June 21, 2007
Microsoft: We patch faster than Apple, Novell and Red Hat
Claims based on counting 'days of risk'
By Gregg Keizer
A Microsoft executive has claimed that Windows users faced fewer days of security risks on average last year than users of rival operating systems from Apple, Novell, Red Hat and Sun.
Jeff Jones, strategy director at Microsoft's security technology unit, has posted findings that show Microsoft released patches for vulnerabilities in Windows faster than its four competitors did for flaws in their software. Microsoft's last monthly "Patch Tuesday" was on June 12, when it claimed to have fixed 15 vulnerabilities. A Symantec executive acknowledged the accuracy of Jones' data.
In two entries on his blog, Jones laid out his analysis of "days of risk", a term that describes the time from when a vulnerability is announced to when the vendor releases a fix.
By Jones' calculations, Windows boasted an average days of risk last year of just under 29 days, compared to Mac OS X's 46 days, SuSE Linux Enterprise's 74, Red Hat Enterprise Linux's 107 and Sun Solaris' 168.
That puts Microsoft 159% faster than Apple in preparing and distributing patches, 255% faster than Novell and 579% faster than Sun.
When Jones focused on specific operating system clients, such as Windows XP SP2, Mac OS X 10.4, Red Hat Enterprise Linux 4 Workstation and SuSE Linux Enterprise Desktop 9, Microsoft still took first place although the race was tighter.
Windows XP was patched after an average of 53.3 days of risk (DoR), just 1.6% faster than Apple's Tiger at 54.2 days of risk. SuSE and Red Hat came in third and fourth, with 56.2 and 70.5 days respectively.
Alfred Huger, vice president engineering at Symantec's security response group, said Jones' numbers looked reasonable: "Our latest ISTRs (internet security threat reports) had more or less the same." In its most recent report, Symantec pegged Windows' average days of risk for the last six months of 2006 at 21 days, Red Hat's at 58, Mac OS X's at 66, and Sun's at 122.
But some readers of Jones' postings had questions. One asked where the data was, and others wanted to know how many vulnerabilities were included in each count. Jones responded to the latter, citing that in 2006 Windows XP was patched for 90 bugs, Mac OS X for 129, SuSE for 232 and Red Hat for 301.
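As an added illustration (not part of the original article or of Jones' published analysis), the following script shows how the two figures the article relies on are derived: the per-vendor average "days of risk" (disclosure date to fix date) and the "X% faster" ratio, which in the article is the rival's average divided by Microsoft's (46 / 29 gives "159% faster"). The vulnerability records are constructed sample data, not real advisories; counting a still-unfixed flaw up to a cutoff date is an extension beyond the article's definition, added so open flaws do not drop out of the average.

```python
from datetime import date
from statistics import mean

# Constructed sample records: (vendor, disclosure date, fix date or None if
# still unpatched at the cutoff). Illustrative values only, not real advisories.
SAMPLE = [
    ("Windows", date(2006, 1, 10), date(2006, 2, 14)),   # 35 days
    ("Windows", date(2006, 3, 1), date(2006, 3, 14)),    # 13 days
    ("Windows", date(2006, 5, 2), date(2006, 6, 13)),    # 42 days
    ("Mac OS X", date(2006, 1, 5), date(2006, 2, 20)),   # 46 days
    ("Mac OS X", date(2006, 4, 1), date(2006, 5, 17)),   # 46 days
    ("Solaris", date(2006, 2, 1), date(2006, 7, 19)),    # 168 days
    ("Solaris", date(2006, 12, 1), None),                # open at cutoff: 30 days
]

# End of the reporting window used for still-open flaws (constructed).
CUTOFF = date(2006, 12, 31)


def days_of_risk(disclosed, fixed, as_of):
    """Days from public disclosure to the vendor's fix (the article's definition).

    An unfixed flaw is counted up to the cutoff date 'as_of'; that extension is
    not in the article and keeps open flaws from silently vanishing from the mean.
    """
    end = fixed if fixed is not None else as_of
    if end < disclosed:
        raise ValueError("fix/cutoff date precedes disclosure date")
    return (end - disclosed).days


def average_dor(records, as_of):
    """Return {vendor: (mean days of risk, number of flaws counted)}.

    The count matters: the article's readers asked for it because an average over
    90 flaws and one over 300 are not directly comparable.
    """
    per_vendor = {}
    for vendor, disclosed, fixed in records:
        per_vendor.setdefault(vendor, []).append(days_of_risk(disclosed, fixed, as_of))
    return {v: (mean(days), len(days)) for v, days in per_vendor.items()}


def percent_faster(baseline_dor, other_dor):
    """The article's convention: '159% faster' means the rival's mean is 1.59 times
    the baseline's, i.e. other / baseline * 100, rounded to a whole percent."""
    return round(other_dor / baseline_dor * 100)


if __name__ == "__main__":
    averages = average_dor(SAMPLE, CUTOFF)
    base = averages["Windows"][0]
    for vendor, (dor, n) in sorted(averages.items(), key=lambda kv: kv[1][0]):
        print(f"{vendor:10s} mean DoR {dor:6.1f} days over {n} flaws; "
              f"{percent_faster(base, dor)}% relative to Windows")
```

Run as-is it prints one line per vendor; swapping in real advisory data only requires filling `SAMPLE` with (vendor, disclosed, fixed) tuples. Note that changing the cutoff changes the open flaw's contribution, which is exactly the kind of methodological choice the article's readers were asking Jones to spell out.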
Comments received
mdhills said on Thursday, 21 June 2007
He's talking about purely a theoretical risk. Good that they are fixing things quickly. From end-user perspective, seems like they'd be more concerned about real days of risk:
real days of risk = # days unpatched for which a virus/exploit is in the wild
Tom B said on Thursday, 21 June 2007
Goodness, if I had a "swiss cheese" OS, I bet I'd get really fast at patching, too. Did he mention that no one has yet produced a serious hijack-your-machine vulnerability in Mac OS X (though, I won't say such an exploit isn't theoretically possible)?
Chris R. said on Thursday, 21 June 2007
"In two entries on his blog, Jones laid out his analysis of "days of risk", a term that describes the time from when a vulnerability is announced to when the vendor releases a fix."
I think days since discovery would be a better metric seeing as the company doesn't have to make an announcement when a vulnerability is found. I assume that with open source the announcement is made when the vulnerability is found since it might not be a company that finds the vulnerability.
It's also better if the foundation of your statement isn't made of "swiss cheese" either.
Phil said on Thursday, 21 June 2007
I'd like to have more details on the nature of the exposures. For example, if there is an exploit discovered against Firefox, does that count against Linux? I don't think it should. If he's going to make claims/comparisons of OS vs OS, it should be just the OS. Admittedly this might be a little unfair towards Windows since I would include IE in this. However it was MS's choice to so tightly integrate IE into the OS. They made their security bed, they'll have to lie in it.
I would also like to see some weighting on the relative severity of the exposures. It is one thing if someone can do a DOS attack on your browser, crash it out, etc. It is another matter entirely if they can become root/admin and run arbitrary code. Not all security risks are equal.
midi-man said on Thursday, 21 June 2007
I still use any OS for mission critical stuff. Windows is not there yet.
great scott said on Thursday, 21 June 2007
This is silly. So you were able to patch those critical Windows security flaws in a mere 21 days? Crackers only had 21 days to gain admin-level access to your server.
Without adding the severity of the flaws into the equation, the results are meaningless.
Other MS slogans in the news... said on Thursday, 21 June 2007
MS: "We're cheaper and more reliable than Linux."
MS: "We're more 'open' than 'open source.'"
MS: "We're not the same as "Ms." so stop calling us that!"
MS: "You can't say "MS" without saying "Mess"
maceto said on Thursday, 21 June 2007
Yes, we all know some bugs are fixed at MS that have not been known to the public; that makes a nice turnaround time...
Rich said on Thursday, 21 June 2007
Interesting that Symantec ads are placed at the top and bottom of this story.
Randy said on Friday, 22 June 2007
Didn't see the Symantec ads. My Linux firewall is set up to block a lot of notorious ad urls.
Jean said on Friday, 22 June 2007
SUSE and Red Hat include a lot more than an OS. Did the MS numbers include Office, IIS, SQL Server, etc.? For example, Red Hat's list includes Firefox, gimp, squirrelmail, tomcat, samba, postgresql, php, cups, kerb5, squid, xen, etc. Some of these could also be running on some MS servers, like tomcat, php, postgresql, and you are not likely to find a whole lot on Linux servers or workstations, unless an install-everything was done....
JG said on Friday, 22 June 2007
Yeah ... sure, but then you have soooo much to patch ... all that flaky knocked-off code.
If you opened the code, we'd fix it in a flash :)
JoeLinux said on Friday, 22 June 2007
You can NOT just look at the counts of patches.
Patches for GNU/Linux are delivered for all the apps and libraries; this is more than 15000 packages for Debian/Ubuntu. This is because most software is available from one depot and all fixes (including kernel fixes) are put in that depot.
On the other hand, patches from Microsoft only cover Microsoft products.
Divide number of patches delivered by the number of software packages covered by these patches and you'll draw a different conclusion than this article does.