Andy Patrizio has an incredibly sloppy story entitled "Surprise, Microsoft Listed as Most Secure OS" at internetnews.com, which purports to summarize the recently released Symantec Internet Security Threat Report Volume XI. But if you look closely at the actual report (PDF), you'll see that this claim that Windows is "Most Secure" is based merely on Microsoft's relative speediness in patching security holes. That is, what apparently makes Windows "most secure" is that in the Jul-Dec 2006 timeframe Microsoft took an average of only 21 days to patch holes, while Red Hat (Linux) took 58 and Apple took 66. Okay, so Microsoft is best, right?
But that's silly: why would the speed of responding to holes by itself determine which OS is most secure? It should clearly matter how serious the holes were in the first place! If you're slow to patch relatively innocuous holes, is that not better than quickly patching a larger number of more serious holes? And when we look at the breakdown we see that in this period Microsoft had 39 disclosed vulnerabilities, and "12 were considered high severity, 20 were medium." Apple, on the other hand, issued 43 patches, and only "one was considered high severity, 31 were medium." So basically, Microsoft is quicker at patching 12 times as many high severity vulnerabilities, and that apparently makes Windows "more secure."
Now it's worth noting that none of this settles the question of which OS is more secure, but it does show the completely specious reasoning behind that headline claiming Windows is the "Most Secure OS." And of course it's this sort of lazy reporting (compounded by Patrizio's sniffing at Apple's advertising of better security) that creates a meme that others may pick up and pass on without quite realizing that it is based on a straightforward misreading. In other words, it's pure FUD.

Reader Comments (Page 1 of 2)
3-22-2007 @ 8:11PM
derek said...
I agree with you 100%
Reply
3-22-2007 @ 8:14PM
Johnny Thrash said...
So it obviously doesn't matter that:
1) Every virus that exists will tear Windows to shreds;
2) Every piece of SpyWare is a Windows-based application;
3) Every Microsoft Service Pack fixes 50 problems and creates 50 new ones;
4) and Vista is buggier than Windows 3.1 was...
How in the hell does anyone figure Windows is the most secure operating system?
Reply
3-22-2007 @ 8:19PM
greg Mays said...
"Fud, a Scottish colloquialism for vagina"? lol...couldn't resist
Reply
3-22-2007 @ 8:32PM
Quix said...
The Windows horde is giddy with this so-called "news" on Digg:
http://digg.com/microsoft/Hell_freezes_Windows_listed_as_most_secure_OS
Anyone who questions the flawed logic leading to this conclusion is dugg down to oblivion. Which is fine - intelligence is not a trait normally associated with the Windows masses. But anyone who has used both Windows and OS X knows that they aren't even in the same universe where security attacks are concerned. The story is, indeed, the pinnacle of FUD.
Digg needs a "Buried for Hilarity" button.
Reply
3-22-2007 @ 9:27PM
Mark Benson said...
Oh brother, who writes this kinda BS? There ought to be mandatory electrocutions (not fatal, just painful) for people who leap to this kinda conclusion. I skimmed the actual Symantec report and found nothing there that even came close to stating what is in this article. They did praise Microsoft's fast response to threats, but also pointed out key facts like 12 vulnerabilities in Windows were considered Critical, against 2 in Linux and 1 in OS X over the same timescale. That does NOT tell me Windows is a helm of security...
Reply
3-22-2007 @ 9:41PM
Xof said...
Thanks to that stupid report, Symantec is becoming less credible!
Reply
3-22-2007 @ 10:33PM
Hawthorne said...
So if I understand this logic, Windows is more secure because it's patched quicker.
Which is like saying a boat with a good bilge pump but more holes than swiss cheese is more seaworthy than one with a pinprick and a bucket.
I know which one I'd rather sail on...
Reply
3-22-2007 @ 11:01PM
liquidmark said...
Symantec, the company that makes its bread and butter off of Windows vulnerabilities, says that Windows is the most secure OS ever.
This is like hearing the folks that manufacture PENICILLIN say that STD's don't exist anymore!
