I thought it wise to start with a disclaimer: this is not a Windows vs. Linux article. God knows enough of those have been written, much to the chagrin of penguin lovers. It just seems to me that Linux is slipping in terms of its bug-swatting vigilance. That, or Microsoft’s bug-killing team is quickly closing the gap with ever-increasing attentiveness. I am not referring to FUD-funded propaganda stories like these, by the way.
Last year it took an unusually long time for kernel developers to notice a sneaky piece of kernel code: someone had used the hex constant “0x0B00B135“. Harmless as it may be, it makes you wonder how long it would take to hunt down some of the more subtle critical bugs. True, the offending code was a cheeky joke submitted to the Linux kernel developers as part of the Hyper-V virtualization driver code that came from Microsoft. However, since one of the most advertised strengths of Free and Open Source Software is its openness, which makes it easier to audit and therefore to rid of bugs, the argument that this was sabotage by Microsoft does not carry.
In 2005 Gaël Delalleau discovered a critical bug that enabled local users to gain root privileges on Linux machines running a graphical installation. He was not one of Linux’s big daddies, so his discovery was thrown on the dog pile and wallowed there for five years! Five years as Linux users sat on a ticking kernel bomb. After half a decade Rafal Wojtczuk, one of the kernel inner-circle monks with an unpronounceable name, rediscovered the bug and it was fixed within 48 hours. The fiction that anyone can submit a kernel patch is just that: fiction. Linux kingpin Linus Torvalds has quite the temper and does not mince words, and even the most experienced kernel developers have not been spared: he recently told one of them to “shut the F**** up!” Patches have to be absolutely perfect; as a result most people just patch their own machines and forget about it, which eliminates the argument that a million-strong army of users will find the bugs.
According to a recent report by the security firm Trustwave, vulnerabilities in the Linux kernel fixed in 2012 went unpatched for more than two years on average, more than twice as long as it took to fix flaws in current Windows operating systems. This has been blamed on the distributed nature of Linux development, which makes it difficult to roll out patches from a centralized repository. A lot of steps are involved when a bug is fixed in, say, Ubuntu. A developer submits a patch to the maintainer of the affected component, say the USB drivers; the maintainer cleans up the code and merges it into the kernel tree. All of these are critical and essential steps. The maintainers of the different distributions then obtain the patch and adapt it to fit their own kernel customizations before placing it in their repositories. Different users have different update cycles, and so it might be minutes or years, if ever, before the update is installed. A laborious cycle, with the average result that it takes 857 days to close a vulnerability in Linux compared to 375 days in Windows! Note that this report does not cover all vulnerabilities, just zero-days.
To be fair, Windows has come a long way from those unstable versions of Windows 95 that were mere GUIs sitting on top of DOS. Windows XP was everyone’s darling, warts and all. With Windows 7, and in 2012 in particular, Microsoft really took it up a notch. For the first time, according to Kaspersky, no Microsoft software made it into the top ten list of vulnerabilities. Instead Adobe’s Flash Player, Shockwave and Reader all made the list, as did Oracle’s Java and your beloved iTunes player. In fact, Adobe’s cross-platform Flash Player and Oracle’s Java have been used to compromise Linux as well.
So is Linux slipping, or is Windows becoming more secure and closing the gap? It could be either, both, or neither. For example, Linux lovers might simply write the whole thing off as another conspiracy: Microsoft inserted the “BigBoobs” constant among zillions of lines of code in a bid to discredit Linux. As for the Trustwave report mentioned above, maybe the vulnerabilities fixed did not really touch Linux, or maybe Microsoft just doled out a busload of worthless updates for mistakes they deliberately made so as to boost their image in the eyes of security experts. Finally, perhaps the reason there is no Microsoft product in the Kaspersky list is that Steve Ballmer had lunch with one of the executives.
So what is your verdict: is Windows becoming more secure whilst Linux is slipping? Or is it something else entirely?