Microsoft chief Steve Ballmer headlines his artfully crafted broadside: “Customer Focus: Comparing Windows with Linux and UNIX.” But when it comes to security, the honcho focuses on just four Linux distributions, avoids specifics on Unix, and forgets BSD altogether.
Ballmer cites a Forrester report, “Is Linux More Secure than Windows?”. According to Ballmer, Forrester concludes the four versions of Linux “have a higher incidence and severity of vulnerabilities, and are slower than Microsoft to provide security updates.”
Further, Ballmer says, “According to Forrester, Microsoft had the lowest elapsed time between disclosure of a vulnerability and the release of a fix.”
In addition: “According to statistics posted on the security Web site Secunia, Red Hat Enterprise Linux 3 has averaged 7.4 security advisories per month, compared with 1.7 advisories for Windows Server 2003.”
“I think it’s fair to say that no other software platform has invested as much in security R&D, process improvements and customer education as we have at Microsoft.”
To which we’d add: “Nobody invests as much in roof repair as a person with a leaking roof.”

1 comment
February 5th, 2006 at 3:15 pm
Chad Perrin
I ran across that study when it was new, and was unimpressed. One question in particular that arose in my mind was this: How do you measure the time from “disclosure” to patch? Considering that, often enough, vulnerability discoverers are prevented from publicly disclosing what they’ve found until after Microsoft has released a patch, this can mean a period of months of vulnerability, potentially with exploits in the wild, before a patch is provided — and yet, if patch turnaround time is measured from the date of public disclosure, Microsoft’s record will show another zero-day lag.
We see now another reason for Microsoft’s relentless chastisement of anyone who discloses a vulnerability “too soon”. This isn’t about protecting customers: it’s about protecting Microsoft’s image.
That completely leaves aside problems with the Forrester study, such as the fact that Forrester is a Microsoft lackey, and that the RHEL patches include support for a great deal of non-Linux-specific software, while Microsoft patch times only include Windows-specific software, and of that only Microsoft-distributed software.
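The measurement question raised in the comment above, worked through as an added example (it is not part of the original post or comment, and uses no Forrester or Secunia data): the same three constructed vulnerability timelines scored two ways. Counting from first public disclosure to fix, as the comment describes, gives a window of zero for any flaw whose disclosure was held back until patch day; counting from the day the vendor was privately notified shows the full exposure. The `Advisory` class, the `V1`..`V3` identifiers and all dates are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed sample timelines for illustration only; none of these are real
# advisories and the dates are invented (not Forrester's or Secunia's data).


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    reported_to_vendor: date   # day the vendor was privately notified
    public_disclosure: date    # first public disclosure of the flaw
    fix_released: date         # day the patch shipped


def days_from_disclosure(a: Advisory) -> int:
    """Public disclosure -> fix. This is the 'disclosure to fix' counting the
    comment describes: a patch shipped the same day the flaw goes public scores 0."""
    return max(0, (a.fix_released - a.public_disclosure).days)


def days_from_report(a: Advisory) -> int:
    """Vendor notification -> fix: the whole period the vendor knew and users were exposed."""
    return (a.fix_released - a.reported_to_vendor).days


def compare_metrics(advisories: list[Advisory]) -> dict[str, float]:
    """Average both windows over a set of advisories and report how many
    advisories the disclosure-based metric scores as zero."""
    return {
        "avg_days_from_disclosure": mean(days_from_disclosure(a) for a in advisories),
        "avg_days_from_report": mean(days_from_report(a) for a in advisories),
        "share_scored_zero": sum(days_from_disclosure(a) == 0 for a in advisories) / len(advisories),
    }


SAMPLE = [
    # Coordinated disclosure: the flaw goes public on patch day, so the
    # disclosure-based metric records zero despite months of private exposure.
    Advisory("V1", date(2005, 9, 1), date(2006, 1, 10), date(2006, 1, 10)),
    Advisory("V2", date(2005, 11, 15), date(2006, 2, 14), date(2006, 2, 14)),
    # Researcher published before the fix: this one is visible under both metrics.
    Advisory("V3", date(2005, 12, 1), date(2005, 12, 20), date(2006, 1, 10)),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.vuln_id, days_from_disclosure(a), days_from_report(a))
    print(compare_metrics(SAMPLE))
```

On this sample the disclosure-based average is 7 days and two of three advisories score zero, while the notification-based average is about 87 days. Any comparison between vendors is only meaningful if both are scored with the same start date, and the private-notification date is the one that reflects user exposure.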