Surprise, Windows Listed as Most Secure OS

david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."

Simply

[COMON$]

Let me simplify:

This discussion will go as follows.

Linux geeks will pound the boards about foul play and all the vulerabilities they would exploit if they werent to busy checking dependencies.

Mac fanboys will make fun of both citing how Symantec didnt like them in the first place, because Mac people dont buy Symantec products.

Windows geeks will state how this has always been the case, but because they are the more popular OS they are a bigger target.

And finally the old unix guys will flame about how none of these vulnerabilites would have happened if we would have stayed away from GUIs.

So now that we have got that out of the way we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up? Personally as a network admin I have not been too nervous the last 6 months. Since the year of the blaster MS has done a pretty good job of making up for exploits and covering their asses. All is quiet on the homefront.

Re:Simply

[cyber-vandal]

Spoilsport :P

Re:

[slazzy]

Simple - someone must have r00ted internetnews.com and their IIS

Re:Simply

[eikonos]

That will teach internetnews.com to host their site on a Windows box. :P

Re:Simply

[maynard]

"And finally the old unix guys will flame about how none of these vulnerabilites would have happened if we would have stayed away from GUIs."

No. Old UNIX hackers will instead berate UNIX for being a total piece of shit [simson.net] and then endlessly whine about the downfall of Symbolics [wikipedia.org] and its old dedicated LISP machines. And they'd be right.

small addition

[caitsith01]

...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".

And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."

I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.

Re:small addition

[PopeRatzo]

Those of us who think there is room in the world for both Windows, OSX and Linux...

There's not only "room" for Windows, OSX and Linux, but there's a crying need for new blood in the OS arena.

Re:

[Fred_A]

I wonder if it's time to consider these systems "good enough", or if something else needs to be done?

Actually when I said "good enough", I meant from a generic user's point of view. I haven't tried it but if you polled a few users to ask them what they'd like the next version of their system to be like, I doubt they'd come up with anything revolutionary (less malware or spam would be my guess among MS users).

As for me, after over 25 years of professional computer use, I still look every now and then at w

Re:

[Anonymous Coward]

Here's your Mac user. I'd comment, but I'm still trying to recover from the hysterical laughter that occurred after reading the article. I say one thing; those Symantec PR people can sure make statistics dance!

I think the headline was misleading or perhaps edited a little too much. It should have read, "Surprise, Surprise... Windows Listed As Most Secure OS- By Symantec." It might have been more accurate if it had a few smilies tossed into it, or perhaps a [Yawn].

Intonation is everything.

Re:small addition

[v1]

The big comparison I make is the severity of the problem. A lot of the security fixes seen in OS X are related to applications, things like "a maliciously crafted quicktime movie could lead to elevated privleges". This is a whole world different than "a buffer overflow in the TCP stack allows remote code execution". The former you can get hit by if you are running malware, the latter comes and gets your computer and integrates it into another botnet while you sleep.

I'll take the former over the latter anyday. Most of the nasties windows copes with are things that will ambush you when you are doing what should be totally safe things, like browsing a web site or just plain being connected to the internet without a firewall. I don't know how anyone can claim a system that is just plain unsafe to connect to the internet without spending three hours patching it and loading up defensive software is more secure than anything

Re:

[Phroggy]

A lot of the security fixes seen in OS X are related to applications, things like "a maliciously crafted quicktime movie could lead to elevated privleges". This is a whole world different than "a buffer overflow in the TCP stack allows remote code execution".

Most of the nasties windows copes with are things that will ambush you when you are doing what should be totally safe things, like browsing a web site or just plain being connected to the internet without a firewall.

...Or watching a QuickTime movie. Should be a totally safe thing, right?

Re:

[ASkGNet]

Actually, the comparisons of the security vulnerabilities usually go as following:

Guy 1: Windows had 50 security patches last month
Guy 2: RHEL had 500 security patches last month. Out of those, 5 were for the Linux kernel and critical system software. Rest were for Frozen Bubble and GIMP
Guy 1: Who cares, nobody will know the difference, let's say RHEL had 500 security patches

Funnily enough, Windows security comparisons never take any third-party software into consideration, while all Linux security comparis

Re:

[Afrosheen]

I for one welcome our bedtime attacking ghost overlords.

Re:

[arminw]

....I am rather looking forward to the comments from Apple users.....

You are , are you?! Well right here on /. at this time, there is a front page post on 1.2 million bot infestations. Read some of that. I bet that not even ONE of these is on a Mac under OSX. Symantec doesn't like Macs because they don't need the crap Symantec tries to sell in the disguise of anti-malware programs. If one day it came out that they promote the black hat hackers just so the can sell more of their garbage, I would not be surpr

Re:

[Eideewt]

You make it sound like arguing isn't worth doing for its own sake.

