Submitted by Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors. The information was a part of Symantec’s 11th Internet Security Threat Report. The report, released this week, covered a huge range of security and vulnerability issues over the last six months of 2006, including operating systems.
I already knew that!
I read the ads here.
Comment like above sucks!
somebody tell them they have a typographical error in that article.
I guess Microsoft will buy Symantec soon.
And according to ExtremeHypedMotor, my 1991 Toyota Camry is the fatest vehicle in the world. LOL.
Edited 2007-03-22 16:30
First of all, the 5 listed operating systems are not all operating systems.
Besides, the statement is based on average time to patch a “security threat”. For some reason, since Solaris and HP-ux is last, I’d say it’s likely there is nothing that would estimate the level of threat the actual bug represents. I’d say the MS bugs would likely be like open doorway while solaris/hp-ux ones might be that if you break in to the place, rape the sysadmin to give you the root password, then Solaris/HP-ux won’t be safe. The bug being that it’s red hat linux handling the lock to the door ;P
Ah well… to make it interesting, throw OpenBSD in there and see what happens, I’m sure MS would be moved to slot 2 in an instant!
This could really hurt Symantec sales on Linux!
It may be that Microsoft is improving and patching Windows, but when it doesn’t make these patches available for the windows installs without a valid product key it does not improve the situation of the bot-nets
It does make the patches available regardless of a valid product key. I will install all updates via automatic updates (just not windowsupdate.com). You can’t get all the new optional stuff (WMP, etc) but, all security updates will be received though.
Edited 2007-03-22 16:45
Ya’ll can try http://www.autopatcher.com It’s an offline system update website.
… how do they measure security threats that are unpatched by vendors after a while? Cause Microsoft products always have a few unpatched ones…. low priority, but threats anyway. Do they count it as one infinitum (laid 8)? 😀
Edited 2007-03-22 16:38
Microsoft is not an OS.
That’s Microsoft Bob they were talking about!
Please, you almost made me spit my coffee all over my LCD screen. How about a little warning next time. 🙂
It is linux that is not an OS. It’s only a kernel.
Ah ok. Let’s apply the same logic to it all then…Windows isn’t an operating system. Windows 98, ME, 2000, XP etc are. But not Windows.
See, I can nitpick as well!
Anyways, how did Microsoft get away with trademarking a common word, which is supposedly illegal to do?
Dave
And who said it is? I only said the title was wrong, so there’s no need to feel attacked by a pro-linux guy. Besides, you are not even contradicting me, just asserting something different, true, but different. And what I said still holds true, no matter how much you try to confuse things.
Edited 2007-03-23 00:08 UTC
Actually, if you read the article carefully it is worded in such a way that it could be considered a one horse race. Since Windows is the only “widely available commercial” OS you could hardly reach any other conclusion. Looks to me like Symantec is ready to run up the white flag. 🙂
Flawed.
Funny.
Avoid.
[rant target=”Symantec” style=”vitriol:pure; reason:experience; justified:you-betcha”]
Personally, I just hope Symantec will just *go to hell*. And die.
They turned Norton Antivirus into a flaming pile of shit.
Norton Internet Security was BORN a flaming pile of shit.
Symantec is desperately seeking to remain relevant ever since the first Norton Utilities suite which was compatible with FAT32 (I can’t quite remember if that was version 3 or 4). From that time on, EVERY, and I mean EVERY release of ANY software of theirs became exponentially buggier, even outright DAMAGING to system stability.
Nowadays you just can’t expect to install Norton Antivirus and then UNINSTALL IT GRACEFULLY after it “downgrades” your shiny brand-new dual-core computer to Pentium II speeds. It sticks like tar. Tar at least smells better.
Now that they completely blew their products (at least to those not used to get all their software from Ma&Pa store shelves and actually CARE to sort out the differences among what’s offered and then CHOOSE based on technical merits instead of name branding), they’re trying to leverage that name branding and pose themselves as “security watchdogs”.
