/v3-uk/news/1972404/windows-fewer-flaws-linux
20 Aug 2007, Shaun Nichols, V3
Data collected by a Microsoft security researcher suggests that the company had to patch far fewer software vulnerabilities than competing vendors in 2007.
A vulnerability report maintained by Jeff Jones, strategy director at Microsoft's Security Technology Unit, claimed that the firm's Windows XP, Vista and Server operating systems required patches for some 20-45 vulnerabilities each.
During the same period, vendors such as Red Hat, Apple and Novell have had to patch hundreds of vulnerabilities, according to Microsoft.
Jones released a similar report in June chronicling vulnerabilities reported in major operating systems during the first 90 days after release.
The latest report does not give exact figures, only graphs, but the data appears to be accurate.
A tally of this year's security bulletins by vnunet.com found 43 flaws in Windows XP that had been patched, similar to Jones's estimates. In contrast, Apple's last security update alone patched 45 flaws in OS X.
Applications not installed by default, such as Microsoft Office, were not counted.
Red Hat Enterprise Linux 4 Workstation and Ubuntu Linux topped the list with roughly 170 and 150 vulnerabilities patched respectively. Red Hat's Enterprise Linux Desktop 5 received around 130 vulnerability fixes, according to Jones.
Jones's enterprise figures painted a similar picture, showing fewer than 40 fixes for Windows Server 2003, while Red Hat Enterprise Linux 4 Server had more than 100 vulnerabilities patched and Novell's SuSE Linux Enterprise server had roughly 70.
The study only takes into account vulnerabilities patched by the vendor, and does not record such things as current zero-day flaws.
The report also does not mention vulnerabilities that were or are currently being actively exploited, an area where Microsoft continues to be far more prone than its competitors.
Do you agree?
Irrelevant comparison
Jones compares Windows "disclosed" vulnerabilities to open source systems that don't hide anything.
Posted by jhansonxi, 20 Aug 2007
Apples and oranges II
"applications not installed by default were not counted"
So we're comparing Windows XP and Vista, which come with Notepad, with Ubuntu and other Linux distros that by default install hundreds of productive apps.
Truly amusing,
Rich D.
Posted by Rich D, 20 Aug 2007
Linux patching applications?
Are applications which are installed by default in Linux included in the count? I notice that MS Office is not included, so fixes for Open Office should not be either. Drawn out to all applications, and not operating system vulnerabilities, what is the amended count then?
Also, a simple numerical count does not expose the severity of some of these problems. In particular, the ones which are able to be REMOTELY EXPLOITED WITH NO USER INTERVENTION. MS has had a significantly higher number of these than Linux.
The other thing which is not mentioned is the amount of time to issue patches. Once again, Linux companies have a better track record in getting patches out faster than MS.
These are important considerations when choosing an operating system. The raw numbers do not tell the whole story.
Hamish
Posted by Hamish, 20 Aug 2007
Microsoft are the best....
... but Ubuntu Linux is the better OS. Who did say Windows has 'fewer flaws' than Linux? A guy from Microsoft - I never trust what Microsoft says - Microsoft only want our money. I said goodbye to Microsoft 6 months ago and I am so happy I risked this step.
Try first www.Ubuntu.org on a live CD - you will never rue it, but it takes some time to get used to.
Posted by turox, 20 Aug 2007
Not so fast...
Everybody knows Microsoft has many unfixed flaws, e.g. the .ani flaw, 10 years old... Linux takes a couple of hours to fix flaws... Microsoft are still figuring out many flaws years old... Linux is the most stable operating system on record, with more drivers and language support than any other operating system to date... hence the frequent updates... Obviously the title is F.U.D. wars...
Posted by shane, 20 Aug 2007
Apples & Oranges
The June report was shown to be bogus--that is, FUD or marketing hype.
What the cited report does show is that Linux vendors are more honest than Microsoft, that is, when a "flaw" is found, the vendor announces it and the community fixes it. Microsoft does not do this.
The cited report compares Windows reported "flaws" rather than actual "flaws". The reported "flaws" come from Microsoft and do not include independent investigators. The number of actual "flaws" in Windows is actually higher than known "flaws". This has been shown numerous times in the Tech press reports. Point in fact is the slipstreaming of fixes by Microsoft when no "flaw" has been announced and the refusal to consider certain bug reports as "flaws".
Posted by hike, 20 Aug 2007
Wrong conclusion
That MS released fewer patches only goes to show how fast they can release patches, and has no bearing on how secure the operating system is. Get a grip on reality. All operating systems are as vulnerable as the operating system, how it is configured, and all the applications running. This article is just another round of *Nix bashing.
