News > Security

By Robert Lemos, CNET News.com
Wednesday, March 23, 2005 11:03 AM

Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

Last year, Web servers based on Windows Server 2003 had fewer flaws to fix than those based on Red Hat Enterprise Linux ES 3 in a standard open-source configuration, researchers said in a paper released on Tuesday.

Moreover, the study indicated that the Microsoft-based Web server had far fewer "days of risk"--a measure of the number of days that each vulnerability is known, but unpatched--than the open-source rival.

"All this study can do is give people pause, to say they shouldn't go with common wisdom over which platform has more security," said

Herbert Thompson, one of the three authors of the paper and the director of research and training at Security Innovations, a security applications company. The common belief is that Linux is more secure that Windows.

The paper has already caused controversy, as some details were presented at the RSA Conference last month. Previous studies comparing measures of security in Windows and Linux have also caused heated discussion.

"We believe there to be inaccuracies," Mark Cox, the leader of Red Hat's security response team, wrote about the recent study in a blog posted to the software company's Web site on Tuesday. He said that the study did not separate "critical" vulnerabilities from less serious ones, a comparison that would favor Red Hat.

Red Hat did not otherwise comment on the paper and referred requests for comment to the blog.

Counting the holes
For the study, researchers counted the fixes published for flaws in each Web server setup in 2004. In addition, they tallied days of risk, the cumulative number of days between the time information on a flaw is publicly released and the time the software developer patches that vulnerability.

A server using Red Hat Enterprise Linux ES 3 had more than 12,000 days of risk, while a Microsoft configuration had about 1,600, they said.

As for flaws, a Red Hat-based Web server with open-source Apache Web server software, MySQL database and the PHP scripting language had to deal with 174 holes in its default configuration, the study found. A Web server based on Microsoft Server 2003, Internet Information Server 6, Microsoft SQL Server 2000 and ASP.Net had 52 vulnerabilities in the default configuration.

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

Talkback 0 comments

• security protocols QA VPN, IPsec, L2TP
• Security Specialist Juniper/Internet
• Risk and Compliance Auditor
• Head of Risk & Compliance
• (Finance) Head of Risk & Compliance

TechGuides

Create your own yum repository

Learn how to create your own yum repository with the createrepo tool. One thing it allows you to do is distribute specialized packages within an organization.

Read more »

Latest from Blog Central

Unnecessary distraction

Read more »

Cutting-edge technology from premium sponsors

Monitor your Business Performance and KPIs at-a-Glance

with Xcelsius data visualization software

Interact with your data with next generation visual tools

Test Drive LIVE Dashboards

So easy to use, create dashboards in just 5 minutes

View Online Demos

Get instant access to information for effective decision making

Read Whitepaper

Brought to you by:

More Tech Showcases:

SAP Xcelsius

Oracle Technology

LG Network Monitor