Slashdot Mirror


MS Security Chief Says Windows is Safer Than Linux

Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.

25 of 713 comments

  1. What about by beatdown · · Score: 5, Insightful

    the patches that they should have done?

    1. Re:What about by halivar · · Score: 5, Insightful

      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      And yes, this is flamebait. M$ can't (or won't) secure a paper sack, much less an operating system. More patches from Linux vendors means they're actually working on the freaking problem.

    2. Re:What about by NoMoreNicksLeft · · Score: 5, Funny

      Isn't this a bit like claiming you are more healthy than someone else, because you've been to the hospital 40 days this year for your last-ditch chemotherapy? "Look at linux, it hasn't seen a doctor in over 10 years!".

    3. Re:What about by Shkuey · · Score: 5, Insightful

      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      What about some of the biggest issues in recent history like blaster or code red? Both were patched by Microsoft well in advance of their outbreak. Irresponsible PC users cause a lot of the major security issues in this connected world; you can't put all the blame on Microsoft.

    4. Re:What about by Dolda2000 · · Score: 5, Insightful

      More patches from Linux vendors means they're actually working on the freaking problem.
      While that's true, there's another implication as well.

      While the patches for Windows include faults in, precisely, Windows (which is what I'm guessing he's referring to by saying "15 patches"), the patch count for Linux distros includes patches for all programs in the distro. That covers much more than the core parts of the operating system. In the @RISK newsletter I'm receiving from SANS, I see almost only patches for more seldom used software, such as ncpfs, Konversation, Dillo, xdvizilla, mpg321, and so on.

      Considering how a Linux distro probably contains at least 10 times as many software packages as a Windows installation (the vast majority of which are optional to install), I can't see how it would be in Microsoft's favor that they're issuing one third as many patches as Linux distributors do.

    5. Re:What about by sg_oneill · · Score: 5, Insightful

      I'd say very few of them.

      What Microsoft misses is that, empirically and objectively, your system is in much higher danger of ACTUALLY getting hacked or virused or whatever.

      Let's see. Comparison time. When was the last virus outbreak that trashed Linux systems worldwide?

      oh ...

      Anyway, to be more fair, the other point is that most of these security bulletins for Linux have been of the 'running nethack as root could break system' type pap that doesn't actually increase the chance of a break-in in any sensible way. This is compared to the preponderance of serious worm-inducing flaws in Windows.

      Microsoft can bleat as much as they like, and look, I'll be honest, props for the fact that modern Windows is probably safer than older Windows, but this doesn't detract from a simple home truth:
      Linux, Solaris and BSD are your best bet for a secure system. VMS if you're a complete paranoid freak.

      Statistics trump rhetoric every time.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.

    6. Re:What about by LnxAddct · · Score: 5, Insightful

      Also don't forget that oftentimes, the OSS vulnerabilities are typically theoretical. For example, you see something like a strcpy to an unchecked char pointer somewhere deep in the code. You may not know when it's called, why it's called, and what series of events might set it off, but you fix it anyway and out goes the patch. Your system then gets patched whether or not that code could have ever even been exploited.

      With Windows on the other hand, everything is a severe and serious vulnerability because if some company, or university, or just your typical hacker finds something, it definitely works and can be exploited simply because they found it. It couldn't have been found without them actually executing the exploit.

      There are a million other things though to take into consideration, like what you said about how RH and Suse have tons of other software bundled with them. An interesting thing is that RH, Fedora, and Suse are all (according to Secunia) patched from all known vulnerabilities. Windows XP Home and Pro both have 18 unpatched vulnerabilities, at least one of them being "highly critical", and Windows 2003 also has 5 unpatched (out of 44). Software will have bugs; we should try our best to code securely, but it's never going to work 100%. What is more important is not how many patches were sent out, but how many haven't been taken care of yet. In RH and Suse's case, they seem to be just fine, but Windows has tons of open flaws. OSS also tends to get patches out way quicker. What's even cooler is that if RH patches something, then Suse can just use that, and vice versa; talk about efficiency.
      Regards,
      Steve

  2. I think that I can say for most people here... by rednip · · Score: 5, Insightful

    rofl

    Microsoft is basing that claim on the number of patch distributions, not on size or severity; cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better? FUD never had so much meaning. I'd be outraged, but words like this are so expected.

    --
    The force that blew the Big Bang continues to accelerate.

    1. Re:I think that I can say for most people here... by Zab+UvWxy · · Score: 5, Insightful

      Ah, but you're missing an important part of the original posting; the reference was to Win2k3 only.

      So, you state the words spoken between the lines, M$ is saying "forget our track record, forget what we said before, and ignore everything happening on our desktop systems; our server r0x0rs!", or something to that effect.

      It's easy to say that one version of a server OS, that is becoming less and less like its notoriously hole-ridden desktop brethren, is so much better than *anything* the competition can offer. It's much harder to actually do something about it; considering they've been saying essentially the same thing for several years now, they're not much closer to achieving the goal of a "trusted, secure" OS.

      --
      "I don't get it." -- ObviousGuy

  3. Saying things makes them true. by bigtallmofo · · Score: 5, Interesting

    If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

    Or at the very least, you might at least fool some people enough to continue to give you money.

    --
    I'm a big tall mofo.

  4. All true by ArsonSmith · · Score: 5, Funny

    My Linux computer is so overrun with spyware and viruses that it is completely unusable, and it is firewalled.

