Wednesday, September 12, 2007

Is open source more secure than Windows?

In truth, the total number of vulnerabilities is one measure of the security of an operating system. Windows Server 2003 was released with fewer initial vulnerabilities than either Red Hat ES 3 or Red Hat ES 4, and has many fewer total vulnerabilities throughout the product lifecycle. Upon release, one vulnerability was identified for Windows Server 2003, compared to 27 for Red Hat ES 4 and eight for Red Hat ES 3.

The higher number of vulnerabilities at release for Red Hat ES 3 and 4 is likely explained by their being open-source products, which allows more people to search for and identify vulnerabilities prior to release. At the time of this analysis, Windows Server 2003 had 110 identified vulnerabilities, Red Hat ES 4 had 241, and Red Hat ES 3 had 320.

Windows Server 2003 has been in release for 1337 days, Red Hat ES 4 for 670 days, and Red Hat ES 3 for 1167 days. Windows Server 2003 has fewer than half the vulnerabilities of either version of Red Hat despite having been in release twice as long as Red Hat ES 4 and six months longer than Red Hat ES 3. This data was collected from Secunia, a leading independent source of vulnerability intelligence. Secunia was used because they do not rely on a single source for vulnerability information, and their source data is highly transparent.

Secunia not only performs their own security research but also collects and verifies security bulletins and announcements from a large base of external sources: vendors, internet forums, newsletters, security analyst bug reports, CERT, and web sites maintained by unaffiliated individuals who are tracking security issues for each platform.1 For each operating system, Secunia tracks all vulnerabilities that affect a full installation of all components and packages included in the current release.