<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx</link><description>This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista, Microsoft Windows XP SP2</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3226137</link><pubDate>Tue, 14 Apr 2009 10:10:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3226137</guid><dc:creator>tower defense</dc:creator><description>&lt;p&gt;The report mentions vulnerabilities that were addressed, but not vulnerabilities that were identified. And you'll notice that all of Vista's vulnerabilities and most of XP's that were fixed were critical... meaning they don't fix the smaller ones.&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3216082</link><pubDate>Sat, 21 Mar 2009 08:23:57 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3216082</guid><dc:creator>Keep_FreeBSD_FREE</dc:creator><description>&lt;p&gt;Well how come FreeBSD didn't figure in this survey... Oh that's because it's only had 2 security vulnerabilities in the core Kernel in 10 YEARS...&lt;/p&gt;
&lt;p&gt;Someone spouted about how good Vista is security-wise... forget it.. Swiss Cheese springs to mind when I see some of the &amp;quot;known&amp;quot; unfixed vulnerabilities... At least someone fixes them (or you can try to fix them yourself with Linux because you have access to the source code...)&lt;/p&gt;
&lt;p&gt;Come on Microsoft, release the source under the GPL... let everyone have a laugh at how bad your code really is....&lt;/p&gt;</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3119504</link><pubDate>Fri, 05 Sep 2008 00:51:49 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3119504</guid><dc:creator>Jason</dc:creator><description>&lt;p&gt;I would like to have the listed vulnerabilities for investigating, as I cannot find this list. The score card lists the locations, but I would like to analyze your compiled data.&lt;/p&gt;
&lt;p&gt;I think this is a fair enough request, so your investigation can be scrutinized openly.&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3115367</link><pubDate>Mon, 01 Sep 2008 17:37:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3115367</guid><dc:creator>Paul M</dc:creator><description>&lt;p&gt;One of the bigger issues with Windows is that there are quite a number of severe bugs which have been in it a long time - not just days and weeks but months and years.&lt;/p&gt;
&lt;p&gt;Therefore, to properly compare, you need a measurement of bug severity multiplied by the number of days the bug remained unfixed.&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3109302</link><pubDate>Thu, 21 Aug 2008 00:55:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3109302</guid><dc:creator>Charalampos</dc:creator><description>&lt;p&gt;Hi, this is a very informative site!&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3109301</link><pubDate>Thu, 21 Aug 2008 00:54:57 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3109301</guid><dc:creator>Kostas</dc:creator><description>&lt;p&gt;Hi, this is a very informative site!&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3109300</link><pubDate>Thu, 21 Aug 2008 00:54:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3109300</guid><dc:creator>Kleanthe</dc:creator><description>&lt;p&gt;The site's very professional! Keep up the good work!&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3109231</link><pubDate>Wed, 20 Aug 2008 22:51:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3109231</guid><dc:creator>Martinos</dc:creator><description>&lt;p&gt;Here are interesting people... Let's talk!&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3095036</link><pubDate>Tue, 29 Jul 2008 06:31:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3095036</guid><dc:creator>Vlad</dc:creator><description>&lt;p&gt;To Luke B: what a bunch of unreasonable and illogical statements!&lt;/p&gt;
&lt;p&gt;&amp;quot;a patched vulnerability isn't a vulnerability any more&amp;quot; &lt;/p&gt;
&lt;p&gt;&amp;quot;AND CLOSE THEM (as in stop them being a vulnerability any more)&amp;quot;&lt;/p&gt;
&lt;p&gt;- This is nonsense! It shows that your understanding of the problem is very shallow. Do you really believe that every O/S installation gets patched immediately after a new security fix is released? In fact, releasing a patch makes the vuln even more dangerous, since the patch could be relatively easily reverse engineered and exploited.&lt;/p&gt;
&lt;p&gt;&amp;quot;Microsoft, arguably the biggest, most influential software company on the planet, managed to close only 9 of the potentially millions of software bugs and security bugs (both known, and as yet unknown) in its core OS.&amp;quot;&lt;/p&gt;
&lt;p&gt;- You're blaming MSFT for producing and reporting fewer security bugs than competitors? That sounds like blaming Honda or Toyota for making fewer recalls than other companies, or accusing people of not reporting their home security codes and time of absence to the public.&lt;/p&gt;
&lt;p&gt;Every published vulnerability, even fixed and &amp;quot;closed&amp;quot;, is a threat to a large number of customers and is far more dangerous than an undiscovered one.&lt;/p&gt;
