Slashdot Mirror


Surprise, Windows Listed as Most Secure OS

david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."


  1. Doesn't add up by Anonymous Coward · · Score: 5, Interesting
    "39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows"

    "Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"

    I fail to see how this makes Windows more secure than Mac OS X.

  2. Correlations that are left out by GiovanniZero · · Score: 4, Interesting

    It's interesting to note that OS X had 43 vulnerabilities (1 severe) while Windows had 39 vulnerabilities (12 severe). So Windows had more big threat security holes than OS X by 12 times. Maybe OS X's average patch time is higher because the vulnerabilities they had were less important to patch?

    --
    Mod me up, mod me down, do your worst you modding clown.
  3. Really by Anonymous Coward · · Score: 2, Interesting

    The interesting questions are:

    If I've carefully kept up with updates on my servers, what percentage of the time have my machines been vulnerable?

    What is the statistical probability that my servers will be broken into? Surely we can get pretty good data to answer this question.

    Ask these questions for:

    - RedHat with everything installed
    - RedHat with minimal packages for running a web server (no gui, etc)
    - Windows (gotta have that GUI!)
    - OSX (ditto)

  4. yet another meaningless "study" by Anonymous Coward · · Score: 1, Interesting

    Yet another meaningless study. So Windows had fewer vulnerabilities in the latter half of 2006 and/or Microsoft got the patches out the fastest. No consideration for the severity of the vulnerabilities. When was the patch time counted from? When the vulnerability was first known to the vendor, or when it was first publicly disclosed?

    All these studies are the same. They draw conclusions from stats that have only a tenuous relation to security. Why not try to measure something usable, like time for an unattended box to be owned, or the percent of installations of the OS that have been owned, etc.

  5. Re:GUIs? Hah! Like command lines are any better by RetroGeek · · Score: 2, Interesting

    THAT brings back memories.

    Toggling in binary (from Hex cheat sheets) to get the CPU to the BIOS, so it could read enough to be able to read the tape drive which held the program to read the DASD to read the actual program.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  6. Let's vote on it by Anonymous Coward · · Score: 1, Interesting

    Most Secure of the Following:

    Windows Vista
    RedHat Linux
    Mac OS X
    HP UX
    Solaris

  7. Re:Simply by Strilanc · · Score: 5, Interesting

    ... and none of them will have read the article.

    If you DO read the article for the vulnerability counts:
    Windows - 39, 12 severe, average 21 day fix
    Mac - 49, 1 severe, average 66 day fix
    Red Hat - 208, 2 severe, average 13 day fix

    Now it looks to me like Windows performed the worst because of the large number of severe problems. This makes it more likely there are many more severe problems.

  8. Reminds me of a Microsoft Security Forum I went to by mergy · · Score: 2, Interesting

    I think it was in Jan 2004 when Windows 2003 just got really in general release and people started using it. The reps from Microsoft stated they were really focusing on security and he mentioned (I kid you not) that the corporate culture at MS to lean towards usability vs security would be tough to change and it would be like 'turning the Titanic'. Pretty funny.

    But the real funny aspect / announcement was that MS was so focused on security that they would really make an effort to issue less security announcements and releases in the coming year. That's right - they decided to use the metric of announcements of security flaws as something they were going to use to measure their security improvements. So, as long as they issue less 'leaks' on the problems, they would be achieving their goals of being more secure.

    This sort of 'study' seems to validate the MS thinking. Ignorance is bliss. I think I will go break the fuel gauge on my car so I will never run out of gas and kick the dashboard in to break the speedometer so I will never get a speeding ticket. Woo hoo!

  9. IIS by lseltzer · · Score: 4, Interesting

    Someone else mentioned IIS and I thought it was worth mentioning, apropos of parent's remarks, that it's been years since the last really serious IIS vulnerability. In the last two years or so it actually has a better security record than Apache, especially Apache with PHP installed (Apache of course has a really good security record too, but IIS has been stellar).

    Look at Secunia's page on IIS 6.0, which is 3 or 4 years old: 3 vulnerabilities total, all patched and none of them seriously critical.

  10. Re:small addition by Chmcginn · · Score: 2, Interesting

    Well, the zealotry of the ranting guy on the street is entertaining. As is a lot of the zealotry on /. . The only kind that really worries me is when it starts affecting commercial/political decision making processes.

