, not just critical ones, which speaks to a greater need for administrator activity around Linux.
The debate then turned to the difficulty of rating severity in an industry where different vendors use widely disparate criteria. Some vendors give higher vulnerability ratings to flaws that lead to propagation of malware, while others rate denial of service issues as more severe, noted Jones.
The National Vulnerability Database, which aims to standardize threat scoring through the use of the Common Vulnerability Scoring System (CVSS), shows more total vulnerabilities for Red Hat than for Microsoft, Jones said.
Ford chalked this up to "significant corrections" that the NVD has instituted in terms of how it rates Linux flaws, and the reality that the same bug doesn't have the same severity on every platform.
Ford also took aim at Microsoft's past admission that it silently fixes vulnerabilities. Linux is more transparent, and this causes vulnerability data to be skewed, Ford argued. "I believe that vulnerability counting is inherently stacked against open source projects," he said.
Jones countered by suggesting that other vendors silently patch flaws in their products, and that it's impossible for anyone to know for sure without examining source code. "Can you say that there have been no Linux updates where they didn't address some security issues, inadvertently or otherwise?"
The speed with which the open source community fixes vulnerabilities in Linux far exceeds that of Microsoft, Ford said. But Jones discounted the importance of speed when it comes to issuing patches.
"Microsoft could release alpha patches, but that wouldn't be acceptable because small errors could have a major impact," Jones said.
Added Jones: "Microsoft is still consistently faster, except in a few narrow, edge cases, and does as good a job as the best of the Linux vendors in getting patches out."