Surprise, Windows Listed as Most Secure OS
david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."
Wait...I'm supposed to think that fewer patches makes for a safer operating system?
"Windows had the fewest number of patches and the shortest average patch development time of the five operating systems" = "Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a few number of patches, from possibly an unknown number of undiscovered vulnerabilities"
Read radical news here
After all... who needs to buy security products for the most secure commercial OS available to mankind?
"And finally the old unix guys will flame about how none of these vulnerabilities would have happened if we would have stayed away from GUIs."
No. Old UNIX hackers will instead berate UNIX for being a total piece of shit and then endlessly whine about the downfall of Symbolics and its old dedicated LISP machines. And they'd be right.
If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?
What is this, 3rd grade?
I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!
Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].
I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.
Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].
Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.
Patch release count is probably the worst security metric that you could come up with.
Competition Good, Monopoly Bad.
*Symantec* released the report. How many products does Symantec make for non-Windows OSs? Or was their research "Windows XP with Norton Internet Security Suite 2007 installed"?
This is not news. This is a Symantec marketing campaign disguised as a press release disguised as a research report.
Never mind the false conclusion that fewer patches = more secure. Never mind that both OS X (which had MOAB) and RHEL both include a lot more software than the base OS for Windows.
The road to tyranny has always been paved with claims of necessity.
Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.
Congratulations all around Microsoft.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
"The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."
Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says: and: So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publicly disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.
Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.
Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.
High-severity security vulnerabilities in 2006
Windows: Q1/2=5 Q3/4=12 Total=17
RedHat Linux: Q1/2=1 Q3/4=2 Total=3
Mac OS X: Q1/2=3 Q3/4=1 Total=4
Now that's a summary I can agree with.
Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.
This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issuing my challenge. I'm really not entirely sure why...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
More secure than VMS, i5OS, or z/OS?
Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace. Does a bug in VLC equate to an OS bug? How about Firefox? Can it be used to root your system? All grey areas. Given that, the total numbers of bugs are not surprising at all and the low number of high priority bugs is telling to the extent that patch numbers are a valid measure at all. Taking a while to fix higher numbers of low priority bugs isn't a big deal as long as the high priority bugs are dealt with quickly. That would be the obvious follow up question, which they did not apparently ask. Another obvious question is who reported the defects? Are these vendor provided numbers or third party (e.g. CERT) security alerts? Another question no one (except Sun) bothered to ask.
The summary is that over the last 6 months, Windows had the fewest number of bugs (regardless of severity) and took the shortest amount of time to fix them.
a. What is not mentioned is that Windows had the most number of severe bugs. Windows had 12, OS X 1. But it didn't mention how many severe bugs Linux had.
b. Also what isn't noted is methodology. The time between bug and patch is mentioned but not whether time is between the bug being discovered or being announced. With open source, almost all bugs are announced when they are discovered. With closed source, it is not the same. MS has in the past sat on bugs for months, years before announcing them much less working on them.
c. This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn't look so good. Didn't BSD have its 2nd bug in a decade recently?
Well, there's spam egg sausage and spam, that's not got much spam in it.
As others have pointed out: Symantec is in business to sell "security" software for the Windows platform. Nothing more needs to be said in that regard.
Also, as others have pointed out, the metric of "Number of Patches" released is pretty much worthless. If this was a serious security test of Vista, it would have employed port scanners, malicious web pages, and assorted other threats stacked up against a default installation of the OS, on known hardware, with Vista's "security" features enabled in a known way.
For consistency's sake, the same attacks would need to be carried out against default installs of not just Linux, but OpenBSD, FreeBSD, NetBSD, and others. Then, and ONLY then, if Windows came out unscathed ahead of all those others (HA!) could it possibly be considered "most secure."
For that matter, the term "most secure" is meaningless without context. Most secure as a server? A workstation? With what skill level of user behind it?
This study seems to be, as the Immoral Bird might have put it, "lots of sound and fury, signifying nothing."
In fact, if it showed up on Usenet, it would most likely be considered a lame attempt at trolling, and subsequently killfiled.
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies
Since it's so secure, I will stop buying Symantec products on all my 340 Windows equipped computers, such a great OS doesn't need Symantec solutions anymore.
Symantec says that Windows is the most secure operating system. Why, then, would a windows user buy Symantec's products if that user is running the most secure commercial OS?
How is the number of patches that Microsoft chooses to fix a good metric? I doubt this is the case, but what if the engineers were sitting around saying "holy crap, these problems are all hard! who wants to get some coffee?" and never got around to releasing patches?
Oh, a lesson in history from Mr. I'm my own grandpa.
While I don't think Windows is the most secure OS, it's not fair to compare the number of patches released by a Linux packaging system to the number released by Microsoft for their base OS. The various repositories include every conceivable type of software for Linux and updates for that software while I assume Symantec (no I didn't read the article) is referring to updates just for Windows, not every piece of software on Windows. Your comparison only makes sense if you compare the SUSE repository software updates with every Windows software update.
