Slashdot Mirror

← Back to Stories (view on slashdot.org)

Surprise, Windows Listed as Most Secure OS

Posted by Zonk on from the opposite-day dept.

david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."

28 of 499 comments (clear)

  1. Simply by COMON$ · · Score: 5, Funny
    Let me simplify:

    This discussion will go as follows.

    Linux geeks will pound the boards about foul play and all the vulerabilities they would exploit if they werent to busy checking dependencies.

    Mac fanboys will make fun of both citing how Symantec didnt like them in the first place, because Mac people dont buy Symantec products.

    Windows geeks will state how this has always been the case, but because they are the more popular OS they are a bigger target.

    And finally the old unix guys will flame about how none of these vulnerabilites would have happened if we would have stayed away from GUIs.

    So now that we have got that out of the way we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up? Personally as a network admin I have not been too nervous the last 6 months. Since the year of the blaster MS has done a pretty good job of making up for exploits and covering their asses. All is quiet on the homefront.

    --
    CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    1. Re:Simply by maynard · · Score: 5, Insightful

      "And finally the old unix guys will flame about how none of these vulnerabilites would have happened if we would have stayed away from GUIs."

      No. Old UNIX hackers will instead berate UNIX for being a total piece of shit and then endlessly whine about the downfall of Symbolics and its old dedicated LISP machines. And they'd be right.

    2. Re:Simply by Stanistani · · Score: 5, Funny

      >we can bypass all the leg humping and mindless dribble and get down to the real discussion...can Microsoft keep it up?

      So much sexual innuendo - so little time.

      --
      You can't talk about Wikipedia's flaws on Wikipedia
    3. Re:Simply by UbuntuDupe · · Score: 5, Funny

      Windows is the safest OS, it's just that it has to tolerate being on unsecure networks, usage by mouth-breathers, and its overwhelming attractiveness as a target for criminals.

      *please mod insightful, please mod insightful*

      --
      Apology to Ubuntu forum.
    4. Re:Simply by bobcat7677 · · Score: 5, Informative

      You forgot one important group (you insensitive clod!). The sensible crowd who simply dismiss the article as hot air from a group of people who have the worst security track record of their industry in the past 5 years. I mean seriously, it's pretty bad when the antivirus software starts getting hit with viruses that would otherwise be ineffective against a system. I wouldn't trust Symantec/Norton with anything more important then a string, much less consider them an "authority" on anything security related. And no, I don't use a Mac.

    5. Re:Simply by Strilanc · · Score: 5, Interesting

      ... and none of them will have read the article.

      If you DO read the article for the vulnerability counts:
      Windows - 39, 12 severe, average 21 day fix
      Mac - 49, 1 severe, average 66 day fix
      Red Hat - 208, 2 severe, average 13 day fix

      Now it looks to me like Windows performed the worst because of the large number of severe problems. This makes it more likely there are many more severe problems.

    6. Re:Simply by eikonos · · Score: 5, Funny

      That will teach internetnews.com to host their site on a Windows box. :P

    7. Re:Simply by rilister · · Score: 5, Informative

      I must be bored... a handy reference card:

      "Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
      -and, from previous Slashdot discussions...
      "a mute point" = "a moot point"

      and my absolute favorite...
      "for all intensive purposes" (aaargh!) = "for all intents and purposes"

      ok? fixed? I can go back to work now?

      --
      'This writing business. Pencils and what-not. Over-rated if you ask me. Silly stuff. Nothing in it' - Eeyore
    8. Re:Simply by Lumpy · · Score: 5, Insightful

      The funny part is these "studies" are so biased even if they TRY not to be.

      they call redhat everything that was on the install Discs. Yes OSX and Windows get to only be the fricking OS.

      Giving redhat a mark because there was a sendmail security fix is complete utter BS.

      a fairer comparison would be redhat to all microsoft products rolled together. Because that is what redhat is. It's Windows XP, windows server 2003 IIS SQL sourcesafe exchange access word excel media server media center outlook media player, etc... all together. Oh dont forget Visual studio 2005 and all it's plugins as redhat out of the box has a full development kit installed.

      Call me when they do that or ignore all the server apps and other apps that come on the CD. These nimrods at symantec simply looked at errata published duting the time. redhat supports 100X more apps in the core OS than micorosft sells all together and issues fixes and errata for all of those. Microsoft tells you to pound sand when your virus scanner eats your PC.

      Big difference.

      --
      Do not look at laser with remaining good eye.
    9. Re:Simply by norminator · · Score: 5, Funny

      I must be bored... a handy reference card:

      "Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
      -and, from previous Slashdot discussions...
      "a mute point" = "a moot point"

      and my absolute favorite...
      "for all intensive purposes" (aaargh!) = "for all intents and purposes"

      ok? fixed? I can go back to work now?

      I could care less about those grammar errors...
  2. Fewer patches... by blargfellow · · Score: 5, Insightful

    Wait...I'm supposed to think that fewer patches makes for a safer operating system?

