Linux is as buggy as Windows

Discussion in 'Computer Security' started by Martin C.E., Sep 22, 2003.

  1. Martin C.E. Guest

    I only came across this slightly old article recently (see below).

    What is the conclusion - that what the author says is a true
    reflection of the situation or that he is overstating his case?



    Jan 27, 2003

    Fred Langa contends that some Linux proponents harm their cause by
    hiding from the facts--it's just as buggy as Windows XP.


    I made a private bet with myself when I ran an item in my newsletter
    called "Linux Hacks On The Rise". It cited a study of software
    problems reported by CERT--the Computer Emergency Response Team that
    impartially tracks computing security threats. (CERT is part of a
    federally funded research and development center at Carnegie Mellon
    University in Pittsburgh.)

    Among other things, the article said: "...more than 50% of all
    [CERT] security advisories ... in the first 10 months of 2002 were
    for Linux and other open-source software solutions."

    My only point in bringing up this issue was to show that no operating
    system is immune to bugs and security issues: As Linux grows in
    popularity, it will have its own full share of problems.

    It's hard to imagine a less inflammatory or more obvious assertion--
    that all operating systems have bugs and security issues--but I won
    my bet: Linux and open-source fans thought I was attacking them or
    their preferred operating system. They deluged me with E-mails, many
    irate, claiming that CERT (and I) were dead wrong.

    The two most-common arguments against the report were:

    1) There really aren't that many Linux/open source bugs, especially
    compared with, say, Microsoft Windows. Many readers argued further
    that CERT erred by counting the same bugs multiple times in different
    distributions and versions of Linux or other open-source software;
    these repeated bugs should have been counted as one meta-bug.

    2) Open source bugs, when they do occur, aren't that big a deal
    anyway because they can be fixed far faster than Windows bugs.

    Trouble is, these arguments are based on old information: Yes, there
    once was a time when both of the above statements were true, but in a
    moment I'll show you some very current, non-CERT stats and info that
    illustrate why both statements are now emphatically false. (We'll
    get to the specifics in a moment.)

    But this isn't a bad thing. Rather, I take it as a very positive
    sign of the growing maturity and mainstream appeal of Linux and open
    source software. Let me explain:

    Linux's And Open Source Software's Excellent History

    Linux (and the whole open source movement in general) got its
    reputation for solid software and rapid fixes when this software was
    used mostly by a relatively small group of extremely knowledgeable
    people. They knew what they were doing, and generally ran their
    software on stable, proven hardware platforms; or, when brand-new
    hardware was used, it was used in fairly generic ways. (For example,
    video card drivers for Linux tended not to support exotic feature
    sets; Linux video usually operated at fairly conventional resolutions
    and settings.)

    This is a benign development environment. Any software can succeed
    if it's placed only in the hands of a small group of knowledgeable
    experts who can avoid many problems in the first place, and
    participate in rapid repair of any unavoidable problems that do

    And "rapid repair" was a very real thing: The open source arena
    tended to attract some of the best and brightest of the world's
    computing community; people who wanted to do good, and whose
    contributions were almost always positive, focused on the continual
    improvement of their software.

    But things changed. The open source community has fragmented into
    myriad competing segments, each with its own different, and
    increasingly quasi-proprietary, distributions of software. Huge
    numbers of new users of all skill levels have entered what once had
    been an experts-only enclave. (Even Wal-Mart now sells cheap PCs
    with Linux and open source applications preinstalled.) It's much
    harder to produce software for an audience of all skill levels
    running who-knows-what hardware, than for an audience only of experts
    running a limited subset of known-good hardware.

    And, not trivially, as the Linux/open source segment has grown, it's
    finally attracted the attention of crackers (malicious hackers). You
    see, crackers like to aim at the fat part of the bell curve because
    that's where the most potential victims are. That's one of the
    primary reasons why more people try to hack Microsoft software than
    any other: If a malicious hacker wants fame or notoriety, Microsoft
    software is the obvious target because more people use Microsoft
    software than any other.

