Windows closing the Linux gap?

Garikai Dzoma Avatar
Microsoft

MicrosoftI thought it wise to start with a disclaimer: This is not a Windows vs. Linux article. God knows enough of those have been written much to the chagrin of penguin lovers. It just seems to me like Linux is slipping it terms of their bug swatting vigilance. That or Microsoft’s bug killing team is quickly closing the gap with ever increasing attentiveness. I am not referring to FUD funded propaganda stories like these by the way.

Last year it took an unusual amount of time for Kernel Developers to discover a sneaky kernel bug: someone had used the Hex identifier “0x0B00B135“. Harmless as it may be it makes you wonder how long it would take people to hunt down some of the more subtle critical bugs. True, the offending kernel code mentioned above was a cheeky joke submitted to Linux kernel developers as part of the (Virtualization) kernel code which came from Microsoft. However, since one of the most advertised strengths of Free and Open Source Software is its openness which makes it easier to audit and therefore rid it of bugs the argument that this was sabotage by Microsoft does not carry.

In 2005 Gael Delalleu discovered a critical kernel bug that enabled users to gain root privileges on Linux machines that had a graphical installation. He was not one of Linux’s big daddies so his discovery was thrown to the dog pile and wallowed there for 5 years! Five years as Linux users sat on a ticking kernel bomb. After half a decade Rafal Wojtczuk, one of the kernel inner circle monks with an unpronounceable names, discovered the bug and it was fixed within 48 hours. The fiction that anyone can submit a kernel patch is just that fiction. Linux Kingpin Linus Torvalds has quite the temper and does not mince words and even the most experienced kernel developers have not been spared: He recently told one of them to “shut the F**** up!”  Patches have to be absolutely perfect as a result most people just patch their own machines and forget about it thus eliminating the million people bugs army argument.

According to a recent report by the security firm Trustwave: Vulnerabilities in the Linux kernel fixed in 2012 went unpatched for more than two years on average, more than twice as long as it took to fix unpatched flaws in current Windows Operating Systems. This has been blamed on the distributed nature of Linux which makes it difficult to roll out patches from a centralized repository. A lot of unnecessary steps are involved when a bug is being fixed in say Ubuntu. A developer submits a patch to the maintainer of the affected component say USB drivers, the maintainer cleans the code and merges it into the kernel tree- all these are critical and essential steps. The maintainers of different distributions then obtain the patch and try to modify it to fit their own kernel customizations before placing it into the repository. Different users have different update cycles and so it might be minutes or years if ever before an update is installed. A laborious cycle with the average result being that it takes 857 days to close a patch in Linux as compared to the 375days in Windows! This report is not on all vulnerabilities just Zero Days.

To be fair Windows has come a long way from those unstable versions of Windows 95 that were mere GUIs sitting on DOS. Windows XP was everyone’s darling even with its numerous warts and all. With Windows 7 and in 2012 Microsoft really took it up there. For the first time according to Kaspersky no Microsoft software made it into the top ten of vulnerabilities list. Instead Adobe’s Flash player, Shockwave and Reader all made it into the list. So did Oracle’s Java and your beloved ITunes player. In fact Adobe’s cross platform flash player and Oracle’s Java have compromised Linux.

So is Linux slipping or is Windows becoming more secure and closing the gap? It could be either or both or neither. For example Linux lovers might simply write the whole thing off as another conspiracy. Microsoft inserted the “BigBoobs” in the midst of zillions of lines of code in a bid to discredit Linux. As for the Trustwave report mentioned above maybe the vulnerabilities fixed did not really touch Linux and or maybe Microsoft just doled out a busload of worthless updates for mistakes they deliberately made so as to boost their image in the eyes of security experts. Finally perhaps the reason why there is no Microsoft product in the Kaspersky list is due to Steve Ballmer having lunch with one of the executives.

So what is your verdict is Windows becoming more secure whilst Linux is slipping? Or is it something else entirely?

39 comments

  1. bluelightzero

    This article is FUD.

    Linux is distributed to all distros which is then compiled and sent to desktops. I get them all the time.

    Microsoft bugs on the other hand go unnoticed much longer. 

    What I say? Where is your proof?

    1. Garikai

      Since you are rejecting the whole article I do not know what kind of proof you want. Anyway I will attempt to be useful. I dual boot 12.04 and Win 8. Windows my computer checks for updates every start up and installs them automatically as per default settings. 12.04 simply starts update manager and informs you of the updates. Changing this behavior to install updates is asking for trouble though since one can never really foretell what will happen what a Grub2 or Kernel update will do. It could ruin everything. I love linux but even you will admit not all distros are the same. For example the bug described in the article was fixed in Suse as soon as it was discovered. (5 years b4 it was fixed in the kernel.)