  3. Yes, but severity? by Anonymous Coward · · Score: 5, Informative

    The article also notes (which the blurb does not) that Microsoft had the most critical or severe class of bugs, even by their own measurement standard. So yes, Microsoft has less fewer bugs (according to the article), but doesn't the severity of the bugs count for anything? Statements like these are why I don't use Symantec products on any of my Windows machines.

  4. I guess Symantec will soon be out of a job. by bitbucketeer · · Score: 5, Insightful

    After all... who needs to buy security products for the most secure commercial OS available to mankind?

  5. The numbers are being misread by christoofar · · Score: 5, Insightful

    If you are counting the number of patches... and you are saying Windows has the fewest number in the last 6 months than MacOS or RedHat... does that mean Windows is more secure?

    What is this, 3rd grade?

    I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!

    Seriously, Microsoft releases in cycles, has to perform a buttload of testing (because of the DNS patch which screwed over a lot of customers), and is slow to react to 0day problems that are brought up with theories and proofs. [They do a lot better when there is an active attack going on, I'll give you that].

    I get SuSE patches for hundreds of installed packages just about every other day and install most of them automatically. The kernel I'll patch up once every 6 months or so.

    Does that make me less secure than Windows? I don't know. I sure feel more secure about putting a fresh openSuSE 10.2 box on the internet unfirewalled than putting a Vista box on the Internet unfirewalled [I wonder if MSFT has actually performed this test with Vista... to see how long it takes before a basic Vista install gets compromised with the software firewall turned off].

  6. Doesn't add up by Anonymous Coward · · Score: 5, Interesting
    "39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows"

    "Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority"

    I fail to see how this makes Windows more secure than Mac OS X.

  7. small addition by caitsith01 · · Score: 5, Informative

    ...someone will tag the story with "defectivebydesign" and someone else will tag it with "no".

    And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."

    I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.

    --
    Read Pynchon.
    1. Re:small addition by PopeRatzo · · Score: 5, Interesting

      Those of us who think there is room in the world for both Windows, OSX and Linux...

      There's not only "room" for Windows, OSX and Linux, but there's a crying need for new blood in the OS arena.
      --
      You are welcome on my lawn.
  8. Again? by kebes · · Score: 5, Insightful
    How many times are we going to have a "news item" that uses the same old technique to "prove" that Windows is the most secure. I'll save you the trouble of reading the article, the executive summary is something like:

    "The total number of reported vulnerabilities for Windows was lower than for others, therefore it is the most secure."

    Wow. That kind of logic would get you a failing grade in any undergraduate class. When TFA actually goes into the breakdown of "severe" versus "not severe." The article even says:

    39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows
    and:

    of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity
    So having 2 severe vulnerabilities makes it less secure than Windows having 12 severe vulnerabilities? Something doesn't add up. That's even assuming their numbers are correct, which I sincerely doubt. Another flaw in logic (that we've seen many times) is that the total number of publically disclosed vulnerabilities turns out to be higher for the development model that involves full-disclosure, rather than the one that involves hiding information as much as possible. This isn't exactly surprising, and says nothing about how many vulnerabilities actually exist.

    Counting vulnerabilities seems like a very silly way to gauge security. It seems like a truer test would be to set up a machine (or rather, a statisically significant bunch of machines) and measure the average time to system compromise. Even this technique has its flaws, of course, but at least it's better than some arbitrary counting technique.
  9. A more useful summary by greg1104 · · Score: 5, Insightful

    Like the total count of all vulnerabilities, including all the little impossible to exploit ones, is important. Let's focus on the serious ones mentioned in their data.

    High-severity security vulnerabilities in 2006

    Windows: Q1/2=5 Q3/4=12 Total=17

    RedHat Linux: Q1/2=1 Q3/4=2 Total=3

    Mac OS X: Q1/2=3 Q3/4=1 Total=4

    Now that's a summary I can agree with.

  10. Logic by volpe · · Score: 5, Insightful

    Microsoft has the most secure operating system amongst its commercial competitors [because] Microsoft Windows had the fewest number of patches [...]

    Ethiopians are the healthiest people in the world because they see the fewest number of health care professionals.
  11. Actually by Greyfox · · Score: 5, Insightful
    My usual response to that is to challenge the speaker to do a base install of Windows and a base install of Linux or MacOS with a machine plugged into the raw internet. Then measure how many times each OS has been pwned before it's done installing. Assuming they all three survive that test, fire up a web browser and try to find out what you need to do to do a software update for your OS (After all, that's the first thing a "normal" user does, right?) and install said software update. Again measure how many times each machine was pwned by the time you got the system installed. Finally, wander off and come back a month later to measure the amount of pwnage that has occurred.

