Linked by Thom Holwerda on Thu 10th Apr 2008 21:38 UTC, submitted by SReilly
Privacy, Security, Encryption

"Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days. Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year."
Microsoft was good
by lindkvis on Fri 11th Apr 2008 10:33 UTC
lindkvis Member since: 2006-11-21

Please give credit when they deserve it; Microsoft did well in this survey.

However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do.

On a Windows platform, each application manufacturer is responsible for providing an update system for their application. This is why a Windows XP box often has lots of different "update managers" (Adobe update, Java update, InstallShield update, Windows update, etc.).

In contrast, for Red Hat, these updates are mostly handled by Red Hat themselves, which is made possible by Red Hat following/contributing to upstream projects and applying patches from these projects. Still, the patch/deployment team has to work with a much larger range of applications.

Thus this is comparing apples with oranges. To make this completely "fair", you would have to compare several production machines from all OSes performing various tasks, including all the necessary third-party applications.

Reply Score: 4

RE: Microsoft was good
by BluenoseJake on Fri 11th Apr 2008 14:16 in reply to "Microsoft was good"
BluenoseJake Member since: 2005-08-11

"However, the Symantec report does mention (in small print) that Microsoft was unique in not shipping with many third-party applications. Thus their job is considerably easier than the job the other vendors do."

Unless you realize that with open source, you have many 3rd-party apps being patched by the 3rd-party developers, so Red Hat's job, for example, is made easier because they do not have to develop all the patches in-house, but just merge the finished patches into their code (after testing, of course).

Either way, patching holes is a tough job, regardless of who's doing the patching.

Reply Parent Score: 2