      1. bluelightzero

        I have been updating for a year strait and the only problems I have had are purely preferences.

        How much do you get payed to write this garbage?

        1. Garikai Dzoma

          Y the usual. Surface tablets, win 8 phones and XboX games. 🙂

        2. mk

          Yes everyone wants to read the kernel source code and apply patches using the patch command before running make and make install. Oh wait what about kernel recompilation. Trust me sir u have been lucky that nothing breaks during updates.

  2. Tapiwa ✔

    Article starts of with

    This is not a Windows vs. Linux article

    , but ends with

    So what is your verdict is Windows becoming more secure whilst Linux is slipping?

    Did the intention change somewhere in the middle of the article, or was the author trying to be disingenuous?

    Applying a bit of critical thinking says the only difference is Microsoft’s bug-list is not visible to the world. Yes, Windows’ security has improved as of Longhorn, but that doesn’t mean Linux security has slipped – why can’t both have improved? That’s a false dichotomy.

    1. Garikai

      I respect your opinion but still feel this is not one of those general “Linux vs Windows article” those tend to be accompanied by emotional screaming in the comment sections usually with words like “evil” and “cavemen” somewhere in the mix. The first line is meant to preclude such raving whilst the last line defines the scope in which the Linux Windows comparison rather than the word versus which implies something is going against something. I will have to admit the word versus itself also means contrasting but that meaning is secondary. I would be inclined to believe that I have at least achieved some success in eliminating some of rantings as your calm logical analysis and the very rational comments in this article seems to suggest.

    2. mk

      Yeah maybe both improved.

  3. Tapiwa ✔

    <sarcasm>That’s probably why 94% of the world’s fastest supercomputers run Linux… I can’t believe they spend millions on hardware and skimp on the OS </sarcasm>
    https://www.linux.com/news/enterprise/high-performance/147-high-performance/666669-94-percent-of-the-worlds-top-500-supercomputers-run-linux-

    1. Garikai

      Sigh! Your arguments are wild, strange and not backed by evidence! Linux is not user friendly and it’s easy to create a virus for Linux are the most outrageous things I have ever heard. Can you please provide us with facts to justify this.

      1. siya

        Talk about the pot calling the pot black. You decorated your article with a number of links but there is nothing that suggests there is some closing of a gap or slipping. You’re just as guilty

        1. mk

          Well I think he did; just click on the word Trust wave. I do not agree with the assertion myself.

        2. Garikai Dzoma

          To be fair even you wld have to admit the Blue Screen of Death has become less common and Windows 7 was a drastic improvement in terms of security. Besides one of the articles quoted http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/ does justify my asking the question as you will note the title is a question not an assertion as @disqus_NZz2WjG6zB:disqus claims

    2. mk

      And I have a supercomputer in my basement that I use to watch movies and surf the internet.

  4. Anand Radhakrishnan

    http://lwn.net/Articles/400746/ – Linux Weekly Network had an article published couple of years backabout the vulnerability. Linus style of kernel administration is well-known and there is no reason to fuss about it. I have read the whole debate in /. and all in the community know that he runs a tight ship for good reasons.

    http://www.zdnet.com/linux-windows-and-security-fud-7000011417/ – looks like Trustwave as a Co is not all that trustworthy.

    1. Garikai

      The linked LWN article states “The problem was discovered by Rafal Wojtczuk..” It conveniently omits to state that the vulnerabilities had been discovered 5 years earlier. Which is my point exactly the elitist approach adopted in the Kernel Team might lead to some patches being ignored even if they are critical.

      1. tinm@n

        Linus has faced alot of criticism because of that elitism. There are merits to it and disadvantages too. I am in the camp that agrees that the Kernel should not have rapid release cycles, which would likely occur if dev was readily open to other developers.

        1. Garikai

          I have to agree. The elitist approach works well but it limits the pool of available talents to a select few even if there are other capable programmers out there. I guess Stallman’s FOSS ideology is just a dream.

  5. Concern Shoko

    Just try to run and mantain a windows server on the internet and you will come and delete this article.

    1. macdchip

      He is a keyboard warrior, a rubble raiser with no real world wounds.

  6. macdchip

    Our MS servers are only used for lighter loads like domain controllers and all jobs for small boys.

    We chew some serious terabytes of data everyday copying and working with it live on network.

