Surprise, Windows Listed as Most Secure OS

Zonk posted more than 7 years ago | from the opposite-day dept.

david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."

499 comments

Simply (5, Funny)

COMON$ (806135) | more than 7 years ago | (#18450421)

Let me simplify:

This discussion will go as follows.

Linux geeks will pound the boards about foul play and all the vulnerabilities they would exploit if they weren't too busy checking dependencies.

Mac fanboys will make fun of both citing how Symantec didn't like them in the first place, because Mac people don't buy Symantec products.

Windows geeks will state how this has always been the case, but because they are the more popular OS they are a bigger target.

And finally the old unix guys will flame about how none of these vulnerabilities would have happened if we would have stayed away from GUIs.

So now that we have got that out of the way we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up? Personally as a network admin I have not been too nervous the last 6 months. Since the year of the blaster MS has done a pretty good job of making up for exploits and covering their asses. All is quiet on the homefront.

Re:Simply (3, Funny)

cyber-vandal (148830) | more than 7 years ago | (#18450469)

Spoilsport :P

Re:Simply (3, Funny)

slazzy (864185) | more than 7 years ago | (#18450489)

Simple - someone must have r00ted internetnews.com and their IIS

Re:Simply (5, Insightful)

maynard (3337) | more than 7 years ago | (#18450505)

"And finally the old unix guys will flame about how none of these vulnerabilities would have happened if we would have stayed away from GUIs."

No. Old UNIX hackers will instead berate UNIX for being a total piece of shit [simson.net] and then endlessly whine about the downfall of Symbolics [wikipedia.org] and its old dedicated LISP machines. And they'd be right.

Re:Simply (0)

Anonymous Coward | more than 7 years ago | (#18450561)

I'm normally quite CRITICAL of Slashdot's coverage of the WINDOWS operating system, but I have to say that this STORY is completely RIDICULOUS. I don't CARE what their study has FOUND, I don't want them PLAYING near my BINS.

small addition (5, Informative)

caitsith01 (606117) | more than 7 years ago | (#18450563)

...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".

And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."

I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.

Re:small addition (1, Funny)

mattgreen (701203) | more than 7 years ago | (#18450795)

I rather like watching people falling over themselves to defend a computer operating system as if what they were saying actually changes something. It is fun to watch people who are so disconnected from reality.

Also, you have to love how a site billed as "news for nerds" has people adding absolutely worthless tags such as "no" to a story.

Re:small addition (0)

Anonymous Coward | more than 7 years ago | (#18451043)

If this were a story about people who defend operating systems being connected to reality, your post would amount to a tag saying "no".

Re:Simply (1)

darkhitman (939662) | more than 7 years ago | (#18450569)

You forgot the most important part: -Posters will ignore this post and proceed with posting their aforementioned drivel.

GUIs? Hah! Like command lines are any better (4, Funny)

spun (1352) | more than 7 years ago | (#18450575)

In MY day, we toggled programs into the front panel with SWITCHES, and we LIKED IT! Now get off my lawn, you damn kids.

Re:GUIs? Hah! Like command lines are any better (2, Interesting)

RetroGeek (206522) | more than 7 years ago | (#18450785)

THAT brings back memories.

Toggling in binary (from Hex cheat sheets) to get the CPU to the BIOS, so it could read enough to be able to read the tape drive which held the program to read the DASD to read the actual program.

Re:GUIs? Hah! Like command lines are any better (5, Funny)

Anonymous Coward | more than 7 years ago | (#18450997)

You had tape?

I would have killed for tape.

In my day we stored data on twigs and tree bark and we liked it.

And don't get me started on "binary". It was either zero or it wasn't. We didn't need no stinking ones.

Re:Simply (5, Funny)

Stanistani (808333) | more than 7 years ago | (#18450579)

>we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up?

So much sexual innuendo - so little time.

Re:Simply (1)

COMON$ (806135) | more than 7 years ago | (#18450725)

You are welcome :)

Re:Simply (5, Funny)

UbuntuDupe (970646) | more than 7 years ago | (#18450583)

Windows is the safest OS, it's just that it has to tolerate being on unsecure networks, usage by mouth-breathers, and its overwhelming attractiveness as a target for criminals.

