My security’s better than yours

I consider Bob Thompson a good friend, as well as being a very knowledgeable guy. We’ve had a number of friendly debates about various things (hey, Bob, you still owe me a 3-liter bottle of caffeine-free diet Coke for this one!). We’re now engaged in a religious battle about Microsoft’s security. You can get the backstory of this particular debate here.
Greg Lincoln chimed in thusly:

It really annoys me when people call OpenSSH or Apache or “insert app that just happens to run on Linux here” vulnerabilities “Linux” vulnerabilities. OpenSSH and Apache are NOT Linux. They are applications that run on Linux. They also run on Windows and quite a few other OSes.
Most of the recent reports against Windows are in the media player or IE, or some other component which is considered by Microsoft as part of Windows and cannot be removed. Therefore, they are holes in Windows.

Well, OK, I can see why that would bug Greg, but I think he’s wrong. Is Apache installed by default on the most common Linux distros? Yes. How about OpenSSH? I am less sure, but I’d bet the answer is “yes”. The issue isn’t whether or not they can be removed, but whether or not they’re default parts of the OS. The point being, of course: if I install a new Windows or Linux box, am I getting vulnerabilities without knowing it? In addition, let’s not forget that one key feature in Windows XP SP1 is compliance with the consent decree requiring increased modularity in Windows. (And, FWIW, you can certainly remove, or not install, the Windows Media Player; I don’t have it installed on any of my boxen.)

Then Jon Abbey piled on:

The SecurityFocus stats should not be used for comparison with Windows. The reason is that a RedHat Linux system comes with *far* more software than a Windows XP distribution.

Does it really? This is a fascinating argument, since I’d bet that a careful examination would reveal that server versions of Windows have more KLOC and more discrete components than Linux. More executables, no; more callable objects (e.g. the COM equivalents of all those cool little *nix command-line tools), yes. I wouldn’t be surprised to find that Windows has more function points, too.

Then Greg Lincoln again:

Sorry to bug you again, but this just hit a sore spot with me.

That link he sent you to is a common trick used in FUD. So common that the page’s author put this at the top in bold:

“The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.”

He explains why this is the case above the bold text.

I ordinarily would have let this pass, but it disheartens me to see someone as knowledgeable as Greg resort to labeling my argument as FUD. I guess it’s uncomfortable to hear that the Emperor’s clothes may be a little tattered around the edges. The SecurityFocus guys may not believe that their numbers are useful for vulnerability comparisons, but I disagree. The “explanation” above the bold text has a few problems, namely that the “subcomponents such as Explorer” that SF says may skew the bug counts are actually included in Windows! How can you say on one hand that an IIS bug counts against Windows, but that an Apache bug doesn’t count against Linux when Apache is installed by default? (I also wonder why the “site migration” issue mentioned on the SecurityFocus page hasn’t been resolved yet; that seems a little curious.)

Filed under Security

One response to “My security’s better than yours”

  1. el eigh dee

    There’s a huge massive difference between “installed by default” and nonremovable. When we’re talking about the security of an operating system, the assumption is that the installer of the OS cares about security! The installer of a system that asks them whether they want a webserver who cares about security will answer accurately.

    OpenSSH has had an incredibly small number of remote unauthenticated-user exploits. Apache, on the other hand, used to be full of them, and is still not safe running as root. Fedora doesn’t run it as root by default, though.

    Apache is not installed by default on “desktop” installs of Fedora GNU OS, or SuSE “desktop” installs, or on most other mainstream distributions. So if your argument is instead which OS is safer for non-sysadmins, then Linux wins by a landslide. Server installs are a different matter, though. It’s a lot closer. But in which one is the source code a secret because it’s so full of bugs?

    Lastly, Redhat != Linux. Redhat makes a GNU-based OS that runs on the Linux kernel. Calling it Linux is like calling Mac OS X by its kernel’s name, Mach. You don’t blame the Mach developers for holes in Mac OS X Server daemons, do you?