It's obvious that you're biased towards Windows. That's okay, but the study you cite is almost comparing apples to oranges. With Linux, you get the OS plus all of the applications, and the distribution vendor ships bug fixes for everything. With windows, you get the OS plus a few apps, and Microsoft ships bug fixes for the OS and their apps only.

Another thing to consider is that with mainstream OSS software, the bugs are usually fixed more quickly than vendors can ship patches. So, if you're maintaining a critical software package, you can deploy the fix yourself, without having to wait for the vendor. I know that not everyone wants to do that or has time to do that, but it is certainly not an option with proprietary software.

As for Microsoft fixing 100% of vulnerabilities during the report time period, as the Microsoft site suggests -- that's simply hogwash. Maybe it depends on how they choose to define "publicly known vulnerability".

Overall, I've personally observed far better response time from RedHat than from Microsoft. That's not to say that Linux and all of the applications that come with it are more secure all of the time, but in general, I'm more pleased with the approach to security from Linux vendors.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/269/28657#28657