Linux is safer than its competitors because developers race to fix security flaws

Gandalf_The_Grey

Linux as a platform is a lot more secure than Microsoft Windows and Apple macOS, according to new research by Google's Project Zero. The higher rating isn’t because Linux is inherently safe and secure. It is because developers maintaining the platform are hard at work fixing security flaws.

There have been quite a few discoveries of security bugs and vulnerabilities within Linux. However, this does not mean the platform, powering millions of servers and home computers, is unsafe for daily use. Google’s Project Zero recently published the results of research that shows Linux's developers do a faster job of fixing security bugs than anyone else. Surprisingly, developers working to maintain Linux seem to be faster than Google’s own in-house team.

As we briefly noted before, the research team at Project Zero looked at fixed bugs that had been reported between January 2019 and December 2021. They discovered open-source programmers, on average, fixed Linux issues in just 25 days. Additionally, Linux's developers have been steadily reducing the days taken to patch security flaws. Back in 2019, developers patched flaws in a month’s time. Now, they often fix bugs within a fortnight.

During the same time, Apple took about 69 days, Google took 44 days, and Mozilla fixed bugs in about 46 days. Windows is currently the most popular operating system for home and office use, but it is concerning to note that Microsoft needed a little less than three months, on average, to fix security flaws.

The report also analyzed the time taken by developers to fix security vulnerabilities within mobile operating systems. Despite facing a lot more security threats, Apple managed to issue patches for iOS quicker than Google did for Android.
 

Local Host

So misleading; velocity of fixes is just a single measure of securing the code.
Few vulnerabilities are reported for Linux because few researchers bother to pentest Linux; there are a lot of undiscovered vulnerabilities on Linux, and one cannot fix what is not discovered and reported.
True, most Linux vulnerabilities date back 10 years.
 

SpiderWeb

Velocity of a fix as a way to measure success is typical Google philosophy. Quantity over quality, of course, of course. I'd rather have one great patch that not only fixes a vulnerability but also mitigates future attacks than a bunch of hotfixes that can be exploited.

wat0114

I'd rather have one great patch that not only fixes a vulnerability but also mitigates future attacks than a bunch of hotfixes that can be exploited.

Is there an O/S that patches for current and future vulnerabilities with one patch? :D I don't think so. Seriously though, give me Linux or Windows, and I will run either with complete confidence that neither will get infected in my daily use, no matter how so-called "vulnerable" to exploits both may be. It's all mostly overhyped nonsense anyway, especially for those home users who run their devices responsibly with the recommended security and safe computing practices. Most infections happen because the end user plays with fire, digitally speaking, whether they know it or not.

SpiderWeb

Is there an O/S that patches for current and future vulnerabilities with one patch? :D I don't think so. Seriously though, give me Linux or Windows, and I will run either with complete confidence that neither will get infected in my daily use, no matter how so-called "vulnerable" to exploits both may be. It's all mostly overhyped nonsense anyway, especially for those home users who run their devices responsibly with the recommended security and safe computing practices. Most infections happen because the end user plays with fire, digitally speaking, whether they know it or not.
I feel the safest on my M1 MacBook. Apple being in full control of hardware and software allows them to implement safety mechanisms that would break on other platforms due to incompatibility and people using different hardware components. On the other hand, that makes Apple a single point of failure.

MacDefender

I find this analysis to be a little misleading. Companies like Microsoft and Apple and Google are selling large supported operating systems across hundreds if not thousands of supported models.

It’s more than likely they had a fix earlier that was going through all their internal testing before being released, while Linux distributions tend to very quickly spin a patch and push it out and make it your responsibility to test it out on your machine. I think that could easily backfire — for example, log4j took several attempts to correctly fix the bug and some of the earlier fixes created new vulnerabilities.


EDIT: I don't want to go into too much detail, but Project Zero is a little controversial. I do appreciate what they do for finding vulnerabilities, but they sometimes seem to have an ulterior motive. I have contacts who work at the Red Teams for various large tech companies and a lot of them share the sentiment that Project Zero likes to sit on bugs until right before the final release dates, even for companies like MS and Apple who release insider builds and beta builds, until it looks more like a "release candidate". And sometimes the "fixes" they suggest are misleading and cause other things to break. As a result, most of these companies have a policy against blindly taking Project Zero's analysis and instead force their own security teams to independently analyze security vulnerabilities, which takes additional time too. Remember it's a Google project and they might have ulterior motives when reporting to their competitors.