MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far fewer than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.
Or at the very least, you might at least fool some people enough to continue to give you money.
I'm a big tall mofo.
(This is not a rant, merely a description of what happened to me recently:)
1. Reboot computer - it'd hung running something that rhymes with Titborrent.
2. Login prompt - log in.
3. Get a start button, click on it to start a browser
3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
4. Hit start again to get a browser
4a. Lose focus again as AVG says it's not working.
5. Press start to start a browser.
5a. Lose focus as the UPS monitoring tool advertises that it's HERE! PRESENT! ACCOUNTED FOR!
6. Press Start to get a browser.
6a. Lose focus AGAIN as MS spyware gives me a status update.
7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!
"Draco dormiens nunquam titillandus."
I cannot seem to find a good list of the vulnerabilities found in SuSE Enterprise Linux 9, which he is comparing to Win2003. I wonder how many vulnerabilities are in non-core applications, which would make comparing Windows 2003, the OS, with SuSE EL 9.0 a little unbalanced. Does anyone have a link to the SEL 9.0 vuln list so that we can compare for ourselves?
In the last ~2 years there have been no security vulnerabilities reported for IIS6.
The same cannot be said for Apache, which averages about 2 per month.
I would conclude that IIS6 is a secure product, from Microsoft.
Secunia totals are...
Server 2003; 5 unpatched of 44
Office; 2 unpatched of 7
Exchange 2003; 1 unpatched of 3
IIS 6; 1 unpatched of 3
SQL Server 2000; 1 unpatched of 10
Total; 10 unpatched of 67
Justin. /. should let me use tabs. So there.
Apologies for the crap formatting,
You're only jealous cos the little penguins are talking to me.
Not to mention the fact that Windows bundles their bugfixes in a few patches, whereas Linux fixes each problem separately. You could argue that the former option makes it easier for administrators, but with a proper Linux system, most patches will be applied automatically (or at least effortlessly). MS patches tend to require a system reboot, while security upgrades in Linux usually only require a restart of the program being patched. Besides, patching each bug individually allows for much faster response, and makes tracking easier.
-3Suns
~~~~
The Revolution will be Slashdotted
How many of those 24 vulns for Red Hat were operating system specific?
Okay, I'd like to play devil's advocate today (I don't really want to have my a%% torched, but I expect it). Every time the security issue is brought up, the number of patches is brought in as an argument (I agree this is ridiculous for a number of reasons already pointed out; basically I don't think the number of patches has anything to do with how secure a system is). But the real FUD line which keeps being brought up is: if 50% of the computers on the internet were Linux, would Linux users have the same problems as Windows users? If Linux were targeted more often, would Linux users have the same problem?
I have some concerns that Firefox is going to be used as the test for this argument. Currently the argument is that Firefox is a more secure browser. The counter argument is that currently the reason it is a more secure browser is nobody targets it. My big concern being that once Firefox is targeted it starts displaying a lot of problems. From then on the argument would be, see as long as nobody uses Open Source they are secure. But once they gain in popularity and become targets they fail.
So can someone point me to the simple golden bullet argument that says Linux is and will continue to be more secure than Windows?
Yesterday I spent an hour fixing a Windows 2000 PC. Worst case of spyware I have ever seen. It wouldn't let me end the processes I knew were infected. They were running as system services. They reinstalled themselves before Windows finished booting (as in, when Ad-Aware runs before you get to Windows)! The quote from my roommate: "I didn't install anything." He had been using IE and running as administrator. Let's see them patch that.
yeah, that's about it
OK, so his comments might be taken with a grain of salt. But it does give me an idea that may have implications for Linux/other OSs.
Windows is currently getting attacked more because it is more popular. There are many people searching for ways to get at it. As they are successful, Windows (eventually) patches the problem and (theoretically) learns a little bit more about security.
Linux et al is not facing the same level of attack and therefore is not getting the same "education" about security. Granted, people are reviewing the code, but not as many as are attacking Windows and not, I would bet, with the same motivation as the Windows miscreants.
What happens when/if Linux gains the same popularity and suddenly is found to be suffering from the same set of problems that Windows worked through years before? Perhaps, at that point, Windows might be considered more battle-hardened and thereby more "secure".
fdc
Synergies are basically awesome, and they're even better when you leverage them. -PA
IANAL, IAAFMSE (I am a former Microsoft Employee), etc... Microsoft has been shown in court (in the EU at least, IIRC) to bundle software with their system in order to damage competitors, especially those which threaten their monopoly or in areas where they want to extend their monopoly. For example, Internet Explorer to kill Netscape, Media Player to kill Real. If they can control these core areas, then people will be locked into their system.
This was NOT the case with the Windows Firewall (which is poorly designed anyway and will never be a real firewall product-- even though it is stateful, ipchains was far superior to it). But many of us questioned it simply because of Microsoft's anticompetitive track record.
Now, compare that to the pro-competitive nature of Linux app bundling.... With Fedora, I can install KDE, GNOME, and/or KDE if I want. Which browser do I want today? Do I want any? Which email program do I want today? Should I use elvis, vim, or emacs? This bundled software encourages competition between the external communities and drives all the distros forward.
I don't have a complaint with bundling as such. What I and many others complain about is how Microsoft tries to lock users into their system. Such a lock-in does not exist in the Linux world among distros composed entirely of Free Software.
LedgerSMB: Open source Accounting/ERP
For example, you see something like a strcpy to an unchecked char pointer somewhere deep in the code.
The problem is, as a couple studies have shown, nobody is actually looking at that code except those that are trying to find exploits. It's not like the vast armies of Open Source coders (guffaw) are constantly combing and re-reading 10-year-old code looking for things they can randomly improve. How many of those coders are actually skilled, experienced, and intelligent enough to both fully understand the vast quantities of code they are reading, and competent enough to actually modify the code without breaking anything else?
I think you underestimate the sheer quantity of open source code that ships with a Linux install, while simultaneously vastly overestimating the frequency with which established, working Open Source libraries are inspected and reviewed for bugs.
The truth is, the overwhelming majority of Open Source contributors are working on new projects. Projects which, for the most part, will never be finished. In reality, nobody is looking at the old code that already works satisfactorily. Nobody is going through the C framework, looking for unchecked pointers and array overruns, except people who are looking for something to exploit. In all honesty, there aren't really that many people working on maintaining the existing Open Source codebase that comprises the bulk of a default Linux install. There's a very active kernel group, but aside from that, it's much more stagnant than you might expect.
Like woodworking? Build your own picture frames.
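As an added illustration of the unchecked-strcpy pattern the post above describes (example code written here, not from any poster or project): the "before" copy with no bound, beside a checked form that rejects oversized input and reports a status. The record layout and NAME_LEN are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16            /* constructed record layout for the example */

struct record {
    char name[NAME_LEN];
    int  uid;
};

/* "Before": the pattern the post describes.  strcpy() stops only at the NUL in
 * src; nothing ties that to sizeof(r->name), so NAME_LEN or more characters
 * run past 'name' and over 'uid'.  Shown for review purposes only; never call
 * it with input whose length is not already known to fit. */
void set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* "After": refuse input that does not fit rather than truncate or overrun,
 * and hand back a status the caller must look at: 0 copied, -1 rejected. */
int set_name_checked(struct record *r, const char *src)
{
    size_t n = 0;
    /* count characters but never look past the buffer size, so a missing
     * terminator in src cannot make the check itself read too far */
    while (n < sizeof r->name && src[n] != '\0')
        n++;
    if (n == sizeof r->name)          /* NAME_LEN or more chars: no room for NUL */
        return -1;
    memcpy(r->name, src, n + 1);      /* n + 1 <= NAME_LEN, NUL included */
    return 0;
}

/* Apply the checked setter to a fresh record and report its status. */
int try_set_name(const char *src)
{
    struct record r = { "", 0 };
    return set_name_checked(&r, src);
}

int main(void)
{
    printf("15 chars: %d\n", try_set_name("0123456789abcde"));   /* 0 */
    printf("16 chars: %d\n", try_set_name("0123456789abcdef"));  /* -1 */
    return 0;
}
```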
No matter who or what you are talking about, when there is interest involved, you cannot believe or take directly to heart the statements of those who can benefit from such statements. Ever. Even if RedHat were to say something so crass as "We're safer than Windows" you could not place credible value in their statements alone.
Third parties which are completely objective, and have nothing to gain from the truth, are the only trustworthy source. Everybody is caught up in this dramatic bullshit that makes it analogous to a presidential debate. The fact is, that you MUST require the viewpoints of many sources outside of Linux, Windows, and Macs altogether to know which, if any, are safer than the others.
Such views exist. And the only ones, with facts and data and evidence, that cheer for M$... are the ones that get paid by them. That alone should be enough to make any analytical intelligence give pause to joining a bandwagon.
Choose ye this day which OS shall serve you, but for me and my house, we shall run Debian.
(This also means you should tolerate the ignorance and free will of others, regardless of whether or not YOU or I think ill of their choices.)
Thank you for reading One Man's Opinion. No participation necessary. Offer void where deemed by law or PATRIOT Act.