    We couldnt do it before we took Linux server isilon http://www.emc.com/industry/energy-solutions/oil-and-gas/exploration-production-oil-gas.htm because windows was not able to handle it. We had to copy everythin local

    Do yu ever wonder why cern public.web.cern.ch/public/ have chosen linux as there OS, l understand them from experience

    1. Garikai

      Thanx 4 the feedback. You will note that I did not say Windows is better than Windows! I am wondering whether Windows has improved to narrow (not close) the security gap between itself and Linux. There are many reasons why Linux is more suited for the bigger tasks or even the desktop I am not even arguing against that.

      1. bluelightzero

        No. Just shoot the diseased ash cow.

  7. tinm@n

    Zero Days usually go unreported within the ERT circles because they are big money. In the underground, they are the basis for new viruses and vectors of attack. Whether it is MS or Linux, having a better record of patching 0-day vulnerabilities is in no way a reflection of just how secure the OS is. Just relflects how many disclosures there are on the vulnerabilities.

    Historically MS has been the most vulnerable. It, improving its patching frequency of critical vulnerabilities is a good thing. Actually its expected. The other side of the coin could mean that it is also getting more vulnerable.

    Highly biased article though. Despite a vain attempt to distance yourself from being impartial

    1. Garikai

      I appreciate your contribution but you should note that the title is presented as a question. I am wondering is the gap still as wide as it was between Windows and Linux? No doubt Windows has improved. But has Linux slipp ed to narrow the gap? The infamous “Windows is targeted because it’s popular” theory is certainly significant but not as foolproof as you think. Servers are critical points of weakness highjack a server and people whatever OS system the user uses you can steal their private data e.g. you can steal Credit Card numbers without the user being wiser. Indeed you can use the same server to distribute malware based on the user agent string presented by the browser.

      1. tinm@n

        The infamous “Windows is targeted because it’s popular” theory is certainly significant but not as foolproof as you think.

        Theory? Numbers and simple logic. Higher market share = higher likelihood of direct user-targetting attacks. Its is a null argument and is fact

        Bill Gates himself said:
        “Of course we are the largest target, simply because we have the most widely disseminated system”

        1. mk

          You are quoting William Gates; really? It’s like when people asking you if you think you are smart. Of course you think you are smart!

        2. Garikai Dzoma

          A Theory is a contemplative and rational type of abstract or generalizing thinking, or the results of such thinking.

          1. tinm@n

            You’re still not getting it. The numbers(in Windows desktop adoption) attract motivation(from malicious people) to find vulnerabilities in the software, which will always be found. No piece of software(desktop,server or other) is 100% secure.

            1. Garikai Dzoma

              I understand what you are saying. Windows is the most popular OS (numbers) and it is also the most infected. You say that it is because hackers target it more often because it is popular and as a result much more profitable. I am saying that is one explanation for the scenario. There could be another explanation: I question the profitability in numbers model by pointing out that Linux servers are high value targets. Which would you rather have a million Windows machines or the paypal server? It would be reasonable to conclude that perhaps the reason why Windows is so often infected is because it is less secure than Linux (which as you point out is not 100%.) People cannot attack a Linux server without considerable skills.It can be concluded therefore that the popularity of Windows has no bearing to its being a target.

  8. JamesM

    Thanks Garikai the cheque is in the mail love Steve Balmer, keep up the good work!

    1. Garikai

      Oh thank you James. I love M$! Just please dont tell him I am using Mark’s awesome Latest LTS. Those late night phone calls to Redmond can get very awkward. 😉

    2. Garikai Dzoma

      Oh thanx James! Please dont tell Steve that I am using Mark’s lovely LTS these days. Those late night calls to Redmond might become awkward.

  9. fiend

    Just rambling FUD. A collection of several articles and made it your own.

    1. Garikai

      Hi, I am a schizophrenic! I been off my meds I am very sorry for the trouble I caused by laying it out as it is. Rest assured it will happen again. I hope I have been of great assistance to you.

    2. Garikai

      I am a diagonised schizophrenic. I apologize for causing you trouble by asking questions and laying out as it is.

    3. Garikai Dzoma

      I am a digonised schizophrenic. I apologize for the trouble I caused for laying it out as it is and asking questions.

    4. mk

      now if the truth is FUD then it is what then this is FUD.

  10. mk

    Some pple just think criticizing Linux and pressing Windows is FUD. Grow up!

Join Waitlist We will inform you when the product arrives in stock. Please leave your valid email address below.