Or Windows, or all of the Microsoft products for that matter

Oct 17, 2007 10:49 GMT

According to Microsoft, one distribution of Linux passed the 1,000 security vulnerabilities milestone in just over two years on the market. Linux and the UNIX-based Mac OS are operating systems perceived as secure by default, at the opposite pole from what Microsoft offers with Windows. That perception goes as far as treating Linux not only as an epitome of security but also as a foolproof product. This is of course not the case. There is no silver bullet for security, and in this respect the code of Mac OS X, Linux and Windows is equally exposed to software design flaws.

Since Windows Vista hit the shelves in January 2007, Jeff Jones, Microsoft Strategy Director, Security Technology Unit, has been compiling monthly Operating System Vulnerability Scorecards tracking the volume of security flaws in Windows Vista, Windows XP, Mac OS X 10.4 Tiger and Linux distributions from Red Hat, Canonical and Novell. In the first seven months of 2007, Mac OS X 10.4 Tiger accumulated in excess of 130 vulnerabilities; Red Hat Enterprise Linux 5 Desktop also accounted for approximately 130 flaws; Novell SUSE Linux Enterprise Desktop 10 went as high as 145 security holes, followed by the Ubuntu distribution of Linux with over 150 and Red Hat Enterprise Linux 5 Workstation with 180.

Of course, the raw number of vulnerabilities is by no means a comprehensive measure of security. In fact, security flaws are merely one aspect of the overall level of protection delivered by a specific product. Security is essentially a combination of several factors: code quality (the absence of vulnerabilities), an immature threat environment (the absence of malicious code written for a piece of software or a platform), and a market position that attracts few or no exploits. Although Linux and Mac OS X are affected by a substantial number of vulnerabilities, there is virtually no malware targeting the two operating systems, as both platforms have a small market share. The same is not true for Windows, which dominates over 93% of the operating system market.

However, Jones downplayed Linux security, underlining the sheer number of vulnerabilities patched by Red Hat in just over two years for a single distribution of the Linux operating system. "According to my calculations, in July 2007, the Red Hat Enterprise Linux 4 team fixed their 1000th unique security vulnerability. Now, 164 of these were Low severity and 479 were Medium severity, but still, that is a ton of work accomplished by that team, especially given that the product only shipped in February of 2005. To put that in context, (again by my calculations) Microsoft has fixed only 649 security vulnerabilities for all supported products across the company since the year 2000," Jones stated. (emphasis added)