Forrester questions Linux security

Study fires up debate around patch times.


A new study from Forrester Research has concluded that the Linux operating system is not necessarily more secure than Windows. The report, "Is Linux more secure than Windows?", finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.

But leading Linux vendor Red Hat said that while Forrester's underlying figures were sound, its conclusions didn't give an accurate idea of relative security, as they failed to distinguish between patch times for critical updates and routine, obscure problems.

The report arrives in the midst of a fierce debate around the relative merits of Linux and Windows, and follows a number of reports perceived to have been slanted in Microsoft's favour. Last October, Forrester forbade its customers to publicise studies they had commissioned; it made the move partly because of criticism of a report from Forrester subsidiary Giga Research that found some companies saved money by developing with Windows rather than Linux. Forrester said it stood by the integrity of the study, but had erred in allowing Microsoft to use it in anti-Linux advertising.

Forrester's report may lend credibility to Microsoft's ongoing efforts to play down security concerns about its software. A new tactic in that battle has been to compare how long it takes for various operating system vendors to patch flaws - the "days of risk" for each operating system. Microsoft's argument is simple, said Bradley Tipp, Microsoft’s National Systems Engineer for the UK, last autumn: "Open source systems are likely to be at risk for more days than Windows systems."

Indeed, Forrester found that, between 1 June 2002 and 31 May 2003, Microsoft had the lowest average "all days of risk" (the time between the public disclosure of a flaw and the release of a patch for it by the operating system maintainer) compared with the Red Hat, Debian, MandrakeSoft and SUSE Linux distributions.

Microsoft took on average 25 days to release a patch; Red Hat and Debian 57, SUSE 74 and MandrakeSoft 82, Forrester said. "Microsoft’s average of 25 days between disclosure and release of a fix was the lowest of all the platform maintainers we evaluated," wrote analyst Laura Koetzle in the report. "Microsoft also addressed all of the 128 publicly disclosed security flaws in Windows during our 12-month evaluation period."

Koetzle noted, however, that 67 percent of Windows flaws had been rated "critical" under the standard for high-severity vulnerabilities used by the ICAT project of the US National Institute of Standards and Technology, compared with 63 percent for SUSE, 60 percent for MandrakeSoft, 57 percent for Debian and 56 percent for Red Hat.

Since Linux distributions are compilations of large numbers of independent components, the study also examined lag-times between the release of a patch for a Linux component and the release of the same fix by the operating system vendor, what Forrester called "distribution days of risk". Debian scored best in this metric, with 32 days, followed by Red Hat with 47 days, SUSE with 54 days and MandrakeSoft with 56 days.

Red Hat said the figures Forrester relied on for Linux distributions were above reproach, as various Linux distributors worked with the analyst firm on weeding out errors. But the conclusions drawn from those figures are nearly useless, the Linux company said. "A simple average doesn't give you a good picture at all," said Red Hat security response team lead Mark Cox. "It wastes the work put into the raw data."

The figures Forrester uses for "all days of risk" are arrived at by averaging the number of days needed to fix a flaw, without distinguishing between critical flaws and harmless ones. Thus, if a vendor took six months to patch a low-risk bug, it would make them appear to have a slow security response time overall, even if all critical bugs had been fixed instantly.
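The averaging effect described above can be reproduced with a small calculation. This is an added example, not Forrester's or Red Hat's method or data: the advisory records, the severity labels and the rule that a distributor shipping before upstream counts as zero "distribution days of risk" are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample advisories (not Forrester's data):
# (id, severity, public disclosure, upstream component fix, distributor fix)
ADVISORIES = [
    ("EX-1", "critical", date(2003, 1, 6), date(2003, 1, 6), date(2003, 1, 7)),
    ("EX-2", "critical", date(2003, 2, 10), date(2003, 2, 11), date(2003, 2, 12)),
    # Distributor shipped its own fix two days before upstream did.
    ("EX-3", "critical", date(2003, 3, 3), date(2003, 3, 5), date(2003, 3, 3)),
    ("EX-4", "low", date(2002, 9, 2), date(2002, 10, 2), date(2003, 3, 1)),
    ("EX-5", "low", date(2002, 11, 4), date(2002, 11, 20), date(2003, 1, 3)),
]


def days_of_risk(advisories):
    """Summarise patch latency for all advisories and per severity."""
    groups = defaultdict(list)
    for _id, severity, disclosed, upstream_fix, distro_fix in advisories:
        all_days = (distro_fix - disclosed).days
        # Assumption: no lag is charged when the distributor beats upstream.
        dist_days = max(0, (distro_fix - upstream_fix).days)
        groups["all"].append((all_days, dist_days))
        groups[severity].append((all_days, dist_days))

    summary = {}
    for name, rows in groups.items():
        all_days = [r[0] for r in rows]
        dist_days = [r[1] for r in rows]
        summary[name] = {
            "count": len(rows),
            "all_days_mean": round(mean(all_days), 1),
            "all_days_median": median(all_days),
            "all_days_max": max(all_days),
            "dist_days_mean": round(mean(dist_days), 1),
        }
    return summary


if __name__ == "__main__":
    for group, stats in days_of_risk(ADVISORIES).items():
        print(f"{group:9s} {stats}")
```

With this sample, two slow low-severity fixes pull the overall mean to 48.6 days even though every critical flaw was fixed within two days; the per-severity rows and the median make that visible.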

Using Microsoft's own definition of a critical flaw as a bug which could allow a worm to propagate without user interaction, only 13 Red Hat vulnerabilities were critical during the one-year time period, and they took an average of just over a day to fix, Cox said. "If you add denial of service attacks and privilege escalations, there were 47 issues in total, which took seven days on average to fix," he added.

"We fix issues that are critical to users first," he said. "When a remote exploit comes out, we drop everything to make sure it comes out quickly. That's more important than a bug in some obscure package no one uses. The report really doesn't take that into account. It's a shame because the raw data is there."

Cox also took issue with the perception that there is necessarily a lag between a module patch and a distribution patch - Forrester's "distribution days of risk". If a bug is critical, it will be released by the Linux vendor immediately, he said; if module maintainers haven't yet released a patch, Red Hat and other distributors do it themselves.

Cox said Red Hat is taking measures to deal with the lag time between the release of a patch and users' implementation of it, including making each Red Hat machine slightly different and a kernel programme called exec-shield. Red Hat and other distributors are also participating in the Security Enhanced Linux project.

Microsoft is in the midst of a highly-publicised security push, which has involved an in-depth code review and a switch to a monthly patch release schedule, designed to ease enterprise patch installation.

