[NYLoCo] Microsoft Report on Vulnerability

Brion Swanson brions at usalug.net
Thu Apr 17 20:00:23 BST 2008


I read through parts of it (particularly the RHEL and Ubuntu parts as well
as the conclusion and FAQ) and he does a decent analysis by taking all
products in their first year of "life" to get a fairer comparison and also
only counts products with long-term support as those are the only ones
likely to be considered by business customers.  A second analysis using
8.04 LTS (which I believe it's supposed to be) would be interesting, but
that's not out yet and this was done in January of this year.

The glaring hole he side-steps around for me is a transparency issue.  The
numbers heavily favor Microsoft Vista because they have the lowest number of
vulnerabilities publicly disclosed and still open at the end of the first
year.  RedHat had the most with Ubuntu in second place.  However both Vista
and OS X released their patches far fewer times per year than RH or Ubuntu
implying (sometimes) more fixes per patch, and fewer updates (read: headache
for system admins).

He downplays "silent fixes" which are non-public vulnerabilities fixed in
patches by somewhat rightly stating that there's no way to tell how many
vulnerabilities are actually fixed with each patch - only that the publicly
reported vulnerabilities are fixed or not.  Fewer public vulnerabilities
makes any system look more secure (whether it is or isn't).

My personal belief is that RH and Ubuntu are likely more secure if only
because they are more responsive to vulnerabilities and said vulnerabilities
are publicly disclosed when discovered so there is a pressure to fix them
more rapidly.  How long has IE had security vulnerabilities before certain
ones were exploited?  I recall one (can't remember the details), but the
vulnerability ran all the way back to IE 3.0 and another Windows
vulnerability ran back to Windows 95.  Public disclosure increases
accountability, so to me the more bugs disclosed and the rate and volume of
fixes is more important than simply looking at the totals in the end (which
is what he essentially does).

Nice report, but as we all know there are three types of untruths: lies,
damn lies, and statistics. :)

Brion

On Thu, Apr 17, 2008 at 2:49 PM, Brandon Peterman <brpeterman at gmail.com>
wrote:

> 6.06? They're only two years off...
>
> On Thu, Apr 17, 2008 at 2:26 PM, Artem Ervits <artemervits at gmail.com>
> wrote:
>
> > hey guys, check this out, they mention Ubuntu:
> >
> >
> > http://www.microsoft.com/windowsserver/compare/ReportsDetails.mspx?recid=54
> >
> > --
> > Artem
> > --
> > Ubuntu-us-ny mailing list
> > Ubuntu-us-ny at lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-ny
> >
> >
>
>
> --
> --Brandon Peterman
>
>