MS Security Chief Says Windows is Safer Than Linux

Posted by Zonk on Fri Feb 11, 2005 10:53 AM
from the some-press-is-better-than-no-press dept.
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • What about (Score:5, Insightful)

    by beatdown (788583) * on Friday February 11 2005, @10:54AM (#11642156)
    the patches that they should have done?
  • rofl

    Microsoft is basing that claim by number of patch distributions, not by size or severity, cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better? FUD never had so much meaning. I'd be outraged, but words like this are so expected.

      • by Zab UvWxy (694326) on Friday February 11 2005, @11:24AM (#11642699) Journal
        Ah, but you're missing an important part of the original posting; the reference was to Win2k3 only.

        So, you state the words spoken between the lines, M$ is saying "forget our track record, forget what we said before, and ignore everything happening on our desktop systems; our server r0x0rs!", or something to that effect.

        It's easy to say that one version of a server OS, that is becoming less and less like its notoriously hole-ridden desktop brethren, is so much better than *anything* the competition can offer. It's much harder to actually do something about it; considering they've been saying essentially the same thing for several years now, they're not much closer to achieving the goal of a "trusted, secure" OS.
        • Re:Apples/Oranges (Score:5, Insightful)

          by drew (2081) on Friday February 11 2005, @11:25AM (#11642713) Homepage
          regardless of how many programs you install on your server, comparing the number of patches released by redhat/suse in a given time frame, which covers all applications in the entire distribution regardless of whether you have them installed, to the number of patches released for windows server 2003, which pretty much only covers the os, web browser, and web server, is beyond ridiculous.

          not to mention microsoft's tendency to roll up multiple patches into one, something redhat/suse can't do because they don't know which packages you have installed, so bugs that affect different packages can't be combined.
        • Re:Apples/Oranges (Score:5, Informative)

          by Daengbo (523424) <daengbo.gmail@com> on Friday February 11 2005, @11:26AM (#11642721) Homepage Journal
          From here: http://www.honeynet.org/papers/trends/life-linux.pdf [honeynet.org]:
          Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.
          Compared to unpatched Windows boxes with life expectancies of minutes.
  • by bigtallmofo (695287) on Friday February 11 2005, @10:56AM (#11642205)
    If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

    Or at the very least, you might at least fool some people enough to continue to give you money.
  • All true (Score:5, Funny)

    by ArsonSmith (13997) on Friday February 11 2005, @10:56AM (#11642206) Journal
    My linux computer is so over run with spyware and viruses that it is completely unusable and it is firewalled.

    I connect my fresh installed XP system directly to the internet and I can go months before I get any malicious programs on my computer.

    hmm, or do I have that backwards?
  • by basking2 (233941) on Friday February 11 2005, @10:57AM (#11642214) Homepage
    We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.
    • by CrankyFool (680025) on Friday February 11 2005, @11:06AM (#11642402)
      Redmond has significant credibility within the sector that actually gives purchasing approval (rather than, perhaps, purchasing recommendations). When they come up with something like "look, we only released 15 patches instead of Linux's 1028426," that's a very simple message that many people will have problems seeing through. These people will go away from reading this story believing, simply, that Microsoft is right. Sadly, some of them will likely be influenced by their unwillingness to believe a company representative would utter such a bald faced lie (and of course, in some respects he's not lying. Linux has had a ton of patches; WS2003 has not. Those are the facts. What they mean, of course, is exactly the opposite from what he claims they mean).

      Worst of all, though, is that if Information Week or any other "I'm an important IT person and I read industry publications" magazine carries a story on the front page that says "Microsoft Security Chief: Windows More Secure Than Windows," then 3-4 days after they saw the story (and maybe not even read it), your average PHB will just remember the "You know, I seem to remember recently that someone came out and said Windows was more secure than Linux. I don't remember how they proved it or where I saw it, but I distinctly remember it..."

      Which is why I do think there's value in a vigorous response and a careful analysis of the claims in an effort to make sure we're ready to vehemently argue against this insanity.
  • by Neil Watson (60859) on Friday February 11 2005, @10:57AM (#11642230) Homepage
    I think we need a new section for these stories. I propose we call it 'Flamebait'.
  • Not Surprised (Score:5, Insightful)

    by PhreakinPenguin (454482) on Friday February 11 2005, @10:57AM (#11642231) Homepage Journal
    "Mike Nash, Microsoft's Chief Security Executive"

