Microsoft's Security Chief Says Windows Safer Than Linux
February 12, 2005
Mike Nash, Microsoft's Security Chief, recently compared Microsoft's security record this year with that of Red Hat and Novell. From the article:
“Even with the relatively large number of bulletins we released this week, we compare favorably,” he said. “Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities.”
Now, on to why that is a silly and meaningless comparison. First, Microsoft tends to post security patches only after a vulnerability or flaw has been made public. On the flip side, patches for Open Source programs are often preemptive.

More importantly, comparing "Windows Server 2003" with a full Linux distro is misleading when used in this context. It's comparing a core OS with a full-blown OS with the works. How many patches would there be for a Windows 2003 install that includes Office, Visual Studio and the myriad other programs it would take to match the functionality of the distros they are comparing to? And could you get security updates for such a configured Windows system from one single vendor (answer: no)?

Finally, it also ignores ease of exploit and nature of exploit. It puts a local non-root exploit in mpg123 on even ground with a remote code execution with privilege escalation in IE. Put all that together and what do you get? The quoted stats are not only useless, but misleading. I'm sure that won't stop them from getting quoted everywhere though.

Now, don't take this post as an indication that I think Linux security is perfect; quite simply, it isn't. In fact, we still have a long way to go. It's just better than Windows, which one must admit has set the bar fairly low.
–jeremy
Tags: Linux, Microsoft, Security
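Editor's note: the post argues that a raw count of patches is not a usable comparison unless you first restrict both sides to comparable components and then account for how each flaw is reached and what it yields. The script below is an added illustration of that normalization, written for this page; it is not code from the post, from Microsoft, Red Hat or Novell, and none of the advisory records are real. The product names "CoreOS" and "FullDistro", the component classes, and the severity weights are all constructed assumptions chosen only to show how the ordering can flip once scope and severity are taken into account.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed sample advisories (not real data, not from the post):
# each record says which product it affects, which component, whether that
# component is part of the core OS or a bundled application, how the flaw
# is reached (remote vs local) and what an attacker gains from it.

@dataclass(frozen=True)
class Advisory:
    product: str
    component: str
    component_class: str   # "core" or "bundled"
    vector: str            # "remote" or "local"
    impact: str            # "privileged_exec", "user_exec", "dos", "info"

# Severity weights are an editorial assumption for this example, not a
# standard; the point is only that impact and reachability must enter the
# comparison at all.
IMPACT_WEIGHT = {"privileged_exec": 10, "user_exec": 6, "dos": 3, "info": 1}
VECTOR_WEIGHT = {"remote": 3.0, "local": 1.0}

SAMPLE = [
    # "CoreOS": a bare operating system, few advisories, but serious ones
    Advisory("CoreOS", "browser", "core", "remote", "privileged_exec"),
    Advisory("CoreOS", "kernel", "core", "remote", "privileged_exec"),
    Advisory("CoreOS", "rpc", "core", "remote", "user_exec"),
    # "FullDistro": OS plus hundreds of bundled packages, many advisories,
    # most in bundled applications with local, unprivileged impact
    Advisory("FullDistro", "kernel", "core", "local", "privileged_exec"),
    Advisory("FullDistro", "openssh", "core", "remote", "dos"),
    Advisory("FullDistro", "mpg123", "bundled", "local", "user_exec"),
    Advisory("FullDistro", "xpdf", "bundled", "local", "user_exec"),
    Advisory("FullDistro", "gaim", "bundled", "remote", "dos"),
    Advisory("FullDistro", "imagemagick", "bundled", "local", "info"),
    Advisory("FullDistro", "libtiff", "bundled", "local", "user_exec"),
]


def raw_counts(advisories):
    """The headline number: one advisory = one unit, regardless of what it is."""
    return Counter(a.product for a in advisories)


def scoped_counts(advisories, component_class="core"):
    """Count only components of one class, so a bare OS is compared with the
    equivalent slice of the distro rather than with the whole distro."""
    return Counter(a.product for a in advisories
                   if a.component_class == component_class)


def weighted_scores(advisories, component_class=None):
    """Sum impact x vector weights; optionally restrict to one component class."""
    scores = Counter()
    for a in advisories:
        if component_class and a.component_class != component_class:
            continue
        scores[a.product] += IMPACT_WEIGHT[a.impact] * VECTOR_WEIGHT[a.vector]
    return dict(scores)


def ranking(scores):
    """Products ordered from lowest to highest exposure under a given metric."""
    return [product for product, _ in sorted(scores.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    print("raw counts:            ", dict(raw_counts(SAMPLE)))
    print("core components only:  ", dict(scoped_counts(SAMPLE)))
    print("weighted, core only:   ", weighted_scores(SAMPLE, "core"))
    print("weighted, everything:  ", weighted_scores(SAMPLE))
    print("looks best first (raw):     ", ranking(raw_counts(SAMPLE)))
    print("looks best first (weighted):", ranking(weighted_scores(SAMPLE, "core")))
```

With these constructed records the raw count puts "FullDistro" at 7 advisories against 3 for "CoreOS", but restricting to core components gives 2 against 3, and weighting by vector and impact gives roughly 19 against 78, reversing the order. The numbers themselves mean nothing; what the script shows is that the comparison depends entirely on the scope filter and the severity model, neither of which a bare bulletin count carries.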
“It's just better than Windows, which one must admit has set the bar fairly low.”
But whatever do you mean? Aren't you supposed to expect your web browser to execute code as root on your OS?