Security Lies, Linux, and Statistics

Microsoft's recent announcement that it will focus on security rather than new features was, perhaps, overdue. And although we'll have to wait to see whether this new initiative has any tangible effect on the company's products, the news has had the desired results. With the exception of some sneering from the Linux camp, Microsoft's security announcement—which came in the form of a leaked email from Microsoft Chairman and Chief Software Architect Bill Gates—garnered cheers from the IT community. Since that leak, several interesting developments have occurred that might challenge some assumptions about Microsoft, the security of its products, and how the company fares when compared with the competition.

I've been using Linux in one way or another since late 1994, when I first installed an early Slackware distribution of the OS. Linux has made strong gains since then, especially in the small-server market, which single-purpose boxes such as Web servers and file and print servers dominate. But Linux's biggest success has been one of perception: Many users assume that Linux is more secure, stable, and reliable than Windows. Likewise, users increasingly see open-source development as a superior alternative to closed-source development at companies such as Microsoft.

The most interesting aspect of these assumptions is the way that the Linux press and community rip apart Windows success stories, yet trumpet Linux and other open-source success stories without closely scrutinizing the stories. Meanwhile, these same Linux success stories barely register in the Windows world.

Drawing conclusions based on all the informational clutter about Linux and Windows is frustrating, tiring, and ultimately impossible. Here's a classic example: We've all heard that the open-source Apache Web Server has about 57 percent of the Web server market, compared with Microsoft IIS, which has 31 percent. Open-source partisans point to this statistic as a victory, but Microsoft can show that more top e-commerce sites use IIS than use competing products and that more Forbes 500 companies use IIS than use Apache.

Let's examine a more recent example. In Friday's WinInfo Daily UPDATE newsletter, I mentioned a set of statistics from BugTraq, a reputable security-information provider, that shows how various OSs compare securitywise. The statistics show a surprising trend: When you aggregate all the Linux distributions, Linux, not Windows, has had the most security vulnerabilities, year after year.

If you break down those numbers by Linux distribution (despite the fact that Windows 2000 and Windows NT are lumped together), Win2K/NT had 42 vulnerabilities in 2001 (data is through August only), and the leading Linux distribution, Red Hat, had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95.

I believe that the number of vulnerabilities in a given OS is tied, in part, to its usage. That is, more popular OSs are hacked more often because they're more viable targets. Therefore, Red Hat is the right Linux distribution to compare with Windows because it's the most popular. And because fewer servers run Red Hat Linux than Windows, yet the number of vulnerabilities in both OSs is similar, arguably, Linux is less secure. When you factor in usage, Windows doesn't look so bad.

I read a lot of articles on Linux Web sites that describe Windows as "on the ropes," but major corporations around the world use Windows servers every day, and the servers, for the most part, work well. I'm not saying Microsoft has done a good job of securing its products, and the company's recent decision to focus on security is long overdue. But statements that "Linux is more secure than Windows" are definitely not true.

So Microsoft's announcement that the company will focus on security is good news for its customers. And Microsoft's plans to place a 1-month moratorium on new coding to shore up its existing products (see related story under Hot Off the Press) likely will meet with the same applause. After all, the world's most important systems—yours—are running Windows and other Microsoft products. And despite the noise from the open-source community, the Windows camp is the place to be.