That comment was part of a joint statement by representatives of Red Hat, Novell’s SuSE business, MandrakeSoft, and Debian, in response to the Forrester report “Is Linux more secure than Windows?”.

That report was published last week and compared the number and frequency of publicly reported high-severity vulnerabilities in Windows and Linux and the time it takes Microsoft Corp or the open source community to make patches available for those vulnerabilities.

In order to assess the time taken to respond to faults, Forrester produced two metrics for Linux: all days of risk and distribution days of risk, the difference between them being a measure of how long it takes the Linux distributors to move a patch through their own patch processes to their customers. As Microsoft is the sole supplier of patches for the Windows stack, there is only one number for its platform.

It is this issue, rather than the research firm’s figures about the number of vulnerabilities, that has inflamed a response from the Linux distributors. “Our users will know that for critical flaws we can respond within hours. This prioritization means that lower-severity issues will often be delayed to let the more important issues get resolved first,” read the statement.

Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor’s fix. For each vendor the report gives just a simple average, the ‘all/distribution days of risk’, which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk they pose.
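The two Linux metrics described above, and the distributors’ objection that a flat average hides severity, as an added illustration that is not part of the article or the Forrester report; the vulnerability records and dates are constructed for the example.

```python
from datetime import date
from statistics import mean
from collections import defaultdict

# Constructed sample records (not from the Forrester report or the article):
# (id, severity, publicly_known, upstream_fix_available, distributor_patch_shipped)
VULNS = [
    ("V-1", "high", date(2002, 7, 1), date(2002, 7, 2), date(2002, 7, 3)),
    ("V-2", "high", date(2002, 9, 10), date(2002, 9, 10), date(2002, 9, 12)),
    ("V-3", "low", date(2002, 11, 5), date(2002, 11, 20), date(2002, 12, 15)),
    ("V-4", "low", date(2003, 2, 1), date(2003, 2, 25), date(2003, 3, 31)),
]


def days_of_risk(records=VULNS):
    """Return (all_days, distribution_days) as a plain average over every record.

    all days of risk: public disclosure -> distributor's patch shipped.
    distribution days of risk: upstream fix available -> distributor's patch
    shipped, i.e. only the distributor's own share of the delay.
    """
    all_days = mean((shipped - known).days for _, _, known, _, shipped in records)
    dist_days = mean((shipped - fixed).days for _, _, _, fixed, shipped in records)
    return all_days, dist_days


def days_of_risk_by_severity(records=VULNS):
    """The same two numbers grouped by severity; the flat average above
    blends the fast high-severity turnaround with the slower low-severity one."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return {sev: days_of_risk(recs) for sev, recs in groups.items()}


if __name__ == "__main__":
    print("flat average (all, distribution):", days_of_risk())
    for sev, figures in days_of_risk_by_severity().items():
        print(f"{sev:>5} severity (all, distribution):", figures)
```

With the constructed data the flat average reports 25.5 and 15.5 days, while the high-severity records alone average 2 and 1.5 days.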

In publishing the report Forrester said that it had normalized differences in vulnerability categorization as much as possible to try to measure the platforms against each other. It used the National Institute of Standards and Technology’s ICAT definition of high severity to classify vulnerabilities.

The Linux distributors also cast doubt on the Forrester statements regarding Windows vulnerabilities. “The openness, transparency and traceability of the source code is added value in addition to the larger variety of software packages available. Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents,” it read.

The research firm found that the Windows platform had 126 security flaws in its stack between June 1, 2002 and May 31, 2003, with 67% of them being high-severity vulnerabilities, and that Microsoft fixed all 128 flaws in an average of 25 days.

This article is based on material originally published by ComputerWire