Friday, June 09, 2006

Can the anti-virus industry be trusted?

Joe Barr writes on News Forge about the computer security industry:

Internet security is big business. Microsoft Windows and Office vulnerabilities have made major contributions to making it -- and keeping it -- that way. Today, players like McAfee, Symantec, and dozens of other firms fight for a share of a market worth tens-of-billions of dollars a year. I would like to think that this industry displays the same high degree of ethical standards and integrity shown by other first-responders: our police forces, firefighters, and paramedics. Sure, there are bad apples in the bunch now and then, but on the whole they are an admirably honest and trustworthy group. I don't think nearly as highly of the computer security industry.

Here's why.

Barr describes why Linux vulnerabilities are over-counted: a security vulnerability in the Linux kernel may be reported by dozens of distributions, and counted as a separate vulnerability for each one. ("Here's a hole in Red Hat Linux, and Gentoo Linux, and Slackware Linux, and Ubuntu Linux -- that's four, and I've only begun!")

He also details the habit of anti-virus vendors trying to turn the molehill of minor security issues in Apple Mac OS X and Linux into the mountain range of a virus threat equal to that against Windows.

In his criticism of US-CERT's dodgy numbers, one factor Barr either missed or skipped is that the typical Linux distribution contains literally hundreds, even thousands in some cases, of software applications. Not all of these are created equal. When a vulnerability is discovered in one of those applications, US-CERT counts it as a vulnerability in Linux, even though the application is not part of Linux at all. By comparison, the typical version of Windows comes with perhaps a dozen different software applications, and most of them pretty simple: Notepad, Calculator and similar. So, you do the maths: 2000+ so-called Linux vulnerabilities, spread over perhaps a few thousand applications, versus 800+ Windows vulnerabilities, spread over perhaps a dozen applications.

Which set of software has the most security holes per application?
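The two counting problems above (one upstream bug reported once per distribution, and a raw total never normalised by how many applications it spans) are easy to show in code. The following is an added example, not from the article or from US-CERT; the advisory records are constructed, the vulnerability ids are placeholders, and the application counts fed in at the end are only the article's rough figures.

```python
"""Constructed example: how advisory-counting methodology changes the numbers."""
from collections import defaultdict

# Constructed advisory records: (distribution, package, vulnerability id).
# The ids are placeholders, not real CVE entries.
ADVISORIES = [
    ("Red Hat", "kernel", "VULN-0001"),
    ("Gentoo", "kernel", "VULN-0001"),
    ("Slackware", "kernel", "VULN-0001"),
    ("Ubuntu", "kernel", "VULN-0001"),
    ("Red Hat", "openssl", "VULN-0002"),
    ("Ubuntu", "openssl", "VULN-0002"),
    ("Gentoo", "imagemagick", "VULN-0003"),
    ("Ubuntu", "firefox", "VULN-0004"),
    ("Red Hat", "firefox", "VULN-0004"),
    ("Gentoo", "kernel", "VULN-0005"),
]


def raw_count(advisories):
    """The naive method: every distribution advisory is its own 'Linux hole'."""
    return len(advisories)


def unique_count(advisories):
    """Count each underlying vulnerability once, however many distros ship it."""
    return len({vid for _, _, vid in advisories})


def duplication_factor(advisories):
    """For each vulnerability id, how many distributions re-reported it."""
    seen = defaultdict(set)
    for distro, _, vid in advisories:
        seen[vid].add(distro)
    return {vid: len(distros) for vid, distros in seen.items()}


def per_package(advisories):
    """Attribute each distinct vulnerability to the package it actually lives in."""
    by_pkg = defaultdict(set)
    for _, pkg, vid in advisories:
        by_pkg[pkg].add(vid)
    return {pkg: len(vids) for pkg, vids in by_pkg.items()}


def holes_per_application(unique_vulns, application_count):
    """Normalise a vulnerability count by the number of applications it covers."""
    if application_count <= 0:
        raise ValueError("application_count must be positive")
    return unique_vulns / application_count


if __name__ == "__main__":
    print("raw advisory count:", raw_count(ADVISORIES))
    print("distinct vulnerabilities:", unique_count(ADVISORIES))
    print("re-report factor per vuln:", duplication_factor(ADVISORIES))
    print("distinct vulns per package:", per_package(ADVISORIES))
    # The article's rough figures: 2000+ 'Linux' holes over a few thousand
    # applications versus 800+ Windows holes over about a dozen.
    print("linux, per app:  ", round(holes_per_application(2000, 3000), 2))
    print("windows, per app:", round(holes_per_application(800, 12), 2))
```

On the constructed data the raw method reports ten holes where there are five distinct ones, and the kernel's single bug is counted four times over. The last two lines make the article's per-application comparison explicit: the same methodology that produces the bigger Linux headline number produces a far smaller figure once it is divided by the number of applications it covers.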