Re:

[Chmcginn]

Well, the zealotry of the ranting guy on the street is entertaining. As is a lot of the zealotry on /. . The only kind that really worries me is when it starts affecting commercial/political decision making processes.

Re:small addition

[ConceptJunkie]

"Starts" affecting?

That assumes that these decision-making processes were once made rationally.

Re:small addition

[Gilmoure]

Death to all fanatics!

Re:

[carpeweb]

Touche

I thought that was spelled with a "d"; oh; never mind.
---
Emily Latella

GUIs? Hah! Like command lines are any better

[spun]

In MY day, we toggled programs into the front panel with SWITCHES, and we LIKED IT! Now get off my lawn, you damn kids.

Re:

[couch_warrior]

SWITCHES, you had SWITCHES???

WE programmed the executable memory with JUMPERS, because it was read-only

And if we would get rid of this amazingly insecure invention called RAM, and record the OS and application executables in PROM at the factory the way God intended, there wouldn't be any computer viruses EVER AGAIN!

Re:GUIs? Hah! Like command lines are any better

[Anonymous Coward]

You had tape?

I would have killed for tape.

In my day we stored data on twigs and tree bark and we liked it.

And don't get me started on "binary". It was either zero or it wasn't. We didn't need no stinking ones.

Re:GUIs? Hah! Like command lines are any better

[nsayer]

Luxury.

We had to draw our data in the sand. We hadn't heard about zeros, so we had to write them as I-I.

Re:

[QuickFox]

You had ones? Luxury. We had neither ones nor zeros, we had nothing. Nothing! In other words, we had holes. All we could use was holes. Do you have any idea how annoying holes are? Put one in your pocket, next thing you know everything in your pocket falls out through the hole.

Re:GUIs? Hah! Like command lines are any better

[Scoldog]

In my day, I had to turn the light on for 1 and turn it off for 0.
 
Problem is, the PHB saw me doing this and told me to leave the light on. I said this would be a bad idea as it would signal the lusers that the system was in production and that they could potentially stuff the system up, especially all the batch files running that where processing data relating to the "Earth" project. The PHB ignored me and created two new limited access user accounts (Hereby called Luser1 AKA Adam and Luser2 AKA Eve).
 
Anyhoo, to cut a long story short, Luser2 managed to get the root password (due to a worm that the PHB infected the server with), shared it with Luser1 and managed to give themselves greater access to the info on the server. The PHB found out about this and got pretty mad with them. He deleted their user accounts, kicked them off the server and installed a firewall so that they could never again access the almighty server.
 
So anyway, here I am, the 21C of the "Universe" server, still watching the spawn processes of those two lusers still multiplying and changing and dealing with new problems like cooling fans starting to die.
 
I don't think I'll ever get this server right again.

Re:

[dan828]

Now picture trying to do that after being woken from a dead sleep in the middle of the night, when all the while alarms are blaring and annoying the living hell out of you. And this is not so long ago-- the US Coast Guard was still using ancient PDP8s in the early 1990s to track their LORAN timing signals. Entering the bootstrap in on the front panel binary switches was not a thing of joy.

Re:Simply

[Stanistani]

>we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up?

So much sexual innuendo - so little time.

Re:Simply

[rilister]

I must be bored... a handy reference card:

"Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
-and, from previous Slashdot discussions...
"a mute point" = "a moot point"

and my absolute favorite...
"for all intensive purposes" (aaargh!) = "for all intents and purposes"

ok? fixed? I can go back to work now?

Re:Simply

[norminator]

I must be bored... a handy reference card:

"Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
-and, from previous Slashdot discussions...
"a mute point" = "a moot point"

and my absolute favorite...
"for all intensive purposes" (aaargh!) = "for all intents and purposes"

ok? fixed? I can go back to work now?

I could care less about those grammar errors...

Re:Simply

[earthbound kid]

Irregardless, the previous poster should of corrected it.

Re:

[aug24]

It's more fun annoying the spelling nazis than the grammer nazis.

J.

Re:Simply

[UbuntuDupe]

Windows is the safest OS, it's just that it has to tolerate being on unsecure networks, usage by mouth-breathers, and its overwhelming attractiveness as a target for criminals.

