I just read an article this morning on Linux servers under the Phalanx gun: A problem with people, not code. There were quite some things which made me think when I read it:
There was a statement in there, which I – obviously – did not like at all: Linux may be inherently more secure as a system, which is always an interesting discussion. The guy writing the blog post claims that Linux is easier to secure than Windows, which I completely disagree with. If you know what you do you can secure each and every system. However, we do a great deal of work to make sure that our systems are as secure as possible by default and additional provide you with tools (like the Security Configuration Wizard) to make sure you can secure the system as far as possible and additionally run as secure as possible. We know and proved it with a lot of figures that our systems have by far less vulnerabilities than others (e.g. http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx) and third-party research showed clearly that our systems are less at risk than others.
But as I commented several times already, this discussion does not really lead to more secure systems but just some entertainment for people who like these debates.
Coming back to the article above: One of the conclusions in the article is, that patching is often a people and process problem, rather than a technology problem. This is not new either. The question to me is, why do people not deploy? We do customer surveys about their satisfaction with Microsoft every now and then. People are still not too satisfied with the security of our products. So, there is still a lot of work to do. However, if we ask then whether our updates are easy to deploy, we get a very, very high rating all across the segments and audiences. So, why do they not deploy? Is it because they are afraid of the downtime? Could be, so we have to work harder to reduce the number of reboots (is this different in other OS? I do not know but I doubt). Is it the tools? Is it lack of knowledge? Is it ignorance?
I do not know but would love to understand
> So, why do they not deploy?
Because of the number of bad patches Microsoft has released over time, causing many problems with software that worked fine before.
People are afraid of "What will fail now after i deploy this patch?"
While it's nothing different for any OS, it still is one of the considerations, and having a bad track record doesn't help.
> Is it because they are afraid of the downtime?
Definitly, not so much the downtime that is caused by a reboot.
But more for the interactions with other software running on the box. People need to do QA on all used applications in an environment before they can deploy an update.
This is not only because of the bad track record MS has with patches, but it doesn't contribute in a positive way of how people think about patches.
>Could be, so we have to work harder to reduce the number of
> reboots (is this different in other OS? I do not know but I
Yes it's different for other OS's. This is one of the several fundamental design flaws of Windows.
> Is it the tools?
I don't think so.
> Is it lack of knowledge?
It's a factor.
> Is it ignorance?
That's another factor, but i rather would pile that up with lack of knowledge. Because they don't know they don't care..
Especially marketing the product as the "safest" windows yet, while entirely true, does tend to decrease the emphasis on security that everyone should have.
And security doesn't stop at updating the OS with bugfixes.
It doesn't even start with that.