“Symantec’s comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days. Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That’s quite a bit higher than Microsoft’s average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.”
I know this is pretty much flamebait…
Maybe Microsoft is so fast because they have had tons of practice over the last 10 years, and probably have HUGE divisions devoted to the analysis, development, testing, and deployment of patches.
It actually sounds like a good thing to me.
Your thought is probably accurate. What makes you think that’s flamebait?
I was thinking that Microsoft is the quickest because they don’t fix it correctly and they have to issue patch after patch until they (hopefully) finally correct it at some point in time.
Then again, Sun is a mess for whatever reason. Somehow, I’d hope that they’d be consistent in keeping the code clean since they built their business to keep other people’s data safe and healthy.
Windows is insecure by default, and with an insecure base, fixing bugs in no time is a must. But then, we’re speaking of Windows – the buggiest OS on the planet.
When you have 95% of market share, you better make sure your patches are out ASAP
Just this morning I installed patches for Windows XP, and it got stuck in a continuous cycle of crashing and rebooting.
Maybe they’re fastest, but that isn’t always everything. At least I have it fixed for now, or at least I hope so.
Pardon my skepticism, but I am supposed to believe a report put out by a company who is almost entirely dependent on MS products for its revenue? Enough said.
So. I have a product. I find a hole. I patch it. I announce it. I release the patch. You see, I have some more holes here. Oh, you can’t see them. Bummer.
What they don’t tell you is the severity of these security flaws; there is a marked difference between a security flaw which is invoked by standing on one’s head, hanging the left arm out the window whilst singing the national anthem versus a security vulnerability exploitable by simply connecting to the internet.
This is the problem with fanboys and so-called security experts; they all have their sacred cows (good lord; Symantec couldn’t possibly slam Microsoft; after all, Microsoft suggests THEIR security products, and Symantec are reliant on Microsoft’s products – they have a symbiotic relationship!) – and we have people here who suck down that Kool-Aid without question.
A good point. But then…
What would explain this?
http://www.mcafee.com/us/local_content/misc/vista_position.pdf
(The top google result for “McAfee Slams Microsoft”, BTW)
Of course – but it’s the content of the McAfee report that should be addressed, not the reputations of the report’s author or subject. Otherwise, that’s the very definition of ad hominem argument (except directed at an organization rather than a person).
> What would explain this?
Even Microsoft hates Vista, that link doesn’t invalidate the argument of a symbiotic relationship – it perpetuates it!
Do you mean much like the IE7 exploits when compared to the recent Safari exploit?
It’s clear that the secure development cycle at Microsoft is working, they’ve made great strides and have made the old “Windows is insecure” criticism mostly irrelevant moving forward.
They win but it doesn’t matter as they are evil anyway.
… that doesn’t say much about how safe you are using their software. So they ship patches out the fastest (if that report was unbiased which I’m not just going to take for granted). I still feel all warm and safe when I use Ubuntu.
The fact that Microsoft releases their patches faster doesn’t necessarily mean that Microsoft’s products are more secure. Just look at the difference when not counting third-party. If Microsoft was able to patch 36 times more than RedHat, think about how many more flaws exist compared to RedHat (and ultimately Linux).
Also, as mentioned in previous comments, check out the difference in employee count. According to Wikipedia, as of 2007, Microsoft has 79,000 employees compared to RedHat’s 2,200. Fascinatingly enough, the difference is almost exactly 36 times.
Edited 2008-04-11 06:57 UTC
…but RedHat doesn’t have to patch everything themselves. That’s the great thing about community software. It even says in the article that they patched 226 third party applications. Gnu/Linux as a whole is probably patched quicker than Microsoft patches the various aspects of Windows (including Office software and Web browsers).
Of course, I don’t have data for that, it’s a hunch. But the article is flawed.
That is the dilemma with security comparisons of any large GNU/Linux distro with Windows.
To be able to even make a comparison, one would have to look at the functions Windows provides, and exclude any security issues of programs from the GNU/Linux distro that have no functional match in the compared Windows installation.
Then the flaws have to be ordered by severity and how many days each flaw was unpatched and publicly known.
Then we can start a discussion if the numbers we see actually mean anything.
If one counts the numbers of cracked webservers per million installed servers, Linux comes off slightly worse than Windows. Nobody knows why, probably Linux machines are seen by their admins as “inherently safe” and are therefore left unpatched. On the other hand, there still does not exist a really successful virus for Linux, but Windows machines are cracked by the millions through viruses.
The answer to the question “which operating system is more secure” is hard to give as it involves sociological as well as technical aspects.
Edited 2008-04-11 20:07 UTC
If you install Mandriva today you are going to install the version patched until 15 days ago. But if you wanna install WinXP you’ll install the version made 5 years ago with its million holes.
You cannot get the WinXPv3 with the service pack 3 modification of files from scratch.
You must install a very very old and unpatched system and then download 700 MB of patch.
That they do because they wanna. No excuse. Every other little company with no big profits can have their OSes patched except Microsoft.
So how does it matter if they release fast patches if most people don’t know how to download them and anyway don’t have the broadband/time/disk space necessary to download a SP3 that should never have existed because they should have installed an already patched WinXP2008 at the first time?
> You cannot get the WinXPv3 with the service pack 3 modification of files from scratch.
> You must install a very very old and unpatched system and then download 700 MB of patch.
What? All new XPs are shipped with SP2c pre-integrated.
If you install Mandriva today, you are not going to be installing the version released 5 years ago. Otherwise, you will have a really difficult time patching it. You need to compare “Mandriva today” with Windows today, which is Vista.
With that said, your argument is still fairly valid, as Microsoft sure took a long time to release Vista.
Please give credit when they deserve it, Microsoft did well in this survey.
However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do.
On a Windows platform each application manufacturer is responsible for providing an update system for their application. This is why a Windows XP box often has lots of different “update managers” (Adobe update, Java update, InstallShield update, Windows update, etc).
In contrast for Red Hat, these updates are mostly handled by Red Hat themselves, which is made possible by Red Hat following/contributing to upstream projects and applying patches from these projects. Still, the patch/deployment team has to work with a much larger range of applications.
Thus this is comparing apples with oranges. To make this completely “fair”, you would have to compare several production machines from all OSes performing various tasks including all the necessary third party applications.
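The methodological points raised in this comment and in the earlier one about functional matching (only compare components both vendors ship, order flaws by severity, count the days each flaw was publicly known and unpatched, and separate first-party from third-party patches) can be made concrete. The Python below is an added worked example, not part of the original thread or of the Symantec report; the two vendors, the components, the 1–4 severity scale and the dates are constructed so that each aggregation choice can be seen to reverse the ranking that the raw average produces.

```python
"""How aggregation choices change a time-to-patch ranking.

Added example with constructed data; the vendors, components, severity
scale and dates below are invented and are not taken from any report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    vendor: str
    function: str        # what the component does, used to match across vendors
    third_party: bool    # fix for code the vendor ships but did not write
    severity: int        # 1 (low) .. 4 (critical); assumed scale
    disclosed: date      # first public disclosure
    patched: date        # vendor fix available

    @property
    def exposure_days(self) -> int:
        """Days the flaw was publicly known and unpatched."""
        return (self.patched - self.disclosed).days


# Constructed sample: VendorA ships only its own code, VendorB bundles
# third-party components the way a Linux distribution does.
VULNS = [
    Vuln("VendorA", "kernel",  False, 4, date(2007, 7, 2),  date(2007, 8, 30)),  # 59 days
    Vuln("VendorA", "browser", False, 2, date(2007, 7, 10), date(2007, 7, 12)),  # 2 days
    Vuln("VendorA", "browser", False, 1, date(2007, 8, 1),  date(2007, 8, 2)),   # 1 day
    Vuln("VendorA", "media",   False, 2, date(2007, 9, 5),  date(2007, 9, 7)),   # 2 days
    Vuln("VendorB", "kernel",  False, 4, date(2007, 7, 3),  date(2007, 7, 8)),   # 5 days
    Vuln("VendorB", "browser", True,  3, date(2007, 7, 15), date(2007, 7, 27)),  # 12 days
    Vuln("VendorB", "library", True,  1, date(2007, 7, 20), date(2007, 9, 1)),   # 43 days
    Vuln("VendorB", "mail",    True,  1, date(2007, 8, 1),  date(2007, 9, 20)),  # 50 days
    Vuln("VendorB", "imaging", True,  1, date(2007, 8, 15), date(2007, 10, 10)), # 56 days
]

Metric = Callable[[list], float]


def mean_days(vulns: list) -> float:
    """The headline number: plain average of days-to-patch."""
    return sum(v.exposure_days for v in vulns) / len(vulns)


def severity_weighted_days(vulns: list) -> float:
    """Average days-to-patch where a critical flaw counts four times a low one."""
    total_weight = sum(v.severity for v in vulns)
    return sum(v.severity * v.exposure_days for v in vulns) / total_weight


def first_party_only(vulns: Iterable) -> list:
    """Drop patches for bundled third-party code."""
    return [v for v in vulns if not v.third_party]


def common_functions_only(vulns: Iterable) -> list:
    """Keep only component functions that every vendor in the sample ships."""
    vulns = list(vulns)
    functions_by_vendor: dict = {}
    for v in vulns:
        functions_by_vendor.setdefault(v.vendor, set()).add(v.function)
    common = set.intersection(*functions_by_vendor.values())
    return [v for v in vulns if v.function in common]


def ranking(vulns: list, metric: Metric) -> list:
    """(vendor, score) pairs, best (lowest) score first, rounded to one decimal."""
    by_vendor: dict = {}
    for v in vulns:
        by_vendor.setdefault(v.vendor, []).append(v)
    scores = {vendor: round(metric(vs), 1) for vendor, vs in by_vendor.items()}
    return sorted(scores.items(), key=lambda item: item[1])


def vendor_order(vulns: list, metric: Metric) -> list:
    """Just the vendor names, best first."""
    return [vendor for vendor, _ in ranking(vulns, metric)]


if __name__ == "__main__":
    print("raw mean, everything:        ", ranking(VULNS, mean_days))
    print("raw mean, first-party only:  ", ranking(first_party_only(VULNS), mean_days))
    print("severity-weighted, everything", ranking(VULNS, severity_weighted_days))
    print("raw mean, matched functions: ", ranking(common_functions_only(VULNS), mean_days))
```

With this sample VendorA wins on the headline average (16.0 versus 33.2 days) purely because VendorB's slow fixes are all low-severity third-party packages; once those are excluded, once severity is weighted, or once only the components both vendors ship are compared, VendorB comes out ahead. None of the four numbers is wrong, which is the point the comments above make: the ranking is a property of the aggregation choice as much as of the vendors.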
“However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do.”
Unless you realize that with Open source, you have many 3rd party apps being patched by the 3rd party developers, so RedHat’s job, for example, is made easier because they do not have to develop all the patches in house, but just merge the finished patches into their code (after testing, of course).
Either way, patching holes is a tough job, regardless of who’s doing the patching.
Actually the article is quite interesting and not at all worshiping at the altar of Microsoft.
The Symantec report identifies plenty of problems with Microsoft products. The one big baddie is ActiveX, causing a whopping 89%-79% of browser security risks. (A joke is made about Java increasing from 2% to 5%, therefore being the most insecure, but it’s a joke.) Given the data on vulnerability distribution, I wouldn’t want to run a browser, or any other client-side software on a Microsoft machine, either.
There are two things that muddy any clear comparison.
Firstly, how do any of us know when MS are aware of a security flaw? If they are slow to own up then they will inevitably look better than they ought to. With a tiny organization it is less of an issue but with MS it is a real question.
Secondly, comparisons often end up comparing different things based on what comes with the operating system.
Undoubtedly MS work hard and throw resources at patching security problems but their efforts to make every operating system fully backward compatible means they are trying to push water uphill… if anyone can do it … they have the budget!
Security through obscurity doesn’t work, as a general rule. Holes are found, even when someone doesn’t “own up”.
This really isn’t an issue. With MS, everything that ships on the Windows disc is part of Windows. If you want to grouse about what Linux “is” — since there are so many different distros — then that’s a separate issue.
Well, I refuse to acknowledge this due to the fact that these ARE the Jokers that put out the bloatware known as Norton. Wasn’t it proven years ago that running their crap will actually slow down your OS?
I think so.
Anyway, MS HAS to patch and stuff. Bigger company, more flaws, lesser coding standards to get a piece of crap out (Vista).
Sorry, but I just don’t trust anything that has anything to do with Norton.
I think Symantec could be just as evil as Microsoft but they’re too busy messing up people’s machines with their software/crashware.
In a couple of cases on Mac OS X, they’ve sounded the alarm for exploits, but it almost seems as if they created them or paid to have them created.
Just so we’re clear: If the report had said that Microsoft is the slowest to patch, then you’d still be dismissing the report because it came from “the Jokers that put out Norton”. Is this correct?
I think most of us recognize the limitations and potential biases of all of these reports, view them as a bunch of noise, and rely more upon our own experiences and observations, anyway.
I usually don’t even bother with articles like this one, regardless of what they conclude. I just happened to notice this thread under “recent comments” else I wouldn’t be posting this.
A wise decision. My personal experience is that Microsoft is quick to fix the easy problems, and slow to fix the severe ones (with some exception). Whereas other operating systems do it the other way around. Whether this allows MS (and their lackeys) to claim MS “fixes things faster”, I don’t know. I do know that I take any such report with a huge grain of salt.
For me, however, anything favourable to Microsoft gets examined under a microscope in my world (when I can be bothered to waste the time). They seem to have this reputation for buying opinions, votes, governments, etc. A well deserved reputation in my experience dealing with them and looking at their business practices. All 24 years worth in my case.