Linux riskier than Windows?

Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.

Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.

"All this study can do is give people pause, to say they shouldn't go with common wisdom over which platform has more security," said

Herbert Thompson, one of the three authors of the paper and the director of research and training at Security Innovations, a security applications company. The common belief is that Linux is more secure that Windows.

The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.

"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.

Counting the holes
For the study, researchers counted the fixes published for flaws in each Web server setup in 2004. In addition, they tallied days of risk, the cumulative number of days between the time information on a flaw is publicly released and the time the software developer patches that vulnerability.

A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.

As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

Red Hat's Cox countered the findings in his blog posting.

"There were only eight flaws in Red Hat Enterprise Linux 3 that would be classed as 'critical' by either the Microsoft or the Red Hat severity scales," he wrote. "Of those, three-quarters were fixed in a day, and the average was eight days."

Critical flaws are generally those that allow an attacker to remotely take control of a computer system. The study did break vulnerabilities

down into "high," "medium" and "low" severity ratings. Flaws graded as high severity include Red Hat and Microsoft's critical classifications and flaws that allow local users to gain access to system functions. Microsoft had far fewer high-severity flaws in both the default and minimal configurations, according to the paper.

Microsoft did fund the study, the researchers acknowledged. The software giant released a statement on Tuesday that indicated

the report was part of Microsoft's "Get the Facts" campaign aimed at highlighting the benefits of Windows software.

"When Security Innovations submitted a proposal to Microsoft to research ways to measure vendor software security, we evaluated the proposal and determined that this type of analysis would be useful for our customers and funded their research," the company said in the statement. "We encourage customers to review and evaluate the data in the context of their own computing environments."

Richard Ford, a computer science professor at the Florida Institute of Technology, and Fabien Casteran, a security test engineer at Security Innovations, were the authors of the report alongside Thompson. The researchers hope to stave off criticism by publishing their methods as part of the report.

"The methodology was designed to allow others to validate it for themselves--it has to be quantitative and repeatable," Thompson said. "We didn't just want to hand people the cake; we wanted to give them a recipe as well."

While both days of risk and vulnerability counts aren't true measures of security, Thompson said that they wanted to focus on a metric that mattered to system administrators. The cumulative time they had to wait for patches is a reasonable measure, he argued.

Thompson admitted, however, that security largely depends on the expertise of the administrator.

"I think either (operating system) is infinitely securable by a skilled Jedi administrator," Thompson said. "If I have a Linux guru, then I want that guy to do the Linux web server. I am more of a Window guru, so I would use Windows."