
One of the things that annoys me the most about Microsoft is their love of FUD (fear, uncertainty, and doubt.) I have no problem with companies marketing their products to customers, but I do object to false conclusions that cannot be backed by real, relevant facts. One argument that bothers me in particular goes like this: our product has fewer security vulnerabilities than yours so it is better. This argument works great for headlines, but when you really look at it, it falls apart. Below are two examples of these claims:

As I said, these claims are full of issues. Here are the problems with the arguments (not every such argument suffers from all of these flaws, but each suffers from at least one):

  • The severity of the vulnerabilities is not included. Security vulnerabilities are ranked by the kind of threat they pose. If this data is left out, a product with 100 minor glitches of almost no consequence would be considered less secure than a product with 75 major glitches (the kind where an attacker can take control of your computer).
  • There is no consideration of the status of a vulnerability. A vulnerability that is quickly fixed is counted the same as one that has been known for weeks or months and is still unfixed.
  • Not all companies admit to all the bugs that exist. In an open-source project like Ubuntu, if a bug is found and can be reproduced, it is known and reported, but not all companies act this way.
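To make the first two bullets concrete, here is an added example (not from the original post) that scores two constructed vulnerability lists by severity and by days of exposure before a fix, rather than by raw count. The severity weights and the sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights, loosely modelled on a five-step severity scale.
SEVERITY_WEIGHT = {
    "not_critical": 1,
    "less_critical": 2,
    "moderately_critical": 5,
    "highly_critical": 20,
    "extremely_critical": 50,
}
CRITICAL = {"highly_critical", "extremely_critical"}


@dataclass
class Vuln:
    severity: str
    disclosed: date
    fixed: Optional[date]  # None means still unpatched


def summarize(vulns, as_of):
    """Return raw count, severity-weighted score, total days of exposure
    (disclosure until fix, or until `as_of` if unfixed) and the number of
    critical issues still open on `as_of`."""
    severity_score = 0
    exposure_days = 0
    unfixed_critical = 0
    for v in vulns:
        severity_score += SEVERITY_WEIGHT[v.severity]
        closed = v.fixed if v.fixed is not None and v.fixed <= as_of else None
        exposure_days += ((closed or as_of) - v.disclosed).days
        if closed is None and v.severity in CRITICAL:
            unfixed_critical += 1
    return {
        "raw_count": len(vulns),
        "severity_score": severity_score,
        "exposure_days": exposure_days,
        "unfixed_critical": unfixed_critical,
    }


# Constructed sample data: product A has many trivial, quickly fixed issues;
# product B has fewer issues, but they are critical and slow (or never) fixed.
AS_OF = date(2007, 3, 2)
VULNS_A = [Vuln("not_critical", date(2007, 1, 1), date(2007, 1, 3)) for _ in range(100)]
VULNS_B = [Vuln("highly_critical", date(2007, 1, 1), date(2007, 1, 31)) for _ in range(70)]
VULNS_B += [Vuln("highly_critical", date(2007, 1, 1), None) for _ in range(5)]

if __name__ == "__main__":
    print("A:", summarize(VULNS_A, AS_OF))
    print("B:", summarize(VULNS_B, AS_OF))
```

By raw count A looks worse (100 versus 75), but every other column says the opposite.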

When you fill in the missing data, you get a very different conclusion from what Microsoft would like you to believe. I will only go through the data pertaining to Microsoft’s FUD site claim, but you can do the same thing for Jeff Jones’s claim.

(All of the below data is from Secunia, solving the problem of companies not reporting all the bugs that exist.)

Starting with the severity of the vulnerabilities, here is the data:

[Graph: severity of Vista vulnerabilities] [Graph: severity of Ubuntu 6.06 LTS vulnerabilities]

As you can see, Ubuntu has fewer critical vulnerabilities. The data is even more impressive for fixed and unfixed vulnerabilities:

[Graph: fixed and unfixed Vista vulnerabilities] [Graph: fixed and unfixed Ubuntu 6.06 LTS vulnerabilities]

Here Ubuntu has a perfect record, having fixed all of the flaws.

In conclusion, Microsoft’s argument is flawed and their conclusion is incorrect. This will not be news to many of you, but hopefully you will appreciate seeing real numbers behind it.


8 comments on this post.

  1. William says:

    “….you could also argue that the Ubuntu developers have had more time to fix vulnerabilities.”

    A good point – thanks for that! :-)

  2. InTheLoop says:

    William – On the other hand, however, you could also argue that the Ubuntu developers have had more time to fix vulnerabilities. Anyway, here are links to the data for each from 2008 so far:

    Ubuntu 6.06 – http://secunia.com/product/10611/?task=statistics_2008
    Vista – http://secunia.com/product/13223/?task=statistics_2008

    Only about a month might not be very representative, but you can get to all the data from those links, so use whatever range you think is best.

  3. William says:

    Regarding the comments about Vista not being around in 2003: Doesn’t this just make the argument even MORE compelling that (Ubuntu in this case) has had a better proven track record for a lower number of Extremely/Highly critical vulnerabilities and fixes supplied?

    That Vista has had a higher percentage of Extremely/Highly critical vulnerabilities in its short tenure thus far (compared with an older, apparently ‘less secure’ Linux distro) certainly doesn’t bode well.

    I’m sure if InTheLoop did the same date span with XP, then the only difference would be that the gap (gulf) between the two would be wider?

  4. InTheLoop says:

    The data is from 2003 to current, so it is true that Ubuntu 6.06 has been around longer, but that could go both ways.

    gizmo – What do you mean by that?

    Andrea – Another good point, which just makes the argument more convincing, although I am not sure if Secunia counts vulnerabilities in included software.

  5. Andrea says:

    I think that you should consider that vulnerabilities are accounted for Linux including all applications supported by the distro, which is a lot of software, doing much more than what Windows does by itself.

  6. gizmo says:

    Could you post this at zdnet.com?

  7. Anonymous says:

    2003? There was no Vista.

  8. Ummm.. says:

    Not to quibble, but technically Vista was not around in 2003 for general consumption. So I’d have to say the graphs are worthless if the data is based on that fact.
