Windows

Study claims Microsoft Windows has fewer (but bigger) flaws


What would you say if I told you that, of all commercial operating systems, Microsoft Windows has the fewest vulnerabilities and the fastest turnaround time for patches? When you stop laughing, check out this news article: "Study: Windows has fewest security holes."

Here are some stats from the study:

  • Thirty-nine security holes were discovered in Windows during the second half of 2006, with an average patch development turnaround time of 21 days, up from the 22 Windows holes found in the first six months of the year.
  • Red Hat Linux had 208 vulnerabilities for the same period with an average patch time of 58 days, a huge increase on the 42 patched vulnerabilities for the first half of the year.
  • Apple's Mac OS X had 43 vulnerabilities - more than double the number for the first half of 2006 - and an average patch time of 66 days.

Are you surprised by the results of Symantec's study? What shouldn't surprise you is that Windows also wins the prize for having the most critical flaws. "Almost one-third of the 39 Windows holes were high severity, and 20 were medium severity. Just two of the 208 Red Hat Linux security holes discovered were high severity, with 130 medium severity and 70 low severity. Only one of the Mac OS X holes was considered high severity, with 31 classed as medium and 11 as low severity."

What are your thoughts about this classic "quality vs. quantity" debate? Would you rather have a few really big flaws or a bunch of flaws that aren't very severe?

About

Sonja Thompson has worked for TechRepublic since October of 1999. She is currently a Senior Editor and the host of the Smartphones and Tablets blogs.

16 comments
jmgarvin

So, Vista is supposed to be secure because of UAC, but let's look at how many users are just turning it off because it's annoying. How about looking at the Red Hat flaws and filtering out the apps versus the kernel? A little different view then.... So basically it boils down to the fact that MS has a poor security model that they keep pushing, and until it is fixed we'll see more and more issues with zombified Windows boxes, poorly secured Windows servers, and the nightmare of having to deal with malware.

Neon Samurai

Either: it's complete FUD and a manipulated statistic indicating the ongoing pressure Linux is applying to Redmond by simply existing. Or: it's true, indicating that Linux is maturing at a much faster rate than the compared Windows version. With Windows you're dealing with more critical flaws, so every update is a patch to cover bad programming in the same application version. With Linux distros, each patch is an updated version of a software application including both flaw corrections and whatever further refinement and addition of code has come out of the project. An interesting statistic may be number and severity of flaws found vs. developer and tester base: flaws to developers within Windows vs. flaws to developers within whatever generic Linux distro, cropped down to the equivalent software Windows ships with. Still, a bigger number for Linux is good because it means more updates, more active project communities and more support. It continues to evolve and harden quite nicely.

trainer

That study is one-sided. In my experience MS never has a clue what's going on with their products. I find guys outside of MS know more about the product.

simon

Let's face it, how many times have you ever heard of a DDoS or spambot network running on Linux? Or on Macs? Now what about on Windows? You can drum up as many numbers of vulnerabilities as you like. Windows has fewer flaws than (insert OS here). Brilliant. And what policy does MS have about allowing the millions of dodgy copies of Windows to update with the latest security patches so they stop attacking my network? Thought so. And how many Windows users' PCs are actually doing the updating as frequently as they ought to? As low as that? Wow... The problem is not that Windows has fewer flaws or more flaws. The problem is that when my aunt / neighbour / friend asks for PC help, 9 times out of 10 their PC hasn't done Windows Update since the day they got it home from PC World. And in many cases they had the PC built by the local PC shop, who aren't a Microsoft OEM reseller and installed a dodgy copy of Windows on there. Take it back and they give you some flannel about how it was legal, honest, but Microsoft have updated this and changed that and now you have to pay for the "upgrade" (aka legal version). The problem is PC builders scamming users and users being generally useless - and Microsoft releasing software on the world which hasn't been properly tested. The problem is that there are millions of Windows boxes out there with legs spread wide apart and a "come and get me" sign dangling above them. If Microsoft can come to their senses and help us sort out THAT problem then I will believe them - yes, they are serious about security and have fewer vulnerabilities. It won't happen though.

