Vulnerability Count

Author: Craig White
Date:  
Subject: Vulnerability Count
"Kimi A. Adams" wrote:
>
> George,
>
> I find it just as interesting that the number of vulnerabilities for Red
> Hat is darn near close to Windows NT. Most people think of Red Hat when
> they first start hearing about Linux and believe that it's better
> security. But as your numbers prove, it's much less secure than other
> packages. I would be very curious to see what Debian's numbers would be in
> comparison.
>
> Thanks for this info.
>

-----------------
I suppose it's comforting to believe this but I don't think that it is
necessarily true.

Red Hat, SuSE and Mandrake all have large install package numbers, and a
good number of these exploits wouldn't apply to every setup. Also, many
of the exploits are really from open source projects that would affect
virtually all Linux and BSD distros, such as wu-ftp, bind, apache, php,
etc.

Heck even IIS isn't installed by default on Windows NT 4 server and the
high numbers on Win2K are undoubtedly because IIS 5.0 is automatically
installed.

It's entirely evident anyway that if security were the only issue,
OpenBSD is the OS, as that is its main objective.

Let's face it, George had already expressed the opinion that Windows and
Red Hat were security risks in the first place, so it wasn't hard to find
statistics that bear that out. Besides, when all is said and done -
security is a lot more about setup, administration and detection than
simply the basic installed distribution. Consider: Red Hat 7.1 installs
WU-FTPD on a server install, but it is not activated at boot anymore.
Does this still count? Can you afford to activate WU-FTPD without
monitoring exploits of WU-FTPD on ANY distribution? Heck, apparently
there's a new local user exploit of sendmail prior to 8.11-4 - doesn't
that one count on just about every Linux distro?

Craig
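The point Craig makes above (an advisory for a package that is installed but not enabled at boot is not the same exposure as one for a running daemon, and a local bug counts whenever the package is present) can be turned into a triage script. The following is an added example, not code from the original post or from any distribution's tooling. It classifies each advisory for one host as "exposed", "installed but not enabled", "patched" or "not installed", using an `rpm -qa` style inventory, an inetd.conf fragment and a boot-service table. All package inventory, service state, advisory entries and version numbers below are constructed for illustration and are not taken from any real advisory database; the version comparison is a simplified rpmvercmp, not the real one.

```python
"""
Exposure-aware vulnerability counting (added example, constructed data).

A raw advisory count per distribution says little until you ask, for each
advisory, whether the affected package is installed on *this* host, whether
it is at a vulnerable version, and whether the service it lives in is
actually enabled.  Everything under "constructed sample inputs" is made up
for illustration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# ---- constructed sample inputs ------------------------------------------

# `rpm -qa` style inventory (constructed; name-version-release per line).
RPM_QA = """\
wu-ftpd-2.6.1-16
sendmail-8.11.2-14
bind-9.1.0-10
apache-1.3.19-5
php-4.0.4pl1-9
openssh-server-2.9p2-7
"""

# inetd.conf fragment (constructed).  A leading '#' disables the entry,
# which is how a package can be installed yet not reachable over the network.
INETD_CONF = """\
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""

# Boot-time services and whether they start in the default runlevel
# (constructed; the kind of thing `chkconfig --list` would report).
BOOT_SERVICES = {"sendmail": True, "named": False, "httpd": True, "sshd": True}

# Advisories (constructed): package, first fixed version-release, and the
# service that must be enabled for the bug to be reachable.  None marks a
# local bug, which counts whenever the package is installed at all.
ADVISORIES: List[Tuple[str, str, Optional[str]]] = [
    ("wu-ftpd", "2.6.1-18", "ftp"),
    ("sendmail", "8.11.4-1", None),      # local privilege escalation
    ("bind", "9.1.1-1", "named"),
    ("apache", "1.3.20-1", "httpd"),
    ("php", "4.0.5-1", "httpd"),
    ("openssh-server", "2.9p2-5", "sshd"),  # already fixed in the inventory
    ("proftpd", "1.2.2-1", "ftp"),          # not installed on this host
]

# ---- parsing helpers -----------------------------------------------------

def parse_rpm_qa(text: str) -> Dict[str, str]:
    """Map package name -> 'version-release'.  Names may contain hyphens,
    so split from the right: the last two fields are version and release."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, version, release = line.rsplit("-", 2)
            pkgs[name] = f"{version}-{release}"
    return pkgs

_SEG = re.compile(r"\d+|[A-Za-z]+")

def _segments(v: str) -> List[Tuple[int, object]]:
    # Numeric segments compare numerically and sort after alphabetic ones,
    # roughly as rpmvercmp does ("2.9p2" < "2.10").
    return [(1, int(t)) if t.isdigit() else (0, t) for t in _SEG.findall(v)]

def version_cmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def inetd_enabled(conf: str) -> Set[str]:
    """Service names with an active (uncommented) inetd.conf entry."""
    return {ln.split()[0] for ln in conf.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def service_enabled(service: str, inetd: Set[str], boot: Dict[str, bool]) -> bool:
    return service in inetd or boot.get(service, False)

# ---- classification ------------------------------------------------------

def classify(advisories, installed, inetd, boot) -> List[Tuple[str, str]]:
    """Return (package, status) for every advisory against this host."""
    out = []
    for pkg, fixed, service in advisories:
        ver = installed.get(pkg)
        if ver is None:
            status = "not_installed"
        elif version_cmp(ver, fixed) >= 0:
            status = "patched"
        elif service is None or service_enabled(service, inetd, boot):
            status = "exposed"
        else:
            status = "installed_not_enabled"
        out.append((pkg, status))
    return out

def summarize(classified: List[Tuple[str, str]]) -> Dict[str, int]:
    counts = {"raw": len(classified), "exposed": 0, "installed_not_enabled": 0,
              "patched": 0, "not_installed": 0}
    for _, status in classified:
        counts[status] += 1
    return counts

if __name__ == "__main__":
    rows = classify(ADVISORIES, parse_rpm_qa(RPM_QA),
                    inetd_enabled(INETD_CONF), BOOT_SERVICES)
    for pkg, status in rows:
        print(f"{pkg:16} {status}")
    print(summarize(rows))
```

Running it against the constructed data gives a raw count of 7 advisories but only 3 that are actually exposed on this host; wu-ftpd and bind are installed but their services are off, exactly the "does this still count?" case, while the local sendmail bug counts regardless of what is listening.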