Jeff Jones is a Strategy Director in the Microsoft Security Technology Unit, part of the team trying to make Microsoft products more secure, poor guy. No surprise that he publishes a vulnerability report on his Microsoft TechNet hosted Security Blog which always seems to suggest that Microsoft Windows is far more secure than competing operating systems from Linux vendors. What is slightly surprising, however, is that this is no dyed-in-the-wool Windows guy but someone who first tasted Linux running a P66 SLS machine with end-to-end tunneling to internal office Sun servers, running X as his GUI and using an X-redirector across the tunnel. This is someone who has done kernel development on Trusted Xenix. This is a guy who knows a bit more about Linux than your average Windows OS developer.

The blog in question carries a certain amount of weight with the media courtesy of being a TechNet published one, and given the position of the poster in question. “Looking at Security from All Angles” the blog banner claims, continuing “Security is not simple, so we should try not to simplify it to the point of uselessness.”

Can’t argue with that, but I sure can argue with the conclusion drawn from the colorful graphs used to simplify the security argument into “Windows is hugely more secure than assorted Linux distros”. That conclusion rests on data covering vulnerabilities that required patching, or, to be absolutely precise after checking the methodology statement Jeff handily published at a completely different site, vulnerabilities that had actually been patched by the vendor.

I quote: “The vulnerabilities included in the analysis only include those vulnerabilities for which the vendor has confirmed applicability, typically via a security advisory or patch notice. The analysis here does not include publicly disclosed vulnerabilities during the period that have not yet been fixed by the vendor.” So, let’s get this straight: that is vulnerabilities that have been patched by the vendor. Not zero-day flaws, not vulnerabilities that are known about but not officially confirmed via an advisory, no matter how long in the tooth; just the ones the vendor has fixed.

Secunia publishes independent reports of vulnerabilities listed by both vendor and product, as well as keeping historical archives of the same. Which makes for very interesting reading, and brings a slightly different perspective to the security picture being painted.

Take XP Pro, for example, which Secunia shows as having 29 advisories yet to be patched, 15% of the total. Or how about Windows Server 2003 Standard Edition with an 8% unpatched rating, equating to 11 of 135 advisories? Compare this to the product flagged as most insecure by the Microsoft OS Vulnerability Scorecard report, Red Hat Enterprise Linux 4 Workstation. Secunia shows 311 advisories raised since 2005, and none of them remain unpatched.

This would tend to suggest to me that Red Hat is actually more secure than Windows, if we want to follow the advice not to simplify security to the point of uselessness, because the ability and willingness of a vendor to quickly fix flaws when found has to be factored into any serious look at the security argument. Indeed, vendor response times are key when everyone agrees that it is all but impossible to write 100% secure code. Getting patches out to the user is the real metric of security, and ignoring those vulnerabilities which have yet to be patched reduces the original report to nothing more than FUD.
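To make the methodological point concrete, here is an added worked example (not code from the scorecard, from Secunia, or from the original post) that scores two hypothetical products, “OS-A” and “OS-B”, on constructed advisory data. It counts advisories three ways: the scorecard’s rule (only vendor-fixed advisories), the unpatched share Secunia reports, and the exposure window from disclosure to patch. The product with fewer fixed advisories wins under the first rule and loses under the other two, which is exactly the inversion argued above. All dates and counts are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One vulnerability advisory for a product.

    fixed is None while the vendor has not shipped a patch.
    """
    product: str
    disclosed: date
    fixed: Optional[date]


# Constructed sample data for two hypothetical products; these are not
# Secunia's or the scorecard's real figures.
SAMPLE = [
    Advisory("OS-A", date(2007, 1, 10), date(2007, 2, 13)),
    Advisory("OS-A", date(2007, 2, 5), date(2007, 4, 10)),
    Advisory("OS-A", date(2007, 3, 1), None),
    Advisory("OS-A", date(2007, 4, 20), None),
    Advisory("OS-B", date(2007, 1, 12), date(2007, 1, 14)),
    Advisory("OS-B", date(2007, 1, 30), date(2007, 2, 2)),
    Advisory("OS-B", date(2007, 2, 18), date(2007, 2, 20)),
    Advisory("OS-B", date(2007, 3, 3), date(2007, 3, 9)),
    Advisory("OS-B", date(2007, 3, 25), date(2007, 3, 27)),
    Advisory("OS-B", date(2007, 4, 14), date(2007, 4, 16)),
]

# Assumed reporting cut-off for the snapshot below.
AS_OF = date(2007, 6, 30)


def fixed_count(advisories, product):
    """Scorecard-style count: only advisories the vendor has already fixed."""
    return sum(1 for a in advisories
               if a.product == product and a.fixed is not None)


def unpatched(advisories, product):
    """(unpatched, total, ratio): advisories still open for the product."""
    mine = [a for a in advisories if a.product == product]
    still_open = [a for a in mine if a.fixed is None]
    ratio = len(still_open) / len(mine) if mine else 0.0
    return len(still_open), len(mine), ratio


def exposure_days(advisories, product, as_of):
    """Days each advisory was (or has been) open; unpatched ones run to as_of."""
    return [((a.fixed or as_of) - a.disclosed).days
            for a in advisories if a.product == product]


def scorecard(advisories, as_of):
    """Per-product summary under each counting rule."""
    card = {}
    for p in sorted({a.product for a in advisories}):
        n_open, n_total, ratio = unpatched(advisories, p)
        card[p] = {
            "fixed_only": fixed_count(advisories, p),
            "total": n_total,
            "unpatched": n_open,
            "unpatched_pct": round(100 * ratio, 1),
            "median_exposure_days": median(exposure_days(advisories, p, as_of)),
        }
    return card


def rank_by(card, key):
    """Product names ordered best-first (lowest value) by one metric."""
    return sorted(card, key=lambda p: card[p][key])


if __name__ == "__main__":
    card = scorecard(SAMPLE, AS_OF)
    for product, row in card.items():
        print(product, row)
    print("best by fixed-only count (scorecard rule):", rank_by(card, "fixed_only"))
    print("best by unpatched advisories:", rank_by(card, "unpatched"))
    print("best by median exposure window:", rank_by(card, "median_exposure_days"))
```

Under the fixed-only rule OS-A ranks first simply because it has shipped fewer patches; counting what is still open, or how long users were exposed, puts OS-B first. The metric chosen, not the data, decides the winner.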

Displaying graphs that show Windows products in the less-than-50 zone, while Apple, Novell, Red Hat and Ubuntu all drift upwards of 100, is nothing short of misleading.

And that is the real problem I have with this vulnerability scorecard. If you take the time to read between the lines and delve a little deeper into what is being reported, you discover that what it is actually saying is that Linux vendors are more efficient (although you might substitute the word ‘honest’ if you prefer) than Microsoft when it comes to announcing flaws and actually fixing them. What it reveals to me is how slow, comparatively speaking, Microsoft is at releasing patches.

The truth is that every OS will suffer from security flaws; all that matters in the end is how those flaws are dealt with and how quickly the end user is protected from the exploits they enable. Let me state here that I am no Linux fanboy (I write a security column published at Microsoft.com if proof were needed of that) but rather an unbiased commentator on IT security issues. However, at the end of the day I have to say that from where I am sitting the true vulnerability scorecard should read:

Linux 1, Microsoft 0

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Is this not the way with all polls?

If any company makes a poll public they usually show they are the best at whatever. Why release one that shows you are the worst?

It is all in how the questions are asked and analysed.

It brings to mind the phrase 'there are lies and there are statistics'.


Yes it is. It is certainly true that the majority of compromised systems in real numbers run Windows, but it's just as true that the majority of compromised systems as a percentage of installed base are running Linux (and to a lesser degree other Unix flavours).

What Davey of course wants you to believe is that Linux vendors are faster at fixing flaws than is Microsoft, something that's patently untrue, that every compromised Windows machine is due to something Microsoft failed to patch while every compromised Linux machine is due to negligence of the operator.
Neither is true, not to any degree whatsoever.

In fact the majority of flaws in Windows itself are not known before Microsoft themselves discover them and release a patch.
The same is to some extent true for Linux as well, though most Linux vendors don't bother looking for or fixing flaws, instead relying on the goodwill of their users to do it for them.


> In fact the majority of flaws in Windows itself are not known before Microsoft themselves discover them and release a patch.

Also, at one point, most exploits were reverse-engineered from the patches, and effected between the time the patch was released and the time users actually got around to installing it (which is why it takes longer now to get patches out, what with obfuscating the binaries etc...). But it's MSFT's fault, as always... :P