    --
    Have you been touched by his noodly appendage?
  11. Re:GUIs? Hah! Like command lines are any better by dan828 · · Score: 2, Interesting

    Now picture trying to do that after being woken from a dead sleep in the middle of the night, when all the while alarms are blaring and annoying the living hell out of you. And this is not so long ago-- the US Coast Guard was still using ancient PDP8s in the early 1990s to track their LORAN timing signals. Entering the bootstrap in on the front panel binary switches was not a thing of joy.

  12. Re:small addition by PopeRatzo · · Score: 5, Interesting

    Those of us who think there is room in the world for both Windows, OSX and Linux...

    There's not only "room" for Windows, OSX and Linux, but there's a crying need for new blood in the OS arena.
    --
    You are welcome on my lawn.
  13. Strange analysis in article by wealthychef · · Score: 2, Interesting

    So Mac OS X, which had only one vulnerability rated high priority and none rated severe, lost to Windows, which had 12? This makes no sense to me. I'm open minded, but this seems like the real surprise is these people's definition of "most secure." Mac OS X had more total vulnerabilities, but the vast majority were non-severe, moderate or low priority, compared to Microsoft's offering, more than 25% of whose vulnerabilities were severe or high priority. I'd like to know how long it took Apple to fix its one high priority vulnerability. I'll bet it was fast. Anyhow, this is a crazy analysis.

    --
    Currently hooked on AMP
  14. Re:What were Symantec thinking? by Niten · · Score: 2, Interesting

    I don't know, I sort of saw it the other way around:

    "Hey all you guys, listen up. I know some of you were thinking of switching to Linux or the Mac or something for improved security, but really, you're better off staying put with Windows. And by the way, did I mention that our products run on Windows?"

    Maybe I'm just cynical today...

  15. Re:Simply by Murmer · · Score: 2, Interesting
    It's an anecdote, but the worst thing that's happened to my network in the last six months was a nasty worm that propagated to all our correctly-updated Windows machines via, drumroll please, a vulnerability in Symantec's enterprise AV product.

    There was so much love that weekend, I tell you. So much.

    --
    Mike Hoye
  16. Re:Actually by Anonymous Coward · · Score: 1, Interesting

    What are you smoking? Are you ok?

    What was your point? Blaster and Code Red were both MS worms...

  17. Re:small addition by Anonymous Coward · · Score: 3, Interesting

    Here's your Mac user. I'd comment, but I'm still trying to recover from the hysterical laughter that occurred after reading the article. I say one thing; those Symantec PR people can sure make statistics dance!

    I think the headline was misleading or perhaps edited a little too much. It should have read, "Surprise, Surprise... Windows Listed As Most Secure OS- By Symantec." It might have been more accurate if it had a few smilies tossed into it, or perhaps a [Yawn].

    Intonation is everything.

  18. Re:Symantec's motivation by gig · · Score: 2, Interesting

    Actually Symantec's place on the Mac is that every six months or so they do a big FUD campaign against Mac security, trying to scare up demand for an all-purpose software package that will "secure your Mac." Their best argument is always "you never know".

    I love how Symantec's current position is that Windows should stay broken and insecure so that it doesn't destroy the Windows utilities market.

  19. You decide by brplut40 · · Score: 2, Interesting

    I searched the CVE and found the following results within the same time period that Symantec did their report:

    HP-UX 14 vulnerabilities

    OS X 5 vulnerabilities

    Microsoft Windows 59 vulnerabilities

    Solaris 8 vulnerabilities

    A search of US-CERT produces the following results:

    HP-UX 14 vulnerabilities

    OS X 1454 vulnerabilities

    Microsoft Windows 459 vulnerabilities

    Solaris 28 vulnerabilities

    These were the exact terms I searched

    Now think why a security company would overinflate that amount of vulnerabilities that have been found in various operating systems, perhaps because they sell security products and it is in the interest of their business model?

  20. Lumping multiple versions of Linux together again by RTLM10 · · Score: 2, Interesting

    On the bottom of page 39 they define the Red Hat operating systems as: "Red Hat Linux (including enterprise versions and Red Hat Fedora)" No wonder it came out with the most vulnerabilities. One vulnerability would be counted 7 times (RHEL 2.1, 3, 4 and Fedora 3, 4, 5, and 6) instead of the one instance it should have been counted as. I don't understand why Fedora would be lumped under the Red Hat flag either. It's obviously going to have more vulnerabilities simply because it has code that's closer to the cutting edge. Red Hat waits for Fedora to flush out many of these types of bugs so they can offer a secure OS to its customers. Secondly, Red Hat doesn't offer support of Fedora and doesn't have an obligation to release patches for it. Counting those numbers in their totals really skews the counts.