Tell you what, if ANYONE believes this, and uses Windows, they should simply remove all of their Anti Virus, Spyware, Adware, Malware and go bareback from now on. Symantec has said the last word on it. The dark times are over as Microsoft has finally defeated the specter of malicious software, which has plagued them for far too long.
I'm serious
I mean, I don't use any of those things in my main OS and don't have any problems, so they'll be doing GREAT!
I'm gonna go delete all of my anti-virus, spyware, adware, malware from my XP partition RIGHT NOW! ^_^
Oh happy day! I can now look at hard-core pornographies in Internet Explorer (the way nature intended), without any worries!
Be right back! ;)
Reply
3-23-2007 @ 4:00AM
Nick said...
Presumably, if Windows is "the most secure OS" in Patrizio's book, it actually rates as more secure than OpenBSD. OK, OpenBSD's record is not quite as impressive as it was; it has now had its *second* remote hole in the default install, in more than 10 years:
http://www.darkreading.com/document.asp?doc_id=119685&WT.svl=cmpnews1_1
To anyone with any sense, Patrizio has merely made himself look silly. But well done for showing that he is the fool and not Symantec, who never said what he implied they had.
But, unfortunately, as you say, "that [is a notion] that others may pick up and pass on without ... realizing that it is based on a ... misreading".
Reply
3-23-2007 @ 7:28AM
Brakki said...
I don't understand why it's so hard to believe. Patching is indeed a measure of security, and if you can more quickly issue patches to fix vulnerabilities, you've made the system that much stronger (incidentally, the quick patching is one of the appeals of open source software).
"Which is fine - intelligence is not a trait normally associated with the Windows masses."
Nor is it a trait associated with Mac masses.
Reply
3-23-2007 @ 8:50AM
Sam said...
I've just skimmed the report, and nowhere could I find a breakdown of each vendor's patch time by vulnerability severity. I think making that distinction is quite important - I obviously care about how quickly high severity patches are released, more than I do that of those for vulnerabilities that are less severe.
Also remember that, although the number of high severity vulnerabilities for Apple software is still very small, and I find comfort in knowing I use Mac OS X every day, it's been shown recently that more and more people are buying their first Mac. We are likely to see more and more not-quite-so security savvy Mac users, the profile of Mac OS X is going to go up, making the Mac user base a bigger target overall.
I occasionally let my friends and family use my Mac, and I'm dreading the day that their lack of security sense will require me to bog it down with antivirus/antispyware software.
Sam
Reply
3-23-2007 @ 9:51AM
Malfoy Roark said...
Mr. Blogger, where is your CS degree from? Or is it a degree in info security? Honestly, I just love when people have to go hate on a topic they really have no business hating on. You don't have to like the results. I find the results a bit eh, but don't talk like you know how it should be done. Symantec makes their money off cleaning up other people's mistakes on Windows. If despite that, them and their techies believe it's the most secure. Well, you are in no real position to argue. One day, when Apple has greater than 50% market share (let us dream for a sec) and people decide to target it, Symantec and company will be there to clean up the mess too.
There are a few things more humorous than this, one involves euro teenagers on irc discussing U.S. foreign policy. Could someone be less qualified to be part of that discussion? Probably not.
Reply
3-23-2007 @ 9:59AM
Skinto McGinto said...
Well, from Edinburgh, and by the sounds of it, the report writer is definitely a bit of an Ashley Judd....
Reply
3-23-2007 @ 1:01PM
Johnny Thrash said...
I'm glad security functionality and stability.
All these people defending Windows. I'm glad I don't need an extra 300$ in security tools, spyware tools, and antivirus tools JUST to run my operating system with any sense of security, even if it is false.
I've been a programmer, developer, administrator and technician on Windows systems for over 15 years. Nothing has really changed with it. I finally got tired of the neverending battle and switched to something that just does what I want it to... not what IT wants to.
Thank you Apple for security, stability, beauty, functionality, design, and most of all ... thank you for my Macintosh.
Reply
3-23-2007 @ 2:19PM
JulesLt said...
