MS wrong on security claims : Red Hat

06 Sep 2005

Red Hat is accusing Microsoft of getting its facts wrong in its latest attack on Linux security.

In an update on security at Microsoft's recent world-wide partner conference, the company's security head Mike Nash took aim at Linux to single out Red Hat.

Nash says between January and June this year, Microsoft released 38 security bulletins for Windows Server 2003, while in the same period 234 were issued for Red Hat's Enterprise Linux 3.

But Mark Cox, head of Red Hat's security response team based in London, says a simple comparison of the number of advisories issued is misleading. Microsoft neglects to note that in this period only two of the vulnerabilities affecting Red Hat Enterprise Linux 3 were critical, says Cox.

"On the Microsoft scale a critical vulnerability is one that would allow a remote attacker to take control of your machine over the internet," he says. "Windows Server 2003 in the same period had eight critical vulnerabilities, four times as many."

Microsoft's Nash also pointed to a study commissioned by Microsoft and conducted by application security testing specialist, Security Innovation, which compared the security of database servers.

Released in June, the study compared Microsoft Windows Server 2003 running Microsoft SQL Server 2000 Service Pack 3 with Red Hat Enterprise Linux 3 running both MySQL and Oracle 10g database servers.

It measured the number of reported vulnerabilities that affected each platform from March 2004 to February 2005. The results of the study are published on Microsoft's Get the Facts web portal and on Security Innovation's website.

It found the Windows system came out ahead with 63 vulnerabilities, compared with 116 on the Red Hat MySQL system and 207 on the Red Hat Oracle system.

Of the vulnerabilities found on Windows, 27 were considered high risk, compared with 41 and 73 on the MySQL and Oracle bundles, respectively. But Cox says such reports are relatively useless in determining the security of one platform compared with another.

The main metrics of the Security Innovation study treated all vulnerabilities as equal, regardless of their risk to users, and did not take into account how fast vendors repair vulnerabilities, he says. This affects the number of days of risk, Cox says.

The study found 61 days of risk for the Red Hat Enterprise Linux 3 installation with MySQL server, but Cox says if the data is filtered using the Microsoft scale for determining severity, there are only three critical issues. These were all fixed on the same day they were made public, resulting in no days of risk, says Cox.
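To show why a raw advisory count and an unfiltered days-of-risk total can tell a different story from a severity-filtered view, here is an added example (not from the article, Red Hat or Security Innovation) that computes both metrics over a constructed set of advisories; the advisory IDs, dates and severity labels are invented, chosen only so that the unfiltered total is 61 days while the critical-only total is zero, mirroring the figures Cox describes.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not real Red Hat or Microsoft advisories.
# Severity labels follow the Red Hat-style four-level scale assumed here.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    severity: str
    disclosed: date   # date the issue became public
    fixed: date       # date the vendor shipped a fix

    def days_of_risk(self) -> int:
        # Days a user was exposed between disclosure and fix.
        # A same-day fix counts as zero; a fix shipped before disclosure also counts as zero.
        return max((self.fixed - self.disclosed).days, 0)


SAMPLE = [
    Advisory("EX-2005-001", "critical", date(2005, 2, 1), date(2005, 2, 1)),
    Advisory("EX-2005-002", "critical", date(2005, 3, 10), date(2005, 3, 10)),
    Advisory("EX-2005-003", "critical", date(2005, 4, 5), date(2005, 4, 5)),
    Advisory("EX-2005-004", "moderate", date(2005, 1, 15), date(2005, 2, 14)),  # 30 days
    Advisory("EX-2005-005", "low", date(2005, 5, 1), date(2005, 6, 1)),         # 31 days
]


def summarize(advisories, min_severity="low"):
    """Count advisories at or above min_severity and total their days of risk.

    With min_severity="low" every advisory is counted, which is how the
    study's headline numbers behave; raising the threshold to "critical"
    is the filtering Cox argues for.
    """
    threshold = SEVERITY_RANK[min_severity]
    selected = [a for a in advisories if SEVERITY_RANK[a.severity] >= threshold]
    return {
        "count": len(selected),
        "days_of_risk": sum(a.days_of_risk() for a in selected),
    }


if __name__ == "__main__":
    print("all severities:", summarize(SAMPLE))
    print("critical only: ", summarize(SAMPLE, "critical"))
```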

"Red Hat prioritises all vulnerabilities and fixes those that matter the most first," he says.

"Days-of-risk statistics only tell a small part of the story: studies show consumers take some time to apply patches even after a vendor has produced a security update. At Red Hat we continue to work on ways to help people keep their machines up to date."

Last year it added Exec-Shield to Red Hat Enterprise Linux 3, which included support for processor EDB (execute disable bit) and NX (no execute) technology, while this year Red Hat Enterprise Linux 4 shipped with Security Enhanced Linux turned on by default, says Cox.

"These technology innovations are designed to reduce the risk of security issues," he says.