Hello?? Symantec can’t even cope with keeping their own Windows products from shooting EVERYTHING in the foot (like preventing legitimate SMTP connections — even SSL’d ones! –, causing any number of incompatibilities with 3rd party software —-gawd, remember Norton CrashGuard?!—-, and the classic “bringing your computer performance to a grinding halt”). What the hell are they fussing with HP-UX and Solaris anyway?!
What the hell do they know about Mac OS X? Judging from how difficult it was to them to adapt their products, and how fast the competition churned out WAY better products in far less time, I’d say *very little*.
Same goes to Linux. What product does Symantec offer for Linux systems anyway? Maybe they DO offer some, but it just might be so irrelevant that I never happened to hear about ANY.
Windows? Well, I guess few of us have never gone that route before. Some of us might even have chipped tooth because of cringing at their software.
I believe they’ll never get their act together ever again, and THEY DESERVED it. I’ve completely lost count of how many people called me to “fix their computers” and the root of all evil was some Symantec product.
THEY DESERVED IT.
[/rant]
[mood style=”feeling:MUCH-better”]
Wow. And people say I’m capable of hate!
Dude, you so hit the nail on the head with that one! I can’t remember the amount of times I was called in to flush out a bug ridden system only to find the real problem was a Symantec product. Man, those guy’s deserve every word of your rant!
Agree with you entirely re. Symantec ‘security’ products.
– add McAfee to that list,too.
As soon as either is uninstalled and the computer rebooted,
some semblance of efficiency returns.
Run a cleaner or two,as well,
and things get better again
as you start to clean out the ‘tar’ mentioned earlier.
Yes..it dismays me when I hear ppl say
how they just went out and bought,
i.e. pd.ca$h for, Norton This or That.
They turned Norton Antivirus into a flaming pile of shit.
Norton Internet Security was BORN a flaming pile of shit.
actually… NIS was another product gobbled up and destroyed by Symantec. Long long ago in the before time there was an awesome little firewall… @gate firewall.
I was going to vote your score higher, but it’s already maxed out.
Norton’s utilities were good, but I cannot recommend any of them.
You can’t shut off Ghost.
Their firewall crashes often.
The whole concept of a security center, or an anything center is a waste of memory and processor time.
Marketing people should not design software!
They survive for the same reason Windows is the dominant OS, not because it is better, but because it is what people have come to know. As an example, I was in Staples yesterday and one of the sales people was helping a ldy with AV software. She insisted that she had to have Symantecs AV, I refuse to call it Norton’s as I think he is probably as disgusted with the product as I am, and so that is what they sold her.
As a side note, I beta tested for many years for Syamntec and I have to agree that they have taken many a good product and turned it into crap. Quite frankly, I would take anything coming out of there with a whole shaker full of salt. Given the conditions of the test the results are actually pretty accurate. The same test could be set up in such a way that Windows 98 comes out on top.
My research study results come to the conclusion that this is money talking and bullshit walking.
Yes.
It just kills me that these people don’t seem to realize that the number of patches doesn’t have a whole lot to do with how secure the system is. I would *rather* see more patches, because that means that the vendor is finding bugs and holes and actually fixing them.
” I would *rather* see more patches,
because that means that the vendor is finding bugs and holes and actually fixing them.” – you say…
and you’re right!
No-one ever made a perfect OS and didn’t have to patch it.
Not MAC, not Linux, no-one.
And yet we somehow continue to pretend or expect
that somehow the next flashy OS to come out will be ‘perfect’
and never need patches.
What is it? a freak?
I read through relevant sections of the report pdf file, and I see that they only differentiated the Operating Systems for that one “patch time” section. I guess that this one measurement is all that was considered when InternetNews.com declared Microsoft as “Most Secure OS” (a point which was never claimed in the report at all).
The other sections on Vendor responsiveness, Zero-day vulnerabilities, and the various Malicious Code Trends they documented all were a composite across all computing platforms.
