Oh? Even more surprising, Aberdeen Group reckons that there have been no viruses and Trojan horses affecting Microsoft products this year, and that the Redmond IT giant’s poor security track record is due to “popular misconception” and that it’s a “myth”.
The report is free, but you have to register at Aberdeen Group’s website to read it. And read it you should, if you’re involved in open source in any way, as the report is likely to be quoted to you.
Has your head finished spinning yet? Somehow, Aberdeen Group jumped to the above conclusions by looking at data from a single source only, namely from Carnegie Mellon University’s Computer Emergency Response Team, CERT.
I guess it all depends on how you count things: tallying up the open source items in the CERT summaries for 2002 shows that there are currently 17 advisories issued that affect open source software. Microsoft software accounted for seven advisories, with Sun and other proprietary vendors making up for the rest (31 in total).
Is it really that simple then? Just group all the open source developers and software houses into one homogenous entity and compare them to Microsoft, and conclude that the latter has won the security battle because one source says there haven’t been quite as many security incidents this year?
Of course not. The devil’s in the details here, and the Aberdeen report makes no effort to look at how serious each vulnerability is and how many users it affects. I’d speculate that an exploit that allows worms to propagate via Internet Explorer and internet-enabled Windows programs on millions of non-IT savvy users’ desktops is far more serious than a hard-to-exploit buffer overflow in a DNS resolver library on systems in the hands of (one hopes) more seasoned Unix admins.
Even a casual perusal of the CERT summaries reveals that in 2002 we’ve had the BadTrans, SQLsnake and Kaiten worms (although BugBear isn’t mentioned for some reason), and we see advisories such as “multiple vulnerabilities in Microsoft IIS” listing no fewer than 10 separate vulnerabilities. Windows security bod Thor Larholm reckons there are 31 unpatched security holes in Internet Explorer alone, making me wonder how on earth the Aberdeen Group could with good conscience give Microsoft the security crown.
However, there are some concerns for open source software users that should have been highlighted in the report but aren’t: this year, there have been three Trojan horses affecting commonly used open source software (OpenSSH, Sendmail and tcpdump/libpcap).
It’s not the first time that Trojanised open source software appears (remember Wietse Wenema’s tcpwrapper?), but the increased frequency is a worry, and a real pity — you can no longer afford to be naïve and assume that what you download is safe, even when it comes from the official distribution/mirror sites. Some form of package verification beyond MD5 sums and PGP signatures is urgently needed.
Toward the end, the authors of the report undermine the initial premise that Microsoft rules the security roost by stating that “One of these realities [of internet computing] is that no one vendor or supplier is more at fault than another” and encourages speedy security notifications and responses.
Let’s see. So the general idea of the report is: “Keep a wary eye on any internet-connected system, no matter which platform, and ensure they’re up to date or you’ll get rogered”. Didn’t we all know that already?