*please mod insightful, please mod insightful*

Deviating from your generalizations... (1)

nortcele (186941) | more than 7 years ago | (#18450683)

It would be interesting to see a report with the number of consoles in the field (break it out by commercial and private and windows version) and what percentage belong to a bot network. Wishful thinking since it would be very difficult to do.

For the commercial customers, Microsoft has kept that bread buttered. For the private/home customer, it appears to have been less so. We'll see how Vista fares with home users.

Actually (5, Insightful)

Greyfox (87712) | more than 7 years ago | (#18450731)

My usual response to that is to challenge the speaker to do a base install of Windows and a base install of Linux or MacOS with a machine plugged into the raw internet. Then measure how many times each OS has been pwned before it's done installing. Assuming they all three survive that test, fire up a web browser and try to find out what you need to do to do a software update for your OS (After all, that's the first thing a "normal" user does, right?) and install said software update. Again measure how many times each machine was pwned by the time you got the system installed. Finally, wander off and come back a month later to measure the amount of pwnage that has occurred.

This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issuing my challenge. I'm really not entirely sure why...

Re:Actually (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18450889)

>This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issuing my challenge. I'm really not entirely sure why...

Please get with the times. This has no longer been the case since Windows XP SP2.

Re:Simply (5, Informative)

bobcat7677 (561727) | more than 7 years ago | (#18450737)

You forgot one important group (you insensitive clod!). The sensible crowd who simply dismiss the article as hot air from a group of people who have the worst security track record of their industry in the past 5 years. I mean seriously, it's pretty bad when the antivirus software starts getting hit with viruses that would otherwise be ineffective against a system. I wouldn't trust Symantec/Norton with anything more important than a string, much less consider them an "authority" on anything security related. And no, I don't use a Mac.

Re:Simply (1)

Endo13 (1000782) | more than 7 years ago | (#18451039)

Yeah that's pretty much where I come in.

When I started reading the summary, I got as far as "Symantec". And that was enough for me.

Let's vote on it (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18450879)

Most Secure of the Following:

Windows Vista [impoll.net]
RedHat Linux [impoll.net]
Mac OS X [impoll.net]
HP UX [impoll.net]
Solaris [impoll.net]

Re:Simply (5, Interesting)

Strilanc (1077197) | more than 7 years ago | (#18450927)

... and none of them will have read the article.

If you DO read the article for the vulnerability counts:
Windows - 39, 12 severe, average 21 day fix
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix

Now it looks to me like Windows performed the worst because of the large number of severe problems. This makes it more likely there are many more severe problems.

THIS JUST IN! (4, Funny)

pak9rabid (1011935) | more than 7 years ago | (#18451021)

Symantec's net income mysteriously increased by $10 million....In other news, Microsoft's net income shows a decrease of $10 million. Upon investigation of Microsoft's income statement, "other expenses" showed an increase of $10 million...

Come on .. don't let me down.... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18450431)

put up the DefectiveByButtsecks tag!!!!

gHeeks Unite!!

Fewer patches... (5, Insightful)

blargfellow (948805) | more than 7 years ago | (#18450437)

Wait...I'm supposed to think that fewer patches makes for a safer operating system?

Re:Fewer patches... (1)

Lehk228 (705449) | more than 7 years ago | (#18450475)

yup. the fact that MS clumps their patches and only releases on patch day has NOTHING to do with it.


Re:Fewer patches... (0)

Anonymous Coward | more than 7 years ago | (#18450757)

And Vista was launched in January 2007.. one month after the review period. Maybe they were busy?

Re:Fewer patches... (4, Insightful)

baryon351 (626717) | more than 7 years ago | (#18450771)

That was exactly my thought.

'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.'

Cool. so if I write an OS that's chock FULL of holes, and only patch three of the simplest holes in six months, patch them within an hour of being alerted to their existence, and try to keep all the others under wraps, then my OS would have fewer patches than windows and a shorter patch development time. I win. Security by obscurity wins too.

Retarded. It relies on the trust that OS vendors always patch all holes they're alerted to, AND announce every one they've patched or been alerted to. Trust like that is the beginnings of security problems in the first place.

In other unrelated news today (1)

UziBeatle (695886) | more than 7 years ago | (#18450447)


  It has been disclosed that smoking a load of crack a day keeps the doctor away.

Re:In other unrelated news today (4, Funny)

Walt Dismal (534799) | more than 7 years ago | (#18450495)

>Microsoft has the most secure operating system amongst its commercial competitors.

