Fear, Uncertainty, and Doubt! Oh, my!
Mike Nash, Microsoft’s new Chief Security Officer, just made the claim that Windows is more secure than Linux because they “fixed 15 vulnerabilities affecting Windows Server 2003” this year, while Red Hat and SuSE Linux users have patched 3 or 4 times that many vulnerabilities.
Now, before I start bashing, keep in mind that I am a .NET developer. I use Windows daily. The Microsoft platform is what puts food on the plate. But when I read stuff like this, it just boggles my mind and makes me say, “WTF??” (Yes, I actually pronounce it as wutuf).
I mean, come on! You can’t judge a product’s security by the number of patches released without considering severity or the other unpatched security vulnerabilities still out there in the wild. Microsoft has a long history of patching only the security flaws for which an exploit exists. The others they tend to leave alone. On the other hand, the Linux community is quick to jump on ANY security hole and have it patched almost immediately. That would be the reason for the higher number of patches.
Pretend you were evaluating server software for a company. If you saw that company A released patches for problems that have been exploited, and company B released patches for all known problems, wouldn’t you be more inclined to consider company B as more secure? I know I sure would.
Check out the Secunia link for Windows Server 2003 and the Secunia link for Red Hat Enterprise Linux WS 3. Windows has 5 of 44 security vulnerabilities unpatched to date (oddly different from Nash’s statement), and Red Hat has 0 of 130 security vulnerabilities unpatched. Hmm… Would you really trust a system with known security flaws for which no patch is available?