You will constantly see “religious” wars being fought between the camps of the above-mentioned platforms. You’ll also see a lot of comparisons between the two on the net, all of which have a hint of bias in them. Well, today I’m going to cover just the facts about the two platforms to see which one, if any, comes out a clear winner.
Let’s see when each platform launched. If we look up Red Hat, we’ll find that they launched version 4 of their highly acclaimed Enterprise Linux on February 15th, 2005, according to CRN. Microsoft Windows Server 2003 was released on March 28th, 2003, according to Microsoft’s own site. That’s a gap of nearly two years, which in the IT world is nearly the lifetime of most software product versions.
So Windows Server 2003 has a nearly two-year head start on Red Hat Enterprise Linux 4 to collect all sorts of vulnerabilities that we all know Microsoft is famous for. However, this is where it gets a tad surprising. Outside the hype and FUD (Fear, Uncertainty and Doubt), it’s not nearly as bad as the general tech community paints it out to be. A little research from Secunia reveals that it’s not bad at all.
Since its release in 2003, Windows Server has accumulated a total of 74 Secunia Advisories.
Now let us take a look at Red Hat Enterprise Linux.
Since its release in 2005, Enterprise Linux 4 has accumulated a total of 128 advisories.
Wait, what? There must be some mistake. Well, OK, perhaps the Enterprise Linux 4 vulnerabilities are a lot less severe than those of Windows Server 2003. A local vulnerability is a lot less severe than a remote vulnerability.
So let’s look at Red Hat Enterprise Linux 4 first.
OK, so 83 percent of all the vulnerabilities can be exploited remotely. That’s a pretty high number. Let’s take a look at Windows.
59 percent of all Windows Server 2003 Secunia Advisories are remotely exploitable.
Well now, this is fairly interesting. So far, dare I say, Windows is leading in terms of security.
Ah but wait, it’s not over yet. We have yet to see the type of impact most of these vulnerabilities have, and most importantly, the impact they have at the system level.
So let’s take a look at Red Hat Enterprise Linux 4 first.
We see here that 30 percent of the vulnerabilities allow system access.
Now let’s take a look at Windows Server 2003.
We see here that Windows Server 2003 is a bit more severe, in that 53 percent of its vulnerabilities allow system access. That’s a fairly high percentage, and a dangerous one, especially in an enterprise environment.
Secunia also keeps track of vulnerabilities that they have discovered and that the vendor has not yet patched, which gives us an idea of how quickly each vendor responds to security issues.
The Secunia database currently contains 0 Secunia advisories marked as “Unpatched”, which affects RedHat Enterprise Linux AS 4.
That’s pretty decent, so we know that Red Hat responds very quickly to any discovered security threats. Let’s have a look at Microsoft.
Currently, 8 out of 74 Secunia advisories are marked as “Unpatched” in the Secunia database.
A much more dangerous number than zero. Although, to their credit, none of the “unpatched” vulnerabilities is too critical. However, this still shows us how seriously Microsoft lags behind in their patching efforts. One could only attribute this to the massive complexity of the Windows system that Microsoft engineers must work through, in contrast to the modular nature of Linux itself.
In conclusion, what we have here is a very interesting set of differences between the two platforms and neither comes out as a clear winner. (I know, you are disappointed!) However, we did uncover the fact that Windows Server 2003 is not nearly as bad as the general tech community paints it out to be and would be a fairly solid choice in an enterprise environment despite all the FUD.