    What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.
  • From TFA... (Score:5, Insightful)

    by jskiff (746548) on Friday February 11 2005, @10:57AM (#11642233) Homepage
    "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.
  • And later.. (Score:5, Funny)

    by salvorHardin (737162) <adwulf@nOsPAM.gmail.com> on Friday February 11 2005, @10:58AM (#11642246) Homepage Journal
    ...when the world stopped laughing, it was revealed this person might have some sort of conflict of interest, being that he works for MS and all....
  • Windows and Red Hat (Score:5, Informative)

    by bruceleekick (548999) on Friday February 11 2005, @10:58AM (#11642254)
    Windows 2003 Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database. Red Hat Currently, 0 out of 133 Secunia advisories, is marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is Unpatchable.
  • by RealityMogul (663835) on Friday February 11 2005, @10:59AM (#11642286)
    If there's only 15 for 2003, then why does that secunia link list 44?

    Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.

    Surprisingly, the Windows 2003 product still has unpatched holes.
  • User experience (Score:5, Interesting)

    (This is not a rant, merely a description of what happened to me recently:)
    1. reboot computer - It'd hung running something that rhymes with Titborrent.
    2. Login prompt -log in
    3. Get a start button, click on it to start a browser
    3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
    4. Hit start again to get a browser
    4a. Lose focus again as AVG says it's not working.
    5. Press start to start a browser.
    5a. Lose focus as the UPS monitoring tool advertises that it's HERE! PRESENT! ACCOUNTED FOR!
    6. Press Start to get a browser.
    6a. Lose focus AGAIN as MS spyware gives me a status update.
    7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!

  • by reporter (666905) on Friday February 11 2005, @11:05AM (#11642383) Homepage
    For 2 reasons, I doubt the veracity of Mike Nash's claims that Windows is more secure than Linux. First, due to the open nature of Linux development, Linux enjoys far more testers than Windows. More eyeballs means that more bugs will be found and fixed.

    Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.

    The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.

  • just think (Score:5, Insightful)

    by justforaday (560408) on Friday February 11 2005, @11:05AM (#11642392)
    Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!
  • by Coryoth (254751) on Friday February 11 2005, @11:08AM (#11642433) Homepage Journal
    Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.

    Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (eg. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.

    SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just file permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access to the minimum required that would be great. If they can compartmentalize operations so that each can run as a separate process with least privilege all the better. This is work that needs to be done though.

    Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.

    Jedidiah.
  • Linux Vs Windows (Score:5, Insightful)

    by KingBahamut (615285) on Friday February 11 2005, @11:10AM (#11642478)
    This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take effect.

    Just do a search for Sendmail Vulnerabilities on google.

    Result =
    Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).

    for Microsoft
    Result =
    Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).

    You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there aren't any viruses that are successfully written for *nix. Spyware isn't even remotely a concept to a linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that linux users patch any more or less than Windows users, no. But we do it more efficiently and with greater success.

    Stability wise, come on. I've got a redhat 7.3 box that barring power failures hasn't been rebooted in over a year. It's a good box, it would probably take an Arkady Rossovich low yield nuke on its head and still live, and I don't know of any windows box that's able to admit that.

  • Yet another example (Score:5, Informative)

    by DarkMantle (784415) on Friday February 11 2005, @11:20AM (#11642629) Homepage
    Here's another example of making stats say what you want.

    Sure, WINDOWS only had 15 patches in the last year however. IE6 had how many (at least another 18-24), Remote desktop connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....

    Need I continue?

    Fact is, yes, Windows had 12 updates in a year, but its components had many more.

    And also looking at the time from exploit discovery to fix, not lookin good for them there either.
  • by Morganth (137341) on Friday February 11 2005, @11:21AM (#11642657) Journal
    Perfect, let's start rating the security of our products by how many patches have been written and applied. What does this kind of numbers game encourage?

    (1) Don't write a patch, since that admits failure or insecure products.

    or

    (2) Wait a long time before writing and committing a patch, so you can do it as "one big patch" (otherwise known as, haha, a Service Pack!).

    Thanks Microsoft! Just your STATEMENTS make systems less secure (nevermind your engineering).
    • by aug24 (38229) on Friday February 11 2005, @11:24AM (#11642690) Homepage
      2005-to-date appears to be a unique time in history that he can make this claim vaguely valid, but when you just look at the totals for the systems you get different info.

      Secunia totals are...

      Server 2003; 5 unpatched of 44
      Office; 2 unpatched of 7
      Exchange 2003; 1 unpatched of 3
      IIS 6; 1 unpatched of 3
      SQL Server 2000; 1 unpatched of 10
      Total; 10 unpatched of 67

      Justin.
      Apologies for the crap formatting, /. should let me use tabs. So there.