Study finds Windows more secure than Linux

SAN FRANCISCO — Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers at this week's RSA conference.

The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, “Security Showdown: Windows vs. Linux.” One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.

“I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical,” said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.

– Mike

Comments (9)

  1. Senkwe says:

    I guess the obvious question is…who paid for the study?

  2. Mike says:

    Why is that an obvious question (note that I don’t know the answer) – There’s a Windows and Linux guy presenting, why would the Linux guy present that the Windows Web Server was more secure unless he really believed that was the case?

    – Mike

  3. Senkwe says:

    Well it’s an obvious question because it will be the first question asked when the story hits slashdot. It’s also an obvious question because the slashdot crowd will assume the Linux guy was "bought" so to speak (expect there to be lots of digging around for proof of the guy’s incompetence with regards to Linux for example). In other words, you can’t win.

    By the way, I read a slightly different article on vnunet at which strongly implies that the study was independent. Just don’t expect that to be the OSS community consensus 🙂

  4. Mike says:

    Senkwe, thanks for the link, there are some interesting comments in the article – the article does imply that this is independent research. Some extracts below.

    "Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford. "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

    The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

    But the academics acknowledged that some intangibles, including the relative attractiveness of Windows as a target for hackers, could skew the results. Nevertheless, many attacks these days are aimed at Linux servers rather than Windows systems.

    What’s interesting here is the last comment around skewing the results, if Windows is the more attractive target then you would expect more attacks, and perhaps longer to patch the O/S – with this being the case it would appear that Linux is still taking longer to patch.

    – Mike

  5. Mike says:

    Oh, and just to follow up on the "you just can’t win" statement – I suggested a few weeks ago that developers should look at Windows Embedded operating systems and compare with Linux because of the technical merits of the operating system – it would appear in many cases that the Linux crowd wouldn’t even consider looking at Windows CE or Windows XP Embedded simply because they are from Microsoft – this makes no sense to me, if the operating systems have the technologies and services you need for your product, provide a quicker time to market, then why wouldn’t you consider them?

    – Mike

  6. Daniel Auger says:

    Although the stories are a little foggy on this, it sounds like they used nearly default settings/installations. As far as the number of patches issued goes, I think it’s more an indicator of the vulns/exploits in Linux being out in the open right away as opposed to when MS or cracker groups reveal the vulns/exploits to the public. I’d also like to see if they weighted anything on the type and severity of the problems. Were remote exploits given more weight than local?

    As someone who uses both OSes on a daily basis, I don’t really find the study to be too shocking.

  7. Thiago A. says:

    Totally wrong information on this article.. probably a Microsoft guy was trying to do some propaganda.

  8. Mike says: which strongly implies that the study was independent.