About a year ago, I wrote a column about which platform -- Windows or Linux -- could claim bragging rights for the richest, most functional security tools. That's a worthy award, but having good security tools is only part of the game here. In light of recent events, a more timely and significant question might be: Which is easier? Patching Windows or patching Linux.
"Days of risk" is defined as the number of days between a public announcement of a security vulnerability and its first manufacturer-issued patch. Forrester Research Inc. released a report last spring measuring days of risk, the percentage of the vulnerabilities actually patched and the percentage of the vulnerabilities rated as "high" by the U.S. government's National Institute for Standards and Technology's ICAT project.
Forrester, which is based in Cambridge, Mass., found that Microsoft did the best job of releasing patches quickly and making a thorough effort at patching all vulnerabilities. However, the margin was slim, and leading Linux distributions like SuSE, Red Hat and Debian obtained 97% and 99% numbers against Microsoft's 100% (the company patched all public vulnerabilities during the period of examination). Forrester was quick to point out that it was almost equally easy to apply said patches among all the operating systems. One notable quote: "The bottom line? Any of these platforms can be operated securely," said Laura Koetzle, a senior analyst with Forrester.
There are many, many reports -- most of which conflict in some way with all the other reports -- circulating these days about how many serious vulnerabilities there are in Windows vs. Linux. And it's hard to get a true, apples-to-apples count because there are so many different distributions of Linux, all with different software. Do you count a vulnerability in Evolution against Novell's Linux Desktop product? Or do you count it against Linux in general? What about a vulnerability in one particular service that one distribution installs by default and the other doesn't? And do you count IIS (Microsoft Internet information server) vulnerabilities against the Windows core product? How about Office problems?
It's a muddy issue with muddy results, and it's not likely to get clearer anytime soon. So instead of arguing about Microsoft versus open source operating systems, let's take the essence of the problem and try to work with and apply the conclusions we come up with. To me, it boils down to two questions:
- Which platform requires more patching?
- On that platform, is patching easy enough to make up for the fact that it's required in the first place?
The answer to number one, I think, is Windows any way you look at it. While the number of vulnerabilities is in dispute, the majority of desktops in a corporate environment run Windows, so even a couple of distinct vulnerabilities require waves of patching. It is either more Windows PCs with fewer vulnerabilities, or more with more. Either way, Windows requires more patching.
As for number two, Microsoft has improved the patching process by leaps and bounds over the way it used to be. Do you want direct control over updating? Install Windows Server Update Services, approve patches and set up a group policy object directing your computers to that machine. You can target systems or groups of computers or set up staging. Once you set it up, it's a cinch. Of course, there's always Microsoft Update for smaller networks and home users, and SMS 2003 for big networks with more concerns than just patching Windows and Office. Patching can be pain-free. On Linux, where is the distributed patching mechanism? And is it this easy?
My answer to those questions: I don't know, and I doubt it.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book RADIUS (O'Reilly & Associates) is a guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. Ask Hassell a hardening Windows question today.
Toby O. writes: Just a comment on your Windows vs. Linux patching article:
As background, I manage 350+ machines through SMS 2003. I have done workstation management (builds, patching, updates, application deployment, etc.) for over 9 years now (much of that using SMS 1.2 SP4 with NT 4.0, but more recently with SMS 2003 SP1 and Windows XP). My turnaround time on Patch Tuesday is usually around 4 hours. I have a fairly strong handle on DSUW in SMS, deal with patching for all the applications I have deployed, etc. My Linux experience is limited to having run Linux on one of my home machines since I was in college in 1993.
I currently run Fedora Core 4 on my home server, and patching under FC4 is trivial. If you don't want to keep a human in the loop, you simply turn on automated patch deployment and it will check nightly for updates. As it is, I prefer to stay in the loop, so I have a simple cron job that runs nightly to look for patches and it lets me know if there is anything required. When there is, I simply run "yum update," answer yes, and I'm done.
That said, I do see considerably more updates with FC4 than I do for Windows. On the other hand, because I don't run any non-FC4 software on that box, I don't have to worry about checking for patches from other sources. With Windows, I have to keep on top of SunJRE updates (can't use the automated system since I don't run with local Admin), Adobe Reader, Real Player, WinAmp, Office, Flash, not to mention the OS updates. With FC4, everything I use is included in the core package system or in the FC4-extras collection, and so the patching for all of that is covered by the same system. That makes the constant stream of security updates much easier to deploy.
If I ran FTP, SSH, HTTP, HTTPS, IMAPD, and WebMail on a Windows box, I'd have to be checking weekly for all of those services to see if there were security updates. With FC4, I get all of that in one patch/update distribution mechanism.
While the Windows world has made dramatic advances in the last year, there are still plenty of headaches. The last three Patch Tuesdays have been marred by Microsoft screw-ups (false alarms in the MSSecure.xml file for June, a mis-signed MSSecure.xml file for July, and a mis-signed IE patch posting for August) that cost me valuable time frantically retrying downloads over and over again in the hopes that Microsoft would finally fix their packages.
In the future, before making claims about Linux, you might spend a little more time investigating. Both the Windows and Linux worlds have much to learn from each other.
Thanks for the comment, Toby. I still stand by what I said, though, but it's nice to hear other varying viewpoints. I never meant the piece to be expository or investigative, just a passing along of my opinions.
More information from SearchWindowsSecurity.com
This was first published in August 2005