See Full Story
Beneath all the noise generated by the latest security holes in Microsoft's Windows operating system, experts have warned of two open-source security flaws that could allow intruders to corrupt memory, take control of systems and launch a denial-of-service (DoS) attack. Software affected by the most serious flaw includes releases of the widely used Sendmail software, a mail transfer agent used in many Unix and Linux systems for processing and managing e-mail.
The open source community is and has always been aware of bugs in their software and has never denied there are any. This is software, software has bugs. Security is not only about NOT having bugs but about the way and the speed the users are informed about them and the speed and the quality of _fixes_. Microsoft has been known for being extremely lazy and careless about fixing (and introducing) bugs in their software - some of them have been left untouched for years before a patch appeared. Add to this arrogance of this company which has the guts to inform their users that the software they vend is secure. As you say, there exists a notion (a legend) in the community that Unix is more secure but the notion is not forced upon people by any (or at least not many) Unix vendor out there, instead the Unix/OpenSource community is taking every measure to fix and inform its clientele about the security hazards in the software. Sendmail you mention as an example, has been known to be buggy for more years than the OpenSource security has existed. I would recommend reading a book titled "Coockoo's Egg" which, among others, tells a story of the first Internet worm which was spreading all accross the Internet in the 80's using... a flaw in sendmail. Having said that, please take a look also at another issue - flaws in the Microsoft software are much more exposed to exploitation since they are found in the very core of the MS operating systems, in the software that is ubiquitously used on every MS desktop (Outlook, Internet Explorer) which paired with the inherent insecurity of the MS OS design (there is no real separation of the userspace from the kernel space - transitions are many and insecure) leads to much graver impact of the bugs than the bugs exposed in (most) of the Open Source software. OpenSSH is a key element of the OS, but it is _not_ part of the OS core (the kernel, whatever it is - freebsd, openbsd, netbsd, linux, solaris, hp-ux etc. etc.). I'm yet to see a good analysis and comparison of the gravity of MS vs OpenSource bugs followed by the comparison of the speed the bugs are fixed in - not in the span of months but in the span of the last 10 years. I hope you will be the first person to report about such analysis. To recap - software is buggy and it will always be, but the security lies in the way the bugs are handled and in the security awareness of the software users. Training users to download patch from windows update blindly is far from educating them about the problems and hazards.