SecurityFocus On MS Security "Hole"

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

Ubiquitousness doesn't explain MS vulnerabilities

[Infonaut]

If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.

Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.

It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.

I'm not alone in my assesment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.

Open-source vs. Microsoft security? Apache vs. IIS

[hkmwbz]

It is difficult to prove this one way or the other. First, the source code for Linux is available, and as such more people can study it, and they probably do. Windows might be more widespread, but how many Windows users are actually knowledgeable enough to even find a security hole?

It doesn't matter how many users it has because they users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Putting 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.

But it is difficult to determine this case, as there are a lot of questions and too few answers.

Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.

I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.

Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than ISS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?

So how does IIS come out so crappy when it comes to security?

I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?