*please mod insightful, please mod insightful*

Re:Simply

[pogson]

I have found Windows to be exceptionally secure after I install GNU/Linux right over top of it. I have never had a failure after this procedure. I started doing it when I saw machines running Windows fail for no apparent reason, sometimes just idling and "PFFT!", dead as a BSOD. People told me it was hardware problems, but, running on the same hardware, the new installation would run for months with no downtime.

Actually

[Greyfox]

My usual response to that is to challenge the speaker to do a base install of Windows and a base install of Linux or MacOS with a machine plugged into the raw internet. Then measure how many times each OS has been pwned before it's done installing. Assuming they all three survive that test, fire up a web browser and try to find out what you need to do to do a software update for your OS (After all, that's the first thing a "normal" user does, right?) and install said software update. Again measure how many times each machine was pwned by the time you got the system installed. Finally, wander off and come back a month later to measure the amount of pwnage that has occurred.

This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issueing my challenge. I'm really not entirely sure why...

Re:Actually

[Greyfox]

Excuses. You could still buy non-sp2 Windows install disks for months after SP2 came out. I happen to know this because I got my room mate a copy down at the local CompUSA. Microsoft didn't allow me to download the SP2 images from my Linux box either. They didn't like my web browser.

But you're right. We should just ignore all those millions of systems that won't be upgraded or patched and judged them on where they are now. [google.com] Where was that again? I know that "MS Certified" IT guys shift nervously whenever you mention doing a Windows install on the raw Internet. Vista or otherwise. I wouldn't be the least bit concerned about, say, a Debian install. I'd be somewhat more worried about doing an OSX one but I have a lot more faith in the underlying system than I do about anything Microsoft could put out.

Re:Actually

[sqlrob]

No open ports on an OS X install, so it's not a problem. When I got my Mac, first thing I did was port scan it, there was squat open.

Then I noticed the firewall wasn't even on by default at that point.

Re:

[kernelistic]

This is simply not true. If your Windows 2003 machine is on any sort of network, NetBIOS is enabled if you select the default settings.

Re:Actually

[Nasarius]

if you do an install of an OS without a firewall you are an idiot

No no, I'd say it's you who's hilariously stupid. Not every OS opens up all sorts of services by default, you know. A decent Linux workstation will have sshd, if anything. Most Linux installs should have a network source so that the latest package version gets installed. Not every OS installer is so poorly designed that it installs old, vulnerable packages, you know.

My concerns about WIndows are architectural

[einhverfr]

Basically Microsoft decided to build NT as an open system (meaning standards-compliance especially with the standards of the Open Group). Some of the standards (POSIX, for example) were only barely usable, while others (DCE/RPE) became the basis for everything. At the same time, Windows use Kerberos on Domains by default, so they never implemented the security part of the spec.

DCE/RPC underlies all DCOM calls. And OLE is built on DCOM. Note that this means that you cannot turn this network service off.

Re:

[dhasenan]

I haven't had a firewall on either of my computers in all the time I've owned them. No viruses or intrusions of any kind. You don't have to filter out packets that'll just be ignored anyway.

If Windows were properly designed, firewalls would be nearly useless.

Re:Simply

[bobcat7677]

You forgot one important group (you insensitive clod!). The sensible crowd who simply dismiss the article as hot air from a group of people who have the worst security track record of their industry in the past 5 years. I mean seriously, it's pretty bad when the antivirus software starts getting hit with viruses that would otherwise be ineffective against a system. I wouldn't trust Symantec/Norton with anything more important then a string, much less consider them an "authority" on anything security related. And no, I don't use a Mac.

Re:Simply

[Rakarra]

Norton used to be awesome as well. Norton Commander on my PC XT (the 86-88 version of nc)? It used up only a tiny portion of memory, it was fast, extremely useful. Norton Utilities (disk doctor specifically) from the same time saved my ass several times. Now? I had my mom uninstall all Symantec software from her Windows XP machine. She used a competing anti-virus problem, relied on her hardware firewall's protection (came with the ISP!), and the speed gains from the computer.. it was like night and day. Before, it took 5 minutes after bootup for the machine to become usable as Norton Internet Security did all sorts of things that you can't turn off, and it slowed the computer down during normal use as well. What a difference two decades makes!

Re:Simply

[TClevenger]

Symantec is where good software goes to die. For example: Norton Utilities, Ghost, BackupExec.

Re:Simply

[Strilanc]

... and none of them will have read the article.

If you DO read the article for the vulnerability counts:
Windows - 39, 12 severe, average 21 day fix
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix

Now it looks to me like Windows performed the worst because of the large number of severe problems. This makes it more likely there are many more severe problems.