A nice analysis (with only one small section that compared different OSes), but a rather broad conclusion has been drawn from that one tiny section (2 pages out of 104). I don’t think that this report was intended to draw that type of conclusion, as there isn’t enough other information available to get the full picture.
The fact that a Microsoft system won’t last a week without a good anti-virus program, and that Microsoft doesn’t provide one, is the whole reason Symantec has a business. Telling people the truth, that Microsoft security sucks so badly that they should go elsewhere, would mean telling them not only to stop buying Microsoft, but to stop buying Symantec as well.
With Vista, Microsoft might try to cut off the anti-virus vendors, so maybe they won’t be such good buddies in the future. But Windows has been Symantec’s meal ticket.
“The fact that a Microsoft system won’t last a week without a good anti-virus program…”
Since when was that a fact? I’ve run many versions of Windows for years without ever touching an antivirus program. And I’ve never had a problem. A firewall is the key.
Yeah ?
And your bot-netted zombie machine has been sending me spam for years….
Windows users should run a virus scanner by default… just in case.
Firewalls are not the key. Malware authors know what port 80 is for, and they use it.
Since when was that a fact? I’ve run many versions of Windows for years without ever touching an antivirus program. And I’ve never had a problem. A firewall is the key.
What exactly are you people doing? Seriously, I don’t use a virus-scanner for exactly the reason people say, i.e. there are none available anymore that don’t eat 90% of CPU time just because they can. Likewise, I don’t use any firewall software because it makes everything a giant hastle and, again, wastes memory and CPU time…
Now, I run a random virus check about once a month, I’ve never once been infected. I run spyware/adware checks, never have a damn thing pop up…
Admittedly, I turn off any windows services I don’t actually need (all but 4 of them are unneeded, 8 if you do really weird things) and restrict anonymous access (gets rid of SMB exploits, etc., only takes changing a 1 to a 0 in the registry), but these are things you all certainly do since it takes about 30 seconds to complete?
At what point do you suddenly need anti-virus software and firewalls? o.O Yes, I know for “ideal” security you install them, but I’ve never once seen any benefit from them, and I’m online all friggin day long.
I mean, come on, I use cable-access internet in a city of 580,000 people (read: horribly insecure) and still don’t have any odd problems.
Microsoft is doing better overall than its leading commercial competitors
That leaves, uh, apple?
That leaves, uh, apple?
OSX only counts if you count open-source software as commercial software.
In other words, if you don’t, then it amounts to:
“Microsoft [Windows] is the only widely available commercial OS. Microsoft [Windows] is the most secure widely available commercial OS.”
I suspect even Homer Simpson could work out that sentence 2 in the above follows inexorably from sentence 2, without any reference whatsoever to other OSes, good or bad.
Oh, and by the way: Most of the stuff Apple builds on top of its OSS OS is proprietary.
In other words, if you don’t, then it amounts to:
“Microsoft [Windows] is the only widely available commercial OS. Microsoft [Windows] is the most secure widely available commercial OS.”
I wasn’t saying Windows was the only serious commercial OS. I was just contesting that OSX was.
Actually, it even leaves out Apple since it says”widely available commercial OS”. I can positively state that Windows is not more secure than OS X as I have used both. 🙂
Just because you’ve used both means that OS X is more secure than Windows? Perhaps you didn’t know how to keep your Windows box secure? When was the last time you used Windows? OS X? The fact you used both does nothing to convince me.
Now I have administered both XP and OS X, and I have found that it is not too hard to keep a Windows box safe. Firewall, spyware scanner, and a good(read not Norton) AV package. after that, they are both pretty secure. The real secret is not to let your users run as admin, but we all knew that.
Users running as admin is the REAL security problem with Windows, you really don’t need a spyware scanner if you run as a normal user, and probably could get away with out AV software too, but I’m too chicken, lol
Oh come off it. Can Windows be run without getting infected? Yes, I have done it. I used to beta test for Symantec AV and I used live virus files to do it. (They about had a fit when they found I was testing the product against live virus files, BTW).