Posted by Unix User, 20 Aug 2007
Apples to Oranges - Not kernel to kernel
Microsoft Windows is an OS, web browser and an email client, that's it. RedHat Enterprise has literally hundreds of programs, from mail servers to database servers to office suites to pdf readers, etc.
Microsoft patches Windows, but doesn't consider a MS Office patch a Windows patch. A Microsoft Exchange patch is also not considered a Windows patch. MS separates out each of its products. RedHat includes all the distro's software in its updates.
So, on the surface, Windows has fewer patches, but in reality would you rather have a system where all known vulnerabilities are patched by the same system (RH) or use MS and individually patch Windows, then patch MS Office, then patch MS Exchange, then patch all third party apps necessary to make Windows usable? If you choose the latter, be careful not to miss any ; )
Cheers,
Alex C.
Posted by Alex Chejlyk, 20 Aug 2007
Low number = good?
That appears to be his conclusion. According to that logic, if Microsoft issues zero security fixes, that would be a panacea in utopia??
Yeah, I haven't fixed my car in two years, so I feel pretty good about driving it cross country...
Posted by appcrawler, 20 Aug 2007
Non-Sense
Research done by MSFT will of course always show favor to MSFT. This is nonsense.
Posted by chris, 20 Aug 2007
Real world
Ignoring Microsoft's FUD machine, in the real world there are tens of millions of Windows zombie machines - and no known Mac or Linux zombie machines. I wonder how Microsoft explains that inconvenient fact away.
Posted by Joe Ragosta, 20 Aug 2007
Incorrectly titled article
The article only says how many patches were issued, not how many problems there are in either OS. It's not valid to draw a conclusion on how many vulnerabilities there are in a product from the number of patches released. How many un-patched issues are there in the products?
Maybe the title should read "Microsoft PATCHES fewer flaws than Linux."
Posted by Kevin, 20 Aug 2007
But remember:
It's not the number of flaws and/or patches.
You also have to take into consideration how long the time between a flaw being discovered and a patch being made.
And you also have to take into consideration the severity of the flaws.
There was a paper a while back that discussed this. (And for the life of me I can't remember where it was. And I know I have it printed out somewhere...)
Posted by James Penketh, 20 Aug 2007
What is patched?
One of the points I combed for is what is being patched. "Applications not installed by default, such as Microsoft Office, were not counted." However, there is no definition of "by default" for the Linux server distros. For example, RHEL 4 gives the user the choice to install Firefox, so does that constitute "by default"? In any case, there is a ton more software available to install from the disks for Linux than for Windows, which means a lot more to patch.
To compare apples to apples, what flaws are being counted for patches, what software within the Linux distros are being compared? This is a glaring lack of a "per-capita" type of statistic. Where is the source information for those seemingly accurate graphs?
It does smell of PR/Marketing hype rather than true fact.
Posted by Tom, 20 Aug 2007
Article Title Should Be:
Article title should be: "Linux flaws are being repaired much more quickly than Windows."
While Windows may have 'fewer flaws' that we *know about*, the reality is that there are quite possibly far more flaws that we don't know about, simply because Windows is closed-source. The fact that more flaws are being fixed in Linux is a *good* thing, IMO.
Posted by Ed, 20 Aug 2007
Misleading article title!
First, the title SHOULD be "Windows has fewer flaws PATCHED than Linux".
Also, the conclusions are also misleading.
By nature open source software will have more eyes looking at the code, resulting in more bugs found, and with the ability to patch quickly, a faster bug-to-fix turn-around.
Also, what is the package comparison?
A base install of WinXP inherently has less software than an average desktop install of a distro. Does the Windows test also include the software that COULD be common to both Windows and Linux (ex: Firefox, OpenOffice, Apache, MySQL, etc.)?
Also, interpretation of the statistics is easily manipulated... I could look at this and say that Linux/Mac have a much higher rate of getting their bugs fixed.
Posted by Mike Cahill, 20 Aug 2007
Linux vendors patch everything
Microsoft only has to patch the OS itself. Linux vendors patch the kernel, hundreds of libraries, and lots of the third-party software. Microsoft having to patch 43 flaws would be like Linux patching 43 flaws in just the kernel and a few key packages. Linux vendors also patch the flaws that are not actively exploited instead of waiting for a problem to happen and looking like big heroes.
Posted by Ryan, 20 Aug 2007
apples and oranges
Of course they patch fewer bugs; they ship only the basic OS and Notepad. Every Linux distro is a lot more than a basic OS. It usually has one or two desktop environments, one or two databases and a DVD load of other software, from development tools to games.