    And to me, this is a key thing: When the Linux/open source community
    was tiny, few hackers bothered to look for exploitable issues there.
    It simply wasn't an attractive target. In other words, it wasn't so
    much that Linux and similar software were truly free from exploitable
    holes, but simply that no one was trying to find them.

    But again, that all changed as Linux and open source software entered
    the mainstream. Now that this software is a fully viable alternative
    to conventional commercial software, an inevitable consequence is
    that more problems will come to light. As novice users, funky
    hardware mixes, and active cracking all come into play, the bug
    counts are going up. In fact, way up.

    Counting Bugs

    There's no perfect, 100% reliable way of comparing bugs across
    operating systems, especially in an environment where operating
    systems usually ship with bundled software that may have its own,
    separate quality issues. But let's start by looking just at the
    operating system itself:

    We can avoid CERT's problem of counting the same bug more than once
    if we compare the security patch/update counts for one popular
    distribution and version of Linux to one popular version of Microsoft
    Windows. In this way, we won't have the Linux count skewed by the
    same bug cropping up in hundreds of other versions and distributions;
    or have the Windows count skewed by bugs in other Windows versions or
    software products from Microsoft.

    To further refine the comparison, let's look at operating system
    versions that came to market at about the same date. This way, both
    operating systems would have a more or less equal time during which
    problems could come to light.

    It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were
    released within a few weeks of each other. Both are still current
    and are actively supported by their respective vendors. So, let's
    take a look, starting on each vendor's patch/update pages:

    For Red Hat Linux 7.2, you go to the Red Hat "errata" page https:// and from there to the page specific to version
    7.2 . There, you'll
    see that, to date, Red Hat has issued 151 patches and updates (mostly
    for security issues; that's what the "broken lock" icon means) for
    that Linux version. For a very crude sense of scale, that works out
    to an average of around 2.3 patches per week.

    Next, let's do the same thing for XP Professional, starting on
    Microsoft's errata page, the "HotFix & Security Bulletin Service";
    use the pull-down menu to isolate just the XP-related items. You'll
    see that the page lists 21 XP-specific patches and updates to date.
    That's an average 0.35 patches per week.

    But wait: Maybe that's not a fair count. After all, XP is the
    newest Windows version, but RH 7.2 isn't the newest Linux version.
    Red Hat's newest version is actually version 8.0, so let's look at
    that. Its errata page lists 27 patches and bug fixes issued in the
    four months the operating system has been available, an average of
    around 1.6 patches per week, so far. That's a rate significantly
    less than Red Hat's 7.2's, but still more than XP's.

    These numbers may surprise you because we've all seen a veritable
    blizzard of patches and updates issued from Redmond. But Microsoft
    currently has 157 software products under active support, and a
    typical PC may have not only a Microsoft operating system but also a
    Microsoft browser, mail program, media player, office suite, and
    more. In the aggregate, the total number of bugs and patches to keep
    up with for all this software is daunting. And some of the issues
    have indeed been severe. (For example, Outlook Express was for years
    the very worst security hole on most PCs.)

    But, if it's unfair to lump all open source software together for
    bug-counting purposes, it's also unfair to do the same thing for all
    Microsoft software. (Otherwise, to get an accurate assessment for
    Linux systems, you'd have to include the bugs from open source
    browsers and all other normal system add-ins or add-ons, on top of
    Linux's own bugs.) Instead, to avoid an apples/oranges comparison,
    it's better to look at specific brands, types, and builds of products
    across similar amounts of time: That's the only accurate way to see
    how, say, operating systems compare, or browsers compare, or E-mail
    programs compare, and so on.

    But what about the types or severity of bugs? In fact, I hear this a
    lot from Linux partisans, that Microsoft bugs are "worse" than Linux
    bugs. There's a lot of subjectivity in better or worse comparisons,
    of course. But as a quick example, here's a Red Hat Linux 7.2 bug as
    described on the Red Hat page:

    A vulnerability has been found in the ptrace code of the kernel
    (ptrace is the part that lets program debuggers run) that could be
    abused by local users to gain root privileges.