Re:Simply

[dgatwood]

What you really want is the number of zero-day exploits. Vulnerabilities that are patched prior to an exploit are of far less concern than vulnerabilities that are exploited (NOT counting proof-of-concept "exploits") prior to a patch becoming available. Even I have seen reports of several zero-day exploits against WIndows in my recent memory, and I don't even use Windows or pay much attention to those notices....

If we assume that the vast majority of people who find security holes do the right thing and notify the vendor, then we can conclude that the vast majority of security holes should not be exploited prior to it being patched. From this, we can conclude from the relatively high zero-day-flaws-to-patch-count ratio that the vast majority of known Windows security holes probably remain unpatched, thus making the above numbers dramatically understated. Just a hunch.

If an operating system is more secure because the vendor has made less security fixes, that would make RedHat 1.0 the most secure OS of all. It probably hasn't had any security fixes in the better part of a decade. It's roughly equivalent to saying that the Ford Pinto is the safest car made in the last thirty years because the manufacturer only released one safety recall, while my Ford Windstar (with dual airbags, rear shoulder belts, anti-lock brakes, etc.) had at least three. See how silly that argument is? :-)

Re:Simply

[Lumpy]

The funny part is these "studies" are so biased even if they TRY not to be.

they call redhat everything that was on the install Discs. Yes OSX and Windows get to only be the fricking OS.

Giving redhat a mark because there was a sendmail security fix is complete utter BS.

a fairer comparison would be redhat to all microsoft products rolled together. Because that is what redhat is. It's Windows XP, windows server 2003 IIS SQL sourcesafe exchange access word excel media server media center outlook media player, etc... all together. Oh dont forget Visual studio 2005 and all it's plugins as redhat out of the box has a full development kit installed.

Call me when they do that or ignore all the server apps and other apps that come on the CD. These nimrods at symantec simply looked at errata published duting the time. redhat supports 100X more apps in the core OS than micorosft sells all together and issues fixes and errata for all of those. Microsoft tells you to pound sand when your virus scanner eats your PC.

Big difference.

Even more spectacular is the conclusion

[mangu]

12 severe for windows and 2 severe for Linux is farking spectacular

The strange thing here is that they say Windows has six times as many severe vulnerabilities and conclude "... therefore Windows is *more* secure than Linux ...". WTF? Have they changed the definition of "more"? Where can I get a patch for my English dictionary?

Re:

[gig]

Actually Symantec's place on the Mac is that every six months or so they do a big FUD campaign against Mac security, trying to scare up demand for an all-purpose software package that will "secure your Mac." Their best argument is always "you never know".

I love how Symantec's current position is that Windows should stay broken and insecure so that it doesn't destroy the Windows utilities market.

THIS JUST IN!

[pak9rabid]

Symantec's net income mysteriously increased by $10 million....In other news, Microsoft's net income shows a decrease of $10 million. Upon investigation of Microsoft's income statement, "other expenses" showed an increase of $10 million...

IIS

[lseltzer]

Someone else mentioned IIS and I thought it was worth mentioning, appropos of parent's remarks, that it's been years since the last really serious IIS vulnerability. In the last two years or so it actually has a better security record than Apache, especially Apache with PHP installed (Apache of course has a really good security record too, but IIS has been stellar).

Look at Secunia's page on IIS 6.0 [secunia.com], which is 3 or 4 years old: 3 vulnerabilities total, all patched and none of them seriously critical.

Re:

[morgan_greywolf]

especially Apache with PHP installed

I'm not convinced it's entirely PHP's fault, either. PHP (esp. in combination with MySQL) is the VB of the Web. Just as most VB programmers often had a blatant disregard for writing clean, secure and reliable code, so do most PHP programmers. The problem with PHP is that, like VB, the learning curve is simply too low for non-programmers. Languages like C force the programmer to learn to program. Now, C is so flexible that it doesn't force good programming habits, but with C you have to learn how to wr

Re:

[petermgreen]

no with C writing bad code is the default mode, pointer aritmetic and standard apis like prinf require extreme care to avoid writing insecure code.

secure programming in general is very hard though some languages make it harder than others. Secure programming requires carefull consideration of many issues some of which span accross the application. It also requires good documentation (how should things be quoted at this interface? is the creator of this data trustworthy or should the data be treated as poten

What were Symantic thinking?

[taniwha]

I mean they are basically saying "we're in the wrong business" - great way to drive your stock price down and end up with a whole bunch of investor law suits ....

Re:

[Niten]

I don't know, I sort of saw it the other way around:

"Hey all you guys, listen up. I know some of you were thinking of switching to Linux or the Mac or something for improved security, but really, you're better off staying put with Windows. And by the way, did I mention that our products run on Windows?"

