@7up wrote:
Years ago despite people like yourself claiming that linux was super secure it transpired that it was the most hacked OS on the planet due to the number of webservers being attacked that were running various linux distros.
Microsoft vulnerabilites; 5151: https://www.cvedetails.com/vendor/26/Microsoft.html
Linux vulnerabilities; 1934: https://www.cvedetails.com/vendor/33/Linux.html
Look at the number of the "gain privilege" column totals. Or I can save you the trouble. MS: 589 Linux: 245. An even more important breakdown that isn't stated there would be the number of remote vs physical access privilege escalations there are. Linux has a high number with 245, but many of them require physical local access to the device, not remote. Those metrics ARE available to see when you investigate the above pages further though.
Look at the number of the "# of exploits" column totals for the above two links. Or again I can save you the trouble. MS: 196 Linux: 33.
Microsoft 196 vulnerability list; see the "access" column: https://www.cvedetails.com/vulnerability-list/vendor_id-26/hasexp-1/Microsoft.html
Linux 33 vulnerability list; see the "access" column: https://www.cvedetails.com/vulnerability-list/vendor_id-33/hasexp-1/Linux.html
Remote means you do not require physical access to the machine for the exploit. Local means you do. The Linux kernel has ONE remote exploit for ipv6 (something created by the IETF, not Linus Torvalds and the Linux Kernel programmers). Back in 2008. On the 2.6 kernel. We're now up to kernel 4.x.
Also note the "gained access level" column. In particular how many times the word "admin" appears. It appears twice for Linux (again, on the 2.6 kernel). It appears considerably more for Microsoft.
Top 50 vulnerable list; Microsoft 1st. Linux 8th: https://www.cvedetails.com/top-50-vendors.php
Linux is a kernel. Not an operating system. The suite of tools on top of Linux are what make an operating system. That's why Richard Stallman has his "GNU/Linux" meme.
Back in the day most Linux servers were exploited because of the software on top (actually they still are). SSH was one such piece of software. That exploit even famously made it's way into the Matrix Reloaded film. Other forms of attacks were on web serving software (such as Apache) or website software (written in PHP), that does not detract from Linux kernel security.
The thing about open source software is people can see bugs and holes and patch them before they get spotted by others and a CVE is even required. Most of the time however, security researches find a bug or hole and create a proof of concept, they notify the software authors, the software authors write and issue a patch and then the security researcher announces their exploit and the CVE for it. But it doesn't matter, since the software has already had a patch rolled out. The only people who sit on exploits are 'the bad guys'.
Closed source software on the other hand doesn't have to announce anything. Microsoft only announces CVEs when they're highly critical, or already being exploited. As we saw with WannaCry, they will also willingly sit on patches they have created for security holes they know exist and are critical, and SHOULD have deployed to all versions of their OS the vulnerability was related to. But only did so when the risk of public relations disaster blow back became so bad they had to release them.
It turned out that windows suffered far less hacks though it suffered from more viral / malware attacks.
Food for thought..
Are you implying that viral and malware attacks are any less severe than kernel based attacks?
