
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Yes, and this is part of the flaw: if PHP code is constantly being exploited, doesn't it mean that the language has an issue?
PHP != Linux. PHP also runs on Windows. PHP also isn't the only language you can write exploitable code in.
It would be interesting to see how much is user code exploits and how much is old software exploits (e.g. how Ubuntu local servers got hacked). I suspect a lot more of the latter as you can easily use scripts to find these.
Local exploits still need a vector to get onto the system. These vectors are most often either poor password security or vulnerable web apps.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a linux server system?
I'm thinking of a couple of things offhand:
- Server 2008 (and to a lesser degree 2003) has roles where it preselects the components, and only the components, needed for a role.
Ubuntu, Debian, Redhat, SuSE, all have "roles" where it preselects the components, and only the components, needed for that role. I'm sure other distros do as well. Gentoo just doesn't install anything - it's entirely up to the admin to install stuff. As a historical note, Debian has followed this model since Woody at least. I can't remember the potato installer, but I think it didn't have the tasksel stuff, just dumped you into dselect.
- Other software, when installed, still won't work (or be hacked) unless you configure it.
Modern distros give services a basic configuration, and this typically involves limiting servers to only listen on localhost. There aren't a hell of a lot of services installed anyway.
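The "only listen on localhost" default above is something an admin can verify rather than assume. The following is an added example, not code from anyone in this thread: a small POSIX shell audit that takes `ss -ltn`-style output and prints every TCP listener bound to something other than the loopback interface. The sample socket table is constructed for the demonstration; on a real host you would pipe `ss -ltn` into the function instead.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from a real host).
# Two services are correctly bound to loopback; three are reachable
# from the network and therefore part of the exposed attack surface.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::1]:6379          [::]:*
LISTEN 0      128    *:80                *:*
LISTEN 0      128    [::]:5432           [::]:*
EOF
}

# exposed_listeners: read ss-style lines on stdin, print "address:port"
# for each LISTEN socket whose bind address is not loopback.
# Handles IPv4 (127.x), bracketed IPv6 ([::1]) and bare ::1 forms.
exposed_listeners() {
  awk 'NR > 1 && $1 == "LISTEN" {
        la = $4
        n = split(la, parts, ":")          # port is the last colon-separated field
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print addr ":" port
      }'
}

# Demonstration run against the constructed sample.
# On a real system: ss -ltn | exposed_listeners
sample_ss_output | exposed_listeners
```

Anything this prints is a service the distro's default did not confine to localhost (or one the admin reconfigured), and is worth a deliberate decision: firewall it, rebind it to 127.0.0.1, or remove it if the role does not need it.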
I wasn't claiming Microsoft is more secure than Linux at all. I'm saying we can learn from Microsoft, just as they can learn from Linux. Microsoft does some things extremely badly and would be better off doing it the Linux way - e.g. user account security, which can't really be fixed despite attempts like UAC.
I understand that you're not claiming that MS is more secure. I'm disputing your claim that Linux isn't already doing the same things MS is doing to limit vulnerabilities, where such techniques can actually be applied. Security is a concern for Linux distributions, but I think they're doing a reasonably good job of it. Default security is definitely nothing like it was in the late '90s - RedHat 6.0 was a complete disaster, for example. Security is also a concern for the administrators, and that goes for Windows admins as well as Linux. Perhaps the problem here is that because Linux is becoming "easier" to use and to run a server on, people are doing so without regard for security. This isn't a fault the distribution can fix - unless you don't allow your users to install anything at all, ever, in which case they'll just go run Gentoo instead and screw themselves six kinds of sideways. Distributions can't protect against administrative stupidity.