June 22, 2007

Nearly every tech site has something up about the presentation of some numbers purporting to show Vista as more secure in its first six months, according to a certain metric, than other OSes. It’s obvious flamebait, and the comments sections of all of those sites are filled with idiotic statements from all sides. I think the most obvious comment from the Linux point of view is that Linux vendors release patches and vulnerability statements for all of the software they package. (And, in fact, most of what Linux vendors do is just bundle software written by others and make sure it integrates well and fills their customers’ needs.) Comparing this with just Vista or XP is absurd. The best expression of this I found was:

He published the data in an effort to show how Microsoft’s software development methodology, called the Security Development Lifecycle (SDL) is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

“This is an apples-to-oranges comparison,” said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. “If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don’t actually write the majority of the packages they include,” he said via e-mail.

“Alternatively, force Microsoft to include all vulnerabilities in common third-party software,” he added. “For example, the thousands of exploitable ActiveX controls that… vendors include with a Windows system.”

(Microsoft better at patching XP than Vista)

One of the more common comments – in articles as well as reader comments sections – was “where’s his data?” But actually he’s rather clear about where his numbers came from and what his methodology was. He did not, however, present a breakdown of the consolidated data. So I hope someone will start tracking down those numbers and respond to the appropriateness of the comparison.

The author himself says:

Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on Windows.

But that is in no way a clear definition.

Elsewhere he offers the best advice one can ever offer on security:

Still, I like to be practical about security. Does your team have deep Unix skills and no experience on Windows? If so, your risk will be better managed on some sort of Unix system, regardless of whether Microsoft security is better, worse or indifferent.

The story of Mr. Jones’ cursed luggage also makes a great read (definitely read the “prologue” which for some reason describes the end of the story.)