    I connect my freshly installed XP system directly to the internet and I can go months before I get any malicious programs on my computer.

    hmm, or do I have that backwards?

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.

  5. Credibility and Redmond? by basking2 · · Score: 5, Insightful

    We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all y'all have.

    --
    Sam

  6. Request new Slashdot Section by Neil+Watson · · Score: 5, Funny

    I think we need a new section for these stories. I propose we call it 'Flamebait'.

  7. Not Surprised by PhreakinPenguin · · Score: 5, Insightful

    "Mike Nash, Microsoft's Chief Security Executive"

    What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.

    --
    My sig of choice is Marlboro

  8. And later.. by salvorHardin · · Score: 5, Funny

    ...when the world stopped laughing, it was revealed this person might have some sort of conflict of interest, being that he works for MS and all....

  9. Windows and Red Hat by bruceleekick · · Score: 5, Informative

    Windows 2003: currently, 5 out of 44 Secunia advisories are marked as "Unpatched" in the Secunia database. Red Hat: currently, 0 out of 133 Secunia advisories are marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is unpatchable.

  10. no patches available? by RealityMogul · · Score: 5, Insightful

    If there's only 15 for 2003, then why does that secunia link list 44?

    Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.

    Surprisingly, the Windows 2003 product still has unpatched holes.

  11. User experience by Matey-O · · Score: 5, Interesting

    (This is not a rant, merely a description of what happened to me recently:)
    1. Reboot computer - it'd hung running something that rhymes with Titborrent.
    2. Login prompt - log in
    3. Get a start button, click on it to start a browser
    3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
    4. Hit start again to get a browser
    4a. Lose focus again as AVG says it's not working.
    5. Press start to start a browser.
    5a. Lose focus as the UPS monitoring tool advertises that it's HERE! PRESENT! ACCOUNTED FOR!
    6. Press Start to get a browser.
    6a. Lose focus AGAIN as MS spyware gives me a status update.
    7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!

    --
    "Draco dormiens nunquam titillandus."

  12. If Internet Explorer is any indication ... by reporter · · Score: 5, Insightful

    For 2 reasons, I doubt the veracity of Mike Nash's claims that Windows is more secure than Linux. First, due to the open nature of Linux development, Linux enjoys far more testers than Windows. More eyeballs means that more bugs will be found and fixed.

    Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.

    The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.

  13. Linux Vs Windows by KingBahamut · · Score: 5, Insightful

    This is an argument that can largely be debated on a variety of levels. Honestly? Linux, and ultimately Unix of any flavor, has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take effect.

    Just do a search for Sendmail Vulnerabilities on google.

    Result =
    Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).

    for Microsoft
    Result =
    Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).

    You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there aren't any viruses that are successfully written for *nix. Spyware isn't even remotely a concept to a Linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that Linux users patch any more or less than Windows users? No. But we do it more efficiently and with greater success.

    Stability wise, come on. I've got a Red Hat 7.3 box that, barring power failures, hasn't been rebooted in over a year. It's a good box; it would probably take an Arkady Rossovich low-yield nuke on its head and still live, and I don't know of any Windows box that's able to admit that.

    --
    "God of Rock, thank you for this chance to kick ass."

  14. The numbers game: thanks Microsoft! by Morganth · · Score: 5, Funny

    Perfect, let's start rating the security of our products by how many patches have been written and applied. What does this kind of numbers game encourage?

    (1) Don't write a patch, since that admits failure or insecure products.

    or

    (2) Wait a long time before writing and committing a patch, so you can do it as "one big patch" (otherwise known as, haha, a Service Pack!).

    Thanks Microsoft! Just your STATEMENTS make systems less secure (never mind your engineering).

  15. Re:Apples/Oranges by Daengbo · · Score: 5, Informative
    From here: http://www.honeynet.org/papers/trends/life-linux.pdf:

    Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.

    Compared to unpatched Windows boxes with life expectancies of minutes.

  16. Re:Apples/Oranges by Bastian · · Score: 5, Insightful

    But Windows tends to roll a lot of stuff into single programs, whereas the Unix world has a culture of heavy factoring of software tools.

    With all of these different tools, and the admin's freedom to install only the tools he/she feels are needed, the Linux world ends up having to create separate security updates for separate tools, where Microsoft tends to release gargantuan security packs that are really a whole mess of patches rolled into one package.

    On a similar note, most of the Linux tools come from all sorts of sources operating more or less independently. This would make it all but impossible for you to find a file that includes security updates for both, say, wu-ftpd and Apache.

    And the list goes on. The reality is, the model for releasing security updates in Windows is vastly different from the model for releasing them in Linux, and one is naturally going to create at least one order of magnitude more discrete security updates. (If I started seeing updates for my software on Linux only as often as I was seeing security updates from Windows, I would think that something is seriously wrong.) What Mr. Nash really needs to be comparing is the relative advantages of the two different models of releasing security updates.

    But of course, you're not going to see that since such an analysis can't be plotted in an Excel spreadsheet.

  17. Re:No Real Surprise... by freemacmini · · Score: 5, Insightful

    MS, like most corporations, knows that the truth does not matter to Americans. Americans believe what they want to believe no matter what the facts are.

    History also shows that any lie that is repeated enough becomes indistinguishable from the truth.

    This is true in politics, it's true in entertainment and it's true in business.

  18. MS employee says Windows is safer because... by LoverOfJoy · · Score: 5, Funny

    MS employee says Windows is safer because using Linux puts him in danger of being fired.