Surely you've jumped the gun. This is March 22. April 1st isn't for a few days.

Ive seen the evidence (4, Funny)

Anonymous Coward | more than 7 years ago | (#18450457)


it's a blue screen that tells you
IRQ_NOT_LESS_OR_EQUAL

never been infected while I've seen that on my screen
even in Vista !

mod parent up -- funny (1)

swschrad (312009) | more than 7 years ago | (#18450607)

or perhaps insightful ;)

maybe he's running the wrong BSD :-D

Re:Ive seen the evidence (3, Informative)

EvanED (569694) | more than 7 years ago | (#18450723)

It's probably a device driver issue. A bad kernel module will cause almost exactly the same error on Linux, only they call it a kernel panic instead of BSOD and write "sleeping function called from invalid context" instead of "IRQ_NOT_LESS_OR_EQUAL."

Sigh... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18450463)

I can picture that scene from Star Wars, where Obi Wan feels a disturbance in the force, except instead of thousands of voices being silenced, it's the sound of thousands of dyed-in-the-wool Linux geeks having an aneurysm.

Just take a deep breath guys! If it's at all therapeutic, just remind everyone that Norton Antivirus sucks! :D

- Scott

Mmmmm.... (1)

Savage-Rabbit (308260) | more than 7 years ago | (#18450813)

>I can picture that scene from Star Wars, where Obi Wan feels a disturbance in the force, except instead of thousands of voices being silenced, it's the sound of thousands of dyed-in-the-wool Linux geeks having an aneurysm.

.... So that's what it was? And here I was thinking it was millions of MCSEs having a spontaneous orgasm simultaneously. The only other thing it could have been is thousands of Mac users Oooohing... over a demo of the iPhone......

From Symantec? (1)

Larus (983617) | more than 7 years ago | (#18450465)

Judging from the wretched work computer caused by Symantec, sure they must know what they're talking about.

In other news, doctor claims beer is good for you.

Yes, but severity? (5, Informative)

Anonymous Coward | more than 7 years ago | (#18450471)

The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.

Re:Yes, but severity? (1)

ScrewMaster (602015) | more than 7 years ago | (#18450529)

I know someone that recently installed Norton Systemworks on his machine. When he was done and had rebooted the system, all but four entries had disappeared from Add/Remove Programs, apparently for good. Needless to say, he was pissed.

Re:Yes, but severity? (1)

CowboyJezus (1078993) | more than 7 years ago | (#18450827)

Gah! That's a feature. Not a bug.

Who is Symantec's biggest customer? (0, Redundant)

Anonymous Coward | more than 7 years ago | (#18450477)

Isn't it windows users? Isn't windows the only OS in the world that needs the services of Symantec? Isn't Symantec releasing a study like this that finds their biggest customer the "most secure" to be fatally flawed just on the basis of conflict of interest alone?

Since when does fewer patches mean anything? (1)

sudden.zero (981475) | more than 7 years ago | (#18450481)

The only thing I take fewer patches to mean is they haven't found enough bugs yet!

what i make out of that : (3, Insightful)

unity100 (970058) | more than 7 years ago | (#18450493)

"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems" = "Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a few number of patches, from possibly an unknown number of undiscovered vulnerabilities"

Re:what i make out of that : (1)

ResidntGeek (772730) | more than 7 years ago | (#18450855)

Or, perhaps, Windows hasn't spent the last few years adding feature after feature with too little attention to security in an effort to push Linux-on-the-desktop? Just maybe.

I guess Symantec will soon be out of a job. (5, Insightful)

bitbucketeer (892710) | more than 7 years ago | (#18450499)

After all... who needs to buy security products for the most secure commercial OS available to mankind?

The numbers are being misread (5, Insightful)

christoofar (451967) | more than 7 years ago | (#18450511)

If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?

What is this, 3rd grade?

I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!

Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].

I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.

Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].

Re:The numbers are being misread (1)

Talgrath (1061686) | more than 7 years ago | (#18450665)

Actually, if you read the article, instead of just the summary (as you obviously did) you'd note that they didn't merely count patches, but looked at the number of vulnerabilities and the average time to fix each vulnerability; as well as the severity of each of the vulnerabilities on a scale of low, medium and high. Next time, read the article before you blast it.

