NOTE:  I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite, that Linux is inherently more secure than Windows.  The "unsupported" part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities and more serious vulnerabilities, and the data does not support the assertions of security superiority for Linux and Open Source software.  Also, this is my own work, and any mistakes and opinions are mine and not necessarily those of Microsoft.

Well, the first half of 2006 is behind us and I've completed an initial vulnerability comparison between Windows Server 2003 (WS2003) and the two enterprise server versions of Red Hat that have shipped since WS2003 became available - Red Hat Enterprise Linux 3 and 4 (Advanced Server).  I'm going to start with the basic data and then update this blog entry as clarification or further analysis is necessary.

Whether you look at the all-up total vulnerabilities, look at high severity vulnerabilities, or look at the weighted Workload Vulnerability Index, it is hard to argue against the fact that Red Hat 3 server admins required less vuln work than Red Hat 4, and Windows Server 2003 required less than either.

Read this FAQ if you have questions about the analysis.  If you still have questions, ask away and I'll update as needed.

First, let's start with the basic vulnerability counts.  I've charted the totals for the six month period in chart 1, but will also lay out various details.

The breakdown of totals data is as follows:

            ws2003    rhel3as    rhel4as
low             12         59         83
medium           7         12         20
high            19         26         34
total           38         97        137

I also calculated days-of-risk (averaged) by severity to see if the higher severity issues were given priority, and generally they were, except in the case of RHEL4, where low severity issues fared better than medium:

            ws2003    rhel3as    rhel4as
low          25.00     152.66      93.90
medium        7.00     101.75     105.35
high          3.95      75.77      80.12
total        11.16     125.75      92.15

So, if anybody wanted to do a "red hot candy" demo for the first six months of the year, the differences would be pretty significantly in Windows' favor over Red Hat servers, either 3 or 4.  However, as Mr. Cox likes to point out, that's not the whole story, as lots of low severity issues are not equal to lots of high severity issues.

With that in mind, I also calculated and charted a monthly Workload Vulnerability Index as defined by NIST and similar to that introduced by Mark Cox in the Red Hat RHEL4 Risk Report.  I used the NIST ratings rather than vendor ratings in order to use a more objective, common source of rating.  Read the FAQ for more info on why.

Here is the WVI, a more normalized comparison of the severity-rated issues affecting all three platforms over the past 6 months:
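To make the three measures used above concrete (counts by severity, average days-of-risk by severity, and a severity-weighted workload index normalised to a 30-day period), here is an added worked example in Python.  It is not code from this post or from Microsoft or Red Hat; the vulnerability records are constructed for two hypothetical products, and the weights (high 1, medium 1/5, low 1/20) are my assumption of an NVD-style weighting rather than a figure taken from the post.  The `prioritised_by_severity` check encodes the question asked above: do fixes arrive fastest for high severity, then medium, then low?

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean

SEVERITIES = ("low", "medium", "high")

# Assumed NVD-style workload weights (high 1, medium 1/5, low 1/20).
# This weighting is an assumption for illustration, not taken from the post.
WEIGHTS = {"high": 1.0, "medium": 0.2, "low": 0.05}


@dataclass(frozen=True)
class Vuln:
    product: str
    severity: str      # one of SEVERITIES, NVD-style rating
    disclosed: date    # date the issue became public
    fixed: date        # date the vendor shipped a fix


# Constructed sample records for two hypothetical products; not the post's data.
SAMPLE = [
    Vuln("prod-a", "high",   date(2006, 1, 10), date(2006, 1, 14)),
    Vuln("prod-a", "high",   date(2006, 2, 1),  date(2006, 2, 3)),
    Vuln("prod-a", "medium", date(2006, 3, 5),  date(2006, 3, 15)),
    Vuln("prod-a", "low",    date(2006, 4, 1),  date(2006, 5, 1)),
    Vuln("prod-b", "high",   date(2006, 1, 2),  date(2006, 3, 3)),
    Vuln("prod-b", "medium", date(2006, 1, 5),  date(2006, 1, 25)),
    Vuln("prod-b", "low",    date(2006, 2, 1),  date(2006, 2, 11)),
    Vuln("prod-b", "low",    date(2006, 2, 2),  date(2006, 3, 4)),
    Vuln("prod-b", "low",    date(2006, 3, 1),  date(2006, 3, 21)),
]


def days_of_risk(v: Vuln) -> int:
    """Days between public disclosure and fix availability for one issue."""
    return (v.fixed - v.disclosed).days


def for_product(vulns, product):
    return [v for v in vulns if v.product == product]


def counts_by_severity(vulns, product) -> dict:
    """Raw counts per severity plus the total, as in the first table above."""
    c = Counter(v.severity for v in for_product(vulns, product))
    out = {s: c.get(s, 0) for s in SEVERITIES}
    out["total"] = sum(out.values())
    return out


def avg_days_of_risk(vulns, product) -> dict:
    """Mean days-of-risk per severity and overall, as in the second table.
    A severity with no issues yields None rather than a misleading zero."""
    rows = for_product(vulns, product)
    out = {}
    for s in SEVERITIES:
        d = [days_of_risk(v) for v in rows if v.severity == s]
        out[s] = mean(d) if d else None
    out["total"] = mean(days_of_risk(v) for v in rows) if rows else None
    return out


def prioritised_by_severity(avg: dict) -> bool:
    """True when fixes land fastest for high, then medium, then low severity."""
    h, m, l = avg["high"], avg["medium"], avg["low"]
    if None in (h, m, l):
        return False
    return h <= m <= l


def workload_index(vulns, product, period_days: int) -> float:
    """Severity-weighted issue count scaled to a 30-day period (assumed weights)."""
    weighted = sum(WEIGHTS[v.severity] for v in for_product(vulns, product))
    return weighted / (period_days / 30)


if __name__ == "__main__":
    H1_2006_DAYS = 181  # 1 Jan through 30 Jun 2006
    for p in ("prod-a", "prod-b"):
        avg = avg_days_of_risk(SAMPLE, p)
        print(p, "counts:", counts_by_severity(SAMPLE, p))
        print(p, "avg days-of-risk:", avg, "prioritised:", prioritised_by_severity(avg))
        print(p, "workload index per 30 days:", round(workload_index(SAMPLE, p, H1_2006_DAYS), 3))
```

In the constructed data, prod-b fixes its low severity issues faster than its high severity one, so `prioritised_by_severity` returns False for it; that is the same pattern the days-of-risk table above flags for RHEL4, where low fared better than medium.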

Stay tuned for more soon, including a similar posting with data and analysis of Windows XP SP2, Red Hat Desktop 3 and Red Hat Desktop 4, and some discussion of the role-based comparisons and all-products comparisons.  UPDATE:  You may also want to read Apples, Oranges and Vulnerability Metrics for a discussion of issues related to comparing OSes having different sets of applications.

Regards ~ Jeff