I mean they are basically saying "we're in the wrong business" - great way to drive your stock price down and end up with a whole bunch of investor law suits ....
What you really want is the number of zero-day exploits. Vulnerabilities that are patched prior to an exploit are of far less concern than vulnerabilities that are exploited (NOT counting proof-of-concept "exploits") prior to a patch becoming available. Even I have seen reports of several zero-day exploits against Windows in my recent memory, and I don't even use Windows or pay much attention to those notices....
If we assume that the vast majority of people who find security holes do the right thing and notify the vendor, then we can conclude that the vast majority of security holes should not be exploited prior to it being patched. From this, we can conclude from the relatively high zero-day-flaws-to-patch-count ratio that the vast majority of known Windows security holes probably remain unpatched, thus making the above numbers dramatically understated. Just a hunch.
If an operating system is more secure because the vendor has made fewer security fixes, that would make RedHat 1.0 the most secure OS of all. It probably hasn't had any security fixes in the better part of a decade. It's roughly equivalent to saying that the Ford Pinto is the safest car made in the last thirty years because the manufacturer only released one safety recall, while my Ford Windstar (with dual airbags, rear shoulder belts, anti-lock brakes, etc.) had at least three. See how silly that argument is? :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
Norton used to be awesome as well. Norton Commander on my PC XT (the 86-88 version of nc)? It used up only a tiny portion of memory, it was fast, extremely useful. Norton Utilities (disk doctor specifically) from the same time saved my ass several times. Now? I had my mom uninstall all Symantec software from her Windows XP machine. She used a competing anti-virus problem, relied on her hardware firewall's protection (came with the ISP!), and the speed gains from the computer.. it was like night and day. Before, it took 5 minutes after bootup for the machine to become usable as Norton Internet Security did all sorts of things that you can't turn off, and it slowed the computer down during normal use as well. What a difference two decades makes!
Tell me again how a more secure Windows OS becomes good news for Symantec.
Because you have to believe Windoze can be secure before you waste money on it or Symantic.
Friends don't help friends install M$ junk.
Ahhaaahhaaaaahhaaaaaaaaahhhhaaaaaaa
Guess who wants in on Vista
Windows - 39, 12 severe, average 21 day fix
Mac - 49, 1 severe, average 66 day fix
Red Hat - 208, 2 severe, average 13 day fix
I know that Red Hat is patching more than just the OS, we are talking about people who patch little things like gaim or libfoo.so (microsoft still hasn't patched Office since Feb. http://research.eeye.com/html/alerts/zeroday/20070209.html)
Wow, I don't care what they claim in the report. Hats off to Red Hat!
Bringing liberty to the masses. - http://freetalklive.com/
The funny part is these "studies" are so biased even if they TRY not to be.
they call redhat everything that was on the install Discs. Yes OSX and Windows get to only be the fricking OS.
Giving redhat a mark because there was a sendmail security fix is complete utter BS.
a fairer comparison would be redhat to all microsoft products rolled together. Because that is what redhat is. It's Windows XP, windows server 2003 IIS SQL sourcesafe exchange access word excel media server media center outlook media player, etc... all together. Oh don't forget Visual studio 2005 and all its plugins as redhat out of the box has a full development kit installed.
Call me when they do that or ignore all the server apps and other apps that come on the CD. These nimrods at symantec simply looked at errata published during the time. redhat supports 100X more apps in the core OS than microsoft sells all together and issues fixes and errata for all of those. Microsoft tells you to pound sand when your virus scanner eats your PC.
Big difference.
Do not look at laser with remaining good eye.
"Starts" affecting?
That assumes that these decision-making processes were once made rationally.
You are in a maze of twisty little passages, all alike.
Symantec is where good software goes to die. For example: Norton Utilities, Ghost, BackupExec.
That's a bad assumption. I would suggest that the percentage of people who maliciously exploit Linux after finding a flaw is lower than the number of people who maliciously exploit Windows after finding a flaw. Part of that is that Linux supports peer review, so anyone who finds a flaw can also fix it in short order, and gain geek cred by getting their name commented into the source, or whatever the Linux community does to honor contributors. If you find a flaw in Windows, it's probably not something that's user fixable. If it is, and you tell Microsoft about the flaw and the fix, there will be a waiting period of a couple weeks while they review the code, and then it might be anonymously attached in a Windows Update.
People who spend this kind of time and effort on something generally like to be recognized for it, and the easy path on Windows is to release an exploit in the wild, rather than telling the authorities. This is less a technology issue than a psychology issue.
I see your informative link, and raise you a pithy comment.
