Re: Windows vulnerability vs Linux vulnerability [Re: Would a firewall

From: Lars M. Hansen (
Date: 05/06/04

Date: Thu, 06 May 2004 11:20:23 -0400

On Thu, 06 May 2004 10:20:40 -0400, Rowland spoketh

>1. Windows has far more security problems than Linux or other Unix
>variants. Microsoft's defenders have about half a dozen excuses for this
>and none of them impress me.

Last time I counted, which is about 2 years ago, Red Hat 7.x had just
about as many security patches as Windows 2000, and that's only counting
the core components, not stuff like Exchange and sendmail, Apache and

The Linux defenders seem to jump on the "Microsoft is worse" bandwagon
pretty fast as their main defense, and that doesn't impress me much
either. It simply shows a lack of understanding on how to properly
secure a Windows computer.

The biggest issue isn't Windows Network administrators, it's the home
user who just got his/her computer from Dell or Gateway, and just plugs
it in without knowing that things are not kosher. I admit (as both a MS
and Linux proponent) that there are default settings in Windows that are
plain and simply set wrong. Services are running that in most cases
shouldn't be and registry settings that could prevent some exploits are
not set correctly. The registry fix for the recent DCOM vulnerability
takes about 10 seconds to fix (plus reboot)...

>2. Linux and other Linux variants have many vulnerabilities. Fewer than
>Microsoft's operating systems, but still too many.

See above.

>3. The majority of Linux/Unix vulnerabilities have to do with buffer
>overflows. So do a large chunk of Windows vulnerabilities. So there
>are two problems here: Microsoft, and buffer overflows.

No, the problem is bad programming by everyone. Unless programmers
suddenly get perfect overnight, we'll end up with buggy software on all

>4. The solutions to both these problems, are simple, but not easy. The
>solution to the Microsoft problem is to migrate to non-Microsoft
>software. That's best done gradually. Start by running open source or
>Java software on a Windows OS, get comfortable with that, and only then
>switch to a non-Windows OS. The solution to buffer overflows is avoid
>running software that's been written in C or C++. C and C++ are what
>enable buffer overflows. They're a pointer-based family of languages,
>and stray pointers are behind all buffer overflows. The trouble is,
>nearly all the high performance Internet software out there is in C.
>The Microsoft monoculture has got to go. And C/C++ have got to go, or
>at least be used for far fewer things.
>Anyway, that's my opinion.

The solution to a broken tailpipe is never to throw away the car, but to
seek out someone who knows how to fix it. For larger organizations to
migrate away from Windows is too expensive. The sheer cost of retraining
everyone to use a new operating system and new software is not
something that many companies would be willing to eat.

There is nothing wrong with C or C++, only with how some people write
their code. Seems like too many people have gotten some bad habits with
regards to static vs dynamic buffer lengths...

Lars M. Hansen
(replace 'badnews' with 'news' in e-mail address)
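The "static vs dynamic buffer lengths" point above, as an added C example that is not part of the original thread: a fixed-size buffer filled by an unchecked copy, beside the two habits that avoid the overflow (check the capacity, or size the buffer from the input). NAME_MAX, the function names and the sample strings are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* assumed "typical" size for the static buffer */

/* The bad habit: a buffer sized for expected input plus an unbounded copy.
 * Any input of NAME_MAX or more bytes writes past buf (undefined
 * behaviour). Kept only to contrast with the two fixes below. */
void greet_unchecked(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);          /* no length check: the classic overflow */
    printf("hello, %s\n", buf);
}

/* Fix 1: keep the static buffer but enforce its capacity. Returns 0 on
 * success, -1 if the input (plus NUL) would not fit; rejecting is safer
 * than silently truncating, which just moves the bug downstream. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0 || n >= cap)
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the terminating NUL */
    return 0;
}

/* Fix 2: size the buffer dynamically from the input instead of guessing.
 * Caller frees the result; returns NULL on allocation failure. */
char *copy_dynamic(const char *src)
{
    size_t n = strlen(src);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, n + 1);
    return out;
}

int main(void)
{
    char buf[NAME_MAX];
    const char *longname = "a-constructed-name-longer-than-sixteen-bytes";
    printf("bounded short: %d\n", copy_bounded(buf, sizeof buf, "rowland"));
    printf("bounded long:  %d\n", copy_bounded(buf, sizeof buf, longname));
    char *d = copy_dynamic(longname);
    printf("dynamic: %s\n", d ? d : "(alloc failed)");
    free(d);
    return 0;
}
```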