There is a lot of pushing and shoving about the security issue, since this has become a pain point for most companies as they cope with security holes, worms, viruses, and other intrusions.
The ubiquity of Windows (as the departmental servers in enterprises and as the main boxes in small and midsized shops), coupled with the sheer number of Windows servers (on the order of 9.5 million Windows machines are still installed around the world) and the tendency for hackers to try to attack Windows machines explicitly, can make it seem like Windows is less secure than Linux. Maybe it is, and maybe it isn’t.
Forrester Research has tried to quantify how Windows stacks up again Linux by looking at the number and frequency of publicly reported high-severity vulnerabilities and the time it takes Microsoft or the open source community (in conjunction with the commercial Linux distributors) to make patches for those vulnerabilities.
The Forrester analysts compared all Windows platforms between June 1, 2002, and May 31, 2003, with all variants of the Linux distributions from Debian, MandrakeSoft, Red Hat, and SuSE (which is now owned by Novell Inc).
The vulnerability tracking and patch distribution methods of these five platforms are quite different, and the definition of a high-severity vulnerability also has varied over time. (Microsoft, for instance, reclassified its vulnerability rating system last year.)
Nonetheless, Forrester says that it normalized these differences as much as possible to try to measure the platforms against each other. It used the National Institute of Standards and Technology’s ICAT definition of high severity to classify vulnerabilities.
Basically, if a vulnerability allows a hacker to violate the security of a system, or to gain control of it, or the Computer Emergency Response Team (CERT) issues a warning, then, Forrester says, it is a high-severity vulnerability.
Content from our partners
Two metrics are important in talking about security exposure, according to the Forrester report. One is the total days of risk that a system is at risk, from the moment that vulnerability is disclosed until the fix is deployed to the user community. The other is the time between when a fix is available and when it is deployed.
Forrester calls the former all days of risk and the latter distribution days of risk. Because Microsoft is the supplier of patches for the Windows stack, there is only one number for its platform. The difference between all days of risk and distribution days of risk is a measurement of how long it takes the Linux distributors to get a patch from one of the thousands of programs in their distributions, into their patch processes to their customers.
By Forrester’s counting, the Windows platform (which includes popular programs like Internet Explorer, the SQL Server database, and such) had 126 security flaws in its stack in that year’s time, with 67% of them being high-severity vulnerabilities (that’s 86).
Microsoft fixed all 128 flaws in an average of 25 days. Red Hat had 229 flaws, of which 56% (128) were high severity flaws. Red Hat fixed 99.6% of all flaws during that time, and the average days of risk for the Red Hat platform was 57, with 47 days of distribution risk.
In other words, there was a 10-day lag between a patch being announced for a Linux component by its maintainer and the patch being released by Red Hat as part of its security updates.
Debian’s Linux had 286 flaws reported, with 57% being high severity; it fixed 96.2% of those total flaws, and averaged 57 days of risk, but only 32 days of distribution risk.
This means Debian has a greater time lag in getting fixes from its component suppliers, but somehow Forrester wanted to spin this as a good thing. Any Linux distribution is only going to be as good as all of its components in getting fixes out the door quickly.
Forrester said that Mandrake’s Linux distribution had 199 flaws reported in that year, with 120, or 60 percent, being high severity. Mandrake fixed 99% of its total flaws but averaged 82 days of risk overall, with 56 days of distribution risk.
And, finally, SuSE had 176 flaws reported, with 111 of them, or 63 percent, being high severity. SuSE fixed 97.7% of them and had an average of 74 days of risk for high severity flaws and 54 days of distribution risk.
There will be plenty of bickering about what all of this means, but Forrester has posted the full table of the vulnerabilities it tracked on its Web site, so everyone can pick it apart.
This article is based on material originally published by ComputerWire
