Wandering through the web I came upon a blog by a Jeff Jones who has completed a very detailed study in which he compares DoR [Days of Risk] for various operating systems. After compiling his data for the DoR report, which includes all types of graphs and charts, and incorporating some other gee whiz factors, he has concluded that Windows has a lower DoR than other operating systems like Apple or Linux. Really. I kid you not.

Jeff also mentions the following as to where he obtained his data:

For severity information, I used the US Department of Homeland Security sponsored National Vulnerability Database (NVD, http://nvd.nist.gov) as a source for independent severity ratings that were defined across all of the products.

For the dates of public disclosure, I used my own disclosure database which I have compiled over the past several years. In general, the process is as follows for each vulnerability:

It was interesting to read what Jeff had to say and read about his conclusions. It was also interesting to see who Jeff Jones is:

Jeff Jones is a Security Strategy Director in Microsoft’s Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft’s internal security teams to drive practical and measurable security improvements into Microsoft process and products.

He has also written an article about how much more secure Vista is compared to other operating systems. Again he backs up his conclusions with data. Lots of data. He states:

The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).

If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don’t share that opinion, then they still stand on their own …

Let’s face it. Some who read Jeff’s conclusions will scream that he is a paid shill for Microsoft. He had to conclude that Windows is more secure because that is his job.

Or, we could look at this with an open mind. For years all we have read is about the vulnerabilities of Windows or other Microsoft products. It was unusual for us to hear about patches or fixes for other products. Just a short time ago Apple put out what I believe were 26 fixes. Does that make Apple less secure than Windows? I think not.

If one were to write an article about how insecure Apple, or Linux or any other operating system was, I would guarantee you that there would be an uproar and a lot of finger pointing at Windows indicating how bad Windows is. It is no fun picking on Apple or Linux since for the most part they are fairly well liked. But Microsoft is fair game since they are the evil empire and known as the ‘thugs from Redmond.’ Their questionable business practices speak volumes.

But the topic is whether Windows is more secure than other operating systems, or have we been brainwashed into thinking that this is not the case? Or is what Jeff is saying just more FUD?

What do you think?

Please. No Apple, Linux is better than Windows comments. 🙂 TIA
Articles on Jeff’s blog are located here.
