Surprise, Windows Listed as Most Secure OS 499
david_g17 writes "According to a Symantec study reported by Information Week, Microsoft has the most secure operating system amongst its commercial competitors. The report only covered the last 6 months of vulnerabilities and patch releases, but the results place Microsoft operating systems above Mac OS X and Red Hat. According to the article, 'The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.' The article continues to mention the metrics used in the study (quantity and severity of vulnerabilities as well as the amount of time one must wait for the patch to be released)."
Yes, but severity? (Score:5, Informative)
small addition (Score:5, Informative)
And you should have added "Those of us who think there is room in the world for both Windows, OSX and Linux will remain on the sidelines while another round of the holy wars is inconclusively decided."
I am rather looking forward to the comments from Apple users, though, and particularly whether they can best their own record for self-righteous indignation and incredulity.
Re:The numbers are being misread (Score:4, Informative)
Here, this will help:
"The report found that Microsoft (Quote) Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.
During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.
Red Hat Linux was the next-best performer, requiring an average of 58 days to address a total of 208 vulnerabilities. However, this was a significant increase in both problems and fix time over the first half of 2006, when there were 42 vulnerabilities in Red Hat and the average turnaround was 13 days.
The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.
Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple (Quote) has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.
Like the others, this is also an increase over the first half of the year. For the first half of 2006, 21 vulnerabilities were found in Mac OS X and Apple took on average 37 days to fix them. "
Re:Ive seen the evidence (Score:4, Informative)
Re:Simply (Score:5, Informative)
Carefully chosen competitors (Score:4, Informative)
The Fine Print (Score:5, Informative)
And of course:
As always, the most secure computer is the one that is turned off, and unplugged from the network.
No security model is perfect, but I'd take any *nix for a web facing server any day.
Re:Actually (Score:1, Informative)
Re:Simply (Score:4, Informative)
Vista has not been out for six months (Enterprise relese was in November, commercial release was in January) so I can't really use that info for anything... "We got the most secure system... except... it is not released yet..." geee...
...and the fact that the upgrade rate to Vista are somewhere between 30% and 50% of what Microsoft estimated is also helping the statistic.
I have run NT4 and W2K for years without problems... and without reinstalling. It is possible, you just need to know what you are doing... and how to protect your system. Wait until Joe Sixpack & other lusers start to use Vista and then we will see how invincible it is.
...and btw. I do belive Vista is the most secure Windows desktop to date... but that doesn't really say very much does it ?
Re:Actually (Score:5, Informative)
Then I noticed the firewall wasn't even on by default at that point.
Gross Misappropriation of Context (Score:5, Informative)
The audit trail for this year's award for Best Distorting Headline:
However, that same section concludes "The risk of exploitation in the wild is a major driving force in the development of patches. As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild (emphasis mine). This may have
Re:Simply (Score:5, Informative)
"Mindless dribble" = "Mindless drivel", people. please. I see this so often and it grieveth me so.
-and, from previous Slashdot discussions...
"a mute point" = "a moot point"
and my absolute favorite...
"for all intensive purposes" (aaargh!) = "for all intents and purposes"
ok? fixed? I can go back to work now?
Re:IIS (Score:3, Informative)
secure programming in general is very hard though some languages make it harder than others. Secure programming requires carefull consideration of many issues some of which span accross the application. It also requires good documentation (how should things be quoted at this interface? is the creator of this data trustworthy or should the data be treated as potentially malicious and so on).
php does have some big issues though, newbie attractiveness is one, register_globals was another (thankfully disabled by default nowadays), another less known one involves the normal way (or at least one of the normal ways) of getting headers doing some bogus merging and hence allowing breakage of the x-forwarded-for system (which is used by sites that use reverse proxies to store the real ip of a request). (see http://en.wikipedia.org/wiki/User:Brion_VIBBER/Co
Re:Actually (Score:2, Informative)
Article Has Stupid Title (Score:2, Informative)
If I make a report that says 5000 people die in swimming pools every year, and 100 people die from base jumping, that doesn't mean I am saying that swimming is more dangerous than base jumping. If internetnews comes along and says that, well, that's their misguided interpretation.
The report gives the facts. The article takes the facts and manipulates them to say something that isn't implied. Only an idiot would make those conclusions.
Survival Time Studies. (Score:3, Informative)
A more accurate measurement might be: average time to system compromise / number of attacks.
Any real world test would be better than this silly patch counting, but the number usually reported is time to ownership. People don't really care about how many attempts it takes to break a system as much as they care about how often they need to do things. It might take an attacker 100,000 tries to brute force a password, what matters is how long it took. The trick is to make sure your network looks like a typical network and to describe those conditions so others can compare.
The usual result of tests like that is that Windoze machines are taken down in as little as four minutes with a half life of 12 minutes. Red Hat, out of the box, takes three or four months.
The Honeynet Project has all sorts of studies to further enlighten you [honeynet.org]. The bottom line is the result: More than 25% of Windoze computers are part of a bot net [slashdot.org] that's screwing everyone [slashdot.org]. It happens faster than you can download patches that won't really do you any good anyway.
Re:Actually (Score:3, Informative)
Re:Simply (Score:2, Informative)
This article is purely about medium- or high-impact vulnerabilities in the OS or software that comes with the OS that were patched. Unfortunately for Linux, that means almost everything.
You can read the full report here [symantec.com]. That's a much better source than the news.
Consider the source (Score:3, Informative)
- created an anti-virus signature that filled up your hard drive with DIR000?? folders
- has such tenacious application installs it usually takes a reformat to get them removed
- recognizes other anti-virus applications as virus activity
- purchased Ghost a few years ago and has yet to move it forward AT ALL.
- purchased Veritas last year (maybe 2) and has nearly halted all progress on that product.
Yeah, Symantec knows what it's doing.
My concerns about WIndows are architectural (Score:3, Informative)
DCE/RPC underlies all DCOM calls. And OLE is built on DCOM. Note that this means that you cannot turn this network service off. If it breaks, so do all manner of other things (like, for example, parts of the control panel, the clipboard, and the like). So essentially everything in Windows goes through a message bus with inadequate security.
Firewalls only buy you so much when you are up against this.