Posted by ph, 20 Aug 2007
Apple to Orange comparison
The Linux numbers cited include many items that are not part of Linux, hence the count is exaggerated. It includes many other GPL items such as clamav (anti-virus), gpg (pgp equivalent), etc.
Posted by Glenn Branch, 20 Aug 2007
Maybe MS is getting caught up
Before we have the knee-jerk reaction of "it must be a lie", could it be possible that MS is getting caught up? Remember that most of the software on Red Hat, Novell, etc doesn't come from them but largely comes from Open Source projects. That being said, these companies have to patch software they didn't write.
Doesn't it make sense that MS could actually have fewer things to patch since there'd actually be less software they offer in the first place?
Posted by Hebi-kai, 20 Aug 2007
Not this again..
Being that Microsoft has lied on countless occasions, was caught faking evidence in a court of law, and regularly spreads FUD (Fear, Uncertainty, Doubt), what did you expect them to say? That Linux and Mac are better than Windows? Microsoft will never admit that Mac and Linux are better operating systems, despite how obvious it is.
Linux receives many updates because the developers actually update flaws, whereas flaws in Microsoft products have been known to go without needed updates for years (IE anyone?).
For people who know and use Linux, no explanation is necessary. For people who don't know and use Linux, no explanation would suffice.
Posted by Ian MacGregor, 20 Aug 2007
They're both the same
Windows is only attacked so often because it's what most people have on their PC. ANY operating system will be able to be attacked in some way or another... so get used to using anti-spy and anti-virus for some years to come.
Posted by Chris, 20 Aug 2007
Yeah, and pigs really can fly!!
Posted by D9, 20 Aug 2007
OSX FLAWS
If there are so many flaws in OSX, how come my PowerBook works perfectly and only gets a restart when there is a system upgrade? I beat the hell out of it. It's on and working 24/7. A three year old computer running the latest software.
I'd rather be right with Jobs than err with Gates.
John Davis
Posted by John Davis, 20 Aug 2007
What'd you think they would report?
Microsoft, "Sorry customers our OS is crap. Looks like Linux has us beat!"
Posted by Myke, 20 Aug 2007
Windows has fewer flaws than linux kernel?
So, looking at the distribution's patchlist, most of these patches affect '3rd party' software -- i.e., it didn't come from kernel.org.
Also, if you look into the kernel patches, you'd see that a lot of the patches are split into many smaller patches in different subsystems, vs Microsoft's 'global' patches.
It doesn't take a math major to see the FUD here.
Posted by Kamilion, 21 Aug 2007
More Microsoft FUD
This is good for Linux - it now has that many fewer problems to fix. How many unknown Windows flaws remain?
Of course most Linux distros include the full Open Office Suite, several e-mail clients/ servers, databases, and drawing programs etc. These are all included in updates to Linux.
The figures in the report are therefore meaningless.
Posted by A Wilson, 21 Aug 2007
Of course, a screwdriver has fewer flaws than a car
"Applications not installed by default, such as Microsoft Office, were not counted." --They say
But, when Ubuntu releases a patch, is it for the operating system? Or for one of the multiple applications that you can install with it?
If we talk only about the default installation of the operating system, tell me, what are you supposed to do with a fresh and empty installation of Windows? Won't you need something else?
Posted by Ruben Tolosa, 21 Aug 2007
Can't trust M$
How can we trust this? It is Microsoft saying it.
It is just that they didn't find 2000+ other bugs in Windows. Keep looking, M$.
Posted by standleydj, 21 Aug 2007
Interesting
I have always found these "reports" interesting. For some reason Microsoft only counts the flaws in their base operating system. In Linux they are not only counting the base of the operating system but all the applications that are installed by default. This includes more than just "Linux". So when Ubuntu has a fix for Rhythmbox or when Kubuntu has a fix for Amarok Microsoft is more than willing to count that as one of the "Linux flaws". These reports have and never will mean much.
Posted by Joe, 21 Aug 2007
Even if it were true...
...they're not comparing like with like. A typical distro will have thousands of applications, whereas Windows comes with next to nothing.
Posted by A Ward, 21 Aug 2007
It's true...
To those sceptics that refuse to believe that the Windows series of OSes have fewer flaws than GNU/Linux... start believing!
The reason why the flaw count for Windows is so low is that Windows in-of-itself is considered a flaw; it just happens to host a family of flaws around one rather large flaw.
...so it is true!
Posted by Dara, 21 Aug 2007
Is this a useful comparison?
I wonder, is this a useful comparison?
1. Take OS X, this comes with lots of open source components like secure shell (ssh) and a secure shell server (sshd). Almost nobody uses it, but it requires patching nonetheless. Are the OSes comparable in this way?