Maybe I'm just cynical today...

Re:Simply

[Hymer]

Well... I think you should talk to that norwegian bank wich was down for a week (11,000 PC's and 1,000+ servers) a couple weeks ago about how secure Windows is... so no, not really "All quiet".
Vista has not been out for six months (Enterprise relese was in November, commercial release was in January) so I can't really use that info for anything... "We got the most secure system... except... it is not released yet..." geee...
...and the fact that the upgrade rate to Vista are somewhere between 30% and 50% of what Microsoft estimated is also helping the statistic.
I have run NT4 and W2K for years without problems... and without reinstalling. It is possible, you just need to know what you are doing... and how to protect your system. Wait until Joe Sixpack & other lusers start to use Vista and then we will see how invincible it is.
...and btw. I do belive Vista is the most secure Windows desktop to date... but that doesn't really say very much does it ?

Re:Simply

[Rei]

You BETTER keep them AWAY from your CAPS LOCK as well, ZIPPY!

(I have no problem with the post -- only with Slashdot's title for it. I would recommend something more like "Windows Is Most Secure OS, Say Flying Pigs")

Fewer patches...

[blargfellow]

Wait...I'm supposed to think that fewer patches makes for a safer operating system?

Re:

[Lehk228]

yup. the fact that MS clumps their patches and only releases on patch day has NOTHING to do with it.

Re:Fewer patches...

[baryon351]

That was exactly my thought.

'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.'

Cool. so if I write an OS that's chock FULL of holes, and only patch three of the simplest holes in six months, patch them within an hour of being alerted to their existence, and try to keep all the others under wraps, then my OS would have fewer patches than windows and a shorter patch development time. I win. Security by obscurity wins too.

Retarded. It relies on the trust that OS vendors always patch all holes they're alerted to, AND announces every one they've patched or been alerted to. Trust like that is the beginnings of security problems in the first place.

Ive seen the evidence

[Anonymous Coward]

its a blue screen that tells you
IRQ_NOT_LESS_OR_EQUAL

never been infected while ive seen that on my screen
even in Vista !

Re:Ive seen the evidence

[EvanED]

It's probably a device driver issue. A bad kernel module will cause almost exactly the same error on Linux, only they call it a kernel panic instead of BSOD and write "sleeping function called from invalid context" instead of "IRQ_NOT_LESS_OR_EQUAL."

Yes, but severity?

[Anonymous Coward]

The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has less fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.

what i make out of that :

[unity100]

"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems" = "Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a few number of patches, from possible an unknown number of undiscovered vulnerabilities"

I guess Symantec will soon be out of a job.

[bitbucketeer]

After all... who needs to buy security products for the most secure commercial OS available to mankind?

The numbers are being misread

[christoofar]

If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?

What is this, 3rd grade?

I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!

Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].

I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.

Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].

Re:The numbers are being misread

[slackmaster2000]

Don't go around calling "3rd grade" if you're just going to summarize a summary. RTFA already.

Here, this will help:

"The report found that Microsoft (Quote) Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.

During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.

Red Hat Linux was the next-best performer, requiring an average of 58 days to address a total of 208 vulnerabilities. However, this was a significant increase in both problems and fix time over the first half of 2006, when there were 42 vulnerabilities in Red Hat and the average turnaround was 13 days.

The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.

Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple (Quote) has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.

Like the others, this is also an increase over the first half of the year. For the first half of 2006, 21 vulnerabilities were found in Mac OS X and Apple took on average 37 days to fix them. "

Apples = Oranges apparently

[wwahammy]

While I don't think Windows is the most secure OS, its not fair to compare the number of patches released by a Linux packaging system to the number released by Microsoft for their base OS. The various repositories include every conceivable type of software for Linux and updates for that software while I assume Symantec (no I didn't read the article) is referring to updates just for Windows, not every piece of software on Windows. Your comparison only makes sense if you compare the SUSE repository software updates with every Windows software update.

Doesn't add up

[Anonymous Coward]

"39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows"

"Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"

I fail to see how this makes Windows more secure than Mac OS X.

More bundled software, more LOC, more LP bugs

[evought]

Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace. Does a bug in VLC equate to an OS bug? How about Firefox? Can it be used to root your system? All grey areas. Given that, the total numbers of bugs are not surprising at all and the low number of high priority bugs is telling to the extent that patch numbers are a valid measure at all. Taking a while to fix higher numbers of low priority bugs isn't a big deal as long as the high priority bugs are dealt with quickly. That would be the obvious follow up question, which they did not apparently ask. Another obvious question is who reported the defects? Are these vendor provided numbers or third party (e.g. CERT) security alerts? Another question no one (except Sun) bothered to ask.

