Posted by: Amker
« on: 25. June 2007., 12:39:35 »

Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division, has published his latest report (PDF) comparing the number of fixed and unfixed vulnerabilities of various operating systems, including Windows Vista, Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu Linux 6.06 LTS, Novell SUSE Linux Enterprise Desktop 10, and Mac OS X 10.4.
The report looks at the number of known vulnerabilities (both patched and unpatched) that existed in each operating system six months after it was released. It is a follow-up to Jones' earlier report that looked at the same operating systems three months after each shipped. The numbers show that Windows Vista has the lowest number of vulnerabilities in both the three- and six-month time frames, with Windows XP (somewhat surprisingly) coming in second place. Mac OS X was in third, with the various Linux distributions having significantly more vulnerabilities.
Critics of similar studies carried out in the past have pointed out that a typical Linux distribution contains significantly more software than what is provided with a standard Windows or Mac OS X install, and Jones did make an effort to account for this in his calculations. He excluded any component that was not installed by default, which included all optional server components, and also excluded Thunderbird, The GIMP, and OpenOffice.org from the final tallies.
While it might be easy to dismiss a report from any OS company that puts its own product in the most favorable light as biased, it is important to remember that the data behind Jones' graphs comes from publicly available information published by the National Institute of Standards and Technology (NIST), which tracks software vulnerabilities in the National Vulnerability Database.
However, a valid criticism of the study is that it only looks at the total number of vulnerabilities found in an operating system, which is not a complete assessment of how "secure" one OS is compared with another. None of the listed operating systems, even when fully patched, can prevent an end user from deliberately installing malware disguised as useful software, which is the vector attackers most commonly use today. Also, the number of malware programs written to exploit each vulnerability has a large impact on the safety of using one OS over another, even if it isn't technically a measure of how secure the OS is.
The study also doesn't take into consideration architectural changes between operating systems and new versions of third-party software, such as the feature of Internet Explorer 7 on Windows Vista (Protected Mode) that runs the entire web browser in a low-rights mode. What the study really shows is how well Microsoft does today in writing secure code when compared to other software companies. Given the concerted effort that took place at Microsoft to educate its programmers about the dangers of insecure programming practices around the time of Windows XP SP2, this is not too surprising a result at this early stage.
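As an added illustration (this is not code from the article or from Jones' report), the Python script below applies the counting rules discussed above to constructed vulnerability records: it keeps only records published within a fixed window after each product's release, optionally drops components that are not part of the default install, and reports the total alongside the unfixed and high-severity counts. It goes one step past the report's raw count by letting you rank the same data by severity, which is the critique the article raises. The product names, components, dates and scores are invented for the example, and the high-severity threshold is an assumption based on the CVSS v2 bands NVD uses.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record in the shape an NVD-style feed would give us."""
    vid: str
    product: str
    component: str
    published: date
    cvss: float      # base score on the 0.0-10.0 scale
    fixed: bool      # True if a vendor fix was available at counting time


# Constructed sample data for two fictional operating systems (not real products).
RELEASE_DATES = {
    "OS-A": date(2006, 11, 1),
    "OS-B": date(2006, 6, 1),
}

# Components shipped in a default install. "office" is optional on OS-A but
# default on OS-B, mirroring the kind of exclusion the report had to make.
DEFAULT_INSTALL = {
    "OS-A": {"kernel", "browser"},
    "OS-B": {"kernel", "browser", "office", "image-tool"},
}

SAMPLE = [
    Vuln("V-001", "OS-A", "kernel",     date(2006, 12, 15), 7.2, True),
    Vuln("V-002", "OS-A", "browser",    date(2007, 2, 10),  9.3, True),
    Vuln("V-003", "OS-A", "office",     date(2007, 3, 1),   6.8, True),
    Vuln("V-004", "OS-A", "kernel",     date(2007, 6, 15),  4.3, False),
    Vuln("V-101", "OS-B", "kernel",     date(2006, 7, 1),   2.1, True),
    Vuln("V-102", "OS-B", "browser",    date(2006, 8, 5),   4.3, True),
    Vuln("V-103", "OS-B", "office",     date(2006, 9, 10),  3.5, True),
    Vuln("V-104", "OS-B", "kernel",     date(2006, 10, 20), 5.0, False),
    Vuln("V-105", "OS-B", "image-tool", date(2006, 11, 15), 2.6, True),
]

HIGH_SEVERITY = 7.0  # assumed threshold; CVSS v2 labels 7.0-10.0 "High"


def in_window(v: Vuln, release: date, days: int) -> bool:
    """True if the record was published between release and release + days."""
    return release <= v.published <= release + timedelta(days=days)


def count_vulns(vulns, release_dates, days, default_only=True, min_cvss=0.0):
    """Count vulnerabilities per product under the chosen methodology.

    Returns {product: {"total": n, "unfixed": n, "high": n}}.
    """
    counts = {p: {"total": 0, "unfixed": 0, "high": 0} for p in release_dates}
    for v in vulns:
        release = release_dates.get(v.product)
        if release is None or not in_window(v, release, days):
            continue
        if default_only and v.component not in DEFAULT_INSTALL.get(v.product, set()):
            continue
        if v.cvss < min_cvss:
            continue
        c = counts[v.product]
        c["total"] += 1
        if not v.fixed:
            c["unfixed"] += 1
        if v.cvss >= HIGH_SEVERITY:
            c["high"] += 1
    return counts


def rank(counts, key="total"):
    """Products ordered from fewest to most by the chosen metric (name breaks ties)."""
    return sorted(counts, key=lambda p: (counts[p][key], p))


if __name__ == "__main__":
    for days in (90, 180):
        for default_only in (False, True):
            c = count_vulns(SAMPLE, RELEASE_DATES, days, default_only)
            print(f"{days:>3} days, default_only={default_only!s:5}: {c}")
            print("    by total:", rank(c, "total"), " by high:", rank(c, "high"))
```

On this constructed data, the six-month count with non-default components excluded gives OS-A two vulnerabilities and OS-B five, so OS-A "wins" by the report's metric; counting only high-severity records flips the order, since both of OS-A's are high while none of OS-B's are. Shortening the window to 90 days or raising `min_cvss` changes the totals again, which is the practical point: the ranking is a function of the counting rules as much as of the code being counted.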