A Microsoft executive has claimed that Windows users faced fewer days of security risks on average last year than users of rival operating systems from Apple, Novell, Red Hat and Sun.
Jeff Jones, strategy director at Microsoft's security technology unit, has posted findings that show Microsoft released patches for vulnerabilities in Windows faster than its four competitors did for flaws in their software. Microsoft's last monthly "Patch Tuesday" was on June 12, when it claimed to have fixed 15 vulnerabilities. A Symantec executive acknowledged the accuracy of Jones' data.
In two entries on his blog, Jones laid out his analysis of "days of risk", a term that describes the time from when a vulnerability is announced to when the vendor releases a fix.
By Jones' calculations, Windows averaged just under 29 days of risk last year, compared with Mac OS X's 46 days, SuSE Linux Enterprise's 74, Red Hat Enterprise Linux's 107 and Sun Solaris' 168.
That puts Microsoft 159% faster than Apple in preparing and distributing patches, 255% faster than Novell and 579% faster than Sun.
When Jones focused on specific operating system clients, such as Windows XP SP2, Mac OS X 10.4, Red Hat Enterprise Linux 4 Workstation and SuSE Linux Enterprise Desktop 9, Microsoft still took first place, although the race was tighter.
Windows XP was patched after an average of 53.3 days of risk, just 1.6% faster than Apple's Tiger at 54.2 days of risk. SuSE and Red Hat came in third and fourth, with 56.2 and 70.5 days respectively.
Alfred Huger, vice president engineering at Symantec's security response group, said Jones' numbers looked reasonable: "Our latest ISTRs (internet security threat reports) had more or less the same." In its most recent report, Symantec pegged Windows' average days of risk for the last six months of 2006 at 21 days, Red Hat's at 58, Mac OS X's at 66, and Sun's at 122.
But some readers of Jones' postings had questions. One asked where the data was, and others wanted to know how many vulnerabilities were included in each count. Jones responded to the latter, saying that in 2006 Windows XP was patched for 90 bugs, Mac OS X for 129, SuSE for 232 and Red Hat for 301.