The startling conclusion that Microsoft has the most secure OS isn’t mine (although I don’t find it all that fantastically unlikely), but that of some observors who came to that conclusion after looking at Symantec’s  Internet Security Threat Report Volume IX (http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport) that covers the second half of 2006.

Here’s a quick look at a few of the relevant numbers; see what you make of them:

  • For the period of  July 1, 2006, through December 31, 2006
  • Windows had 12 severe threats with the total of 39 vulnerabilities fixed in an average of 21 days.
  • Mac OS X had 1 severe threat but Apple had an average 66 day turn-around for the entire 43 vulnerabilities reported.
  • Red Hat Linux was actually faster than OS X with a 58-day average time to fix a total of 208 vulnerabilities.
  • Of those Red Hat threats, 2 were critical and 130 were rated medium severity.
  • HP-UX had 98 vulnerabilities and needed an average of 101 days to fix them.

Still, pity the poor Sun users who waited an average of 122 days for fixes of the 63 Solaris vulnerabilities.

Mozilla users rejoice – the average time to patch a vulnerability was the best of any browser, only 2 days, vital if you are facing a zero-day threat.

What shouldn’t come as a surprise is Symantec’s report that the biggest vulnerability threat is found in the newest hot branch of software – Web apps!

Another unsurprising (at least to me) part of the report was the first paragraph of the Executive Summary:

“Over the past two reporting periods, Symantec has observed a fundamental shift in Internet security ctivity. The current threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used forfinancial gain.”

Also, right in line with my recent report here on the California Secretary of State’s exposure of hundreds of thousands of individuals’ Social Security Numbers on their official Web site, Symantec reports that the government sector in total was responsible for 25 percent of the identity theft activity related to online security breaches.

Comming in second as the biggest threat to your personal identity were educational-related sites, with medical sites taking a close third.

Of course those are the groups that keep the largest amount of personal information outside the three highly centralized credit reporting agencies, so perhaps it really shouldn’t be surprising to anyone that the most data theft came from the places with the most personal information.

77% of all Web browser attacks were aimed at Internet Explorer (the biggest target obviously, so no surprise there).

There is a lot of useful information to be gleaned from this Symantec report and every security professional needs to download and study a FREE copy. It not only tells you what category of threats you need to protect against most, it also includes a lot of useful information about which regions have the most infected computers (and that therefore you should be especially wary of Web sites in those areas and emails from people in those locations. By the way, the U.S. is the origin of more attacks than any other country (probably has the most computers also) and, on average, China has the most bot-infested computers in the world, but the U.S. ranks second in the number of infected systems while Israel has the highest percentage of hackers per PC.

But there is good news for IT security managers too; the home user is the subject of targeted attacks more than 90 percent of the time, which means that your workers aren’t.

SPAM now makes up about 59% of all email traffic and 65% of that is in English (a lot of it pretty broken English in my experience).

A really alarming statistic was that Symantec had only identified 1 zero-day threat in the first half of 2006 but the security company documented 12 in the second half.

The report also details the percentages of each kind of malware detected and has a vast amount of useful information, not the least of which is the headline-making finding that Microsoft is currently the best performing company when it comes to the speed of fixing vulnerabilities in a major OS.

I would only be fair to remind everyone that Microsoft also mainly sticks to a regular monthly security patch release, with only an occasional mid-month release in extreme cases. I wonder what Microsoft’s numbers would have been if they released patches as soon as they were available?

I also feel compelled to point out that the #1 ranking was based only on the speed with which the companies responded to threats, not the severety of the threats or how much trouble the patches caused.

Nevertheless, this report from a company that is finding itself more and more in competition with Microsoft in the security market (and therefore probably isn’t cutting Microsoft any slack) is certainly a good one for the folks at Redmond.

So, why does nearly everyone seem to believe Microsoft is so slow to provide patched code?

I feel it is just just like Detroit, which now makes pretty good cars and trucks but is still considered by many to turn out inferior quality products; it may take a LONG time to convince people that Windows is actually pretty secure and Microsoft is very responsive to threats.

Detroit will have to keep proving that it can make reliable vehicles for a long time to overcome the advantage some foreign makes have. (Turning out more popular designs with better gas mileage couldn’t hurt either – I’m NOT Detroit-bashing – I have a lot of old Detroit Iron, including some with very big displacement engines from the muscle-car era – several 460’s and one 455.)

Likewise, Microsoft is going to have to keep being the fastest to patch its most basic product for a long time to convince people that it is really doing a good job.

(Making a much smaller and highly secure alternative to Vista would also be a good place to earn some points – at least with me.) 

How about YOU? What do you think of the implications in this Symantec report?