Slashdot Mirror

← Back to Stories (view on slashdot.org)

Surprise, Windows Listed as Most Secure OS

Posted by Zonk on from the opposite-day dept.

david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."

12 of 499 comments (clear)

  1. Yes, but severity? by Anonymous Coward · · Score: 5, Informative

    The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has less fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.

  2. small addition by caitsith01 · · Score: 5, Informative

    ...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".

    And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."

    I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.

    --
    Read Pynchon.
  3. Re:The numbers are being misread by slackmaster2000 · · Score: 3, Informative

    Don't go around calling "3rd grade" if you're just going to summarize a summary. RTFA already.

    Here, this will help:

    "The report found that Microsoft (Quote) Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.

    During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.

    Red Hat Linux was the next-best performer, requiring an average of 58 days to address a total of 208 vulnerabilities. However, this was a significant increase in both problems and fix time over the first half of 2006, when there were 42 vulnerabilities in Red Hat and the average turnaround was 13 days.

    The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.

    Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple (Quote) has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.

    Like the others, this is also an increase over the first half of the year. For the first half of 2006, 21 vulnerabilities were found in Mac OS X and Apple took on average 37 days to fix them. "

  4. Re:Ive seen the evidence by EvanED · · Score: 3, Informative

    It's probably a device driver issue. A bad kernel module will cause almost exactly the same error on Linux, only they call it a kernel panic instead of BSOD and write "sleeping function called from invalid context" instead of "IRQ_NOT_LESS_OR_EQUAL."

  5. Re:Simply by bobcat7677 · · Score: 5, Informative

    You forgot one important group (you insensitive clod!). The sensible crowd who simply dismiss the article as hot air from a group of people who have the worst security track record of their industry in the past 5 years. I mean seriously, it's pretty bad when the antivirus software starts getting hit with viruses that would otherwise be ineffective against a system. I wouldn't trust Symantec/Norton with anything more important then a string, much less consider them an "authority" on anything security related. And no, I don't use a Mac.

  6. Carefully chosen competitors by mandelbr0t · · Score: 3, Informative

    What a pointless comparison. All that we see is that Windows has finally caught up with other Desktop OSs in security. Desktop systems are insecure, period, so who really cares about which one is more secure. I see that there's no BSD in the list, not a single IBM OS, VMS, or any other Mainframe OS. This report completely fails to illustrate any useful information. Insecure machines can be protected with firewalls which run secure OSs, none of which were in this list (OpenBSD, anyone?). About all that can be said is that Windows has finally found a way to protect itself from the meddling of idiots, at the cost of the most annoying security system ever invented. All that, and I still doubt that any sort of stability could be achieved on a network running these three OSs exclusively, without the protection of at least one OS not in this report.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  7. The Fine Print by nixNscratches · · Score: 5, Informative
    Pulled from the actual Report itself (Internet Scurity Threat Report XI) from Symantec -

    With the exception of Microsoft, all vendors were affected by longer turnarounds for patches for third- party components that are distributed with each operating system. Upon examining the sample set of vulnerabilities during this period, Symantec has observed that vulnerabilities with longer patch development times generally affected third-party components. The previous issue of the Symantec Internet Security Threat Reportcommented on the relevance of this issue for commercial UNIX vendors such as HP and Sun,but it holds true for all vendors of UNIX/Linux-based operating systems.

    And of course:

    As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third- parties in response to high-profile vulnerabilities.

    As always, the most secure computer is the one that is turned off, and unplugged from the network.

    No security model is perfect, but I'd take any *nix for a web facing server any day.