I can definitely state the OS X, (and Linux and BSD for that matter), is more secure than any of the Windows OS’s I have run, (except Vista and since I haven’t run that I can’t comment on it). I can secure a Mac and a Linux/BSD machine in a matter of minutes. To get the same level of security in Windows takes a lot longer. And that is why most people will never properly secure their Windows machine. They don’t know how and even if they did they would not want to take the time required.
Linux/BSD and OS X are far more secure out of the box than Windows. All of them can be made more secure, but at this time only with Windows is is absolutely essential that you do so. I would never hook any computer straight to an always on connection regardless of the OS running on it. But a lot of people hook Windows up that way. So yes, Windows is less secure by default.
Yes, you are right, which is what I said. But the reason it is so insecure is that everyone runs as administrator, take that away, and a lot of the exploits through IE, for example, would no longer work.
enough times someone will actually believe it. Besides it would seem the way that they are securing systems in Vista is to annoy the hell out of you with confirmation’s to do anything..
BAH! FUD.
-nX
“You are about to release a heavily-biased ‘security’ study which will be widely criticised and derided by independent researchers:
Confirm or deny?”
We often disagree on some topics but I have to say I am in full agreement with you on this one!
Of course, I mean “Cancel or allow?”
I am no where near as well read on the the types of exploits as many who frequent this site, but I am pretty sure that the patches that are being done to many of the Linux distro’s are in the vein of:
“If you leave you wallet out AND some one shady finds it AND they can get into your house AND hold you hostage they MIGHT be able to gain control of your XMMS”
as opposed to the typical Windows exploit:
“If you open IE you will get pwned.”
Yeah, I know, a bit over the top. But you guys get the idea.
I bet it’s all because of Symantecs security tools/products. Damn, I wish I have those tools for Linux, wait a minute, I don’t really need it.
So let me get this right according to the article Microsoft had the fewest number of vulenerabilities, but still had the higest number in terms of high risk. The thing that kills me is that these studies include software from opensource projects installed on the OS vs the windows vulnerabilities usually lie in the OS itself not the addon software.
Windows stats are about 1/2 of all vulnerabilities are high risk. I’m sorry but this sounds as safe as a defective rear-end exploading ford police car.
Edited 2007-03-22 18:11
Yes, talk about misleading.
OS X is given is lower rating because they took an average 66 days compared to MS’s 58 to patch. Then in the next sentence they say only 1 was critical on OS X and 12 were critical on Windows. We’ll I guess getting a fix 1 week faster on average is more important than having much less critical flaws. 😎
Microsoft – 58(days) x 12(vulns) = 696
Apple – 66{days) x 1(vuln) = 66
So Microsoft must be more secure – right? It’s a bigger number!
:}
I have never heard of an OS called Microsoft.
Sure I heard of a company called Microsoft.
You must be referring to Windows?
If you just read past comments you’ll see that kind of question is already said.
I’ve been reading through comments here, and I’ve come to one conclusion. No one commenting has an open mind at all. This is not specific to this thread or topic either. The only reason that you are even reading these posts and comments are to reconfirm your own per existing beliefs. If something does not conform to your beliefs it would not matter how much actual data is presented, the basis for the articles conclusions would be in error. Everything you are reading you are filtering based on the flawed logic that all your current beliefs are 100% fact. I’m sure I don’t have to tell you how stupid this makes you appear.
I’ve been reading through comments here, and I’ve come to one conclusion. No one commenting has an open mind at all. This is not specific to this thread or topic either. The only reason that you are even reading these posts and comments are to reconfirm your own per existing beliefs. If something does not conform to your beliefs it would not matter how much actual data is presented, the basis for the articles conclusions would be in error. Everything you are reading you are filtering based on the flawed logic that all your current beliefs are 100% fact. I’m sure I don’t have to tell you how stupid this makes you appear.