Re:The numbers are being misread (3, Informative)

slackmaster2000 (820067) | more than 7 years ago | (#18450687)

Don't go around calling "3rd grade" if you're just going to summarize a summary. RTFA already.

Here, this will help:

"The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.

During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.

Red Hat Linux was the next-best performer, requiring an average of 58 days to address a total of 208 vulnerabilities. However, this was a significant increase in both problems and fix time over the first half of 2006, when there were 42 vulnerabilities in Red Hat and the average turnaround was 13 days.

The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.

Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.

Like the others, this is also an increase over the first half of the year. For the first half of 2006, 21 vulnerabilities were found in Mac OS X and Apple took on average 37 days to fix them."

Re:The numbers are being misread (0)

TheGratefulNet (143330) | more than 7 years ago | (#18450729)

you had me up until the barbecue part.

what was that again??

Doesn't add up (5, Interesting)

Anonymous Coward | more than 7 years ago | (#18450521)

"39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows"

"Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"

I fail to see how this makes Windows more secure than Mac OS X.

More bundled software, more LOC, more LP bugs (4, Insightful)

evought (709897) | more than 7 years ago | (#18450769)

Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace. Does a bug in VLC equate to an OS bug? How about Firefox? Can it be used to root your system? All grey areas. Given that, the total numbers of bugs are not surprising at all and the low number of high priority bugs is telling to the extent that patch numbers are a valid measure at all. Taking a while to fix higher numbers of low priority bugs isn't a big deal as long as the high priority bugs are dealt with quickly. That would be the obvious follow up question, which they did not apparently ask. Another obvious question is who reported the defects? Are these vendor provided numbers or third party (e.g. CERT) security alerts? Another question no one (except Sun) bothered to ask.

Re:More bundled software, more LOC, more LP bugs (1)

Volante3192 (953645) | more than 7 years ago | (#18450963)

I'm also curious if those numbers include flaws in Microsoft OFFICE that are listed as critical and can hose your system...like those five "0-day" (air quotes cause that's what people keep calling them although they're more like 53-day now) Word vulnerabilities that, if memory serves, were not patched two weeks ago Tuesday.

Re:Doesn't add up (1, Flamebait)

eraser.cpp (711313) | more than 7 years ago | (#18450873)

66 days is a really long time, and assuming this includes the patches from the Month of Mac exploits [blogspot.com] held in January I'm surprised they said only 1 was high priority. Without seeing their data I wouldn't put much stock into any of this, but I do hope it will shut up some zealots who haven't noticed the playing field is a lot more level than it used to be when it comes to security.

Useless report (1)

RobertM1968 (951074) | more than 7 years ago | (#18450527)

All this proves is that MS has released the least patches and fixes - which fits with known facts such as that MS is working on a massive Service Pack for Vista to roll out a slew of them.

Re:Useless report (1)

Talgrath (1061686) | more than 7 years ago | (#18450689)

Read the article, not the summary; they looked at how fast problems were fixed and the number of vulnerabilities, not just the number of patches.

yea (4, Insightful)

Larry_Dillon (20347) | more than 7 years ago | (#18450537)

Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.

Patch release count is probably the worst security metric that you could come up with.

Win95 the Most Secure OS (3, Funny)

HtR (240250) | more than 7 years ago | (#18450823)

Wow. Windows 95 must be the most secure OS ever.

I haven't seen any patches for it in ages!

Re:yea (3, Insightful)

Larry_Dillon (20347) | more than 7 years ago | (#18451017)

The real problem is that a modern Linux distro comes with hundreds of applications, all of which are counted against "Linux" security vulnerabilities.

But when they count Windows vulnerabilities, they don't count all of the third party apps you have to load to get the same functionality. They usually just count the base OS.

Further, Linux folks release a patch when they see a problem, M$ releases a patch when forced to by someone who's published exploit code.

deleted remarks from the end of the survey (1)

boldi (100534) | more than 7 years ago | (#18450539)

If we only count basic O/S errors, eg. standard windows installation and linux kernel with a bash shell, we found

-0 patches and discovered vulnerabilities for Linux
-5 for windows

No it won't get through, o.k., I get it:

If we count all the O/S errors and all the optional packages

-824234627876884595 (excluding minor ones) patches and 45348475623599439543534598245 serious errors for windows (including all the ported linux programs, e.g. cygwin based stuff also)

-591 errors for linux

no, no, that's a no go result.

