Friday, January 18, 2008

More nonsense about Open Source vulnerabilities

Computer World is claiming that Red Hat Linux and Firefox are "more buggy" than Microsoft Windows.

That at least is the conclusion you are supposed to draw from the article's title, the summary and the opening paragraph:

Windows not that bad after all
By Matthew Broersma, Techworld

Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

So they say. But if you read on to midway down the second page of the article, you get a very different picture:

Red Hat [Linux] was found to have by far the most vulnerabilities, at 633, with 99 percent found in third-party components. ...

Windows had only 123 bugs reported, but 96 percent of those were found in the operating system itself.

So let's see how that works. Red Hat Linux, which ships with multiple hundreds of third party applications, almost all of which are non-critical and don't even get installed, has about six vulnerabilities in the operating system. Windows, which ships with a handful of applications, has about 118 vulnerabilities in the OS. According to Computer World, an OS with six vulnerabilities is more buggy than one with 118 vulnerabilities.

Yeah, right. Sure it is. Just how much advertising does Microsoft do with Computer World?

The article goes on:

In the browser field, Firefox led the way with 64 bugs, compared to 43 for Internet Explorer, and 14 each for Opera and Safari.

However, in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.

Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.

You got that? The shortest time IE was vulnerable to known security bugs was nearly three months, compared to just over a week for Firefox.

But IE only looks as good as it does because ActiveX bugs are counted separately: IE had no fewer than 339 ActiveX bugs in 2007. If you include them in the count for IE, as you should, then you're comparing 382 for IE versus 64 for Firefox.

You almost -- almost -- have to admire the journalist's gall in trying to push a whopper of this size. Sadly, this sort of behaviour is very common: half-truths and deceptive statements in paragraph one, the actual facts buried deep in the article. That way you're not lying, because all the facts are there.

The people doing this know that there is a strong correlation between the number of readers and how close to the top of the article: for each extra paragraph you bury something under, you reduce the number of readers by a surprisingly large percentage.

I've written about the tendency of the IT press and security industry to make misleading if not dishonest comparisons between Linux and Windows before.

No comments: