Comparison of Java and .NET security
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
Except it runs on Windows.
D'OH!
Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....
I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(
Friends don't let Friends use Internet Explorer.
In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.
Text conversion of PDF document
It's not truly cross-platform so it's out of the question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and ports them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamic typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward to is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
Karma: Positive (probably because of superior intellect)
C is portable, fast, very complex and for 35+ years the leading standard for professional OS and APP development.
.NET??? ...amusing.
C is so successful that C++ had to be invented to get more people into OO style C programming. C++ was designed as a syntax aid for people who lacked the skill to write OO in C by disciplined use of structs and func pointers.
C is obviously too complex for the average CS student, who crouches from one alternative to the next.
Java?
Well, ignoring the fact that Microsoft is meant to be 'teh evil' and looking purely at the framework that their engineers have produced, I have found very little to criticize.
It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.
The Visual Studio IDE however! Piece of HTML mangling non XHTML compliant &*$£
Security in Java is multi-layered and complex; you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code, thus removing any sense of security.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community; .NET has no such thing.
Saying that .NET is more secure is just about the stupidest thing someone can say... It's like saying Windows is more secure than Linux since it's newer than UNIX and Linux is based on UNIX.
First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take into account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.
Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider those quickly-fixed flaws in a young product.
So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.
Now, the question is, why are there no vulnerability discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.
However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer); anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime; somehow I doubt it. Some partners might have portions of it, maybe.
So, availability of source code might be enough to generate two or three vulnerability discoveries per year.
Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent their money where it matters most in the long run.
I've seen the cross-platform remarks already, but no one has asked the question yet about how widespread implementations are. I currently see many more .Net implementations in Intranet environments, and Java when the client is less known. My guess is that those more local implementations are much less scrutinized, as opposed to the much more open and directly accessible implementations in Java.
I'm not going to read the article but the reasons stated in the summary suggest a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the MS blog is suspicious and the scientific study might actually be quite good (I wouldn't criticize it without reading it first).
Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have fine-grained role-based security features. I'd say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an OSS PGP implementation recently that plugs into the default Java security API. .Net on the other hand has some nice language features like attributes. Java has null SecurityManagers; .Net has unmanaged code.
Java's security features are designed through the JCP process, in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by SUN. Overall I trust this process more than I trust the Microsoft process, which when it comes to security has received a lot of criticism over the past few years.
Jilles
Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).
.Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far superior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
However, this study is flawed.
Jeremy Logan's Website.
.NET ... Windows ... but not all of them.
:)
price: free, You only need to have Windows 2003 Business Server for serious work
secure: rtfa in few years to make sure
portable: it runs on many systems, like Windows and
speed: well actually speedy on Windows machine
IDE: brilliant Visual Studio, unfortunately no plugins
Java
price: free, well it is free
secure: most likely as secure as your application
portable: well actually, even my SonyEricsson cell runs it
speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
IDE: Eclipse and/or Netbeans ROCKS!
This reply seems biased, but well, almost every opinion will be biased.
As a side note NASA World Wind uses .NET:
http://worldwind.arc.nasa.gov/
It's similar to Google Earth, except that it's 180MB and once you download it it tells you you need to upgrade your version of .NET, and another dialog pops up saying Direct X needs to be upgraded too. At this point, I decided not to continue. I don't fancy reading one of MS's EULAs, don't care to download one of their hulking tarballs, don't want Direct X changed in case it breaks something.
Piece of shit NASA, .NET is just a wrapper for Windows on the local machine, why didn't you just make native code you f**** idiots.
1) ACEGI - Aspect-oriented programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an application server independent way. A subproject of the Spring framework:
http://acegisecurity.sourceforge.net/docbook/acegi.html/
2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.
http://xml.apache.org/security/
http://ws.apache.org/wss4j/
3) Container managed security implemented in every servlet container on the market, including tomcat.
In short, I'd like to see a comparison of the features and availability of what people actually use in their applications, rather than an entirely fudgeable comparison of reported/unreported security flaws.
"None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"
iksrazal
That's unfortunate, because .NET does not require DCOM at all.
DCOM uses RPC which means that firewalls have to allow the entire high port range
Yes, well, you can always open DCOMCNFG, switch to the protocols tab, select the TCP/IP entry and set the port range that suits you. Wow.
MS consultant all insisted this was standard and typical
An "MS consultant" told you you needed DCOM to jump over tiers with .NET and failed to tell you that you can select a port range to play nice with your firewall over the DMZ? Crap, I would have called his boss or the TAM at the regional office and have his ass fired.
consultant strongly urged not doing multi-tiered
You know what, while I don't doubt that there's someone dumb enough to recommend something like that out there, I really doubt it was an "MS consultant". Microsoft is moving away from heavy physical tier designs to avoid the wire overhead (which admittedly makes them look slightly stupid after years of telling everyone to use as many boxes as possible), but to recommend running the application and the database server on the same box is just plain retarded. MSCS (or whomever you were supposedly talking to) has some dumb people in the rank and file, but not *that* dumb.
I'm gonna have to call bullshit on your apocryphal story here, unless by "MS consultant" you mean some random dude that has an MCSD and has read "Software Fortresses" five times while moving his lips.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Whatever that would be. Use an operating system that gives you memory protection, and even better: capabilities (rights to read/write files and other things), and you can run ANY program, written in ANY language, without the programs even being ABLE to do any harm.
Oh, that would be too much of progress, wouldn't it?
Well, I use .NET to build web apps which run on our corporate intranet. These are HR, purchasing, scheduling and budgeting apps that run a medium-sized film production company. We have a mix of clients (600+) - Linux, OSX and Windows - in roughly equal numbers that access these applications. Ironically, I picked .NET simply because we had the hardware and license resources available after consolidating a lot of W2K3 servers into a few Netapp filers. The browser we use is Firefox because it's the only one that really works in a uniform fashion across all platforms in a way you can predict and work with.
.NET has not meant lock-in to MS products, it's actually allowed us to use the best tools for the jobs in hand; .NET for the back-end code, Firefox as a browser, and any OS you need for your particular job. Has it locked us in to MS products? No.
So, my apps run on a bunch of Windows boxes behind the scenes, but ultimately using
I'd agree with you about Mono though, it reminds me of many hair-losing moments I had a few years ago converting someone's classic ASP code to run on that Chilisoft approximation. Bits worked, bits didn't, and this is what I'd expect from Mono. YMMV though.
The gall to take into account vulnerabilities from Microsoft's own JVM in a comparison to Microsoft's .Net is astonishing. What a way to belittle your competitor: make a crappy implementation of their product and call it insecure.
I lack words.
Wow, look at their nice graph will you. Their first graph shows 'vulnerabilities found' in Java VMs... nothing mentioned about patches... and 0 in .net...
.NET's design is fundamentally more secure than Java's
.Net.
.NET platform's apparent lack of security vulnerabilities. .NET is a less desirable platform for attackers to compromise than Java so it has .NET .NET, the .NET platform presents an attractive target.
.net runs on 15% of that figure.
Now look at this: In this paper we explore the more optimistic hypothesis that
So they have a bent from the start to discredit Java. Onto my point:
Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VMs, all of which are bunged in here. These 'vulnerabilities' are not even reflections on the fundamental paradigm of the Java security model.
This article is FUD, and bad FUD to counter Gosling's stand against the 'untrusted code' model of the
No, quoting JNI is not relevant in that argument because JNI still works within the security model, yet it allows native code to be interfaced with; that is a separate issue, and akin to making a network call and running code on another server.
They then mark up 9 security vulnerabilities listed with Microsoft 'but because of the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).
There are many possible explanations for the
One possibility is that
not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the
framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
with a large number of machines using
Well, yes, windows runs on 90% of desktops, I would say
From the available information, the one implementation that did have many of its own
unique vulnerabilities was Microsoft's Java implementation,
They even try and discredit sources that go against their ideas. 'From the available information' - or is that a way of saying 'this might be worse than we imply'?
I didn't want to dig deeper; I found the single statement copied onto a marketing guy's website (fuck the word blog) rather twatish of the guy.
This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many Microsoft run 'news' farms that are used to infect propaganda into the media].
pteeesh.
This is news? ONJava did a detailed, four-part analysis of .Net and Java security a year or so ago:
In this world nothing is certain but death, taxes and flawed car analogies.
Writing OO in C when you have C++ is stupid; you entirely miss fundamental basics of OO concepts such as inheritance, encapsulation and the like.
Inheritance (at least single inheritance) is easy in C: you can just make the first member of your object (struct) an instance of another object. Thus, you can cast up (by dereferencing that member), the only difference being that the cast up is explicit (not necessarily such a bad thing!). And you can cast down implicitly by using casted function pointers that take the subclass pointer (works because it is the first member in the struct).
As for encapsulation, you get that in C simply by encapsulating all you want in the same module: hiding the data and code you want in the C side and exposing what you want in the H side. Sure, you can't enforce hiding the private data in your struct, but you can hide it by convention.
Also note that in C++, you can't really enforce the data hiding either, i.e:
#define private public
#include "some_class.h"
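As an added example (not code from the thread or from either poster), here is the first-member-struct inheritance and function-pointer dispatch the comment above describes, written out in plain C; the shape/circle/rect names and the vtable layout are invented for this illustration. It also adds the one thing a security reviewer would want in such code: a down-cast that checks the vtable before trusting the pointer, since an unchecked cast is how this style turns into type confusion.

```c
/* Added example: single inheritance in C via a base struct as FIRST member,
 * with "virtual" dispatch through a table of function pointers.
 * The shape/circle/rect types are made up for this illustration. */
#include <stdio.h>
#include <stddef.h>
#include <math.h>

#ifndef M_PI
#define M_PI 3.14159265358979323846
#endif

struct shape;

/* Hand-rolled vtable: one per concrete type, shared by all its instances. */
struct shape_ops {
    const char *type_name;                     /* identifies the concrete type */
    double (*area)(const struct shape *self);  /* "virtual" method */
};

/* "Base class": only the vtable pointer is visible to generic code. */
struct shape {
    const struct shape_ops *ops;
};

/* "Derived classes": struct shape is the FIRST member, so the address of a
 * circle is also the address of a shape. That is what makes casts work. */
struct circle {
    struct shape base;
    double radius;
};

struct rect {
    struct shape base;
    double w, h;
};

/* Methods take the base pointer and cast down. Safe here only because each
 * function is reached through its own type's vtable, never from elsewhere. */
static double circle_area(const struct shape *self)
{
    const struct circle *c = (const struct circle *)self;
    return M_PI * c->radius * c->radius;
}

static double rect_area(const struct shape *self)
{
    const struct rect *r = (const struct rect *)self;
    return r->w * r->h;
}

static const struct shape_ops circle_ops = { "circle", circle_area };
static const struct shape_ops rect_ops   = { "rect",   rect_area   };

/* "Constructors". In a real module these and the struct definitions would sit
 * in shape.c with only opaque declarations in shape.h: the encapsulation by
 * convention the comment describes. */
void circle_init(struct circle *c, double radius)
{
    c->base.ops = &circle_ops;
    c->radius = radius;
}

void rect_init(struct rect *r, double w, double h)
{
    r->base.ops = &rect_ops;
    r->w = w;
    r->h = h;
}

/* Virtual dispatch: callers see only struct shape. */
double shape_area(const struct shape *s)
{
    return s->ops->area(s);
}

/* Explicit up-cast: a circle "is a" shape because base is its first member. */
struct shape *circle_as_shape(struct circle *c)
{
    return &c->base;
}

/* Checked down-cast. An unchecked (struct circle *) on a shape that is really
 * a rect would read r->w as "radius": type confusion, with no runtime to stop
 * it. Comparing the vtable pointer is the cheap RTTI C does not give you. */
struct circle *shape_as_circle(struct shape *s)
{
    return s->ops == &circle_ops ? (struct circle *)s : NULL;
}

/* Polymorphic loop over a heterogeneous array of shapes. */
double total_area(const struct shape *const *shapes, size_t n)
{
    double sum = 0.0;
    for (size_t i = 0; i < n; i++)
        sum += shape_area(shapes[i]);
    return sum;
}

int main(void)
{
    struct circle c;
    struct rect r;
    circle_init(&c, 1.0);
    rect_init(&r, 2.0, 3.0);
    const struct shape *list[] = { circle_as_shape(&c), &r.base };
    printf("total area = %.4f\n", total_area(list, 2));
    printf("rect as circle: %s\n", shape_as_circle(&r.base) ? "yes" : "refused");
    return 0;
}
```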
I couldn't agree more. And I've been around long enough to know, look at my user ID.
/. article posted about how much it has been going down hill.
/. seriously needs to return to the site of "Stuff that matters." Instead there are 20 articles posted a day and only a few of them are actually worthy of posting. Maybe there should be a recycling bin page you can go to which has all the drivel, leaving just the good stuff on the front... like a newspaper -- the crap should be shuffled to page 2 or more.
Why is it when you have an unpopular view point, you're considered a troll. Granted the opinion expressed didn't apply to the article directly, so it might be better modded as "off-topic", but it isn't as if there will be a
How else is one going to express their viewpoint?
Time flies like an arrow;
Fruit flies like a banana
MSFT has ported the .NET Framework to FreeBSD themselves!
AND, Mono and .GNU run on many platforms (Linux, Windows, BSD, OSX and Solaris). As long as you don't use System.Windows (the desktop app stuff), you can do cross-platform development in many languages!
I have written GTK# apps in VS.NET and run it on my Windows and SuSE box with ZERO modifications.
If you want to bash something, you should probably learn a bit more about it. That's the reason I read the Bible multiple times: so I can refute Bible thumpers' arguments.
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
- Java interoperability is extremely important. It's not about running the same code on different platforms, though. It's more about being able to switch out the platform when we need to (e.g. going from Wintel servers, to Linux and z/OS)
- .NET is not knocking the socks off of Java. They are both shaping up to find their places. In our org, anything we write is Java (any tier, including clients where balls-to-the-wall performance is required). When we buy stuff, we look at Java (very few products) and .NET (more products).
- Web Services are simply grand. But someone please wake me up when there's a full-featured implementation that's interoperable. Until then, Java has not lost any advantage here (if there ever was an advantage here).
- Your comments about 'beloved Linux desktops' simply describe the power of a Web interface, which is not specific to ASP.NET. Incidentally, a Web interface is not always the right solution, so how does the Linux front-end play with the Windows back-end there?
Not trying to diss you here. Just trying to give some perspective from this corner. CrazyLegs
"Pork!!" said the Fish, and we all laughed.
How many companies are purely Windows shops? I would think that given that one fact (and ignoring mono,
Don't get me wrong, I'm not a
And as far as running cell phones to an existing application, we decided to go the web-based route. There is no Java front-end or back-end requirement. Hell, you could easily have a Java front-end and C# back-end if you wanted, but we went with HTML front-end and C# back-end (though I was pushing for PHP
And if you work in a mixed shop that does require application functionality that is exactly the same across multiple platforms, I can see your point. However, in a Microsoft house you have the option of choosing your tools to fit the job. Maybe Java will be the best fit or maybe
Whee signature.
Microsoft did an excellent job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.
Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.
I would love it if other companies started implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)... this would prevent Microsoft from changing the language drastically from release to release.
Best Buy can have you arrested
.NET is Free source (as in free speech, mono or dotGNU)
Java isn't
- -- Truth addict for life.
The main reason to use Java is that it's cross-platform. If you think Microsoft's plan is to lure Java developers over to a platform that's locked into Windows from a platform that runs on who knows how many platforms, you have another thought coming to you.
Pelé!
The study authors say "Since a security policy cannot be enforced on unmanaged code, we only consider managed code." Given that most C# applications use unmanaged code, they are potentially vulnerable to buffer overflow attacks and the like.
C# has been criticised repeatedly in the security community for this feature. Java always runs in safe or managed mode and is therefore more secure than C#.
For more on what unsafe code means see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncscol/html/Csharp10182001.asp
That the authors of the paper make conclusions about C# security while deliberately excluding a gaping hole, and the paper's appearance on an MS site, leads me to the belief that the paper was probably sponsored by MS and they directed the study authors to exclude unmanaged code from the scope.
Bill Caelli, one of the world's leading security experts, humiliated a Microsoft representative over unsafe code and stated that "Microsoft had missed an historic opportunity to improve security in their products".
There are at least 9 security flaws in .NET. The paper conveniently dismisses them all as not being part of the framework even though Microsoft classifies them as such on their Knowledge Base. This is only to justify their pretty little chart in the introduction showing that .NET has zero security flaws.
If .NET has zero security flaws... nevermind. The paper is deception.
Java runs on Solaris/SPARC, Solaris/X86, Windows, MacOS, and Linux. As soon as Microsoft starts supplying .NET for those platforms, on similar terms to what Sun offers, then I'll consider using it. In addition, a GPL compatible RFND patent license for every 'invention' required to implement .NET and the framework would give them a step up on Java. Until then, I'll pass, thanks anyway.
... i see you never used Borland Delphi.
Having used many development tools like Emacs, VIM, SciTe, kate, Eclipse, Visual Studio.Net and Delphi, i gotta say Delphi is the best IDE i've used hands down.
Simplicity and high productivity is the key here.
You don't have tons of floating dialogues, icons, buttons and drop-downs polluting your interface for no other reason than to show off and make you feel like your investment was well worth it.
No, just the right form designer, object inspector and class hierarchies, along with the project manager. Less bloat and complexity, more productivity...
KISS.
I don't feel like it...
I'm not sure a language forcing security is a good thing. It seems to me writing secure systems is really the responsibility of the development team. Especially since different situations call for different security levels and methodologies.
At first, Mono is in no imaginable way more secure than Java. Java is being tested by millions of programmers; that's why flaws are detected. If Mono had millions of users, it would definitely have an enormous bug database :D
... I doubt that even the licence agreement of .net itself would fit in there ... .net and Mono are completely different from Java in every sense; this is a pointless comparison, just the same as if you would compare a rocket with a jet.
.Net definitely is .Not the answer for most of them. So why go on some fresh born platform when you can choose something that works?
And now to the real world part: what should I do with that thing you call Mono or the Windows executable on my 104 node Sun server? Stick it up its ventilation shaft? Read my lips: your toy doesn't scale nor probably even run on it.
Or should I just try to fit your Mono into my mobile phone with 1 meg of RAM?
People who can't handle Java choose something else. People who don't need Java choose something else. I know that Java has many flaws but
bush is more similar with adolf than java is with dotNet.
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
With all due respect for the author(s), I have the following questions:
Why the misleading chart so early in the paper? I believe a table may have been more appropriate.
Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.
Why is there only a SMALL number of peer-reviewed articles directly related to JAVA?
Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?
What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?
Why the microscopic view of JAVA's flaws and the lack of depth in .NET?
Why aren't the dangers of native code discussed (.NET or JNI)?
I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?
I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads slashdot: don't forget a short biography at the end of the paper next time. This gives the paper extra credibility.
Regards, Bill
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
This is a really blatantly biased study. I wonder where his grant money is coming from.......??? There are some major flaws with his theory....... He is focusing on .NET framework vulnerabilities. Microsoft tries to act as though the languages and .net APIs have had no vulnerabilities. Here are just a few ASP.NET vulnerabilities:
"1 Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability (Vulnerabilities) Rank: 1000
Last modified on: 2004-10-05 18:00:00 MDT
URL: http://www.securityfocus.com/bid/11342
2 Microsoft Ships Nimda To Korea in .NET (News) Rank: 952
Last modified on: 2002-06-13 18:00:00 MDT
URL: http://www.securityfocus.com/news/480
3 Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability (Vulnerabilities) Rank: 944
Last modified on: 2002-06-05 18:00:00 MDT
URL: http://www.securityfocus.com/bid/4958
4 Microsoft Visual Studio .NET Debugger Privilege Enforcement Weakness (Vulnerabilities) Rank: 932
Last modified on: 2004-04-15 18:00:00 MDT
URL: http://www.securityfocus.com/bid/10161
5 Microsoft Visual Studio .NET Korean Version Nimda Infected File Vulnerability (Vulnerabilities) Rank: 907
Last modified on: 2002-06-12 18:00:00 MDT
URL: http://www.securityfocus.com/bid/5012
6 Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability (Vulnerabilities) Rank: 885
Last modified on: 2005-08-17 00:00:00 MDT
URL: http://www.securityfocus.com/bid/14594
7 Microsoft Visual C++ 7/Visual C++.Net Buffer Overflow Protection Weakness (Vulnerabilities) Rank: 882
Last modified on: 2002-02-13 17:00:00 MST
URL: http://www.securityfocus.com/bid/4108
8 Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting Vulnerabilities (Vulnerabilities) Rank: 879
Last modified on: 2005-02-15 17:00:00 MST
URL: http://www.securityfocus.com/bid/12574
9 Microsoft ASP.NET RPC/Encoded Remote Denial Of Service Vulnerability (Vulnerabilities) Rank: 871
Last modified on: 2005-07-11 18:00:00 MDT
URL: http://www.securityfocus.com/bid/14217
10 Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability (Vulnerabilities) Rank: 871
Last modified on: 2003-09-07 18:00:00 MDT
URL: http://www.securityfocus.com/bid/8562
11 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871
Last modified on: 2003-05-07 18:00:00 MDT
URL: http://www.securityfocus.com/archive/82/320989
12 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871
Last modified on: 2003-05-07 18:00:00 MDT
URL: http://www.securityfocus.com/archive/1/320808"
So the idea that there are no vulnerabilities in .net is bunk at best.....
Another problem is that because of the MSDN EULA there have not been any hack challenges or external without Microsoft's permission. A few months ago Windows NT Pro magazine hosted an IIS6 hack challenge and it was mysteriously pulled from their site. I tried contacting them, but they never responded to my questions about the hack challenges.
The big issue however is that there are architectural flaws in the Windows architecture: Microsoft's Blind Spot (http://news.com.com/2010-1071-831385.html
It is how you define your criteria as to what is "vulnerable" and what is "safe".
They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.
Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index
Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.
Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.
The last thing to look at is any application built by someone else on that platform.
And one last item to consider. Any platform is only as "secure" as the level beneath it. If
Here is where they get it wrong on Java: So, if Windows is compromised and code inserted to Java to run, then Java is at fault
Either you count it as a flaw in both, or you don't count it for either.