The big comparison I make is the severity of the problem. A lot of the security fixes seen in OS X are related to applications, things like "a maliciously crafted quicktime movie could lead to elevated privileges". This is a whole world different than "a buffer overflow in the TCP stack allows remote code execution". The former you can get hit by if you are running malware, the latter comes and gets your computer and integrates it into another botnet while you sleep.
I'll take the former over the latter any day. Most of the nasties windows copes with are things that will ambush you when you are doing what should be totally safe things, like browsing a web site or just plain being connected to the internet without a firewall. I don't know how anyone can claim a system that is just plain unsafe to connect to the internet without spending three hours patching it and loading up defensive software is more secure than anything.
I work for the Department of Redundancy Department.
1) How many of those vulnerabilities on MacOS X are impossible to exploit?
2) How many of them deal with applications which are bundled but disabled by default (e.g., Apache, OpenSSH)?
3) What constitutes a "critical" vulnerability? What is the relative threat level?
4) How many of those exploits were "in the wild" in terms of use?
Your method of generating "unpatched days" is also suspect. First, severity doesn't factor into the number of days and is a *really* bad multiplier in this case. It exaggerates without providing any useful information.
Second, if I have a trivial "vulnerability" that is impossible to exploit and a real show stopper arrive on my desk at the same time, and I fix the critical one first but let the other linger for 4 months, it gives me an average right between the two... despite that one of them was a trivial issue that never gets exploited in the wild.
My competitor, on the other hand, fixes the trivial bug first and the critical bug in two months. In the meantime an exploit goes into the wild. His "average" is better than mine and he'll show up as better using the pseudometrics you are using with multipliers. Which is more secure?
Attempting to generate bad metrics from bad metrics doesn't seem like the way to go here.
Integrate Keynote and LaTeX
....I am rather looking forward to the comments from Apple users.....
You are, are you?! Well right here on /. at this time, there is a front page post on 1.2 million bot infestations. Read some of that. I bet that not even ONE of these is on a Mac under OSX. Symantec doesn't like Macs because they don't need the crap Symantec tries to sell in the disguise of anti-malware programs. If one day it came out that they promote the black hat hackers just so they can sell more of their garbage, I would not be surprised in the least. I don't understand why anyone pays attention to such self-serving drivel from that company.
All theory is gray
Symantec has been rambling nonsense about how windows and proprietary software are more secure for a couple years now. How long ago was their last shocking report about how insecure open source and linux are?
Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS. They are tied to the platform. Not to mention they are an anti-virus company and windows is the only platform with a large enough virus problem to keep them in business. If any other platform came to dominate the market Symantec would be out of business.
Other than that, they aren't biased at all.
I'm surprised no one has bothered to point out the fact that it is in Symantec's interest for people to use windows. They don't sell their products to *nix/OSX users.
So they say Windows is more secure to convince a few gullible people to buy into the platform. Then those sorry souls who believed them get infected and end up needing an antivirus product (if they haven't bought one already). Oh, gee.... look who they might go to with their cash at that point.
Oh, yeah, that's right *it doesn't exist except to protect Windows boxes*. You know, when reality is in total opposition to your theory and/or study, maybe there is something wrong with your methodology? Is it possible that you just aren't measuring the right things? Because if Symantec is right, they are missing a huge market opportunity. On the other hand, given AV companies' history of alarmist headlines, perhaps they are trying to create a new market to replace the old one that Microsoft is eating for lunch?
Actually, the comparisons of the security vulnerabilities usually go as follows:
Guy 1: Windows had 50 security patches last month
Guy 2: RHEL had 500 security patches last month. Out of those, 5 were for the Linux kernel and critical system software. Rest were for Frozen Bubble and GIMP
Guy 1: Who cares, nobody will know the difference, let's say RHEL had 500 security patches
Funnily enough, Windows security comparisons never take any third-party software into consideration, while all Linux security comparisons do.
As for me, after over 25 years of professional computer use, I still look every now and then at what's going on in the research arena. However, as much as it pains me to admit it, Unix (as in Linux/BSD) is good enough for me. It's not great and quite kludgy in places but it now has all the apps I need for day to day use, even the office apps. It still has the problem solving tools I've come to rely on when I need to script stuff (with new and better ones coming along every now and then). And I can more or less understand what's happening in it (and if I don't I know it at least has a fair chance of being vaguely documented somewhere) which is more than I can say about Windows which I have now relegated to a purely gaming platform.
The only thing I miss is pie menus which I still think are a great interface which are really underused (or rather not used at all).
So while I find the research systems interesting from an intellectual point of view, at the end of the day, they're a bit like CPUs, I don't really care what runs my apps any more as long as it works and I more or less understand how to make it do its thing my way.
May contain traces of nut.
Made from the freshest electrons.
You mean people actually BELIEVE these ratings issued by a company that has a vested interest in selling security software? Obviously, Symantec is still keen to spook Mac and Linux users into buying its redundant software.