Malfoy - Mr. Blogger doesn't need a degree in security to criticise a journalist - Andy Patrizio - for their interpretation of Symantec's data, especially when they reach a conclusion Symantec don't support. Their techies don't believe it's the most secure OS, but that MS are the most responsive.
>There are a few things more humorous than this,
>one involves euro teenagers on irc discussing
>U.S. foreign policy. Could someone be less
>qualified to be part of that discussion?
>Probably not.
Because, as we all know, only Americans are allowed to have opinions about US Foreign Policy. Ever noticed the Foreign bit in that phrase? It's about what you're doing in the rest of the world, and guess what, the rest of the world has an opinion about it! Not that America's ever made a mistake in its foreign policy, of course.
Reply
3-23-2007 @ 3:21PM
John Strachan said...
I just skimmed the whole report. The reason that Apple Safari (and it is the Safari web browser, not the whole OS) gets any kind of a black mark is because the one vulnerability in the second half of 2006 that was identified took over 62 days to patch. However, in the paper, Symantec takes care to mention that "this increase is based on a sample set of only one vulnerability, a sample size that is too small to ensure valid conclusions." They also mention that the problem "affected a third-party HTML rendering component, so it is possible that the third-party nature may have slowed the patch release time." (Pg 44). Also the total number of vulnerabilities identified for this time period were 4, two less than in 2005.
Meanwhile, for the same time period, MSIE had 54 vulnerabilities identified, an increase from the 25 documented in the second half of 2005. The sample size chosen for Microsoft was 15 as opposed to Safari's 1 and the patches had a maximum development time of 78 days.
So in other words, although MSIE had 50 more vulnerabilities, increased the number of vulnerabilities over the past year (as opposed to Safari's reduction) and actually took longer to sort out at least the worst one, it supposedly is more secure ... right?
This is as poor a case of reporting as I have seen. Obviously the writer can't read, because it looks like he simply looked at the bar graphs and wrote his article.
Reply
3-23-2007 @ 3:25PM
John Strachan said...
I reread the report after actually reading Patrizio's article and I stand corrected. There were actually patches in MacOSX that were mentioned in the white paper. However, Patrizio's article did gloss over a couple of points ...
Firstly, the white paper makes no mention about the absolute number of vulnerabilities in the operating system, it just discusses the fact that the MS numbers are based on a sample set of 39 whereas the MacOSX numbers are based on a sample set of 43. You cannot use absolute numbers when you are talking about a SAMPLE set.
It is also interesting to note that the wording used by Symantec is "Of the 39 Microsoft vulnerabilities DISCLOSED" whereas there is no mention of disclosure in the Apple analysis "Out of the 43 vulnerabilities in Mac OSX". Makes you wonder exactly who did the disclosure and whether Symantec took the vendor's word on how many vulnerabilities were found. Even if the number for MS is accurate, is it better that a vendor actually FINDS vulnerabilities or is it more important that the number is low and there may be unknown vulnerabilities lurking out there?
Reply
3-23-2007 @ 3:32PM
Lima said...
This dumb article is based on a statistic created by M$ using the following parameters:
1) first, choose a range of dates when other OS has received more patches than Vista
2) publish a graphic telling HEY, VISTA IS MORE SECURE THAN ALL OTHER SYSTEMS, LOOK AT HOW MANY HOLES WE HAVE DISCOVERED THIS MONTH!
Using this method you can say the Mojave Desert has more rain than London and Boston. Just wait for the day when you have rain in the Mojave Desert and no rain in London and Boston. Let's talk about number of vulnerabilities x lifespan. Tiger has 2 years. Let Vista complete 2 years and compare vulnerabilities then.
Micro$oft does not realize that nobody buys this crap it pumps outside Redmond.
M$ has to realize that nothing can be done to prevent it from going down in free fall, as it has been doing since 2003.
Reply
3-23-2007 @ 6:54PM
Bob Calhoun said...
If Windows is more secure than other operating systems then Symantec's products are even less necessary on a Windows machine than on my Macintosh.
I have zero need for any Symantec product on my Macintosh.
Reply
3-23-2007 @ 9:01PM
liquidmark said...
@Malfoy Roark
It's called an opinion. Live with it.
Reply