Look – I’ll be honest – I’m a “Windows guy.” I use Windows machines every day for work and home, but I can and do appreciate what Linux (and Unix) systems have done for computing. These systems are very stable and if you take the time to learn how they work, they are extremely powerful machines.
On to the topic of this article. I have people frequently tell me, “Linux is way more secure; using Windows is like security Swiss cheese.” I usually don’t have anything snappy to say, so I shrug and move on to the next discussion. For this article, I wanted to take that statement and see if it’s true… or at least try to get a picture of just how vulnerable Windows and Linux systems are.
In order to do any kind of comparison I need to set some boundaries as to what I am comparing. I decided to compare Windows (all editions) against Ubuntu Linux. Here is my methodology:
- Compare two popular Operating Systems – Windows to Ubuntu Linux
- Include all editions of Windows and versions of Ubuntu
- Examine number and severity of vulnerabilities using the Common Vulnerability and Exposures (CVE) database hosted by Mitre.org. Statistics gathered by using the National Vulnerability Database (NVD) hosted by NIST.gov.
- Limit search to CVE issued between January 2011 and October 2014
Between January 2011 and October 2014, there have been 1,190 CVE issued involving Windows products. This accounts for 5.6% of all CVE issued during this period. As you can see in Figure 1, 2011 saw the most CVE issued with about 400. So far, 2014 is on track to fall a bit shorter than 2012 and 2013.
Next, let’s look at the severity of CVE issued during the 2011-2014 period. You can see the results in Figure 2. Of particular note – The majority of CVE issued were medium and high priority – only a handful of CVE were issued with a low severity.
If we do the same search for Ubuntu in the NVD during the same period, we see a slightly higher number of CVE issued. Ubuntu had about 1,445 CVE issued and accounts for 6.7% of all CVE issued during this time (Figure 3).
Let’s look at vulnerabilities by severity now. As you can see in Figure 4, Ubuntu has a higher percentage of low and medium CVE issued and fewer high severity CVE.
What Does It All Mean?
Although Ubuntu appears to have more reported vulnerabilities –about 255 more– Windows tends to have the more severe vulnerabilities, meaning they are easier to exploit or cause more damage when exploited. Look at it this way: Windows and Ubuntu both have many vulnerabilities, over 2600 between the two of them in the 3.5-year period we looked at. That’s a lot of vulnerabilities!
What can you do? Be sure to move off of unsupported Operating Systems. (Pssst… still running on XP? Microsoft doesn’t support it anymore!) Instead of arguing about who has the most secure system, take your time to keep your machines up to date. Both Ubuntu and Microsoft offer free updates for their systems so there’s little reason not to keep up to date.
Besides, everyone knows Macs are the most secure.
- Mitre: Common Vulnerabilities and Exposures List
- National Vulnerability Database: CVE and CCE Statistics Query Page