Comments on: How Microsoft Stacks The Deck When Comparing Windows and Linux Vulnerabilities

by: Todd G

Thu, 03 Aug 2006 12:15:52 +0000

Red Hat blew the studies off.

“The main metrics of the Security Innovation study treated all vulnerabilities as equal, regardless of their risk to users and did not take into account how fast vendors repair vulnerabilities.”

Reseller News: MS wrong on security claims: Red Hat

by: BJ Gillette

Wed, 02 Aug 2006 21:26:52 +0000

Like I said, guys, the deck was stacked.

Having said that, it was mighty decent of Security Innovation and Microsoft to share their methodology.

Frankly, I’m amazed that Red Hat and SuSE haven’t responded with detailed counter-studies of their own.

by: Grant

Wed, 02 Aug 2006 20:48:03 +0000

He also neglected to include Internet Explorer. Secunia counts it seperate, even though you can’t remove it, while the Firefox vulnerabilities count against any Linux distribution that includes it.

by: grouch

Wed, 02 Aug 2006 16:39:13 +0000

Just check unpatched vulnerabilities.

http://secunia.com/product/22/
“Microsoft Windows XP Professional with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical”

‘Currently, 29 out of 144 Secunia advisories, are marked as “Unpatched” in the Secunia database.’

http://secunia.com/product/2535/
“The Secunia database currently contains 0 Secunia advisories marked as “Unpatched”, which affects RedHat Enterprise Linux ES 3.”

‘Currently, 0 out of 291 Secunia advisories, are marked as “Unpatched” in the Secunia database.’

Which numbers make you feel more secure, 29 out of 144 or 0 out of 291?

by: cyber_rigger

Wed, 02 Aug 2006 15:42:44 +0000

Anyone know how many packages in MS Windows XP,
(that would be subject to a vulnerability report)?

by: BJ Gillette

Wed, 02 Aug 2006 14:38:00 +0000

Hi tweakt.
I think you and cyber_rigger are largely saying the same thing.

Nobody cares how many vulnerabilities are in all the brands of software loaded onto a Linux distie, any more than they care about all the books Amazon sells.

That’s just stinkin’ thinkin’.

Having said that, bookstores with reputations for selling better books sell more books… ideally, ideally.

by: BJ Gillette

Wed, 02 Aug 2006 14:15:14 +0000

Hi cyber_rigger.
Agreed. It’s much like comparing an individual book publisher like Prentice Hall to Amazon Books.

by: tweakt

Wed, 02 Aug 2006 14:09:23 +0000

And with 50 packages installed, I’d get owned just about once every year…

Don’t play games with numbers, it doesn’t make sense, and it sounds like Microsoft logic. Besides, what qualifies as a “software package” in a linux distribution varies wildly, from small utilities like gpm, to entire office suites like openoffice.

by: cyber_rigger

Wed, 02 Aug 2006 02:09:08 +0000

One could look at the average vulnerability rate per each software package.

Assume that a Linux distro has 18,000 software packages (Debian, Ubuntu).

If this whole Linux distro had 1 vulnerability per day
that would mean each package
would have an average of 1 vulnerability per every 49 years.

As far as I know Windows XP doesn’t ship with 18,000 software packages.