Forrester recently produced a report claiming that Windows is a safer platform than Linux. They said that Microsoft responded faster to vulnerabilities, that it was the only vendor to fix 100% of the vulnerabilities reported during the life of the study, and that “Windows has the fewest vulnerabilities and the fewest ‘high severity’ vulnerabilities of any platform measured”. Microsoft, of course, are crowing about this report and have linked to it from their Get the Facts site.
In the interest of getting the facts, Nicholas Petreley has written an article debunking the Forrester report and Microsoft’s claims. Some of the points he makes are:
1. Claiming that Windows is more secure than Linux because the average time from disclosure of a vulnerability to release of a patch is longer for Linux ignores the severity of the vulnerabilities being counted. A single average weights a minor local bug the same as a remotely exploitable hole, when what matters is how quickly the critical ones are fixed.
2. There are Microsoft Security Bulletins saying some flaws will never be fixed. The existence of these bulletins makes it hard to understand how Microsoft’s fix rate could ever be 100 per cent.
3. The vulnerability database maintained by the US Computer Emergency Readiness Team (US-CERT) returns 250 results for Microsoft, 39 of which have a severity rating of 40 or greater, and 46 for Red Hat, of which only three have a severity rating of 40 or greater.
Having said all that, with Microsoft’s marketing machine being the monster that it is, it is unlikely that most people will come across Mr. Petreley’s informative report and will instead believe the lie that Microsoft is the safer platform.