Linked by Thom Holwerda on Thu 10th Apr 2008 21:38 UTC, submitted by SReilly
Privacy, Security, Encryption "Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days. Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year."
Lots of practice :)
by umccullough on Thu 10th Apr 2008 21:44 UTC
umccullough
Member since:
2006-01-26

I know this is pretty much flamebait...

Maybe Microsoft is so fast because they have had tons of practice over the last 10 years, and probably have HUGE divisions devoted to the analysis, development, testing, and deployment of patches.

:)

Reply Score: 8

RE: Lots of practice :)
by sukru on Thu 10th Apr 2008 21:49 UTC in reply to "Lots of practice :)"
sukru Member since:
2006-11-19

> I know this is pretty much flamebait...
>
> Maybe Microsoft is so fast because they have had tons of practice over the last 10 years, and probably have HUGE divisions devoted to the analysis, development, testing, and deployment of patches.
>
> :)


It actually sounds like a good thing to me.

Reply Score: 10

RE: Lots of practice :)
by PlatformAgnostic on Fri 11th Apr 2008 04:00 UTC in reply to "Lots of practice :)"
PlatformAgnostic Member since:
2006-01-02

Your thought is probably accurate. What makes you think that's flamebait?

Reply Score: 0

RE: Lots of practice :)
by bousozoku on Fri 11th Apr 2008 06:43 UTC in reply to "Lots of practice :)"
bousozoku Member since:
2006-01-23

> I know this is pretty much flamebait...
>
> Maybe Microsoft is so fast because they have had tons of practice over the last 10 years, and probably have HUGE divisions devoted to the analysis, development, testing, and deployment of patches.
>
> :)


I was thinking that Microsoft is the quickest because they don't fix it correctly and they have to issue patch after patch until they (hopefully) finally correct it at some point in time.

Then again, Sun is a mess for whatever reason. Somehow, I'd hope that they'd be consistent in keeping the code clean since they built their business to keep other people's data safe and healthy.

Reply Score: 4

Comment by Oliver
by Oliver on Thu 10th Apr 2008 23:52 UTC
95 %
by Different on Fri 11th Apr 2008 02:06 UTC
Different
Member since:
2007-07-03

When you have 95% of market share, you better make sure your patches are out ASAP ;)

Reply Score: 3

Well...
by kcowolf on Fri 11th Apr 2008 02:51 UTC
MS quickest to patch?
by protagonist on Fri 11th Apr 2008 04:41 UTC
protagonist
Member since:
2005-07-06

Pardon my skepticism, but I am supposed to believe a report put out by a company which is almost entirely dependent on MS products for its revenue? Enough said.

Reply Score: 6

statistics
by l3v1 on Fri 11th Apr 2008 05:06 UTC
l3v1
Member since:
2005-07-06

So. I have a product. I find a hole. I patch it. I announce it. I release the patch. You see, I have some more holes here. Oh, you can't see them. Bummer.

Reply Score: 4

What they don't tell you
by kaiwai on Fri 11th Apr 2008 05:08 UTC
kaiwai
Member since:
2005-07-06

What they don't tell you is the severity of these security flaws; there is a marked difference between a security flaw which is invoked by standing on one's head, hanging the left arm out the window whilst singing the national anthem, versus a security vulnerability exploitable by simply connecting to the internet.

This is the problem with fanboys and so-called security experts; they all have their sacred cows (good lord; Symantec couldn't possibly slam Microsoft; after all, Microsoft suggests THEIR security products, and Symantec are reliant on Microsoft's products - they have a symbiotic relationship!) - and we have people here who suck down that Kool-Aid without question.

Reply Score: 7

RE: What they don't tell you
by StephenBeDoper on Fri 11th Apr 2008 17:54 UTC in reply to "What they don't tell you"
StephenBeDoper Member since:
2005-07-06

> What they don't tell you is the severity of these security flaws;


A good point. But then...

> This is the problem with fanboys and so-called security experts; they all have their sacred cows (good lord; Symantec couldn't possibly slam Microsoft; after all, Microsoft suggests THEIR security products, and Symantec are reliant on Microsoft's products - they have a symbiotic relationship!)


What would explain this?

http://www.mcafee.com/us/local_content/misc/vista_position.pdf

(The top google result for "McAfee Slams Microsoft", BTW)

> - and we have people here who suck down that Kool-Aid without question.


Of course - but it's the content of the McAfee report that should be addressed, not the reputations of the report's author or subject. Otherwise, that's the very definition of ad hominem argument (except directed at an organization rather than a person).

Reply Score: 3

RE[2]: What they don't tell you
by ormandj on Sat 12th Apr 2008 14:28 UTC in reply to "RE: What they don't tell you"
ormandj Member since:
2005-10-09

> What would explain this?

Even Microsoft hates Vista, that link doesn't invalidate the argument of a symbiotic relationship - it perpetuates it! ;)

Reply Score: 3

RE: What they don't tell you
by Nelson on Fri 11th Apr 2008 19:08 UTC in reply to "What they don't tell you"
Nelson Member since:
2005-11-29

Do you mean much like the IE7 exploits when compared to the recent Safari exploit?

It's clear that the secure development cycle at Microsoft is working; they've made great strides and have made the old "Windows is insecure" criticism mostly irrelevant moving forward.

Reply Score: 2

Comment by Bending Unit
by Bending Unit on Fri 11th Apr 2008 05:20 UTC
Bending Unit
Member since:
2005-07-06

They win but it doesn't matter as they are evil anyway.

Reply Score: 3

Since they are the number one target...
by Alleister on Fri 11th Apr 2008 06:09 UTC
Alleister
Member since:
2006-05-29

... that doesn't say much about how safe you are using their software. So they ship patches out the fastest (if that report was unbiased which I'm not just going to take for granted). I still feel all warm and safe when I use Ubuntu.

Reply Score: 3

Who cares?
by Frobozz on Fri 11th Apr 2008 06:54 UTC
Frobozz
Member since:
2005-12-04

The fact that Microsoft releases their patches faster doesn't necessarily mean that Microsoft's products are more secure. Just look at the difference when not counting third-party. If Microsoft was able to patch 36 times more than RedHat, think about how many more flaws exist compared to RedHat (and ultimately Linux).

Also, as mentioned in previous comments, check out the difference in employee count. According to Wikipedia, as of 2007, Microsoft has 79,000 employees compared to RedHat's 2,200. Fascinatingly enough, the difference is almost exactly 36 times.

Edited 2008-04-11 06:57 UTC

Reply Score: 3

Hate to point out the obvious...
by MiliTux on Fri 11th Apr 2008 07:33 UTC
MiliTux
Member since:
2007-05-16

...but RedHat doesn't have to patch everything themselves. That's the great thing about community software. It even says in the article that they patched 226 third party applications. Gnu/Linux as a whole is probably patched quicker than Microsoft patches the various aspects of Windows (including Office software and Web browsers).

Of course, I don't have data for that, it's a hunch. But the article is flawed.

Reply Score: 2

RE: Hate to point out the obvious...
by gustl on Fri 11th Apr 2008 20:01 UTC in reply to "Hate to point out the obvious..."
gustl Member since:
2006-01-19

> Gnu/Linux as a whole is probably patched quicker than Microsoft patches the various aspects of Windows (including Office software and Web browsers).
>
> Of course, I don't have data for that, it's a hunch. But the article is flawed.


That is the dilemma with security comparisons of any large GNU/Linux distro with Windows.

To be able to even make a comparison, one would have to look at the functions Windows provides, and exclude any security issues of programs from the GNU/Linux distro that have no functional match in the compared Windows installation.
Then the flaws have to be ordered by severity and how many days each flaw was unpatched and publicly known.

Then we can start a discussion on whether the numbers we see actually mean anything.
If one counts the number of cracked webservers per million installed servers, Linux comes off slightly worse than Windows. Nobody knows why; probably Linux machines are seen by their admins as "inherently safe" and are therefore left unpatched. On the other hand, there still does not exist a really successful virus for Linux, but Windows machines are cracked by the millions through viruses.

The answer to the question "which operating system is more secure" is hard to give as it involves sociological as well as technical aspects.

Edited 2008-04-11 20:07 UTC

Reply Score: 4
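The procedure gustl sketches above (restrict to components with a functional match, then rank flaws by severity and by days publicly known but unpatched) and kaiwai's earlier point that a plain average hides severity can both be made concrete in a few lines. The following Python is an added example written for this thread; it is not from the Symantec report or from any commenter. The two vendors, their components, severities and dates are constructed sample data, and the severity weights are an assumed scoring scheme, not one the report uses.

```python
from dataclasses import dataclass
from datetime import date

# Constructed advisory records for two hypothetical vendors ("alpha", "beta").
# Nothing here is taken from the Symantec report.
@dataclass(frozen=True)
class Advisory:
    vendor: str
    component: str
    severity: str              # "critical", "high", "medium" or "low"
    disclosed: date            # day the flaw became publicly known
    patched: date              # day a fix shipped
    third_party: bool = False  # fix merged from an upstream project

# Assumed weights: a critical flaw left open counts ten times a low one.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 1.0}

SAMPLE = [
    # alpha: fixes trivial flaws in two days, but sits on a critical one for 40
    Advisory("alpha", "kernel",        "low",      date(2007, 7, 2),  date(2007, 7, 4)),
    Advisory("alpha", "browser",       "low",      date(2007, 8, 1),  date(2007, 8, 3)),
    Advisory("alpha", "mailer",        "low",      date(2007, 9, 10), date(2007, 9, 12)),
    Advisory("alpha", "browser",       "medium",   date(2007, 10, 5), date(2007, 10, 9)),
    Advisory("alpha", "network-stack", "critical", date(2007, 11, 1), date(2007, 12, 11)),
    # beta: fixes the severe flaws first, lets low-severity ones wait
    Advisory("beta", "network-stack", "critical", date(2007, 7, 3),  date(2007, 7, 6)),
    Advisory("beta", "kernel",        "high",     date(2007, 8, 6),  date(2007, 8, 12)),
    Advisory("beta", "browser",       "medium",   date(2007, 9, 1),  date(2007, 9, 21)),
    Advisory("beta", "mailer",        "low",      date(2007, 10, 1), date(2007, 10, 31)),
    Advisory("beta", "office-suite",  "low",      date(2007, 11, 5), date(2007, 12, 20), third_party=True),
]


def days_exposed(a: Advisory) -> int:
    """Days the flaw was publicly known before a fix shipped."""
    return (a.patched - a.disclosed).days


def common_components(advisories, vendor_a, vendor_b):
    """Components both vendors ship a fix for: the 'functional match' filter."""
    comps = lambda v: {a.component for a in advisories if a.vendor == v}
    return comps(vendor_a) & comps(vendor_b)


def select(advisories, vendor, include_third_party=True, components=None):
    return [a for a in advisories
            if a.vendor == vendor
            and (include_third_party or not a.third_party)
            and (components is None or a.component in components)]


def mean_time_to_patch(advisories):
    """The headline number: unweighted mean days from disclosure to fix."""
    return sum(days_exposed(a) for a in advisories) / len(advisories)


def weighted_time_to_patch(advisories):
    """Severity-weighted mean: a slow critical fix dominates the figure."""
    total = sum(SEVERITY_WEIGHT[a.severity] for a in advisories)
    return sum(SEVERITY_WEIGHT[a.severity] * days_exposed(a) for a in advisories) / total


def worst_exposure(advisories, severity="critical"):
    """Longest window any flaw of the given severity stayed open."""
    return max((days_exposed(a) for a in advisories if a.severity == severity), default=0)


def scorecard(advisories, vendor, include_third_party=True, components=None):
    sel = select(advisories, vendor, include_third_party, components)
    return {
        "count": len(sel),
        "mean_days": round(mean_time_to_patch(sel), 2),
        "weighted_days": round(weighted_time_to_patch(sel), 2),
        "worst_critical_days": worst_exposure(sel),
    }


if __name__ == "__main__":
    shared = common_components(SAMPLE, "alpha", "beta")
    for vendor in ("alpha", "beta"):
        print(vendor, "all:", scorecard(SAMPLE, vendor))
        print(vendor, "first-party, matched components:",
              scorecard(SAMPLE, vendor, include_third_party=False, components=shared))
```

On this constructed data "beta" looks worse by the headline mean (20.8 days against 10.0) yet better once severity is weighted (about 9.2 days against 27.6), and its one critical flaw was open for 3 days where alpha's was open for 40. Dropping the third-party and unmatched component, as the comment proposes, pulls beta's mean down to 14.75 days. The ranking flips depending on which figure you report, which is exactly why a single average says little on its own.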

IT IS FALSE. FULLY MISTAKEN!!!
by eduardp on Fri 11th Apr 2008 08:23 UTC
eduardp
Member since:
2006-09-01

If you install Mandriva today you are going to install the version patched until 15 days ago. But if you wanna install WinXP you'll install the version made 5 years ago with its million holes.

You cannot get the WinXPv3 with the service pack 3 modification of files from scratch.

You must install a very very old and unpatched system and then download 700 MB of patches.

That they do because they wanna. No excuse. Every other little company with no big profits can have their OSes patched except Microsoft.

So how does it matter if they release fast patches if most people don't know how to download them and anyway don't have the broadband/time/disk space necessary to download a SP3 that should never have existed because they should have installed an already patched WinXP2008 at the first time?

Reply Score: 0

Ultimatebadass Member since:
2006-01-08

> You cannot get the WinXPv3 with the service pack 3 modification of files from scratch.
> You must install very very old and unpached system and then download 700 MB of patch.


What? All new XPs are shipped with SP2c pre-integrated.

Reply Score: 7

RE: IT IS FALSE. FULLY MISTAKEN!!!
by rft183 on Fri 11th Apr 2008 13:47 UTC in reply to "IT IS FALSE. FULLY MISTAKEN!!!"
rft183 Member since:
2005-08-11

If you install Mandriva today, you are not going to be installing the version released 5 years ago. Otherwise, you will have a really difficult time patching it. You need to compare "Mandriva today" with Windows today, which is Vista.

With that said, your argument is still fairly valid, as Microsoft sure took a long time to release Vista.

Reply Score: 1

Microsoft was good
by lindkvis on Fri 11th Apr 2008 10:33 UTC
lindkvis
Member since:
2006-11-21

Please give credit when they deserve it, Microsoft did well in this survey.

However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do.

On a Windows platform each application manufacturer is responsible for providing an update system for their application. This is why a Windows XP box often has lots of different "update managers" (Adobe update, Java update, InstallShield update, Windows update, etc).

In contrast for Red Hat, these updates are mostly handled by Red Hat themselves, which is made possible by Red Hat following/contributing to upstream projects and applying patches from these projects. Still, the patch/deployment team has to work with a much larger range of applications.

Thus this is comparing apples with oranges. To make this completely "fair", you would have to compare several production machines from all OSes performing various tasks including all the necessary third party applications.

Reply Score: 4

RE: Microsoft was good
by BluenoseJake on Fri 11th Apr 2008 14:16 UTC in reply to "Microsoft was good"
BluenoseJake Member since:
2005-08-11

"However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do."

Unless you realize that with Open source, you have many 3rd party apps being patched by the 3rd party developers, so RedHat's job, for example, is made easier because they do not have to develop all the patches in house, but just merge the finished patches into their code (after testing, of course).

Either way, patching holes is a tough job, regardless of who's doing the patching.

Reply Score: 2

Oh come on
by jack_perry on Fri 11th Apr 2008 14:07 UTC
jack_perry
Member since:
2005-07-06

Actually the article is quite interesting and not at all worshiping at the altar of Microsoft.

The Symantec report identifies plenty of problems with Microsoft products. The one big baddie is ActiveX, causing a whopping 89%-79% of browser security risks. (A joke is made about Java increasing from 2% to 5%, therefore being the most insecure, but it's a joke.) Given the data on vulnerability distribution, I wouldn't want to run a browser, or any other client-side software on a Microsoft machine, either.

Reply Score: 3

tricky comparisons
by ameasures on Fri 11th Apr 2008 14:34 UTC
ameasures
Member since:
2006-01-09

There are two things that muddy any clear comparison.

Firstly, how do any of us know when MS are aware of a security flaw? If they are slow to own up then they will inevitably look better than they ought to. With a tiny organization it is less of an issue but with MS it is a real question.

Secondly, comparisons often end up comparing different things based on what comes with the operating system.

Undoubtedly MS work hard and throw resources at patching security problems but their efforts to make every operating system fully backward compatible means they are trying to push water up hill... if anyone can do it ... they have the budget!

Reply Score: 2

RE: tricky comparisons
by tomcat on Fri 11th Apr 2008 19:48 UTC in reply to "tricky comparisons"
tomcat Member since:
2006-01-06

> Firstly, how do any of us know when MS are aware of a security flaw? If they are slow to own up then they will inevitably look better than they ought to. With a tiny organization it is less of an issue but with MS it is a real question.


Security through obscurity doesn't work, as a general rule. Holes are found, even when someone doesn't "own up".

> Secondly, comparisons often end up comparing different things based on what comes with the operating system.


This really isn't an issue. With MS, everything that ships on the Windows disc is part of Windows. If you want to grouse about what Linux "is" -- since there are so many different distros -- then that's a separate issue.

Reply Score: 2

Norton
by SoloDeveloper on Fri 11th Apr 2008 15:05 UTC
SoloDeveloper
Member since:
2008-03-16

Well, I refuse to acknowledge this due to the fact that these ARE the Jokers that put out the bloatware known as Norton. Wasn't it proven years ago that running their crap will actually slow down your OS?

I think so.

Anyway, MS HAS to patch and stuff. Bigger company, more flaws, lesser coding standards to get a piece of crap out (Vista).

Sorry, but I just don't trust anything that has anything to do with Norton.

Reply Score: 1

RE: Norton
by bousozoku on Fri 11th Apr 2008 17:44 UTC in reply to "Norton"
bousozoku Member since:
2006-01-23

> Well, I refuse to acknowledge this due to the fact that these ARE the Jokers that put out the bloatware known as Norton. Wasn't it proven years ago that running their crap will actually slow down your OS?
>
> I think so.
>
> Anyway, MS HAS to patch and stuff. Bigger company, more flaws, lesser coding standards to get a piece of crap out (Vista).
>
> Sorry, but I just don't trust anything that has anything to do with Norton.


I think Symantec could be just as evil as Microsoft but they're too busy messing up people's machines with their software/crashware.

In a couple of cases on Mac OS X, they've sounded the alarm for exploits, but it almost seems as if they created them or paid to have them created.

Reply Score: 2

RE: Norton
by MollyC on Fri 11th Apr 2008 18:36 UTC in reply to "Norton"
MollyC Member since:
2006-07-04

> Well, I refuse to acknowledge this due to the fact that these ARE the Jokers that put out the bloatware known as Norton. Wasn't it proven years ago that running their crap will actually slow down your OS?
>
> I think so.
>
> Anyway, MS HAS to patch and stuff. Bigger company, more flaws, lesser coding standards to get a piece of crap out (Vista).
>
> Sorry, but I just don't trust anything that has anything to do with Norton.


Just so we're clear: If the report had said that Microsoft is the slowest to patch, then you'd still be dismissing the report because it came from "the Jokers that put out Norton". Is this correct?

Reply Score: 3

RE[2]: Norton
by sbergman27 on Fri 11th Apr 2008 18:45 UTC in reply to "RE: Norton"
sbergman27 Member since:
2005-07-24

> Is this correct?

I think most of us recognize the limitations and potential biases of all of these reports, view them as a bunch of noise, and rely more upon our own experiences and observations, anyway.
I usually don't even bother with articles like this one, regardless of what they conclude. I just happened to notice this thread under "recent comments" else I wouldn't be posting this.

Reply Score: 2

RE[3]: Norton
by driftwolf on Mon 14th Apr 2008 04:45 UTC in reply to "RE[2]: Norton"
driftwolf Member since:
2006-11-30

> Is this correct?
>
> I think most of us recognize the limitations and potential biases of all of these reports, view them as a bunch of noise, and rely more upon our own experiences and observations, anyway.

A wise decision. My personal experience is that Microsoft is quick to fix the easy problems, and slow to fix the severe ones (with some exception). Whereas other operating systems do it the other way around. Whether this allows MS (and their lackeys) to claim MS "fixes things faster", I don't know. I do know that I take any such report with a huge grain of salt.

For me, however, anything favourable to Microsoft gets examined under a microscope in my world (when I can be bothered to waste the time). They seem to have this reputation for buying opinions, votes, governments, etc. A well deserved reputation in my experience dealing with them and looking at their business practices. All 24 years worth in my case.

Reply Score: 1