Absolutely

If I think of my OS as a ship that I'm trying to keep afloat, a small number of large holes might be preferable, because there will be only one repair to make. If I have the option of keeping the ship in dry dock (by disabling the Internet Connection) until the hole is patched, this analogy would make Microsoft look even better. However, Microsoft has offered no automated mechanism that would disable all network traffic as soon as 'Critical Vulnerabilities' are discovered, unless/until (1) the 'Critical Update' is released (2) I manually activate the connection, because maybe I decide it's worth the risk, or I don't run that type of traffic on my network, or I just have to use the Internet for some Important Financial Reason. On the other hand, if I think of my operating system as a wall, rather than accepting the lame excuse that third-party software (anti-virus, firewall, adware, I'm getting tired here...) is solely responsible for security, then I would prefer small holes, even if there are slightly more of them. One hole big enough to drive a tank through is all it takes to get a tank onto the wrong side of a wall. It takes a great many holes the size of an infantryman to be as problematic as one hole the size of a tank. Whatever the purpose of a computer [b]is[/b], the purpose of a computer [b]is not[/b] to have something that's challenging to keep 'afloat'. Windows is fine for client workstations, as long as they're behind secure firewalls, but the 'Home User' boxes should come with a warning label, not a EULA.

Neon Samurai

I think I'd still prefer to have a bunch of small holes slowly filling the boat while I stuff them with wadding or row for shore. Even a single large hole would allow a gush rather than a spray of water. Even the last leaky, half-rotten lifeboat would be better than remaining aboard the Titanic with the captain and band.

Absolutely

for trying to give Microsoft the benefit of the doubt, I guess.

georgeou

There's no way most of those vulnerabilities for other OSes were "moderately" dangerous. It's a fine line and a judgment call. Symantec is up to the usual of banging the FUD drum to drum up business. Just in the first 3 months of 2007 alone there were 62 critical Mac OS X vulnerabilities.

simon

Given the disparity in the methods of bug detection, how can this report be accurate? Am I wrong in believing that with MS the number of flaws identified is the number that have been found and announced by MS? Whereas anyone can announce a vulnerability in the Open Source systems, with MS vulnerabilities can exist for months before MS "discovers" them. So in fact MS admitted to having fewer vulnerabilities; many more will have been found and sent in to Redmond, who may or may not decide to publish them, if they feel like it.

TechExec2

[b][i]"...Symantec is up to the usual of banging the FUD drum to drum up business..."[/i][/b] Symantec is not the only one banging the FUD drum. Microsoft is banging it regarding Vista's "security record" and Microsoft supporters are, including some here on TR. Vista has only been on sale since January 30. It is way too early, and pure FUD, to crow about Vista's "security record". Windows Vista is like the alcoholic and DUI convict who has been dry for a little under two months after getting out of rehab (and jail). Much more time is needed to know if he can remain dry and can be trusted behind the wheel. [b][i]"...Just in the first 3 months of 2007 alone there were 62 critical Mac OS X vulnerabilities..."[/i][/b] This is a direct result of the MOAB (Month of Apple Bugs). "Security researchers" (formerly called "hackers" and sometimes criminals) are at war with Apple because Apple mistreated them (did not give proper attribution and payment). They are finding and immediately publishing as many Apple vulnerabilities as they possibly can to punish Apple. Very irresponsible. Citing this stat without including this explanation for the spike is an excellent example of FUD. [b]Vulnerabilities are not exploits![/b] What counts most are exploits in the wild (the number of burglars prowling in the neighborhood). Vulnerabilities are much less significant (the number of times you forgot to lock your door). Windows XP/2000: the king, by far, for exploits in the wild. Windows Vista: too early to crow about security. Very commendable effort and promising, but unproven. edit: typo

Neon Samurai

"This is a direct result of the MOAB (Month of Apple Bugs). "Security researchers" (formerly called "hackers" and sometimes criminals) are at war with Apple because Apple mistreated them (did not give proper attribution and payment). They are finding and immediately publishing as many Apple vulnerabilities as they possibly can to punish Apple. Very irresponsible." It's a little irresponsible that they are focusing on Apple specifically, but I understand where it comes from. Bug reporting has always been a big part of FOSS, but proprietary software sees bug reports as a negative unless they come from inside the organization; saving face and all that. There are also the "Macs are impervious" marketing lines and the general arrogance of the Cult of Mac. Apple makes a good product, but the culture that's evolved around it can be as obnoxious as any of the other extremist software fans. On the other hand, BSD stands to gain from the attention and so do Apple's customers. There are wider benefits even though they're banging on the same brand name.

