Maybe Microsoft is so fast because they have had tons of practice over the last 10 years, and probably have HUGE divisions devoted to the analysis, development, testing, and deployment of patches.
:)
It actually sounds like a good thing to me.
I was thinking that Microsoft is the quickest because they don't fix it correctly and they have to issue patch after patch until they (hopefully) finally correct it at some point in time.
Then again, Sun is a mess for whatever reason. Somehow, I'd hope that they'd be consistent in keeping the code clean since they built their business to keep other people's data safe and healthy.
What they don't tell you is the severity of these security flaws; there is a marked difference between a security flaw which is invoked by standing on one's head, hanging the left arm out the window whilst singing the national anthem, versus a security vulnerability exploitable by simply connecting to the internet.
This is the problem with fanboys and so-called security experts; they all have their sacred cows (good lord; Symantec couldn't possibly slam Microsoft; after all, Microsoft suggests THEIR security products, and Symantec are reliant on Microsoft's products - they have a symbiotic relationship!) - and we have people here who suck down that Kool-Aid without question.
A good point. But then...
What would explain this?
http://www.mcafee.com/us/local_content/misc/vista_position.pdf
(The top google result for "McAfee Slams Microsoft", BTW)
Of course - but it's the content of the McAfee report that should be addressed, not the reputations of the report's author or subject. Otherwise, that's the very definition of ad hominem argument (except directed at an organization rather than a person).
Do you mean much like the IE7 exploits when compared to the recent Safari exploit?
It's clear that the secure development cycle at Microsoft is working; they've made great strides and have made the old "Windows is insecure" criticism mostly irrelevant moving forward.
The fact that Microsoft releases their patches faster doesn't necessarily mean that Microsoft's products are more secure. Just look at the difference when not counting third-party. If Microsoft was able to patch 36 times more than RedHat, think about how many more flaws exist compared to RedHat (and ultimately Linux).
Also, as mentioned in previous comments, check out the difference in employee count. According to Wikipedia, as of 2007, Microsoft has 79,000 employees compared to RedHat's 2,200. Fascinatingly enough, the difference is almost exactly 36 times.
Edited 2008-04-11 06:57 UTC
...but RedHat doesn't have to patch everything themselves. That's the great thing about community software. It even says in the article that they patched 226 third party applications. Gnu/Linux as a whole is probably patched quicker than Microsoft patches the various aspects of Windows (including Office software and Web browsers).
Of course, I don't have data for that, it's a hunch. But the article is flawed.
That is the dilemma with security comparisons of any large GNU/Linux distro with Windows.
To be able to even make a comparison, one would have to look at the functions Windows provides, and exclude any security issues of programs from the GNU/Linux distro that have no functional match in the compared Windows installation.
Then the flaws have to be ordered by severity and how many days each flaw was unpatched and publicly known.
Then we can start a discussion if the numbers we see actually mean anything.
If one counts the numbers of cracked webservers per million installed servers, Linux comes off slightly worse than Windows. Nobody knows why, probably Linux machines are seen by their admins as "inherently safe" and are therefore left unpatched. On the other hand, there still does not exist a really successful virus for Linux, but Windows machines are cracked by the millions through viruses.
The answer to the question "which operating system is more secure" is hard to give as it involves sociological as well as technical aspects.
Edited 2008-04-11 20:07 UTC
If you install Mandriva today you are going to install the version patched until 15 days ago. But if you want to install WinXP you'll install the version made 5 years ago with its million holes.
You cannot get the WinXP with the service pack 3 modification of files from scratch.
You must install a very, very old and unpatched system and then download 700 MB of patches.
That they do because they want to. No excuse. Every other little company with no big profits can have their OSes patched except Microsoft.
So how does it matter if they release fast patches if most people don't know how to download them and anyway don't have the broadband/time/disk space necessary to download an SP3 that should never have existed, because they should have installed an already patched WinXP2008 in the first place?
If you install Mandriva today, you are not going to be installing the version released 5 years ago. Otherwise, you will have a really difficult time patching it. You need to compare "Mandriva today" with Windows today, which is Vista.