    Now here's an XP bug, as described on the Microsoft site:

    Flaw in Windows WM_TIMER Message Handling Could Enable Privilege
    Elevation: A security issue has been identified that could allow an
    attacker to compromise a computer running Microsoft Windows and gain
    complete control over it.

    Which is "worse?" I actually think these are about the same--either
    way, someone can take over your PC. But some Linux partisans will
    insist that the Microsoft bug is somehow "worse." I disagree, but
    don't take my word for it: Read the descriptions of some bugs from
    the XP list and some from the Red Hat list, and make up your own

    Does all this mean Linux is terrible? Not at all! Complex software
    will always have bugs and security problems, and I consider Linux's
    bugs to be in the fully normal range and not worth getting agitated
    over. What's more, it's great to see such active bug-fixing as the
    Red Hat pages indicate: There always will be bugs in any software,
    and the rational thing to do is to fix them, rather than try to
    convince others that the bugs aren't real or somehow don't count.

    Does all this mean XP is inherently wonderful? Nope. XP's bugs are
    fewer than Red Hat Linux 7.2, but also within the normal range, and
    likewise merit neither ecstasy nor apoplexy. And, as I said before,
    there's other Microsoft software--some of it bundled with XP--that
    has much worse records.

    So here's what it does mean: Linux is a normal operating system; so
    is XP. Both have bugs, some major, some minor. Anyone who tells you
    that Linux is "inherently more secure" or "much less buggy" than XP
    simply isn't working from current facts. The reality is that bugs
    happen, even in Linux: Get over it.

    Speed Of Fixes

    The second most-cited argument in reader mail was along the lines of:
    "Open Source bugs aren't that big a deal because they can be fixed
    far faster than Windows bugs."

    Yes, under the very best and limited circumstances, this can be true:
    A raw, initial fix can be posted online sometimes within hours of a
    bug coming to light, and that's wonderful, when it happens. But that
    initial posting is often in source code, or in a form that requires
    that parts of the operating system or software be rebuilt or
    recompiled by the user. And it's usually posted in special
    developer-only portions of open-source Web sites. In other words,
    the patch may be useful to a handful of expert users. That's great
    for them, but what about everyone else?

    Most patches take much longer to appear, and longer still to become
    generally available to all affected users, in finished, tested,
    easily installable form--even if, technically speaking, the initial
    instance of the bug was stomped out very quickly. Given the growing
    fragmentation of the open source community and the increasingly
    quasi-proprietary distributions of Linux, how could it be otherwise?
    It has to take time to get patches out.

    Consider just two cases in point: The Open Source Mozilla project
    ran three years late in development, and that was just a browser, not
    an entire operating system. Linux itself took about 7 years before
    it was even remotely ready for prime time. In the face of software
    gestations this lengthy, I think it's hard to argue that open
    source's supposed "fast fixes" actually mean much in real world

    This is a big chunk of Microsoft's problem, of course--it takes time
    to release a finished, auto-installing patch for all versions and
    builds of all affected in-use Microsoft software. This often makes
    Microsoft patches appear weeks or months after a bug comes to light.
    But as Linux and other open-source software face the same kinds of
    market problems, their pace is slowing, too. It's inevitable. The
    more complex and fragmented a software market is, the longer it will
    take for fixes to diffuse out to all builds and versions. Complex
    software takes time to write and debug: Get over it.

    Put Down Those Flamethrowers

    Don't get me wrong: I think the open source movement is a good
    thing, and I like Linux--it's running right now on two of my office
    PCs. And none of the above excuses or lessens the seriousness of
    Windows' own problems with bugs and security issues.

    But, as much as the partisans wish it were so, open sourcing isn't a
    magic solution to the problems of bugs and security issues. As Linux
    and other open-source software grow in popularity and extend into a
    fragmented, uncontrolled mass marketplace, they will inevitably have
    their own full share of bugs and security problems, same as with any
    other software.

    Anyone who tells you differently, or tries to convince you that their
    favorite operating system is somehow immune to market forces, human
    error, and plain malice, is doing both you and the operating system
    they espouse a disservice.

