Posted 2008 February 03

One of the things that annoys me the most about Microsoft is their love of FUD (fear, uncertainty, and doubt). I have no problem with companies marketing their products to customers, but I do object to false conclusions that cannot be backed by real, relevant facts. One argument that bothers me in particular goes like this: our product has fewer security vulnerabilities than yours, so it is better. This argument works great for headlines, but when you really look at it, it falls apart. Below are two examples of these claims:

As I said, these claims are full of issues. Here are the problems with the arguments (not every such argument suffers from all of these flaws, but each suffers from at least one):

  • The severity of the vulnerabilities is not included. Security vulnerabilities are ranked by the kind of threat they pose. If this data is left out, a product with 100 minor glitches of almost no consequence would be considered less secure than a product with 75 major glitches (the kind where an attacker can take control of your computer).
  • There is no consideration of the status of a vulnerability. A vulnerability that is quickly fixed is counted the same as one that has been unfixed for weeks or months.
  • Not all companies admit to all the bugs that exist. In an open-source project like Ubuntu, a bug that is found and can be reproduced is known and reported, but not all companies act this way.
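To make the three points above concrete, here is a small script added as an illustration; it is not part of the original post and the advisory records in it are constructed sample values, not real data for Vista, Ubuntu or any other product. It scores two products by the headline raw count and then by what the count leaves out: severity breakdown, how many advisories are still unpatched, the median time from disclosure to fix, and a severity-weighted "exposure days" score. The severity weights are an assumption chosen for the example and are not Secunia's scheme.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# ASSUMPTION for this example: a rough exponential weight over five severity
# bands. It is not Secunia's scoring or any vendor's; change it to taste.
SEVERITY_WEIGHT = {
    "not_critical": 1,
    "less_critical": 2,
    "moderately_critical": 4,
    "highly_critical": 8,
    "extremely_critical": 16,
}


@dataclass(frozen=True)
class Advisory:
    """One published vulnerability advisory for a product."""
    product: str
    severity: str
    disclosed: date
    fixed: Optional[date]  # None means no patch was available on the report date


def raw_count(advisories: List[Advisory]) -> int:
    """The headline number: advisories counted with no further context."""
    return len(advisories)


def severity_breakdown(advisories: List[Advisory]) -> Dict[str, int]:
    """How many advisories fall into each severity band (flaw 1 in the post)."""
    counts = {band: 0 for band in SEVERITY_WEIGHT}
    for adv in advisories:
        counts[adv.severity] += 1
    return counts


def days_exposed(adv: Advisory, as_of: date) -> int:
    """Days users were exposed: until the fix, or until the report date if unfixed."""
    end = adv.fixed if adv.fixed is not None else as_of
    return (end - adv.disclosed).days


def exposure_score(advisories: List[Advisory], as_of: date) -> int:
    """Severity-weighted exposure days: each advisory adds weight * days open.

    A minor issue fixed in two days adds almost nothing; a highly critical
    issue still open for weeks dominates the score (flaws 1 and 2 combined).
    """
    return sum(SEVERITY_WEIGHT[a.severity] * days_exposed(a, as_of) for a in advisories)


def unfixed_count(advisories: List[Advisory], as_of: date) -> int:
    """Advisories with no patch available on the report date (flaw 2)."""
    return sum(1 for a in advisories if a.fixed is None)


def median_days_to_fix(advisories: List[Advisory]) -> Optional[float]:
    """Median time from disclosure to patch, over the advisories that were patched."""
    durations = [(a.fixed - a.disclosed).days for a in advisories if a.fixed is not None]
    return float(median(durations)) if durations else None


def compare(products: Dict[str, List[Advisory]], as_of: date) -> Dict[str, Dict[str, object]]:
    """The table a reader needs before trusting a headline vulnerability count."""
    return {
        name: {
            "raw_count": raw_count(advs),
            "by_severity": severity_breakdown(advs),
            "unfixed": unfixed_count(advs, as_of),
            "median_days_to_fix": median_days_to_fix(advs),
            "exposure_score": exposure_score(advs, as_of),
        }
        for name, advs in products.items()
    }


AS_OF = date(2008, 2, 3)  # constructed report date for the comparison

# Constructed sample advisories (not real data for any product).
# ProductA publishes many low-severity advisories and patches them fast;
# ProductB publishes few, but one highly critical issue is still unpatched.
PRODUCT_A = [
    Advisory("ProductA", "not_critical", date(2008, 1, 2), date(2008, 1, 4)),
    Advisory("ProductA", "not_critical", date(2008, 1, 5), date(2008, 1, 8)),
    Advisory("ProductA", "less_critical", date(2008, 1, 10), date(2008, 1, 12)),
    Advisory("ProductA", "less_critical", date(2008, 1, 14), date(2008, 1, 15)),
    Advisory("ProductA", "not_critical", date(2008, 1, 20), date(2008, 1, 21)),
    Advisory("ProductA", "moderately_critical", date(2008, 1, 22), date(2008, 1, 25)),
]
PRODUCT_B = [
    Advisory("ProductB", "not_critical", date(2008, 1, 3), date(2008, 1, 10)),
    Advisory("ProductB", "highly_critical", date(2008, 1, 8), None),
    Advisory("ProductB", "moderately_critical", date(2008, 1, 15), date(2008, 1, 29)),
]

if __name__ == "__main__":
    for name, row in compare({"ProductA": PRODUCT_A, "ProductB": PRODUCT_B}, AS_OF).items():
        print(name, row)
```

On this sample, the raw count ranks ProductB ahead (3 advisories against 6), while the exposure score reverses the ranking (24 against 271) because ProductB's one highly critical issue has been open for 26 days. That reversal is exactly the point the three bullets make: the headline count carries no information about severity or about how long users were left exposed.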

When you fill in the missing data, you get a very different conclusion from what Microsoft would like you to believe. I will only go through the data pertaining to Microsoft’s FUD site claim, but you can do the same thing for Jeff Jones’s claim.

(All of the below data is from Secunia, solving the problem of companies not reporting all the bugs that exist.)

Starting with the severity of the vulnerabilities, here is the data:

[Graph: severity of Vista vulnerabilities] [Graph: severity of Ubuntu 6.06 LTS vulnerabilities]

As you can see, Ubuntu has fewer critical vulnerabilities. The data is even more impressive for fixed and unfixed vulnerabilities:

[Graph: fixed and unfixed Vista vulnerabilities] [Graph: fixed and unfixed Ubuntu 6.06 LTS vulnerabilities]

Here Ubuntu has a perfect record, having fixed all of the flaws.

In conclusion, Microsoft’s argument is flawed and their conclusion is incorrect. This will not be news to many of you, but hopefully you will appreciate seeing real numbers behind it.