Jeff Jones is a Strategy Director in the Microsoft Security Technology Unit, part of the team trying to make Microsoft products more secure, poor guy. No surprise that he publishes a vulnerability report on his Microsoft TechNet hosted Security Blog which always seems to suggest that Microsoft Windows is far more secure than competing operating systems from Linux vendors. What is slightly surprising, however, is that this is no dyed-in-the-wool Windows guy but someone who first tasted Linux running a P66 SLS machine with end-to-end tunneling to internal office Sun servers, running X as his GUI and using an X-redirector across the tunnel. This is someone who has done kernel development on Trusted Xenix. This is a guy who knows a bit more about Linux than your average Windows OS developer.
The blog in question carries a certain amount of weight with the media courtesy of being a TechNet published one, and given the position of the poster in question. “Looking at Security from All Angles” the blog banner claims, continuing “Security is not simple, so we should try not to simplify it to the point of uselessness.”
Can’t argue with that, but I sure can argue with the conclusion drawn from the colorful graphs used to simplify the security argument down to the claim that Windows is hugely more secure than assorted Linux distros. The assumption is based upon research data concerning vulnerabilities that required patching, or, to be absolutely precise after checking the methodology statement handily published by Jeff at a completely different site, vulnerabilities that had actually been patched by the vendor.
I quote: “The vulnerabilities included in the analysis only include those vulnerabilities for which the vendor has confirmed applicability, typically via a security advisory or patch notice. The analysis here does not include publicly disclosed vulnerabilities during the period that have not yet been fixed by the vendor.” So, let’s get this straight: that is vulnerabilities that have been patched by the vendor, not zero-day flaws or vulnerabilities that are known about but not officially confirmed via advisory, no matter how long in the tooth, just the ones that the vendor has fixed.
Secunia publishes independent reports of vulnerabilities listed by both vendor and product, as well as keeping historical archives of the same, which makes for very interesting reading and brings a slightly different perspective to the security picture being painted.
Take XP Pro, for example, which Secunia shows has 29 Secunia advisories yet to be patched, that’s 15% of the total. Or how about Windows Server 2003 Standard Edition with an 8% unpatched rating, equating to 11 of 135 advisories? Compare this to the product flagged as being most insecure according to the Microsoft OS Vulnerability Scorecard report, Red Hat Enterprise Linux 4 Workstation. Secunia shows 311 advisories being raised since 2005, but none of them remain unpatched.
This would tend to suggest to me that Red Hat is actually more secure than Windows, if we want to follow the advice not to simplify security to the point of uselessness, because the ability and willingness of a vendor to quickly fix flaws when found has to be factored into any serious look at the security argument. Indeed, vendor response times are key when everyone agrees that it is all but impossible to write 100% secure code. Getting patches out to the user is the real metric of security, and ignoring those vulnerabilities which have yet to be so patched reduces the original report to being nothing more than FUD.
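To make the difference between the two ways of counting concrete, here is an added example (my own code, not anything from Jeff Jones’s scorecard or from Secunia) that scores a constructed set of advisory records two ways: the patched-only count the scorecard uses, and a fuller scorecard that keeps unpatched advisories, the unpatched percentage, the median time from disclosure to patch, and how long the oldest open advisory has been exposed. The vendor names and every date are invented placeholders, chosen only so that the two methods visibly disagree.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass
class Advisory:
    vendor: str
    advisory_id: str
    disclosed: date
    patched: Optional[date]  # None means the vendor has not shipped a fix yet


def patched_only_count(advisories, vendor):
    """The scorecard's method: count only advisories the vendor has confirmed and fixed.
    Unpatched flaws simply vanish from this number, which is the point the post makes."""
    return sum(1 for a in advisories if a.vendor == vendor and a.patched is not None)


def scorecard(advisories, vendor, as_of):
    """Fuller view: keep unpatched advisories and measure how fast fixes actually ship."""
    own = [a for a in advisories if a.vendor == vendor]
    total = len(own)
    unpatched = [a for a in own if a.patched is None]
    days_to_patch = [(a.patched - a.disclosed).days for a in own if a.patched is not None]
    exposure = [(as_of - a.disclosed).days for a in unpatched]
    return {
        "total": total,
        "patched": total - len(unpatched),
        "unpatched": len(unpatched),
        "unpatched_pct": round(100.0 * len(unpatched) / total, 1) if total else 0.0,
        "median_days_to_patch": median(days_to_patch) if days_to_patch else None,
        "oldest_unpatched_days": max(exposure) if exposure else 0,
    }


def compare(advisories, as_of):
    """Score every vendor present in the records, keyed by vendor name."""
    return {v: scorecard(advisories, v, as_of) for v in sorted({a.vendor for a in advisories})}


# Constructed sample data (placeholder vendors, invented dates).
# "Vendor A": few advisories, slow fixes, two still open.
# "Vendor B": more advisories, every one fixed within a week.
SAMPLE_ADVISORIES = [
    Advisory("Vendor A", "A-1", date(2007, 1, 10), date(2007, 3, 14)),
    Advisory("Vendor A", "A-2", date(2007, 2, 5), date(2007, 4, 10)),
    Advisory("Vendor A", "A-3", date(2007, 3, 1), date(2007, 5, 8)),
    Advisory("Vendor A", "A-4", date(2007, 4, 2), date(2007, 6, 12)),
    Advisory("Vendor A", "A-5", date(2007, 2, 20), None),
    Advisory("Vendor A", "A-6", date(2007, 5, 15), None),
] + [
    Advisory(
        "Vendor B",
        f"B-{i + 1}",
        date(2007, 1, 1) + timedelta(days=10 * i),
        date(2007, 1, 1) + timedelta(days=10 * i + 3 + i % 4),
    )
    for i in range(10)
]

AS_OF = date(2007, 7, 1)  # constructed report date

if __name__ == "__main__":
    for vendor in ("Vendor A", "Vendor B"):
        print(vendor, "patched-only count:", patched_only_count(SAMPLE_ADVISORIES, vendor))
        print(vendor, "full scorecard:", scorecard(SAMPLE_ADVISORIES, vendor, AS_OF))
```

Under the patched-only count Vendor A scores 4 against Vendor B’s 10, so a bar chart of those numbers makes A look like the safer choice; the full scorecard shows A with a third of its advisories still open and a median fix time of over two months, while B has nothing open and patches in days.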
Displaying graphs that show Windows products in the less than 50 zone, while Apple, Novell, Red Hat and Ubuntu all drift upwards of 100, is nothing short of misleading.
And that is the real problem that I have with this vulnerability scorecard: if you take the time to read between the lines and delve a little deeper into what is being reported, you discover that what it is actually saying is that Linux vendors are more efficient (although you might substitute the word ‘honest’ if you prefer) than Microsoft when it comes to announcing flaws and actually fixing them. What it reveals to me is how slow, comparatively speaking, Microsoft is at releasing patches.
The truth is that every OS will suffer from security flaws; all that matters in the end is how those flaws are dealt with and how quickly the end user is protected from the exploits they enable. Let me state here that I am no Linux fanboy (I write a security column published at Microsoft.com if proof were needed of that) but rather an unbiased commentator on IT security issues. However, at the end of the day I have to say that from where I am sitting the true vulnerability scorecard should read:
Linux 1, Microsoft 0