Flaws in Windows trail behind open source vulnerabilities

US-CERT recorded more than 5,000 security vulnerabilities in 2005, with nearly half of the total affecting the Linux, Unix and Unix-based Mac OS X platforms. Linux/Unix bugs outnumbered Windows flaws by nearly three to one, according to US-CERT.

Meanwhile, security firm Secunia reported similar proportions of advisories, but found that a number of critical Windows flaws had been left unpatched, while a typical Linux distribution had no unpatched vulnerabilities.

The security organisation said a total of 5,198 vulnerabilities were reported, including 2,328 for Linux and Unix, or about 45 percent of the total.

Windows was affected by 812 flaws, and a further 2,058 were cross-platform. The vulnerabilities include applications such as Web browsers and music players as well as operating system components.

The figures may come as a surprise considering Windows' ongoing reputation for security problems, but doesn't necessarily reflect the overall security of the platform. For example, the Linux/Unix figures include large numbers of updated vulnerability advisories, while the Windows list includes only a handful of updates.

The raw figures also don't indicate the impact of a flaw. No Unix/Linux/Mac bug has caused anywhere near the panic currently being generated by the unpatched WMF flaw in Windows, partly because of Windows' near-complete dominance of the desktop PC market.

Secunia's figures offer more detail, though they tally up vulnerabilities differently from US-CERT. Secunia counted 45 vulnerabilities affecting Windows XP for 2005, up from 29 in 2004.

That total includes ten unpatched bugs, among which are the WMF bug and another unpatched, highly critical bug from April affecting the Jet Database Engine.

Over the same period, Secunia counted 136 flaws in Red Hat's flagship operating system, Red Hat Enterprise Linux Advanced Server 4. The discrepancy is partly accounted for by the inclusion of applications - such as Thunderbird and Firefox - in the Linux list; Windows applications aren't included in the Windows list.

There were a similar proportion of flaws in 2005 marked "highly critical" or "extremely critical" - 24 percent for Red Hat and 31 percent for Windows XP. But in contrast to the Windows flaws, none of the Linux bugs were left unpatched, according to Secunia.

Apple's Mac OS X was the subject of 22 advisories in 2005, Secunia said. However, some of those advisories were for Mac updates covering several vulnerabilities. Two less-serious flaws from December are as yet unpatched. Forty percent of the Mac advisories covered "highly critical" or "extremely critical" bugs.

Suse Linux Enterprise Server 9 was the subject of 77 advisories last year, many of which, as with Apple, were cumulative updates covering several flaws. None of the flaws were unpatched.

Debian 3.1, a highly popular but less commercial distribution, was the subject of 181 advisories last year, of which one less-serious bug was not patched. Thirteen other flaws were only partially fixed, according to Secunia.

The subject of Linux's security compared with that of Windows is a thorny one, and there are no figures offering a one-to-one comparison. Besides the difference in market share, Windows is mainly used on the desktop while Linux is most popular on servers, presenting quite different security issues.

Several studies, some sponsored by Microsoft, have questioned Linux's security, but most such reports have been debunked as inaccurate.

A report from Yankee Group last year showed that in the midst of such propaganda efforts, Linux is still seen as more secure than Windows.