Ok, wait,

Just mix the two together.

We found 0 O/S errors for windows
and found 591 errors in linux including optional garbage nobody takes care and neither installs them.

Of course it's more secure.. (4, Funny)

GonzoTech (613147) | more than 7 years ago | (#18450541)

Steve Ballmer's chair throwing corps makes sure they get good reviews.. or else.

Gee, what a surprise (4, Insightful)

Bacon Bits (926911) | more than 7 years ago | (#18450545)

*Symantec* released the report. How many products does Symantec make for non-Windows OSs? Or was their research "Windows XP with Norton Internet Security Suite 2007 installed"?

This is not news. This is a Symantec marketing campaign disguised as a press release disguised as a research report.

Never mind the false conclusion that fewer patches = more secure. Never mind that both OS X (which had MOAB) and RHEL both include a lot more software than the base OS for Windows.

In other news (4, Insightful)

eclectro (227083) | more than 7 years ago | (#18450549)

Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.

Congratulations all around Microsoft.

Norton for Mac (1)

javacowboy (222023) | more than 7 years ago | (#18450553)

(rolls eyes) So that's why I should put down some cash for Norton Anti-Virus for Mac, right?

Correlations that are left out (4, Interesting)

GiovanniZero (1006365) | more than 7 years ago | (#18450565)

It's interesting to note that while OS X had 43 vulnerabilities (1 severe) and windows had 39 vulnerabilities (12 severe). So windows had more big threat security holes than OS X by 12 times. Maybe OS X's average patch time is higher because the vulnerabilities they had were less important to patch?

Really (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18450577)

The interesting questions are:

If I've carefully kept up with updates on my servers, what percentage of the time have my machines been vulnerable?

What is the statistical probability that my servers will be broken into? Surely we can get pretty good data to answer this question.

Ask these questions for:

- RedHat with everything installed
- RedHat with minimal packages for running a web server (no gui, etc)
- Windows (gotta have that GUI!)
- OSX (ditto)

Again? (5, Insightful)

kebes (861706) | more than 7 years ago | (#18450581)

How many times are we going to have a "news item" that uses the same old technique to "prove" that Windows is the most secure. I'll save you the trouble of reading the article, the executive summary is something like:

"The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."

Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says:

>39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows

and:

>of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity

So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publicly disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.

Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.

Re:Again? (1)

Talgrath (1061686) | more than 7 years ago | (#18450799)

They also took into account how long, on average, it took for the vulnerabilities to be fixed. Personally, I think all this report shows is that none of these OSes are significantly more secure than the other; the key is just cover your ass as much as possible. Microsoft fixes its vulnerabilities faster, Mac and Red Hat have fewer severe vulnerabilities; in the end it's all a wash, just cover your ass and investigate if your computer starts acting funny. Not too hard, is it?

That's just because (0)

slapout (93640) | more than 7 years ago | (#18450605)

we haven't had "Windows Bug a Day Month" yet.

Re:That's just because (0)

Anonymous Coward | more than 7 years ago | (#18451019)

Every day is windows bug a day month.

Re:That's just because (1)

Monokeros (200892) | more than 7 years ago | (#18451025)

That's every month.

yet another meaningless "study" (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18450613)

Yet another meaningless study. So Windows had fewer vulnerabilities in the latter half of 2006 and/or Microsoft got the patches out the fastest. No consideration for the severity of the vulnerabilities. When was the patch time counted from? When the vulnerability was first known to the vendor, or when it was first publicly disclosed?

All these studies are the same. They draw conclusions from stats that have only a tenuous relation to security. Why not try to measure something usable, like time for an unattended box to be owned, or the percent of installations of the OS that have been owned, etc.

Translation Follows: (4, Funny)

Chris Mattern (191822) | more than 7 years ago | (#18450627)

"We don't sell any anti-virus or firewall software when people buy Linux."

Chris Mattern

A more useful summary (5, Insightful)

greg1104 (461138) | more than 7 years ago | (#18450667)

Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.

High-severity security vulnerabilities in 2006

Windows: Q1/2=5 Q3/4=12 Total=17

RedHat Linux: Q1/2=1 Q3/4=2 Total=3

Mac OS X: Q1/2=3 Q3/4=1 Total=4

Now that's a summary I can agree with.