    Martin C.E., Sep 22, 2003

  2. Frans Meijer Guest

    The author makes the wrong comparison, the "Linux-count" includes
    patches for a wide range of applications (like Apache/PHP, gaim clients,
    mICQ etc ...) while the "XP-count" focusses on the core functionality of
    the OS.

    You could easily have checked this out for yourself by actually visiting
    those pages.
    Frans Meijer, Sep 22, 2003

  3. No OS is perfect and no OS is ever going to be perfect. But for me (note
    that I said 'for me' before you blow a gasket) there is no comparison
    between Linux and Windows. Linux is by far and away the best operating
    system I've ever used. I'd be using it right now if it was up to me what OS
    to put on this computer.
    Indigo Moon Man, Sep 22, 2003

  4. Sure. XP is a decent desktop. Microsoft in turn, isn't mature enough to
    be a real-world Internet server. Neither a Microsoft desktop nor server
    should be allowed a raw connection, un-firewalled, to the Internet.

    As for the portion of the post I left above, 1) Microsoft desktops DO
    NOT come with a compiler, as do most Linux distros, therefore, you can't
    simply "compile and install" from source code on a Windows machine
    (typically, unless you've actively added a compiler, etc) 2) Microsoft
    users, as a whole, are less likely to be computer savvy and don't have
    the experience to know "what to do" during the first hours of a 0day
    exploit. Basically, MS users need to be spoon-fed in order to know what
    to do.

    Linux, IMHO *is* a better OS, for me, a computer professional. The Linux
    desktop isn't ready for the masses, yet. Rome wasn't built in a day, but
    it's still Rome, it's still there and it will be around for as long as
    it matters.

    Colonel Flagg

    Privacy at a click:

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines "Darkness" as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Sep 22, 2003
  5. Don Kelloway Guest

    Don Kelloway, Sep 22, 2003
  6. That's an important distinction: a Red Hat distribution contains
    hundreds of packages, which for Windows wouldn't be provided by

    Additionally, outside companies, Windows is often used as
    Administrator, because it's much more convenient that way. That means
    there's not even any need for privilege-escalation---any trojan the
    user runs (by explicit execution or one of the bugs in OE) means the
    box is 0wned.

    Essentially, though, I suspect Windows is more dangerous because it's
    a monoculture. Windows XP, or (even better) Windows 2003 is probably
    a reasonably secure operating system, provided you use it safely (for
    example, as a non-privileged user, most of the time). But even then,
    95% of users are going to use Outlook Express with its default
    settings, so a bug in that can allow a worm to spread like wildfire.

    There are lessons in that for GNU/Linux users, of course. Diversity
    (while causing problems---which is why distributions tend to make it
    just a bit awkward to change window manager and so on) is worthwhile
    for many reasons.

    We should worry about trends for more and more people to use (say)
    Evolution as their email client, for example. Well, we ought to worry
    about that once GNU/Linux has conquered the world, anyway.
    Bruce Stephens, Sep 22, 2003
  7. Ted Davis Guest

    <long rant removed>

    One difference between Windows vulnerabilities and Linux
    vulnerabilities is that I get announcements of Linux updates as they
    become available, almost always before an exploit has appeared, but MS
    prefers to announce its patches on the Wednesday *after* an exploit
    or almost at the same time as the exploit. Another is that the Linux
    patches almost never break anything and the Windows patches often
    break something that doesn't even seem to be closely related to the
    vulnerability. I apply Linux patches without much thought, but I
    cringe when applying one to Windows.

    Yes, both are buggy, but there is a difference in the extent of the
    bugs: Linux bugs tend to be localized and MS bugs tend to affect the
    entire OS package, or at least large sections of it.

    As a final note, most of what you are calling Linux bugs are not in
    Linux at all, but in the GNU utilities packaged with it, so it would
    be more accurate to say that Linux has very few bugs but that there
    are many bugs in the individual GNU utilities, each of which is a
    separate program, but no one or even many of them have nearly as many
    as the one integrated Windows program. You can run Linux without most
    of the GNU utilities, but you can't run Windows without any of its
    buggy parts.

