And the buggiest OS provider award goes to ... APPLE?

Apple's operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI. Cupertino's OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National …

Re: Put up or shut up

>>...because of their more standardized (imo) release process.

Where did you find any standards in Microsoft's release process???

Or did you mean the patch/update release process?

0
1
Silver badge

Re: Put up or shut up

>>"Where did you find any standards in Microsoft release process ??? Or did you mean the patch/update release process?"

I was talking about software vulnerabilities and fixes so I thought the context made it clear. Yes, I'm talking about Microsoft's more standardized release process for updates.

0
0

Re: Put up or shut up

>>I was talking about software vulnerabilities and fixes so I thought the context made it clear.

Sorry, you were talking about security in the broader sense: >>I've generally found GNU/Linux and Windows to be comparable in security (assuming competent admin in both cases)...

Since the meaning is clarified now, your

>> slight practical edge to Windows because of their more standardized (imo) release process

sounds strange to me. I would rather have a vulnerability fixed within hours or a couple of days of its discovery without any standardization than wait weeks for it when it's done once every month on a Tuesday.

Moreover, since on GNU/Linux an update of an application rarely requires a reboot of the whole system but only of the application in question, while many non-kernel MS Windows applications often need a complete system reboot, the practicality edge should be given to GNU/Linux.

Further, in the case of a kernel update, a GNU/Linux system keeps the old kernel for the user to boot into in case the new kernel is faulty, so it's hard to end up in an "unbootable MS Windows update" situation. Likewise, when almost the entire system's installs and updates (consisting of tens of gigabytes of binaries) are standardized through a single update/install mechanism (both front and back end), like apt (aptitude, synaptic, update manager) on Debian-based distros or yum on Red Hat based ones, etc., versus a tiny number of mostly MS-based software, that is a huge, fat practical edge right there.

1
1
TRT
Silver badge

Microsoft are doing better...

at hiding their vulnerabilities.

Of course, if you factor in uptake and deployment of the OS...

3
7
Anonymous Coward

Biased reporting

If you combine all the Windows versions together (as has been done for OS X) then Windows has 248 vulns, that's 100 more than Apple.

Linux puts in a very poor show of 119 for the **kernel alone**! How many more will Gnome, OpenSSL etc add to that number? F/OSS software is better? Far from it.

5
10
Silver badge

Re: Biased reporting

>>"If you combine all the Windows versions together (as has been done for OS X) then Windows has 248 vulns, that's 100 more than Apple."

Set theory is not your strong point. As pointed out elsewhere, nearly all of those vulnerabilities will be the same one present in multiple versions.

8
5
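The set-theory point above, as an added example that is not from the thread or from GFI's report: summing per-version counts versus counting distinct CVE IDs, run over constructed placeholder records (the IDs are not real CVE assignments).

```python
# Added example (not from the thread or from GFI's report): counting
# vulnerabilities per product either by summing per-version counts or by
# counting distinct CVE IDs. The records below are constructed sample data
# with placeholder IDs, not real CVE assignments.
from collections import defaultdict

# Constructed records: (cve_id, vendor, product, version).
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "microsoft", "windows", "7"),
    ("CVE-0000-0001", "microsoft", "windows", "8"),    # same bug, three versions
    ("CVE-0000-0001", "microsoft", "windows", "8.1"),
    ("CVE-0000-0002", "microsoft", "windows", "8"),
    ("CVE-0000-0002", "microsoft", "windows", "8.1"),
    ("CVE-0000-0003", "microsoft", "windows", "8.1"),
    ("CVE-0000-0004", "apple", "os x", "10.9"),
    ("CVE-0000-0004", "apple", "os x", "10.10"),
    ("CVE-0000-0005", "apple", "os x", "10.10"),
]


def per_version_counts(records, vendor, product):
    """Distinct CVE IDs per version of one product, as {version: count}."""
    by_version = defaultdict(set)
    for cve_id, v, p, version in records:
        if (v, p) == (vendor, product):
            by_version[version].add(cve_id)
    return {version: len(ids) for version, ids in by_version.items()}


def summed_count(records, vendor, product):
    """Per-version totals added up: a CVE is counted once per version it hits."""
    return sum(per_version_counts(records, vendor, product).values())


def distinct_count(records, vendor, product):
    """Distinct CVE IDs across all versions: each CVE is counted once."""
    return len({cve_id for cve_id, v, p, _ in records if (v, p) == (vendor, product)})


def compare(records, vendor, product):
    """Both numbers side by side, plus the inflation caused by summing."""
    summed = summed_count(records, vendor, product)
    distinct = distinct_count(records, vendor, product)
    return {"summed": summed, "distinct": distinct, "double_counted": summed - distinct}


if __name__ == "__main__":
    for vendor, product in (("microsoft", "windows"), ("apple", "os x")):
        print(product, per_version_counts(SAMPLE_RECORDS, vendor, product),
              compare(SAMPLE_RECORDS, vendor, product))
```

On the sample data, "windows" sums to 6 across three versions but has only 3 distinct CVEs, which is the double counting the comment above objects to.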
Anonymous Coward

Re: Biased reporting

That only becomes obvious if you go back to the original report and read the excuse the original author puts out for trying to deceive people.

If they can't be bothered to present an honest and unbiased view of the information, I can't be bothered to read their propaganda.

2
8

Numbers are irrelevant. All are completely vulnerable

The only important difference is between zero and one. Until any operating system can actually spend significant periods of time with no unpatched, in-the-wild exploited bugs, they are as bad as each other.

1
1
Silver badge
Coat

OSX and Linux

more buggy than Windows? That will ruffle some feathers.

2
0
Anonymous Coward

Re: OSX and Linux

"More buggy" maybe, but I seem to spend less time fighting it and having to fix things on it when it breaks.

A Windows license is ~$200. A day's work for me is about $250. Therefore over the course of a year, I can afford to spend a day fixing problems on Linux or spend a day's pay on a Windows license and still break even either way.

However, we know Windows is not the trouble-free experience they tout it to be; I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages, the usual hassling that I need to reboot for an update to take effect, searching around for the exact driver, troubleshooting obscure registry problems, fending off malware, etc.

Spending an extra day of my time and keeping money in my pocket to pay for food, housing, electricity and computing hardware doesn't seem like such a bad deal now does it?

1
1
Anonymous Coward

Re: OSX and Linux

"A Windows license is ~$200. A day's work for me is about $250"

A RHEL license subscription starts at $799 per year. I use Windows wherever possible. A day's work for me is about $1000. Go figure...

"I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages"

WSUS is free and manages that for you. This is a good example of why you are only worth $250 / day.

How long do you spend assessing all the security vulnerabilities for each platform? I am interrupted several times a month to look at many more Linux ones, but only once a month on Patch Tuesday to look at Windows ones...I spend far less of my time dealing with Windows updates overall.

"searching around for the exact driver, "

That's a far larger problem for Linux-based systems.

"troubleshooting obscure registry problems"

As opposed to troubleshooting problems in multiple randomly distributed text config files?

"fending off malware,"

Try running Windows and Linux based internet facing servers. The Linux ones get attacked and compromised far more often. I have never seen malware on a Windows server - only ever on a desktop. But I have seen lots of Linux based server boxes compromised to serve up malware, private FTP sites, Bit Torrent seeds, botnet CC servers, etc, etc...

2
2

Re: OSX and Linux

"A day's work for me is about $1000. Go figure."

Said the AC who could claim anything!

2
2
Anonymous Coward

Re: OSX and Linux

"A Windows license is ~$200. A day's work for me is about $250"

>>A RHEL license subscription starts at $799 per year.

Who says I buy RHEL? Gentoo costs $0. Debian costs $0. Ubuntu costs $0.

All three generally JustWork for my needs. Gentoo having the best flexibility, thus what I choose for my own personal gear. At work it has traditionally been Ubuntu, but lately we're moving to Debian for some of our appliances.

>>I use Windows wherever possible. A day's work for me is about $1000. Go figure...

"I'm more likely to spend at least a day of my time just waiting for the usual "Applying Updates, do not turn off" messages"

>>WSUS is free and manages that for you. This is a good example of why you are only worth $250 / day.

Tell me, can I get a Linux version of WSUS? We don't have a Windows server, and not being trained in managing Windows, it would be lunacy to expect me to manage one.

All the Linux boxes are happy to just do their downloads via a HTTP proxy. The downloads are cryptographically signed using GnuPG and the files are cached so they only get downloaded once. Simple, effective.

>>How long do you spend assessing all the security vulnerabilities for each platform? I am interrupted several times a month to look at many more Linux ones, but only once a month on Patch Tuesday to look at Windows ones...I spend far less of my time dealing with Windows updates overall.

apt-get dist-upgrade is usually done for me in less than 10 minutes and rarely needs a reboot. The fixes come as they're released, not when the vendor feels it's time to push an update. I apply the updates when I feel I want to, not when the vendor thinks I should.

"searching around for the exact driver, "

>>That's a far larger problem for Linux-based systems.

I have a laptop on my desk that identified 100% of the hardware from the Ubuntu LiveCD. Windows 7 64-bit OEM (self-installed, not the OEM image which was 32-bit) still fails to recognise some hardware.

I've never had a problem with server or industrial hardware; generally our concern there ends with ensuring storage, network and serial interfaces work. Then again, we're in the SCADA/energy management business, so SATA/SAS and gigabit Ethernet are good enough, and the most "obscure" we get is talking Modbus to an RS-485 bus.

Probably the hardest case I've struck was interfacing to a railway weighbridge and an Allen Bradley PLC. In both cases, it was a case of port the driver: we had the source code for the former, and we were able to get in touch with the company that did the latter. That was moving a system from SCO OpenServer 5 to Ubuntu Linux 12.04.

The biggest issue was the difference between SCO's libc and default serial settings and glibc and Linux serial settings. Easily fixed once we knew what was going on.

"troubleshooting obscure registry problems"

>>As opposed to troubleshooting problems in multiple randomly distributed text config files?

grep works with text files, not with binaries. Two places does not count as "randomly distributed" to me either. Usually they're in one of two places: $HOME or /etc.

"fending off malware,"

>>Try running Windows and Linux based internet facing servers. The Linux ones get attacked and compromised far more often. I have never seen malware on a Windows server - only ever on a desktop. But I have seen lots of Linux based server boxes compromised to serve up malware, private FTP sites, Bit Torrent seeds, botnet CC servers, etc, etc...

Have done for years. In 2001 I set up my first internet-facing server. Over the years the hardware has been replaced and the OS updated/replaced. Never had a breach.

This isn't to say my box is bulletproof, it isn't, there's no such thing. Just that I'm not a high-value target.

1
0
Anonymous Coward

Re: OSX and Linux

"Tell me, can I get a Linux version of WSUS?"

Yes - Red Carpet.

"All three generally JustWork for my needs"

But have no commercial support. If you run a real business that's generally not an option.

"apt-get dist-upgrade is usually done for me in less than 10 minutes and rarely needs a reboot. The fixes come as they're released, not when the vendor feels it's time to push an update. I apply the updates when I feel I want to, not when the vendor thinks I should."

So uncontrolled / without formal testing, tracking and evaluation then.

0
0
Silver badge

Who has paid for the survey?

I've never seen Windows without IE and it's not really possible to remove it (but surely standalone numbers look better).

1
0
Anonymous Coward

Re: Who has paid for the survey?

I don't remember IE on Windows 3.1.

0
0
Silver badge

Re: Who has paid for the survey?

Well, as far as I recall, I've never seen 3.1.

0
0
Silver badge
FAIL

Re: Who has paid for the survey?

Does any Linux distro come without a browser? Should we factor in Firefox CVEs? Over 100 vulns in 2014.

1
1
Anonymous Coward

Re: Who has paid for the survey?

"I've never seen Windows without IE and it's not really possible to really remove it "

Windows Server core install has been an option since Server 2008 - no IE at all.

3
0
Anonymous Coward

Re: Who has paid for the survey?

>>Does any Linux distro come without a browser?

Gentoo doesn't.

Debian doesn't unless you install the desktop environment.

Ubuntu doesn't unless you install the desktop environment.

OpenWRT doesn't.

Linux From Scratch doesn't.

1
0
Silver badge

Re: Who has paid for the survey?

>>"Gentoo doesn't. Debian doesn't unless you install the desktop environment. Ubuntu doesn't unless you install the desktop environment. OpenWRT doesn't. Linux From Scratch doesn't."

And none of those are the distros listed in this report. I mean, Ubuntu is, for example, but not "Ubuntu without a DE". If they're separating out Windows 8 and 8.1, then they are certainly separating out Ubuntu and Ubuntu Server.

0
0
Anonymous Coward

Re: Who has paid for the survey?

>>And none of those are the distros listed in this report. I mean, Ubuntu is, for example, but not "Ubuntu without a DE". If they're separating out Windows 8 and 8.1, then they are certainly separating out Ubuntu and Ubuntu Server.

They don't list "Ubuntu with a DE" either… They just list Ubuntu, and with Ubuntu, it is a user choice (default: enabled) as to whether a web browser is installed or not.

Firefox is generally bundled because it happens to be one of the better ones. Maybe Chromium might take its place some day. If you install Kubuntu instead, it comes with Konqueror rather than Firefox.

1
0
Silver badge

Re: Who has paid for the survey?

>>"They don't list "Ubuntu with a DE" either… They just list Ubuntu, and with Ubuntu, it is a user choice (default: enabled) as to whether a web browser is installed or not."

Then why don't you drop the author of the study a line. It is apparent to me that they meant default installs and I would imagine pretty clear to everyone else but if you think it's ambiguous just email them. They've been responding to questions pretty quickly. I'll happily backtrack if they say that they meant Ubuntu non-Server with the desktop environment deliberately unselected. But that's not going to happen.

This is a study of default installs. That's why it can include third party at all and why, as they said, they separated out the kernel as its own category.

EDIT: I say they've been responding to comments, I should say the polite ones to be clear. There are a lot of nasty and abusive comments on there which I hope they will ignore.

0
0
Anonymous Coward

Re: Who has paid for the survey?

>>Then why don't you drop the author of the study a line. It is apparent to me that they meant default installs and I would imagine pretty clear to everyone else but if you think it's ambiguous just email them. They've been responding to questions pretty quickly. I'll happily backtrack if they say that they meant Ubuntu non-Server with the desktop environment deliberately unselected. But that's not going to happen.

>>This is a study of default installs. That's why it can include third party at all and why, as they said, they separated out the kernel as its own category.

Ahh, because I'm not the one questioning whether there's a Linux distribution that ships without a web browser. That was Sandtitz 3 days ago. I gave a few examples, then you replied.

The article mainly focussed on MacOS X vulnerabilities; I challenge you to find a mention of the word "Ubuntu" anywhere in the article. As you rightly point out, they do not mention "Ubuntu Server".

They do mention a few distributions in the actual report, where they also state that the MacOS X statistics exclude Safari, so presumably they also exclude Firefox/Chromium. So the argument is entirely academic.

0
0
Silver badge

Only need to read one thing to see this "research" is worthless

They claim the Linux KERNEL has all these vulnerabilities. No, Linux distributions do, but not the kernel. Kernel exploits are extremely rare (for any kernel, not just Linux). OpenSSH may ship with Linux distributions and up Linux's count for vulnerabilities, but that is not part of the Linux kernel.

These idiots don't even know that much - they actually listed "Linux kernel" in the vulnerability listing, that wasn't (as I expected) a Reg journalist error!

1
3
Anonymous Coward

Re: Only need to read one thing to see this "research" is worthless

"Kernel exploits are extremely rare (for any kernel, not just Linux)"

Not for the Linux kernel they are not. Over 1200 vulnerabilities to date just in the Linux kernel.

http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

1
2
Silver badge

@AC

Only a moron would quote such a link without actually checking it!

Go to 2015, and look at the entries. The first one lists a security hole in Google Chrome. Somehow that's a flaw in the Linux kernel? If you look at their security list for Windows for 2015 and look at the first entry - same flaw in Google Chrome! In fact, a lot of the flaws listed for 2015 are from Chrome. That has nothing to do with the Linux kernel, or Windows since Microsoft doesn't ship it with Chrome.

In other words, your link is as stupid as the article.

2
0
Anonymous Coward

Re: @AC

"Go to 2015, and look at the entries. The first one lists a security hole in Google Chrome."

Looks like 1 month in 2015 is cross-referenced incorrectly. That's a whole 6 vulnerabilities.

0
0

Article is flawed in its numbers

OS X is various versions of OS X lumped into one while Windows is separate! Since IE is part of the OS IE should then be included with Windows OS if they want to play that game. Separate OS X or combine Windows numbers to equal things out! Same goes for Linux and iOS!!

0
0
Anonymous Coward

Re: Article is flawed in its numbers

"OS X is various versions of OS X lumped into one while Windows is separate"

No, that's like lumping Windows Service Packs together - which they have done.

0
0


Biting the hand that feeds IT © 1998–2018