You are being listed as the most secure OS. (3, Funny)

FMota91 (1050752) | more than 7 years ago | (#18450693)

Cancel or Allow?

Re:You are being listed as the most secure OS. (2, Funny)

Starburnt (860851) | more than 7 years ago | (#18450749)

You have selected Allow. Cancel or Allow?

Meat is the new bread (1)

dsdtzero (137612) | more than 7 years ago | (#18450701)

From 30 Rock:
Tracy Jordan: "Dr. Spaceman, is it true that bread eats away at your brain"
Dr. Spaceman: "We have no way of knowing, because the powerful bread lobby won't let me complete my research" ...
Tracy J.: "Well folks, bread will never maybe attack your brain again"

Seriously, what is up with this article. Is it an attempt at the Jedi mind trick?

Logic (5, Insightful)

volpe (58112) | more than 7 years ago | (#18450707)

>Microsoft has the most secure operating system amongst its commercial competitors [because] Microsoft Windows had the fewest number of patches [...]

Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.

Re:Logic (1)

X-treme-LLama (178013) | more than 7 years ago | (#18450909)

Also because they consume the fewest amount of calories. :)

You're kidding, right? (1)

oatworm (969674) | more than 7 years ago | (#18450713)

I'll admit, I'm not too worried about Windows security these days, though it does disturb me a little when I walk into my bank and find it full of XP terminals.

So, where did the numbers come from? The original article makes it sound like Symantec got the numbers by counting the number of patches, but it's worse than that. According to the whitepaper [symantec.com], it's coming from volunteers (page 38):

Symantec operates one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, the BugTraq(TM) mailing list, which has approximately 50,000 direct subscribers who contribute, receive, and discuss vulnerability research on a daily basis. Symantec also maintains one of the world's most comprehensive vulnerability databases, currently consisting of over 20,000 vulnerabilities (spanning more than a decade) affecting more than 45,000 technologies from over 7,000 vendors. The following discussion of vulnerability trends is based on a thorough analysis of that data.
So, in short, Symantec chose the vulnerabilities based on what people in their mailing list told them. Later in the paper, it also discloses that they also got to pick the severity:

Symantec classified four percent of all vulnerabilities disclosed during this period as high severity, 69 percent were medium severity, and 27 percent were low severity.
So, what did they find, using self-generated vulnerability counts and self-generated severity levels? That's right - the one operating system that actually uses Symantec products is, of course, the one with the fewest vulnerabilities and shortest patch times.

Following the "number of patches = number of vulnerabilities" school of thought, though, does lead me to conclude that my Ubuntu box must be highly insecure and buggy - it keeps trying to update some random package or other almost daily!

specious metrics (1)

Hognoxious (631665) | more than 7 years ago | (#18450727)

The report found that Microsoft Windows had the fewest number of patches
So let me get this straight. It's better, because they never bother to fix anything? I can fix any machine by tearing the out-of-order sign off.

in other news (1)

fermion (181285) | more than 7 years ago | (#18450735)

Ford and GM release a report that fossil fuels are the cleanest form of energy, and burning them in big cars actually helps the environment.

The RIAA releases a study that proves illegal downloading is the "gateway drug" to violent crime.

Dow Corning released a report that recommends that all women have breasts removed and get implants because the risk of cancer is significantly greater than the risk of the implants.

The US released a study proving that the Iraq war has been won and any further battles or deaths are merely a figment of the deranged liberal imagination, as are all other issues of corruption or drug abuse.

Yeah but... (1)

scronline (829910) | more than 7 years ago | (#18450753)

I'm reminded of a story someone once gave when talking about issues like this....

Two shipping company owners were talking over drinks one night comparing their businesses. This is the conversation they had...

One: "Last year we only had 3 accidents all year long"
Two: "We had 30"
One: "Wow, that's really bad. What are you doing to fix it?"
Two: "Let me ask you this. How many trucks do you have on the road?"
One: "10"
Two: "I have over 1000"

So sure, "other" commercial apps may have more flaws in a given month. But those "other" commercial apps have 100 times more applications that come packaged with the OS. So, if you do the actual math and come down with the number of flaws averaged against the amount of software packages available with the OS, I'll bet money that you're going to see that MS loses... again.