    T.E.D. ( - e-mail must contain "T.E.D." or my .sig in the body)
    Ted Davis, Sep 23, 2003
  8. Dave Guest

    It's overstated, not a fair comparison.

    Langa's conclusion that Linux is "just as buggy" as XP seems obviously wrong
    to me as a user of both systems. I use Windows XP for office and business
    stuff, and Red Hat Linux 8.0 for Python development. I like Windows for its
    usability and Linux for its openness and robust architecture. I would be
    very happy to see Microsoft fix XP, or even start from scratch with
    "Longhorn" and this time get it right. Then I could avoid the coming
    painful "migration" of all my office and business stuff to Linux. XP
    doesn't need perfect security. Just good enough that I don't have to waste
    any more time on security issues, like these last three weeks dealing with
    bugs in McAfee Antivirus and an onslaught of the Swen virus. Also, I really
    don't care about the cost of M$ software. It is insignificant compared to
    one day of my time.

    The Linux patch counts may look bad to a bean counter, but as a user I feel
    good seeing the occasional email from Red Hat when one of these patches is
    relevant to my system. It is usually some fix to an obscure problem that
    might be a vulnerability, but probably isn't. I schedule the patch
    immediately, and never think about it again. Maybe I'm wrong, but my gut is
    telling me that Linux is going to keep its high-security status, even as it
    becomes more popular among less sophisticated users, and even as it acquires
    thousands of buggy applications. I don't know if Windows will ever reach
    the level of security I need.

    Why do I think this way? I'm no expert, but here is my take. Linux / Unix
    was developed by some very bright people working independently of commercial
    pressures, and focused totally on "doing what is right" to make a robust and
    versatile operating system. Windows was developed under intense commercial
    pressures, which led to many compromises, the two most important being time
    vs perfection of code, and bundling vs modularity and clean interfaces.
    This means that Linux now rests on a very solid foundation, and Windows is a
    bloated mess that will be very costly to fix.

    Counting patches is not a good way to compare systems when one is
    open-source and the other is commercial. Open-source developers are highly
    motivated to discover and report bugs. Commercial developers report only
    the ones they have to. Red Hat should get credit, not criticism, for the
    number of patches they have provided.

    I'll bet Microsoft would pay $1B if they could just make their security
    problems go away.

    - Dave
    Dave, Sep 23, 2003
  9. Chris Guest

    Some of the new Linux distros are a bit buggy/bloated: Redhat 9, Mandrake
    9.1. They seem to have gone out of their way to make them user friendly,
    and easy to install.

    Here is an example: My friend Richie got Mandrake 8.2 I think, I installed
    slackware. We both have the same computer, same hardware. My pc was running
    at least 4 times faster than his was. BUT his was easy to install, where I
    had to do xf86config to even get to my desktop. His was pretty secure out
    of the box, slack was wide open. I had to learn how to setup IPtables and
    all that fun stuff that Newbies hate. So you have a choice, easy use and a
    sluggish machine, or something that's a bit harder to set up but runs much

    I switched over to FreeBSD 4.8 and would never go back to Linux. You can use
    the same desktops that you have on Linux, KDE/GNOME and a few others to
    choose from. BSD freaking flies. It seems to be real lean.
    Chris, Sep 23, 2003
  10. BoB Guest

    BoB, Sep 23, 2003
  11. Martin C.E. Guest

    It seems to me that XP is as close to right as Bill Gates has managed
    to get.

    And it is not a bad effort either. In fact I find that XP is
    surprisingly good. Not perfect but good enough to give the Linux
    world something to keep an eye on.

    ISTR Microsoft used some of the design team from Digital Equipment
    Corporation and ISTR that luminaries like Gordon Bell was one of

    I think it is too simplistic to say that everything that MS puts out
    is crap (not that you are saying that in your posting). Some of it
    is indeed crap. And some of it is quite good.
    Martin C.E., Sep 23, 2003
  12. :ISTR Microsoft used some of the design team from Digital Equipment
    :Corporation and ISTR that luminaries like Gordon Bell was one of

    Yes, at the time of the original NT.

