Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.
Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.
"All this study can do is give people pause, to say they shouldn't go
with common wisdom over which platform has more security," said
The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.
"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.
Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.
Counting the holes
For the study, researchers counted the
fixes published for flaws in each Web server setup in 2004. In
addition, they tallied days of risk, the cumulative number of days
between the time information on a flaw is publicly released and the
time the software developer patches that vulnerability.
A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.
As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.
The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.
Play video
There are currently no comments for this post.