  8. Re:Simply by Hymer · · Score: 4, Informative

    Well... I think you should talk to that norwegian bank wich was down for a week (11,000 PC's and 1,000+ servers) a couple weeks ago about how secure Windows is... so no, not really "All quiet".
    Vista has not been out for six months (Enterprise relese was in November, commercial release was in January) so I can't really use that info for anything... "We got the most secure system... except... it is not released yet..." geee...
    ...and the fact that the upgrade rate to Vista are somewhere between 30% and 50% of what Microsoft estimated is also helping the statistic.
    I have run NT4 and W2K for years without problems... and without reinstalling. It is possible, you just need to know what you are doing... and how to protect your system. Wait until Joe Sixpack & other lusers start to use Vista and then we will see how invincible it is.
    ...and btw. I do belive Vista is the most secure Windows desktop to date... but that doesn't really say very much does it ?

  9. Re:Actually by sqlrob · · Score: 4, Informative

    No open ports on an OS X install, so it's not a problem. When I got my Mac, first thing I did was port scan it, there was squat open.

    Then I noticed the firewall wasn't even on by default at that point.

  10. Gross Misappropriation of Context by carpeweb · · Score: 5, Informative
    Well, you have to go a long, loooooooong way to reach the conclusion that "Microsoft has the most secure operating system"!

    The audit trail for this year's award for Best Distorting Headline:
    1. The post links to a report on internetnews.com, not Information Week, as reported.
    2. The InternetNews.com report links to the Symantec summary web page, which does not mention Microsoft at all . Moreover, it is a report on Internet Security, not operating systems. (A bit more about that next.)
    3. The report itself is a 104 page (PDF) document (including 24 pages of appendices), which mentions Microsoft mostly in minor points, and in the following contexts:
      1. The Executive Summary does not mention Microsoft at all, nor does the Internet Security Threat Report Overview.
      2. The first mention of Microsoft comes in the Attack Trends Highlights of the Executive Summary Highlights, and it is not flattering: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
      3. Similarly, under Vulnerability Trends Highlights (also under Executive Summary Highlights), the next mention is also not flattering: "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera."
      4. The next mention of Microsoft comes on page 19, under the heading, Threats posed to Windows Vista becoming evident. This comes after an Executive Summary Discussion that does not mention Microsoft anywhere in its ten pages. So far, I'm not feeling the "surprise" factor mentioned by david_g17.
      5. The first conclusion reached in the discussion of threats to Vista is that "Microsoft's Security Development Lifecycle, while thorough, does not necessarily identify all potential vulnerabilities." I am starting to feel some surprise, but it relates to how david_g17 interpreted this story.
      6. The discussion of threats to Vista identifies vulnerabilities, malicious code and attacks against the Teredo protocol. It simply does not say anything to indicate that Symantec believes Vista to be in any way superior to other operating systems with respect to security.
      7. The next mention of Microsoft comes under the section on Attack Trends, and concludes: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
      8. The next mention of Microsoft is essentially a footnote that singles out two Microsoft vulnerabilities in attributing a peak in bot activity. This is not necessarily a criticism of Microsoft, but it would hardly lead one to think of Microsoft as superior to other vendors.
      9. Next, under Vulnerability Trends, "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera." Um ... doesn't this mean that Microsoft is less than other vendors? Yes, I know, it's about browsers, not operating systems. Wait. Didn't Microsoft blur this distinction a little bit with their bundling strategy?
      10. Finally ... in the subsection, Patch development time for operating systems, almost halfway through the report, Symantec does give david_g17 his fodder: "Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006".
        However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have
  11. Re:Simply by rilister · · Score: 5, Informative

    I must be bored... a handy reference card:

    "Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
    -and, from previous Slashdot discussions...
    "a mute point" = "a moot point"

    and my absolute favorite...
    "for all intensive purposes" (aaargh!) = "for all intents and purposes"

    ok? fixed? I can go back to work now?

    --
    'This writing business. Pencils and what-not. Over-rated if you ask me. Silly stuff. Nothing in it' - Eeyore
  12. Re:Actually by kernelistic · · Score: 3, Informative

    This is simply not true. If your Windows 2003 machine is on any sort of network, NetBIOS is enabled if you select the default settings.