Is this true
Message
From
04/02/2002 18:36:28
To
04/02/2002 10:48:49
General information
Forum:
Linux
Category:
Other
Title:
Miscellaneous
Thread ID:
00614827
Message ID:
00615149
Views:
24
The way I see it, the author of the article just saw sheer numbers and drew a conclusion. If you follow the link he provided to his source (http://securityfocus.com/vulns/stats.shtml), right at the top, there is:

Several things should be taken into consideration when interpreting these numbers:

These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.

There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.

The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.


What's missing here is what part of the vulnerabilities are for the kernel and which part is for the applications (both Linux and Windows). Many (most?) Linux distributions include over 2000 applications. I'm sure I can find at least 5 FTP servers in SuSE 7.3 - so it's possible that a single bug is repeated 5 times, though only one of them concerns an administrator.

And I think there is another important factor: in the Linux community, when bugs are discovered, they are reported, not hidden! How many vulnerabilities have Microsoft found (or had reported to them) which they never said anything about? I keep reading on the various Bugtraq mailing lists things like "I sent an email to Microsoft security center 2 months ago and never heard anything since".

Final point: just because an OS is open source or is called Linux doesn't make it automagically secure. A Linux installation run by a newbie sysadmin will probably be less secure than a Windows installation run by a veteran sysadmin. That being said, I think Linux has the potential to be more secure than Windows, if administered correctly and with security in mind. Unfortunately, it's almost a full-time job just to keep up with the Bugtraq mailing lists!


>http://www.wininformant.com/Articles/Index.cfm?ArticleID=23958
>Rajesh
Sylvain Demers
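As an added illustration of the counting caveats raised in the post above (this is not code from the original post or from SecurityFocus), the script below tallies a constructed set of advisory records three ways: the raw per-OS count the stats page warns against, a kernel/application split, and a count of distinct underlying flaws so that one bug shipped in several FTP servers is counted once. The package names and bug ids are constructed sample data.

```python
# Constructed sample advisory records, not real SecurityFocus figures.
# Each record: (os, package, component, bug) where "bug" identifies the
# underlying flaw. A flaw present in several packages of one distro gets
# one record per package, which is exactly how a raw per-OS count sees it.
from collections import Counter, defaultdict

SAMPLE_ADVISORIES = [
    ("Linux", "kernel", "kernel", "BUG-1"),
    ("Linux", "wu-ftpd", "application", "BUG-2"),
    ("Linux", "proftpd", "application", "BUG-2"),  # same flaw, second FTP server
    ("Linux", "vsftpd", "application", "BUG-2"),   # same flaw, third FTP server
    ("Linux", "sendmail", "application", "BUG-3"),
    ("Windows", "ntoskrnl", "kernel", "BUG-4"),
    ("Windows", "iis", "application", "BUG-5"),
]


def raw_count(records):
    """Simple raw count per OS: the metric the stats page says not to compare."""
    return Counter(os_name for os_name, _pkg, _component, _bug in records)


def count_by_component(records):
    """Split each OS's count into kernel issues vs. application issues."""
    out = defaultdict(Counter)
    for os_name, _pkg, component, _bug in records:
        out[os_name][component] += 1
    return {os_name: dict(c) for os_name, c in out.items()}


def distinct_bug_count(records):
    """Count each underlying flaw once per OS, however many packages carry it."""
    seen = defaultdict(set)
    for os_name, _pkg, _component, bug in records:
        seen[os_name].add(bug)
    return {os_name: len(bugs) for os_name, bugs in seen.items()}


if __name__ == "__main__":
    print("raw:       ", dict(raw_count(SAMPLE_ADVISORIES)))
    print("component: ", count_by_component(SAMPLE_ADVISORIES))
    print("distinct:  ", distinct_bug_count(SAMPLE_ADVISORIES))
```

On this sample the raw count puts Linux at 5 and Windows at 2, while the distinct-flaw count gives 3 versus 2, which is the kind of gap the post is pointing at.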