Linux/Unix more flawed than Windows, CERT says

The U.S. Government has reported that fewer vulnerabilities were found in Windows than in Linux/Unix operating systems in 2005.

Linux/Unix-based operating systems--a set that includes Mac OS X, as well as the various Linux distributions and flavours of Unix--had more than twice as many vulnerabilities as Windows, according to the United States Computer Emergency Readiness Team (US-CERT).

The report, the Cyber Security Bulletin 2005, was published last week and found that out of 5,198 reported flaws, 812 were Windows operating system vulnerabilities, while 2,328 were Unix/Linux operating bugs. The remaining 2,058 were multiple operating system vulnerabilities.

However, the popularity of Windows means it is still much more likely to be attacked than Linux, security firm McAfee said Thursday.

"In the Windows versus Unix debate, the number of vulnerabilities is less relevant than the amount that are turned into successful attacks. We see far more successful attacks against Windows, because it's the most common environment," Greg Day, security analyst at McAfee, said.

"As Linux becomes more common, we'll see more attacks against it," Day added.

McAfee recommended companies look more at the probability of attack, rather than whether an attack is possible.

CERT's report did not include figures for how quickly vulnerabilities are patched once they are discovered. According to security provider Secunia, 124 of its security advisories relate to flaws in Windows XP Professional. Some 29 of these flaws are unpatched--which lands Microsoft's operating system with a "highly critical" security rating.

In contrast, Red Hat 9 is covered by 99 Secunia warnings, but only one of these flaws has not been patched by Red Hat. Suse Linux Enterprise Server 9 is covered in 91 advisories, but every one has been patched by the vendor. Both products get a "not critical" rating.