Re:

[Llywelyn]

1) How many of those vulnerabilities on MacOS X are impossible to exploit?

2) How many of them deal with applications which are bundled but disabled by default (e.g., Apache, OpenSSH)?

3) What constitutes a "critical" vulnerability? What is the relative threat level?

4) How many of those exploits were "in the wild" in terms of use?

Your method of generating "unpatched days" is also suspect. First, severity doesn't factor into the number of days and is a *really* bad multiplier in this case. It exaggerates w

yea

[Larry_Dillon]

Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.

Patch release count is probably the worst security metric that you could come up with.

Re:yea

[Larry_Dillon]

The real problem is that a modern Linux disrto comes with hundreds of applications, all of which are counted against "Liunx" security vulnerabilities.

But when they count Windows vunerabilities, they don't count all of the third party apps you have to load to get the same functionality. They usually just count the base OS.

Further, Linux folks release a patch when they see a problem, M$ releases a patch when forced to by someone who's published exploit code.

Re:

[John Betonschaar]

But when they count Windows vunerabilities, they don't count all of the third party apps you have to load to get the same functionality. They usually just count the base OS.

Also, though I haven't read TFA (I'm allergic to reports like this), I assume they meant 'Windows is the most secure commercial OS, when used in combination with a good firewall and virusscanner'. Which they coincidentally happen to sell (well, at least they think its good)...

Of course it's more secure..

[GonzoTech]

Steve Ballmer's chair throwing corps makes sure they get good reviews.. or else.

Gee, what a surprise

[Bacon Bits]

*Symantec* released the report. How many products does Symantec make for non-Windows OSs? Or was their research "Windows XP with Norton Internet Security Suite 2007 installed"?

This is not news. This is a Symantec marketing campaign disguised as a press release disguised as a research report.

Never mind the false conclusion that fewer patches = more secure. Never mind that both OS X (which had MOAB) and RHEL both include a lot more software than the base OS for Windows.

Re:Gee, what a surprise

[Knara]

Well, Windows XP Pro's standard install media doesn't include 2 RDBMS packages, two different full-featured email clients, a couple different window manager package sets, a couple of widget packages, support for at least 2 programming languages, libraries to run code originally intended for another operating system's primary development framework, and two(Abiword counts?) office suites (part of the standard install for RHEL, mind you, but typically not considered "part of Windows XP")

In order for it to be an accurate comparison, we'd need to figure out what the "standard" Windows XP Professional install would be for the test, and then install (and consider) only those equivalent packages on the RHEL machine. Likewise with OS X. Both of the latter may require not-insignficant pruning of software to match the stereotypical XP+Office desktop setup (i.e. GIMP is far more complex than Paint, so it isn't really the same thing unless we were to install some arbitrary Photoshop-like-application on the XP machine).

Why Symantic Says "Windows is Good"

[twitter]

Tell me again how a more secure Windows OS becomes good news for Symantec.

Because you have to believe Windoze can be secure before you waste money on it or Symantic.

In other news

[eclectro]

Bot herders has named Windows as the most reliable operating system for hosting botnets and spam machines.

Congratulations all around Microsoft.

Correlations that are left out

[GiovanniZero]

It's interesting to note that while OS X had 43 vulnerabilities(1 severe) and windows had 39 vulnerabilities(12 severe). So windows had more big threat security holes than OS X by 12 times. Maybe OS X's average patch time is higher because the vulnerabilities they had were less important to patch?

Again?

[kebes]

How many times are we going to have a "news item" that uses the same old technique to "prove" that Windows is the most secure. I'll save you the trouble of reading the article, the executive summary is something like:

"The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."

Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says:

39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows

and:

of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity

So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publically disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.

Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statisically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.

Survival Time Studies.

[twitter]

A more accurate measurement might be: average time to system compromise / number of attacks.

Any real world test would be better than this silly patch counting, but the number usually reported is time to ownership. People don't really care about how many attempts it takes to break a system as much as they care about how often they need to do things. It might take an attacker 100,000 tries to brute force a password, what matters is how long it took. The trick is to make sure your network looks like a t

Translation Follows:

[Chris Mattern]

"We don't sell any anti-virus or firewall software when people buy Linux."

Chris Mattern

A more useful summary

[greg1104]

Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.

