Computer Science Canada 
 The safest OS?
rizzix




PostPosted: Sun Jan 08, 2006 5:27 pm   Post subject: The safest OS?

Yep, check out this article: http://www.technewsworld.com/story/48145.html

Kudos to windows!
Hikaru79




PostPosted: Sun Jan 08, 2006 7:33 pm   Post subject: (No subject)

That's the worst possible way to make a conclusion. Those are counting REPORTED bugs. If Microsoft is known for anything, it's for NOT announcing its bugs. The WMF vulnerability has actually been known among the Bugtraq community for about 7 months before it became exploited enough for MS to take notice -- and look what's happened now. It's even in the mainstream media.

Overall, the comparison of counting bugs on a sort of tit-for-tat scale is stupid. MS should simply never announce or fix or admit to bugs, and then they'll be INVULNERABLE! Very Happy
MysticVegeta




PostPosted: Sun Jan 08, 2006 7:49 pm   Post subject: (No subject)

The article is just full of BS. I 2nd that Hikaru.
Dan




PostPosted: Sun Jan 08, 2006 10:16 pm   Post subject: (No subject)

Arg, so many things wrong with this. You can not rate a system's security based on the number of exploits reported. This is extremely unscientific for a number of reasons:
1. Most Linux/Unix distros are open source, meaning that it is a lot easier to find, report and fix exploits in the software. Also such bugs will be found and fixed faster since anyone can do so.
2. There are a lot more versions of Linux/Unix distros than there are of Windows. Each distro can have different software and slight changes to the code, each having the possibility of adding new security flaws, thus making the number way higher than Windows. (It would be like comparing how many times one person makes a mistake to 100 people; of course 100 people will make more mistakes than one.)
3. As mentioned above, Linux/Unix reports their bugs openly and Windows does not, also changing the stats.
4. I could have an OS with 1000000 flaws, but if they are fixed it is still better than a system with 10 that are not fixed.

Now if we look at the systems in a way not based on a meaningless number, we will see fundamental differences in the way they are set up. Linux/Unix systems normally (if not almost always) run with limited users, and the root user should never be used (unless with a sudo command or setting things up at first). This way, even if there is a security flaw and a user account is compromised, their control over the system is limited and can not affect the system as a whole, though the user account may be lost. Windows has tried to copy this in XP but has failed, since Windows programs are not made to run as a limited user and force people to run normal activities on an administrator account.

In addition, I really question the knowledge of the person writing this article; I mean, they even admit to the fact that these numbers they keep stating are meaningless in the article. Honestly, I think the idea of this whole article was just to get people to go to their site; it contains no real information and does not even look into the security of the systems at all.
Computer Science Canada Help with programming in C, C++, Java, PHP, Ruby, Turing, VB and more!
wtd




PostPosted: Sun Jan 08, 2006 10:25 pm   Post subject: (No subject)

There's also the issue of severity of vulnerabilities, and how widespread they are.
[Gandalf]




PostPosted: Sun Jan 08, 2006 11:58 pm   Post subject: (No subject)

Indeed. Some Linux distro could have 200 vulnerabilities, and yet the likelihood of someone exploiting it is minuscule, unlike if someone found a vulnerability in Windows. Also, those exploits would be found and fixed at a much faster rate than any Windows security hole. Besides, if something is open-source of course people are going to feel better reporting a bug to the developers than to some huge corporation to whom your report is likely meaningless.
rizzix




PostPosted: Mon Jan 09, 2006 2:33 am   Post subject: (No subject)

Hacker Dan wrote:
You can not rate a system's security based on the number of exploits reported.
Actually this proves to be a better way to test a system's security. If an exploit is fixed it is no longer reported, but if it isn't it adds to the exploit count. Basically the OSes with the largest count have the greatest risk to be attacked.
Dan




PostPosted: Mon Jan 09, 2006 7:19 am   Post subject: (No subject)

rizzix wrote:
Hacker Dan wrote:
You can not rate a system's security based on the number of exploits reported.
Actually this proves to be a better way to test a system's security. If an exploit is fixed it is no longer reported, but if it isn't it adds to the exploit count. Basically the OSes with the largest count have the greatest risk to be attacked.


I believe I posted several reasons above why your statement is untrue, and wtd and Gandalf added to them......
Tony




PostPosted: Mon Jan 09, 2006 11:25 am   Post subject: (No subject)

Well as the article admits
Quote:

It should be noted that US-CERT did not distinguish between Unix/Linux vulnerabilities and OS X vulnerabilities.

So... anything based on Unix is grouped together.. If one really wanted to fudge those numbers, you just report a kernel bug as 1*number_of_linux_distros Laughing Throw in BSD (since it's a UNIX clone) in there... and then all variations of that.. Confused

Microsoft tends to conceal news of their exploits until it spills into media.. even then Microsoft has a history of delaying patches, sometimes in favour of grouping updates together as to reduce the total quantitative number of patches released.
Latest from compsci.ca/blog: Tony's programming blog. DWITE - a programming contest.
wtd




PostPosted: Mon Jan 09, 2006 1:27 pm   Post subject: (No subject)

[Gandalf] wrote:
Indeed. Some Linux distro could have 200 vulnerabilities, and yet the likelihood of someone exploiting it is minuscule, unlike if someone found a vulnerability in Windows. Also, those exploits would be found and fixed at a much faster rate than any Windows security hole. Besides, if something is open-source of course people are going to feel better reporting a bug to the developers than to some huge corporation to whom your report is likely meaningless.


As to severity, is it a "someone has to have their hands on your computer, know your password, and enter a very specific series of obscure commands, and then they can change your desktop background image" exploit, or is it a, "if you're running Windows as it ships out of the box, and you click on this link on a web page, it'll hose your system" exploit.
md




PostPosted: Mon Jan 09, 2006 5:16 pm   Post subject: (No subject)

Tony wrote:
Well as the article admits
Quote:

It should be noted that US-CERT did not distinguish between Unix/Linux vulnerabilities and OS X vulnerabilities.

So... anything based on Unix is grouped together.. If one really wanted to fudge those numbers, you just report a kernel bug as 1*number_of_linux_distros Laughing Throw in BSD (since it's a UNIX clone) in there... and then all variations of that.. Confused

Microsoft tends to conceal news of their exploits until it spills into media.. even then Microsoft has a history of delaying patches, sometimes in favour of grouping updates together as to reduce the total quantitative number of patches released.

It's worse than that as they don't make an effort to make sure the same bugs aren't counted twice. Nor does it say if the bugs were in the kernel or in the toolset which runs on top of the kernel. The stats from the article are pretty much useless.
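
The counting problems raised in the posts above (one flaw reported once per distribution, no de-duplication, no weighting by severity or patch status), as an added example that is not part of any post. The advisory rows, flaw ids, source names and family names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed advisory feed: (source, flaw_id, severity 0-10, patched).
# The same kernel flaw is listed once per distribution that ships it.
ADVISORIES = [
    ("distro-a", "FLAW-KERNEL-1", 7.0, True),
    ("distro-b", "FLAW-KERNEL-1", 7.0, True),
    ("distro-c", "FLAW-KERNEL-1", 7.0, True),
    ("bsd-x",    "FLAW-IMGLIB-2", 5.0, True),
    ("distro-a", "FLAW-IMGLIB-2", 5.0, True),
    ("distro-b", "FLAW-TOOL-3",   2.0, False),
    ("vendor-w", "FLAW-IMAGE-4",  9.5, False),
    ("vendor-w", "FLAW-SHELL-5",  4.0, True),
]

# Constructed grouping: many sources lumped into one family versus one vendor.
FAMILY = {
    "distro-a": "unix-like", "distro-b": "unix-like",
    "distro-c": "unix-like", "bsd-x": "unix-like",
    "vendor-w": "single-vendor",
}

def summarize(advisories, family_of):
    """Return {family: {"raw", "unique", "open_severity"}}.

    raw           - advisory rows, the figure a headline count uses
    unique        - distinct flaws after de-duplicating by flaw id
    open_severity - summed severity of flaws still unpatched somewhere
    """
    rows = defaultdict(int)
    flaws = defaultdict(dict)  # family -> flaw_id -> (severity, patched everywhere)
    for source, flaw_id, severity, patched in advisories:
        fam = family_of[source]
        rows[fam] += 1
        prev_sev, prev_patched = flaws[fam].get(flaw_id, (0.0, True))
        flaws[fam][flaw_id] = (max(prev_sev, severity), prev_patched and patched)
    return {
        fam: {
            "raw": rows[fam],
            "unique": len(flaws[fam]),
            "open_severity": sum(s for s, p in flaws[fam].values() if not p),
        }
        for fam in rows
    }

if __name__ == "__main__":
    for family, stats in summarize(ADVISORIES, FAMILY).items():
        print(family, stats)
```

On this constructed data the lumped family has three times the raw count of the single vendor, but only three distinct flaws and a far lower unpatched severity total.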
Rasta Fella




PostPosted: Thu Jan 12, 2006 5:00 pm   Post subject: (No subject)

Sounds "fishy"....no bugs....microsoft???!!!!

Page 1 of 1  [ 12 Posts ]