MS wrong on security claims: Red Hat

Red Hat is accusing Microsoft of getting its facts wrong in its latest attack on Linux security.

In an update on security at Microsoft’s recent worldwide partner conference, the company’s security head Mike Nash took aim at Linux and singled out Red Hat.

Nash says between January and June this year, Microsoft released 38 security bulletins for Windows Server 2003, while in the same period 234 were issued for Red Hat’s Enterprise Linux 3.

But Mark Cox, head of Red Hat’s security response team based in London, says a simple comparison of the number of advisories issued is misleading.

Microsoft neglects to note that in this period only two of the vulnerabilities affecting Red Hat Enterprise Linux 3 were critical, says Cox.

“On the Microsoft scale a critical vulnerability is one that would allow a remote attacker to take control of your machine over the internet,” he says.

“Windows Server 2003 in the same period had eight critical vulnerabilities, four times as many.”

Microsoft’s Nash also pointed to a study commissioned by Microsoft and conducted by application security testing specialist Security Innovation, which compared the security of database servers.

Released in June, the study compared Microsoft Windows Server 2003 running Microsoft SQL Server 2000 Service Pack 3 with Red Hat Enterprise Linux 3 running both MySQL and Oracle 10g database servers.

It measured the number of reported vulnerabilities that affected each platform from March 2004 to February 2005.

The results of the study are published on Microsoft’s Get the Facts web portal and on Security Innovation’s website.

It found the Windows system came out ahead with 63 vulnerabilities, compared with 116 on the Red Hat MySQL system and 207 on the Red Hat Oracle system.

Of the vulnerabilities found on Windows, 27 were considered high risk, compared with 41 and 73 on the MySQL and Oracle bundles, respectively.

But Cox says such reports are relatively useless in determining the security of one platform compared with another.

The main metrics of the Security Innovation study treated all vulnerabilities as equal, regardless of their risk to users, and did not take into account how fast vendors repair vulnerabilities, he says.

This impacts on the number of days of risk, Cox says.

The study found 61 days of risk for the Red Hat Enterprise Linux 3 installation with MySQL server, but Cox says if the data is filtered using the Microsoft scale for determining severity, there are only three critical issues.

These were all fixed on the same day they were made public, resulting in no days of risk, says Cox.

“Red Hat prioritises all vulnerabilities and fixes those that matter the most first,” he says.

“Days-of-risk statistics only tell a small part of the story: studies show consumers take some time to apply patches even after a vendor has produced a security update. At Red Hat we continue to work on ways to help people keep their machines up to date.”

Last year it added Exec-Shield to Red Hat Enterprise Linux 3, which included support for processor EDB (execute disable bit) and NX (no execute) technology, while this year Red Hat Enterprise Linux 4 shipped with Security Enhanced Linux turned on by default, says Cox.

“These technology innovations are designed to reduce the risk of security issues,” he says.