    This usually makes the "Windows is more secure" group STFU pretty quickly, for some reason. They also say "DOH!" just like Homer Simpson at least 4 times while I'm issueing my challenge. I'm really not entirely sure why...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Actually by Nasarius · · Score: 5, Insightful

      if you do an install of an OS without a firewall you are an idiot
      No no, I'd say it's you who's hilariously stupid. Not every OS opens up all sorts of services by default, you know. A decent Linux workstation will have sshd, if anything. Most Linux installs should have a network source so that the latest package version gets installed. Not every OS installer is so poorly designed that it installs old, vulnerable packages, you know.
      --
      LOAD "SIG",8,1
  12. The Fine Print by nixNscratches · · Score: 5, Informative
    Pulled from the actual Report itself (Internet Scurity Threat Report XI) from Symantec -

    With the exception of Microsoft, all vendors were affected by longer turnarounds for patches for third- party components that are distributed with each operating system. Upon examining the sample set of vulnerabilities during this period, Symantec has observed that vulnerabilities with longer patch development times generally affected third-party components. The previous issue of the Symantec Internet Security Threat Reportcommented on the relevance of this issue for commercial UNIX vendors such as HP and Sun,but it holds true for all vendors of UNIX/Linux-based operating systems.

    And of course:

    As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third- parties in response to high-profile vulnerabilities.

    As always, the most secure computer is the one that is turned off, and unplugged from the network.

    No security model is perfect, but I'd take any *nix for a web facing server any day.

  13. Re:GUIs? Hah! Like command lines are any better by Anonymous Coward · · Score: 5, Funny

    You had tape?

    I would have killed for tape.

    In my day we stored data on twigs and tree bark and we liked it.

    And don't get me started on "binary". It was either zero or it wasn't. We didn't need no stinking ones.

  14. Re:GUIs? Hah! Like command lines are any better by nsayer · · Score: 5, Funny

    Luxury.

    We had to draw our data in the sand. We hadn't heard about zeros, so we had to write them as I-I.

  15. Gross Misappropriation of Context by carpeweb · · Score: 5, Informative
    Well, you have to go a long, loooooooong way to reach the conclusion that "Microsoft has the most secure operating system"!

    The audit trail for this year's award for Best Distorting Headline:
    1. The post links to a report on internetnews.com, not Information Week, as reported.
    2. The InternetNews.com report links to the Symantec summary web page, which does not mention Microsoft at all . Moreover, it is a report on Internet Security, not operating systems. (A bit more about that next.)
    3. The report itself is a 104 page (PDF) document (including 24 pages of appendices), which mentions Microsoft mostly in minor points, and in the following contexts:
      1. The Executive Summary does not mention Microsoft at all, nor does the Internet Security Threat Report Overview.
      2. The first mention of Microsoft comes in the Attack Trends Highlights of the Executive Summary Highlights, and it is not flattering: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
      3. Similarly, under Vulnerability Trends Highlights (also under Executive Summary Highlights), the next mention is also not flattering: "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera."
      4. The next mention of Microsoft comes on page 19, under the heading, Threats posed to Windows Vista becoming evident. This comes after an Executive Summary Discussion that does not mention Microsoft anywhere in its ten pages. So far, I'm not feeling the "surprise" factor mentioned by david_g17.
      5. The first conclusion reached in the discussion of threats to Vista is that "Microsoft's Security Development Lifecycle, while thorough, does not necessarily identify all potential vulnerabilities." I am starting to feel some surprise, but it relates to how david_g17 interpreted this story.
      6. The discussion of threats to Vista identifies vulnerabilities, malicious code and attacks against the Teredo protocol. It simply does not say anything to indicate that Symantec believes Vista to be in any way superior to other operating systems with respect to security.
      7. The next mention of Microsoft comes under the section on Attack Trends, and concludes: "Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers."
      8. The next mention of Microsoft is essentially a footnote that singles out two Microsoft vulnerabilities in attributing a peak in bot activity. This is not necessarily a criticism of Microsoft, but it would hardly lead one to think of Microsoft as superior to other vendors.
      9. Next, under Vulnerability Trends, "Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera." Um ... doesn't this mean that Microsoft is less than other vendors? Yes, I know, it's about browsers, not operating systems. Wait. Didn't Microsoft blur this distinction a little bit with their bundling strategy?
      10. Finally ... in the subsection, Patch development time for operating systems, almost halfway through the report, Symantec does give david_g17 his fodder: "Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006".
        However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have
  16. How perfectly Orwellian by BlackSabbath · · Score: 5, Funny

    War is Peace
    Ignorance is Strength
    Windows is Secure

    and

    Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.

  17. Re:GUIs? Hah! Like command lines are any better by Scoldog · · Score: 5, Funny

    In my day, I had to turn the light on for 1 and turn it off for 0.
     
    Problem is, the PHB saw me doing this and told me to leave the light on. I said this would be a bad idea as it would signal the lusers that the system was in production and that they could potentially stuff the system up, especially all the batch files running that where processing data relating to the "Earth" project. The PHB ignored me and created two new limited access user accounts (Hereby called Luser1 AKA Adam and Luser2 AKA Eve).
     
    Anyhoo, to cut a long story short, Luser2 managed to get the root password (due to a worm that the PHB infected the server with), shared it with Luser1 and managed to give themselves greater access to the info on the server. The PHB found out about this and got pretty mad with them. He deleted their user accounts, kicked them off the server and installed a firewall so that they could never again access the almighty server.
     
    So anyway, here I am, the 21C of the "Universe" server, still watching the spawn processes of those two lusers still multiplying and changing and dealing with new problems like cooling fans starting to die.
     
    I don't think I'll ever get this server right again.

    --
    This space for rent