With that said, your argument is still fairly valid, as Microsoft sure took a long time to release Vista.
Please give credit when they deserve it, Microsoft did well in this survey.
However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do.
On a Windows platform each application manufacturer is responsible for providing an update system for their application. This is why a Windows XP box often has lots of different "update managers" (Adobe update, Java update, InstallShield update, Windows update, etc).
In contrast for Red Hat, these updates are mostly handled by Red Hat themselves, which is made possible by Red Hat following/contributing to upstream projects and applying patches from these projects. Still, the patch/deployment team has to work with a much larger range of applications.
Thus this is comparing apples with oranges. To make this completely "fair", you would have to compare several production machines from all OSes performing various tasks including all the necessary third party applications.
"However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do."
Unless you realize that with Open source, you have many 3rd party apps being patched by the 3rd party developers, so RedHat's job, for example, is made easier because they do not have to develop all the patches in house, but just merge the finished patches into their code (after testing, of course).
Either way, patching holes is a tough job, regardless of who's doing the patching.
Actually the article is quite interesting and not at all worshiping at the altar of Microsoft.
The Symantec report identifies plenty of problems with Microsoft products. The one big baddie is ActiveX, causing a whopping 89%-79% of browser security risks. (A joke is made about Java increasing from 2% to 5%, therefore being the most insecure, but it's a joke.) Given the data on vulnerability distribution, I wouldn't want to run a browser, or any other client-side software on a Microsoft machine, either.
There are two things that muddy any clear comparison.
Firstly, how do any of us know when MS are aware of a security flaw? If they are slow to own up then they will inevitably look better than they ought to. With a tiny organization it is less of an issue but with MS it is a real question.
Secondly, comparisons often end up comparing different things based on what comes with the operating system.
Undoubtedly MS work hard and throw resources at patching security problems but their efforts to make every operating system fully backward compatible means they are trying to push water up hill... if anyone can do it ... they have the budget!
Security through obscurity doesn't work, as a general rule. Holes are found, even when someone doesn't "own up".
This really isn't an issue. With MS, everything that ships on the Windows disc is part of Windows. If you want to grouse about what Linux "is" -- since there are so many different distros -- then that's a separate issue.
Well, I refuse to acknowledge this due to the fact that these ARE the Jokers that put out the bloatware known as Norton. Wasn't it proven years ago that running their crap will actually slow down your OS?
I think so.
Anyway, MS HAS to patch and stuff. Bigger company, more flaws, lesser coding standards to get a piece of crap out (Vista).
Sorry, but I just don't trust anything that has anything to do with Norton.
I think Symantec could be just as evil as Microsoft but they're too busy messing up people's machines with their software/crashware.
In a couple of cases on Mac OS X, they've sounded the alarm for exploits, but it almost seems as if they created them or paid to have them created.
Just so we're clear: If the report had said that Microsoft is the slowest to patch, then you'd still be dismissing the report because it came from "the Jokers that put out Norton". Is this correct?
I think most of us recognize the limitations and potential biases of all of these reports, view them as a bunch of noise, and rely more upon our own experiences and observations, anyway.
I usually don't even bother with articles like this one, regardless of what they conclude. I just happened to notice this thread under "recent comments" else I wouldn't be posting this.
"I think most of us recognize the limitations and potential biases of all of these reports, view them as a bunch of noise, and rely more upon our own experiences and observations, anyway."
A wise decision. My personal experience is that Microsoft is quick to fix the easy problems, and slow to fix the severe ones (with some exception). Whereas other operating systems do it the other way around. Whether this allows MS (and their lackeys) to claim MS "fixes things faster", I don't know. I do know that I take any such report with a huge grain of salt.
For me, however, anything favourable to Microsoft gets examined under a microscope in my world (when I can be bothered to waste the time). They seem to have this reputation for buying opinions, votes, governments, etc. A well deserved reputation in my experience dealing with them and looking at their business practices. All 24 years worth in my case.