Is Linux Next Security Target?

Unexploited vulnerabilities in the core Linux kernel are on the rise. And despite lots of debate over just how vulnerable Linux is, now's the time for businesses to ensure that their open-source software is secure. Waiting could be dangerous.

A recent study sparked controversy when it tallied 2,328 vulnerabilities in Linux and Unix combined, compared with 812 in Microsoft Windows. The Computer Emergency Readiness Team stats were criticized for possible double counting and including problems not related to the core Linux operating system (see story, "Linux Backers Question CERT Vulnerability Stats"). But CERT isn't alone in concluding that the threat level is rising for Linux.

The National Vulnerability Database maintained by the National Institute of Standards and Technology also shows signs of potential problems with Linux. Last year, 119 vulnerabilities were reported in the core Linux kernel, the one used by all versions of the operating system, compared with 61 published vulnerabilities for Windows XP, says Peter Mell, the database's administrator. Moreover, the trend isn't encouraging. There were 47 vulnerabilities in 2004 and 11 in 2002, Mell says.

The numbers can be confusing, because there are different ways of counting vulnerabilities in the open-source community compared with how Microsoft or other vendors keep tabs on them, and security problems are defined differently from one group to the next. Still, the numbers point to a trend that IT managers need to be aware of.

Keep Problems At Bay
Most businesses pay to have versions of Linux and related applications developed and supported by established vendors such as Red Hat and Novell. They ensure that their products are free of problems and quickly patch any that appear. Red Hat even ensures the security of, and provides patches for, the third-party Linux apps it sells, says Michael Ferris, director of security products.