Carefully chosen competitors (3, Informative)

mandelbr0t (1015855) | more than 7 years ago | (#18450755)

What a pointless comparison. All that we see is that Windows has finally caught up with other Desktop OSs in security. Desktop systems are insecure, period, so who really cares about which one is more secure. I see that there's no BSD in the list, not a single IBM OS, VMS, or any other Mainframe OS. This report completely fails to illustrate any useful information. Insecure machines can be protected with firewalls which run secure OSs, none of which were in this list (OpenBSD, anyone?). About all that can be said is that Windows has finally found a way to protect itself from the meddling of idiots, at the cost of the most annoying security system ever invented. All that, and I still doubt that any sort of stability could be achieved on a network running these three OSs exclusively, without the protection of at least one OS not in this report.

More secure... (2, Insightful)

Daishiman (698845) | more than 7 years ago | (#18450767)

More secure than VMS, i5OS, or z/OS?

The Fine Print (5, Informative)

nixNscratches (957550) | more than 7 years ago | (#18450779)

Pulled from the actual Report itself (Internet Security Threat Report XI) from Symantec -

With the exception of Microsoft, all vendors were affected by longer turnarounds for patches for third-party components that are distributed with each operating system. Upon examining the sample set of vulnerabilities during this period, Symantec has observed that vulnerabilities with longer patch development times generally affected third-party components. The previous issue of the Symantec Internet Security Threat Report commented on the relevance of this issue for commercial UNIX vendors such as HP and Sun, but it holds true for all vendors of UNIX/Linux-based operating systems.

And of course:

As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third-parties in response to high-profile vulnerabilities.

As always, the most secure computer is the one that is turned off, and unplugged from the network.

No security model is perfect, but I'd take any *nix for a web facing server any day.

Latest Security Update for XP2: FUMS (1)

ks*nut (985334) | more than 7 years ago | (#18450781)

So the little shield appeared on my desktop imploring me to update my XP2 system. Went through a validation check that didn't work with my default web browser (Firefox) because it doesn't support ActiveX controls (duh). The result - a shameless ad for Vista and Microsoft security applications! I keep this windows box to play around on while I dabble in Ubuntu and plan for my next computer - from Apple!

Sigh (0, Troll)

Enoch Root (57473) | more than 7 years ago | (#18450793)

This sort of pointless flamebait article, and the Linux/Mac drivel that's sure to follow, is the reason why I'm this close to deleting Slashdot's feed from my feed reader. No wonder Slashdot is out of fashion now.

Translated to Consumer English (1)

3seas (184403) | more than 7 years ago | (#18450829)

Microsoft makes our security software business very secure, says Semantics.

In other news, MS also makes the best MS Paint (1)

pla (258480) | more than 7 years ago | (#18450841)

Microsoft has the most secure operating system amongst its commercial competitors.

Hello Captain Obvious - Microsoft has no (viable) commercial competitors.

OS/2 died long ago. Macs don't actually compete with Microsoft (their user base not only doesn't overlap much, but largely counts as antagonistic toward one another). Linux and BSD don't count as "commercial" OSes, however much Novell and RedHat might want to pretend. What exactly does that leave?

Money would have been better spent... (0)

Anonymous Coward | more than 7 years ago | (#18450843)

Money would have been better spent on fixing the client upgrade for their corporate SAV product. 7+ years and over 4 versions is a bit long.

And before anybody says they've never had a problem: I have and it is not consistent. Symantec support knows about it and they've acknowledged it as an on-going problem. They have tools, public and private, that are supposed to help but they don't always work.

Context and methodology (4, Insightful)

UnknowingFool (672806) | more than 7 years ago | (#18450865)

The summary is that over the last 6 months, Windows had the fewest number of bugs (regardless of severity) and took the shortest amount of time to fix them.

a. What is not mentioned is that Windows had the most number of severe bugs. Windows had 12, OS X 1. But it didn't mention how many severe bugs Linux had.

b. Also what isn't noted is methodology. The time between bug and patch is mentioned but not whether time is between the bug being discovered or being announced. With open source, almost all bugs are announced when they are discovered. With closed source, it is not the same. MS has in the past sat on bugs for months, years before announcing them much less working on them.

c. This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn't look so good. Didn't BSD have its 2nd bug in a decade recently?

Questions You Need To Ask (0)

Anonymous Coward | more than 7 years ago | (#18450877)

First, was the scope of comparison unfair? For example, did they include Thunderbird security holes for Linux while ignoring Outlook for Windows?