2. Secondly, given the open nature of many components in Linux and OS X, what is patched in Windows might not be visible as a security patch on the outside, while in fact it is. The same is true for stuff patched in OS X with an OS update.
So, I wonder if counting *publicized* patched flaws is reliable.
Maybe it is more reliable to look at actual exploits as a measure for trustworthiness, but that assumes all OSes get the same attention and that is not by definition true.
Posted by Gerben Wierda, 21 Aug 2007
But the fact is...
Ask yourself one question. Which operating system is practically ALL malware/spyware/adware/Virii etc. written for... Humm.. That'd be Windows!!! So you're still much "safer" running Mac OS or a "main-stream" Linux Distribution.
Posted by Chris C-T, 21 Aug 2007
Windows is not comparable to Linux distributions
This study is useless as the author doesn't tell if the whole software stack is equivalent. For instance, Red Hat, Suse or Ubuntu include OpenOffice, Gimp, several mail servers,... whereas Windows does not (I don't consider WordPad or Paint equivalent). AFAIK, Red Hat Enterprise includes 4 CDs whereas Windows has only one.
So, they should compare what is comparable.
Posted by Xavier, 21 Aug 2007
Microsoft's contempt
The comments posted here have made perfectly clear that nobody believes this kind of "report".
Everyone can see that the way the flaws of each operating system are counted is, well... flawed.
And yet, there is still a manager of some sort who is shamelessly telling us the same crap.
What strikes me here is the contempt in which they are holding their customers. They are just insulting their intelligence.
But I suppose that it is not a problem for them, as long as their monopoly still holds... For now.
Posted by Marc Elson, 22 Aug 2007
LOL
"The study only takes into account vulnerabilities patched by the vendor, and does not record such things as current zero-day flaws.
The report also does not mention vulnerabilities that were or are currently being actively exploited, an area where Microsoft continues to be far more prone than its competitors."
Oh, so this is the catch! :)
Hey, win98 has no patches at all! I have to install it in place of my buggy Linux :/
Posted by ultr, 23 Aug 2007
Absolute Numbers...
This report sounds utterly the same as the '6 months Vista vulnerability report'... but this time posted on a different blog.
For everybody interested: it is a serious flaw in a report to compare absolute numbers from statistically independent systems... As the Windows user and developer base differs from any Open Source user and developer base (everybody knows that, too), we can assume they are statistically independent. And the above is only the beginning of the differences...
As this manner is greatly used in many kinds of reports (say, 4/5 looks better than 55/60, but is essentially greater - compare the numbers on the 6 months Vista report), this looks as if used with a hidden agenda;
What will mr. Jones say on this ?
Posted by el_es, 28 Aug 2007
That sounds natural...
Being the single most bashed operating system in the world (due to its high popularity), it is only natural that with Microsoft's unlimited investment power, their operating system becomes, in time, the safest.
While APPLE programmers are desperately trying to figure out how to make their desktop shinier and even more glossy and reflective, WIN guys are fighting off hackers and seriously malicious software writers.
Between the two, some linux enthusiast is watching the tree on his desktop catch on fire, while he boots up Windows on his notebook for some serious work.
Whose OS do YOU want to have?
Posted by Andre T., 28 Jul 2008
Windows has MORE flaws than Linux.
The end of the article turns the headline on its head. Furthermore, it makes the statement that "A Microsoft vulnerability report SUGGESTS (how?) that Windows suffers fewer flaws than open source software."
So here's the statement that proves the rest of the article wrong: "The study only takes into account vulnerabilities patched by the vendor...The report also does not mention vulnerabilities that were or are currently being actively exploited," (in other words the study only says how many patches are made, not how many flaws there are that weren't patched,) "an area where Microsoft continues to be far more prone than its competitors."
Microsoft has things backwards. Which is worse - having more vulnerabilities but fixing fewer of them (Windows) or fixing more vulnerabilities and having fewer problems? (Linux.) It looks like Microsoft is trying to whitewash Windows' many problems (especially Vista) by spreading propaganda.
Posted by Jeff Thompson, 26 Jul 2008
Patches issued?
The problem with this is that Microsoft does not always patch bugs, quite a few times they just issue a gag order.
Anyway, all that a graph like that would mean (if Microsoft, Apple, and Novell/Redhat were on the same scale) is that the *nix companies issue fixes faster, whereas Microsoft will be patching Windows XP into the next millennium.
I think that there should be a comparison between the remote exploits of Microsoft Windows and OpenBSD. Then we will see who whines about fairness.
Posted by I, 16 Jan 2009
Upside down
Does the fact that Microsoft has released fewer patches for their system mean that it is more secure, or that MS programmers haven't noticed them? Answer yourself...
Posted by samaelszafran, 04 Aug 2009