High-severity security vulnerabilities in 2006

Windows: Q1/2=5 Q3/4=12 Total=17

RedHat Linux: Q1/2=1 Q3/4=2 Total=3

Mac OS X: Q1/2=3 Q3/4=1 Total=4

Now that's a summary I can agree with.

Re:

[WilliamSChips]

9/10 dentists recommend using [insert toothpaste brand] over becoming a serial murderer.

Logic

[volpe]

Microsoft has the most secure operating system amongst its commercial competitors [because] Microsoft Windows had the fewest number of patches [...]

Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.

Carefully chosen competitors

[mandelbr0t]

What a pointless comparison. All that we see is that Windows has finally caught up with other Desktop OSs in security. Desktop systems are insecure, period, so who really cares about which one is more secure. I see that there's no BSD in the list, not a single IBM OS, VMS, or any other Mainframe OS. This report completely fails to illustrate any useful information. Insecure machines can be protected with firewalls which run secure OSs, none of which were in this list (OpenBSD, anyone?). About all that can be said is that Windows has finally found a way to protect itself from the meddling of idiots, at the cost of the most annoying security system ever invented. All that, and I still doubt that any sort of stability could be achieved on a network running these three OSs exclusively, without the protection of at least one OS not in this report.

More secure...

[Daishiman]

More secure than VMS, i5OS, or z/OS?

The Fine Print

[nixNscratches]

Pulled from the actual Report itself (Internet Scurity Threat Report XI) from Symantec -

With the exception of Microsoft, all vendors were affected by longer turnarounds for patches for third- party components that are distributed with each operating system. Upon examining the sample set of vulnerabilities during this period, Symantec has observed that vulnerabilities with longer patch development times generally affected third-party components. The previous issue of the Symantec Internet Security Threat Reportcommented on the relevance of this issue for commercial UNIX vendors such as HP and Sun,but it holds true for all vendors of UNIX/Linux-based operating systems.

And of course:

As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third- parties in response to high-profile vulnerabilities.

As always, the most secure computer is the one that is turned off, and unplugged from the network.

No security model is perfect, but I'd take any *nix for a web facing server any day.

Context and methodology

[UnknowingFool]

The summary is that over the last 6 months, Windows had the fewest number of bugs (regardless of severity) and took the shortest amount of time to fix them.

a)What is not mentioned is that Windows had the most number of severe bugs. Windows had 12, OS X 1. But it didn't mention how many severe bugs Linux had.

b. Also what isn't noted is methodology. The time between bug and patch is mentioned but not whether time is between the bug being discovered or being announced. With open source, almost all bugs are announced when they are discovered. With closed source, it is not the same. MS has in the past sat on bugs for months, years before announcing them much less working on them.

c. This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn't look so good. Didn't BSD have it's 2nd bug in a decade recently?

Bad metric, questionable source

[KC7GR]

As others have pointed out: Symantec is in business to sell "security" software for the Windows platform. Nothing more needs to be said in that regard.

Also, as others have pointed out, the metric of "Number of Patches" released is pretty much worthless. If this was a serious security test of Vista, it would have employed port scanners, malicious web pages, and assorted other threats stacked up against a default installation of the OS, on known hardware, with Vista's "security" features enabled in a known way.

For consistency's sake, the same attacks would need to be carried out against default installs of not just Linux, but OpenBSD, FreeBSD, NetBSD, and others. Then, and ONLY then, if Windows came out unscathed ahead of all those others (HA!) could it possibly be considered "most secure."

For that matter, the term "most secure" is meaningless without context. Most secure as a server? A workstation? With what skill level of user behind it?

This study seems to be, as the Immoral Bird might have put it, "lots of sound and fury, signifying nothing."

In fact, if it showed up on Usenet, it would most likely be considered a lame attempt at trolling, and subsequently killfiled.

Keep the peace(es).

A couple of things

[Philodoxx]

Symantec says that Windows is the most secure operating system. Why, then, would a windows user buy Symantec's products if that user is running the most secure commercial OS?

"The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006."

How is the number of patches that Microsoft chooses to fix a good metric? I doubt this is the case, but what if the engineers were sitting around saying "holy crap, these problems are all hard! who wants to get some coffee?" and never got around to releasing patches?

Street Cred

[dr_strang]

Symantec has all the street cred of a pimply-faced 17-year old driving his mom's Lexus SUV. Seriously.

Strange analysis in article

[wealthychef]

So Mac OS X, which had only one vulnerability rated high priority and none rated severe, lost to Windows, which had 12? This makes no sense to me. I'm open minded, but this seems like the real surprise is these peoples' definition of "most secure." Mac OS X had more total vulnerability, but the vast majority were non-severe, moderate or low priority, compared to Microsoft's offering, more than 25% of whose vulnerabilities were severe or high priority. I'd like to know how long it took apple to fix its one high priority vulnerability. I'll bet it was fast. Anyhow, this is a crazy analysis.