Second, is RedHat's patch speed representative of the most popular Linux distros? For example, how does Debian's or Ubuntu's speed compare?

Third, when claiming an OS as "most secure", shouldn't a big disclaimer indicate that others such as Debian, FreeBSD, OpenBSD, etc. would probably score higher?

Symantec (0)

Anonymous Coward | more than 7 years ago | (#18450881)

Yeah, but it's Symantec. I don't know anyone *with a brain* (key point) in the IT biz that trusts those guys anymore. The number of times their "research" and "advancements" have failed and caused my entire campus to go down for days at a time is uncanny. I certainly wouldn't believe that, nor would anyone actually concerned with security engineering.

There's a REASON government offices are banning their products.

How about Vista? (1)

VisceralLogic (911294) | more than 7 years ago | (#18450885)

So in a few months, how will Vista compare? Will it have to have a lot of patches that take a while to develop, because it's new? According to this metric, that would make it less secure than XP, contradicting MS's claims. But, hey, maybe it won't need lots of patches, after all.

Now it's all clear (1)

noewun (591275) | more than 7 years ago | (#18450905)

Apparently the Windows machine in question had its power cable knocked out by the cleaning crew about six months ago. . .

my plan (0)

Anonymous Coward | more than 7 years ago | (#18450933)

dick sucking faggots should all move to europe

Bad metric, questionable source (2, Insightful)

KC7GR (473279) | more than 7 years ago | (#18450959)

As others have pointed out: Symantec is in business to sell "security" software for the Windows platform. Nothing more needs to be said in that regard.

Also, as others have pointed out, the metric of "Number of Patches" released is pretty much worthless. If this was a serious security test of Vista, it would have employed port scanners, malicious web pages, and assorted other threats stacked up against a default installation of the OS, on known hardware, with Vista's "security" features enabled in a known way.

For consistency's sake, the same attacks would need to be carried out against default installs of not just Linux, but OpenBSD, FreeBSD, NetBSD, and others. Then, and ONLY then, if Windows came out unscathed ahead of all those others (HA!) could it possibly be considered "most secure."

For that matter, the term "most secure" is meaningless without context. Most secure as a server? A workstation? With what skill level of user behind it?

This study seems to be, as the Immoral Bird might have put it, "lots of sound and fury, signifying nothing."

In fact, if it showed up on Usenet, it would most likely be considered a lame attempt at trolling, and subsequently killfiled.

Keep the peace(es).

Reminds me of a Microsoft Security Forum I went to (2, Interesting)

mergy (42601) | more than 7 years ago | (#18450961)

I think it was in Jan 2004 when Windows 2003 just got really in general release and people started using it. The reps from Microsoft stated they were really focusing on security and he mentioned (I kid you not) that the corporate culture at MS to lean towards usability vs security would be tough to change and it would be like 'turning the Titanic'. Pretty funny.

But the real funny aspect / announcement was that MS was so focused on security that they would really make an effort to issue less security announcements and releases in the coming year. That's right - they decided to use the metric of announcements of security flaws as something they were going to use to measure their security improvements. So, as long as they issue less 'leaks' on the problems, they would be achieving their goals of being more secure.

This sort of 'study' seems to validate the MS thinking. Ignorance is bliss. I think I will go break the fuel gauge on my car so I will never run out of gas and kick the dashboard in to break the speedometer so I will never get a speeding ticket. Woo hoo!

Wait wait wait... (1)

Drakin020 (980931) | more than 7 years ago | (#18450965)

The report found that Microsoft Windows had the fewest number of patches
And this makes an OS the most secure?

joke day (1)

l3v1 (787564) | more than 7 years ago | (#18451007)

the fewest number of patches and the shortest average patch development time

I think some people might happen to agree on the first part of this claim - although a low number of patches doesn't mean there hasn't been a larger number of problems that should've been patched. The second part... well, let's put it this way, time is relative, thus a period of time might seem shorter to ones than to some others, more so if there's nothing to compare to, which is not the case. So, let's just change that claim to something like a number of patches and an average patch development time.
 

If it's so secure I will stop buying Symantec (2, Insightful)

uomolinux (838417) | more than 7 years ago | (#18451011)

Since it's so secure, I will stop buying Symantec products on all my 340 Windows equipped computers, such a great OS doesn't need Symantec solutions anymore.