    I haven't followed closely enough to know which members of that team
    are still onboard.
    Walter Roberson, Sep 23, 2003
  13. Jeff Guest

    The key phrase of an accurate comparison being that last sentence. And
    the point that the author of the test seems to have lost sight of.

    Bingo! What he really compared was many open source programs from
    multiple sources against one closed source program.

    Windows XP is an operating system only, with no added programs.
    Unless you count minesweeper and the like as added programs. :) Of those
    21 patches, do those cover all of the bugs, or is that simply the only
    patches that have been made available? (Keep in mind that just because a
    program is flawed, there is no guarantee that anyone at Microsoft has any
    intention of fixing that bug. Remember the Windows calculator bug that
    would give incorrect answers for a simple arithmetic operation? That
    existed unchanged in every version of Windows until Win95. Plus the fact
    that there were security holes in IE for years that remained unpatched by
    Microsoft as they didn't feel that it was a large enough threat to be
    bothered with a patch fix. These little details can skew the results of
    the above comparison).

    RedHat 7.2 contained several window managers, office suites, cd burning
    programs, web browsers and email programs, server daemons, and much more.
    How many of those 151 patches were for items *other* than the OS itself?
    Or for services that XP does not contain or support?

    The only way for a comparison like the one above to have any degree of
    relevance is if only the bare operating systems themselves are compared.
    Either that, or add the equivalent number and types of additional
    offerings so that the comparison is equal.

    The moral of the story is that most comparisons are biased, whether or
    not it is intentional.
    Jeff, Sep 23, 2003
  14. Fred_McGriff Guest

    This is a really old article. I have both Windows XP Pro and SUSE Linux 7.2
    installed. The logic used by the author is flawed because some of the
    Windows XP patches referred to contain multiple patches in a single file.
    People, like myself, who try to keep their OS up to date installed many more
    patches than implied by the article. I contacted the author with an actual
    count from the "readme" files for the XP Pro patches, but was ignored.
    Fred_McGriff, Sep 24, 2003
  15. Jeff Guest

    That doesn't surprise me at all, since the "Langalist" is virtually a
    dedicated Windows tweak and patch howto disguised as a newsletter. I
    really doubt that Fred Langa has even seen a Linux system in use. :)
    Jeff, Sep 26, 2003
  16. Dave Guest

    This reminds me of the reaction we got from the MIS ( IBM 360 ) staff when
    we tried to introduce Unix at a university in 1979. They showed me an
    article in "Datamation" ( I'm not sure of the title). It was a cover story
    with a cartoon on the front cover, showing the "Road to Unix", marked with
    signs reading "grep", "awk", etc. - the point being Unix is unusable because
    the commands are not in English!

    These people live in a different world!

    - Dave
    Dave, Sep 26, 2003
  17. Leythos Guest

    That's funny - I remember those days and the arguments, much like the
    ones today, about Unix, CPM, COBOL, etc.... It was amazing that we ever
    got any computing done back then :)
    Leythos, Sep 26, 2003
  18. I remember arguments about BASIC generating too much
    "spaghetti code" and the "structured languages" being better
    options for that reason. While that was true to a point, the
    BASIC programming language required the programmer to
    have a clue in order to produce efficient compiled code. The
    "structured" languages allowed programmers with less clue
    to program, and more less clueful programmers to hold jobs.
    We've traded spaghetti for swiss cheese because less clueful
    programmers have jobs where there is little or no quality
    control. Open source projects yield better code because
    there is an ongoing QC and programmers who program
    for the love of programming.
    FromTheRafters, Sep 26, 2003
  19. Just-Dave Guest

    with this I definitely agree...
    Just-Dave, Sep 26, 2003
  20. Things like, JCL, IEBGENER, and IDCAMS, are English?
    David W. Hodgins, Sep 26, 2003