Gross Misappropriation of Context

[carpeweb]

Well, you have to go a long, loooooooong way to reach the conclusion that "Microsoft has the most secure operating system"!

The audit trail for this year's award for Best Distorting Headline:

1. The post links to a report on internetnews.com, not Information Week, as reported.
2. The InternetNews.com report links to the Symantec summary web page [symantec.com], which does not mention Microsoft at all . Moreover, it is a report on Internet Security, not operating systems. (A bit more about that next.)
3. The report itself is a 104 page (PDF) document [symantec.com] (including 24 pages of appendices), which mentions Microsoft mostly in minor points, and in the following contexts:
   1. The Executive Summary does not mention Microsoft at all, nor does the Internet Security Threat Report Overview.
   2. The first mention of Microsoft comes in the Attack Trends Highlights of the Executive Summary Highlights, and it is not flattering: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   3. Similarly, under Vulnerability Trends Highlights (also under Executive Summary Highlights), the next mention is also not flattering: "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera."
   4. The next mention of Microsoft comes on page 19, under the heading, Threats posed to Windows Vista becoming evident. This comes after an Executive Summary Discussion that does not mention Microsoft anywhere in its ten pages. So far, I'm not feeling the "surprise" factor mentioned by david_g17.
   5. The first conclusion reached in the discussion of threats to Vista is that "Microsoft's Security Development Lifecycle, while thorough, does not necessarily identify all potential vulnerabilities." I am starting to feel some surprise, but it relates to how david_g17 interpreted this story.
   6. The discussion of threats to Vista identifies vulnerabilities, malicious code and attacks against the Teredo protocol. It simply does not say anything to indicate that Symantec believes Vista to be in any way superior to other operating systems with respect to security.
   7. The next mention of Microsoft comes under the section on Attack Trends, and concludes: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
   8. The next mention of Microsoft is essentially a footnote that singles out two Microsoft vulnerabilities in attributing a peak in bot activity. This is not necessarily a criticism of Microsoft, but it would hardly lead one to think of Microsoft as superior to other vendors.
   9. Next, under Vulnerability Trends, "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera." Um ... doesn't this mean that Microsoft is less than other vendors? Yes, I know, it's about browsers, not operating systems. Wait. Didn't Microsoft blur this distinction a little bit with their bundling strategy?
   10. Finally ... in the subsection, Patch development time for operating systems, almost halfway through the report, Symantec does give david_g17 his fodder: "Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006".
       However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have

How perfectly Orwellian

[BlackSabbath]

War is Peace
Ignorance is Strength
Windows is Secure

and

Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.

Windows is competely secure

[edwardpickman]

All you have to do is max out the firewalls and not allow anything to be installed. If you are still having problems just disconnect it form the internet. Turning it off makes a Windows machine even more secure.

Why does anyone bother to report this?

[shaitand]

Symantec has been rambling nonsense about how windows and proprietary software are more secure for a couple years now. How long ago was their last shocking report about how insecure open source and linux are?

Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS. They are tied to the platform. Not to mention they are an anti-virus company and windows is the only platform with a large enough virus problem to keep them in business. If any other platform came to dominate the market Symantec would be out of business.

Other than that, they aren't biased at all.

So Where is Symantec AV for Unix?

[NatteringNabob]

Oh, yeah, that' right *it doesn't exist expect to protect Windows boxes*. You know, when reality is in total opposition to your theory and/or study, maybe there is something wrong with your methodology? Is it possible that you just aren't measuring the right things? Because if Symantec is right, they are missing a huge market opportunity. On the other hand, given AV companies history of alarmist headlines, perhaps they are trying to create a new market to replace the old one that Microsoft is eating for lunch?

Consider the source

[Avatar8]

"Windows is secure" coming from the company that did the following:

- created an anti-virus signature that filled up your hard drive with DIR000?? folders
- has such tenacious application installs it usually takes a reformat to get them removed
- recognizes other anti-virus applications as virus activity
- purchased Ghost a few years ago and has yet to move it forward AT ALL.
- purchased Veritas last year (maybe 2) and has nearly halted all progress on that product.

Yeah, Symantec knows what it's doing.

Re:In other unrelated news today

[Walt Dismal]

Microsoft has the most secure operating system amongst its commercial competitors.

Surely you've jumped the gun. This is March 22. April 1st isn't for a few days.