A few months ago a study was released showing that the average survival time of a freshly installed, unpatched Windows machine was 20 minutes: less time than it took to download and install the required patches.
Red Hat just released a similar study. The net result is that the Red Hat machine has been running unpatched since Nov 2003.
These two studies cannot be directly equated. The Windows study is based on statistics collected over a period of time. By contrast, the Red Hat study uses theoretical reasoning to infer its survivability.
Here's a quote from the Red Hat post:
"So a full install of a Red Hat Enterprise Linux 3 box that was
connected to the internet in November 2003 even without the firewall
and without receiving updates would still remain uncompromised (and
still running) to this day.
It's not to say that a RHEL3 user couldn't get compromised - but
that's not the point of the survivability statistic. In order to get
compromised, a user would have to have either enabled anonymous rsync,
SWAT, or be running an open CVS server, none of which are default or
common. Or a user would have to take some action like visiting a
malicious web site or receiving and opening a malicious email."
This is rather theoretical, but convincing nonetheless, so here's a slightly watered down and partially defiant "Neener neener neener" to Microsoft.

I wrote the comment below in response to a slashdot post asking how long the average user has to patch their machine before it is compromised. Beyond the usual Windows vs Linux survivability, it is quite an interesting gauge of the state of security.
Tracked: Dec 09, 13:14