&lt;p&gt;&amp;quot;Microsoft seem only to be interested in plugging a few of the biggest security holes, and probably not until they are discovered and become quite high profile. Apple and most Linux Distros on the other hand, seem committed to closing as many holes as possible, big or small, before they have the chance to be exploited on any large scale.&amp;quot;&lt;/p&gt;
&lt;p&gt;- I understand your skepticism, but be a little bit more fair in your assumptions. Give us some facts rather than just empty rhetoric. No one tries to pretend that there are not more unpatched security holes in Vista. However, also take into consideration that Vista is being much more heavily pentested than any other O/S, and don't forget that only a small market share prevents Mac and Linux customers from being targeted by criminals on a much larger scale.&lt;/p&gt;
</description></item><item><title>re: Q1 2008 - Client OS Vulnerability Scorecard</title><link>http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx#3094718</link><pubDate>Mon, 28 Jul 2008 12:42:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3094718</guid><dc:creator>Luke B</dc:creator><description>&lt;p&gt;What absolute garbage. This positions itself as a tally of how many security vulnerabilities were found, when in fact it is a tally of who PATCHED the most vulnerabilities.&lt;/p&gt;
&lt;p&gt;I can't believe Microsoft is spinning the fact that Apple found and CLOSED more security holes in OS X than Microsoft did in Windows as a positive thing. &lt;/p&gt;
&lt;p&gt;I have never seen such nonsense. Guess what moron... a patched vulnerability isn't a vulnerability any more... Every piece of software has security holes in it, all this report proves is that on an Apple or Linux OS you're about 4 times more likely to see those holes plugged than on Windows.&lt;/p&gt;
&lt;p&gt;And don't try to pretend that there are not more unpatched security holes in Vista... there are, otherwise you would have used the figures for the number of holes detected, or the percentage of known holes which were patched, but you didn't.&lt;/p&gt;
&lt;p&gt;In fact by your own admission, this is not even a measure of the security of an OS. Taken from the report itself, you claim...&lt;/p&gt;
&lt;p&gt;&amp;quot;Is there anything in this analysis which will prove one piece of software is “more secure” than another?&lt;/p&gt;
&lt;p&gt;No, not really.&amp;quot;&lt;/p&gt;
&lt;p&gt;So if you know it is not a measure of security, why does Microsoft use this in their &amp;quot;learn the truth&amp;quot; about Vista campaign to claim Vista has &amp;quot;89% fewer vulnerabilities than Mac OS X Leopard&amp;quot;?&lt;/p&gt;
&lt;p&gt;FACT. In the first three months of the year, Microsoft, arguably the biggest, most influential software company on the planet, managed to close only 9 of the potentially millions of software bugs and security bugs (both known, and as yet unknown) in its core OS.&lt;/p&gt;
&lt;p&gt;FACT. In the same time period, most linux distros, mostly staffed by hobbyists and noble-do-gooders, managed to find on average about 70 vulnerabilities AND CLOSE THEM (as in stop them being a vulnerability any more) out of the millions of potential (discovered and as yet undiscovered) security vulnerabilities out there.&lt;/p&gt;
&lt;p&gt;FACT. In the same time period Apple, a company with arguably the least reason to need to patch major security vulnerabilities (small consumer market share, but very very small market share in business and enterprise, where these potential vulnerabilities can be really devastating) managed to CLOSE the most vulnerabilities of everyone. They found and closed approaching 90 of the potentially millions of discovered and undiscovered software bugs in its core OS.&lt;/p&gt;
&lt;p&gt;Does that mean that Mac OS X is the most secure then? NO, that's the point, the software is different, no-one knows how many bugs there are in the software, they're undiscovered. The difference is this, Microsoft seem only to be interested in plugging a few of the biggest security holes, and probably not until they are discovered and become quite high profile, Apple and most Linux Distros on the other hand, seem committed to closing as many holes as possible, big or small, before they have the chance to be exploited on any large scale. &lt;/p&gt;
&lt;p&gt;It's easy to say &amp;quot;We had to put out the least fixes, so our OS must be the most secure&amp;quot;, but the facts just don't support that hypothesis. And the real world experience doesn't match up either. Find me a Mac user who has been affected by one of these unpatched vulnerabilities, and I will show you 500 Windows users who claim to have been hacked, had spyware silently installed, downloaded viruses and generally mucked up their Windows computer. You can't convince someone their real life experience isn't real just by quoting numbers at them... the fact remains, their Windows OS is still slowed down to a crawl by malware, and all the software they run to stop it. And all it takes is one piece of malware, and all your good work is ruined; it can open up as many security holes as it likes.&lt;/p&gt;
</description></item></channel></rss>