Ziskey

"This is a direct result of the MOAB (Month of Apple Bugs). "Security researchers" (formerly called "hackers" and sometimes criminals) are at war with Apple because Apple mistreated them (did not give proper attribution and payment). They are finding and immediately publishing as many Apple vulnerabilities as they possibly can to punish Apple. Very irresponsible." Isn't this the same argument some MS fans use when they try to rationalize the number of Windows flaws? This argument has always been weak, and using it to defend Apple doesn't suddenly make it valid. I understand the "Security Researchers" should be disclosing any vulnerability to Apple quietly instead of publicly, but the fact remains they exist.

TechExec2

[b][i]"...Mr Ou made a comment regarding the first 3 months of 2007. Being a few days away from the end of the quarter, I don't see that as an underhanded way to state the number of vulnerabilities. Had he used a timeframe such as January (during the MOAB project) I could see how it would appear misleading..."[/i][/b] Those are your words, not mine. I said [i]"...Citing this stat without including this explanation for the [unprecedented] spike is an excellent example of FUD..."[/i]. [b][i]"...I don't think every comment needs to come with an excuse..."[/i][/b] It's not an excuse to note the reason for the unprecedented spike in Apple vulnerabilities. It's a critical omission to leave it out. Everything we read has an agenda behind it. This was no exception. [b][i]"...Are you saying there's no organized effort to discover Windows, IE, Linux, Firefox, or other high profile vulnerabilities?..."[/i][/b] Once again, those are your words. I simply said [i]"...Citing this stat without including this explanation for the [unprecedented] spike is an excellent example of FUD..."[/i]. It's too bad you cannot put your words in my mouth, huh? It would be a lot easier to argue against them that way. :^0 [b][i]"...However, the 'FUD' accusations seem to get tossed around way too often..."[/i][/b] Wrong. There are not enough FUD accusations. The FUD is everywhere. There is so much FUD and there are so many misleading (and sometimes untruthful) statements from many sources including manufacturers, fanboys, and others with an agenda, it is difficult to see what the truth is. That is the motivation for my post. That's [u]my[/u] agenda. I call the FUD as I see it. [b]Now, the question is...[/b] Now, the question is... Why are you arguing with me? You're not providing any information here at all. You're not challenging the truthfulness or validity of the information I provided. All you are doing is complaining about what I posted, and about me, and making "straw man" arguments. Apparently you simply want me to be quiet. What is [u]your[/u] agenda? I guarantee you have one. And, I bet you won't come clean and clearly state what it is.

Ziskey

Mr Ou made a comment regarding the first 3 months of 2007. Being a few days away from the end of the quarter, I don't see that as an underhanded way to state the number of vulnerabilities. Had he used a timeframe such as January (during the MOAB project) I could see how it would appear misleading. I don't think every comment needs to come with an excuse. Are you saying there's no organized effort to discover Windows, IE, Linux, Firefox, or other high profile vulnerabilities? If the general online public knew what kind of target they've become, I doubt they'd turn their computers on regardless of the operating system. I don't disagree with the vulnerability/exploit argument. However, the "FUD" accusations seem to get tossed around way too often.

TechExec2

[b][i]"...Isn't this the same argument some MS fans use when they try to rationalize the number of Windows flaws?..."[/i][/b] How exactly is that paragraph of mine rationalizing Apple MacOS X flaws? You missed the point entirely! Those vulnerabilities in MacOS are real and need to be fixed as soon as possible. The point in my paragraph was about the FUD. Quoting myself: [b][i]"...Citing this stat without including this explanation for the spike is an excellent example of FUD..."[/i][/b] I further went on to clarify that exploits in the wild are far more important than vulnerabilities. But vulnerabilities are not unimportant. When your young child forgets to lock the front door, it matters. But it matters a lot more when you live in a bad neighborhood with lots of burglars, like the one Windows runs in.