Nice rant. Unfortunately for you, no matter how biased we are or you accuse us of being, that won’t change the fact that this study is deeply flawed, and is going to be seen widely as being so.
The question is did you read the article it is heavily bias again the numbers show that 1/2 of all windows vulnerabilities were high risk. Number 2 if we are comparing OSes we need to eliminate the the opensource projects and focus on Linux the OS which is not what these studies take into account.
The problem is that the need to look at Linux, Linux is not Openoffice, it is not apache, those are applications installed just as Nero is not windows however they do not split those vulnerabilities out, because of either bias or lack of knowledge.
Need I remind you that the bugs in the Month of Apple bugs included things like VLC which is a add on program not a OS.
Everything you read, hear, say, write etc. is subject to influence and bias based on your culture, experience, interests, etc. That is the nature of being human – while we can strive to be objective, it is naturally difficult to do so.
Using our personal biases to denounce our ideas outright is not a very effective form of arguing. You would be listened to by other here if you can try to find fault in the arguments presented in this thread, not faults in the people who post them – like I pointed out, we all have our biases, even you.
Honestly, did you really expect anything else?
As if you hold the Holy Grail of Truth in your hands.
Ahahah.
I have never known anybody who does not let they’re bias in any way influence how they see the world. Even the supposed holy of subjectivity, science, is not immune to this.
Telling people they are biased and/or stupid when they take what is obviously a flawed statement (yes, it is very much flawed – read the actual pdf this statement is supposedly based on for the truth of the matter) without giving any valid reasons is a very stupid thing to do and frankly, you deserve all the scorn you are getting.
Exactly right, sir!
Why, thank you sir! Seems to me you are doing nicely yourself 😉
I’ve been reading through comments here, and I’ve come to one conclusion. No one commenting has an open mind at all. This is not specific to this thread or topic either. The only reason that you are even reading these posts and comments are to reconfirm your own per existing beliefs. If something does not conform to your beliefs it would not matter how much actual data is presented, the basis for the articles conclusions would be in error. Everything you are reading you are filtering based on the flawed logic that all your current beliefs are 100% fact. I’m sure I don’t have to tell you how stupid this makes you appear.
Lol, what are you confused about?
I have an open mind, unfortunately Windows has too many open holes so it’s more of a swiss cheese than an operating system.
And what you term as a belief I call first hand experience.
I guess you never experienced having Windows powned by a warm 2 minutes after a fresh install.
Well, I have experience that, so my “belief” is based on personal experience.
I don’t think some ridiculous study will change my “belief” based on years of personal experience.
Good analogy:
I get burned by fire. From then on I don’t just believe that fire will hurt me. I KNOW that fire WILL HURT me.
And no matter how many times someone will tell me that it’s ok to put my hand in a fire, I know better (from experience).
Besides, even comparing a toy os like Windows to heavy duty os’s like HP Unix or Solaris that run big iron servers with uptime and reliability Windows can only have wet dreams about, is ridiculous.
Basically Symantec is sucking up to Microsoft because without Windows they have no product to sell.
I don’t know about you, but I’ve run many computers with no problems on WinXP SP2 without any antivirus, and only using windows builtin firewall. I admit. before SP2 it was different story, but after their fixes with it, I’ve been running all my systems stable leaving them on and online for months at a time. Rock solid.
I’m not dissing other OSs either, if you want mac or linux that’s great. I just don’t see the point in tearing down a product, when the development of it has been steadily improving. Microsoft is doing better, and responding to problems faster, they should be commended for their improvment.
I admit. before SP2 it was different story, but after their fixes with it, I’ve been running all my systems stable leaving them on and online for months at a time. Rock solid.
I worry about people who feel the need to tell us how they’ve left their XP, SP2 no less, machines on and connected to the internet for months and months. And then they add the ubiquitous ‘rock solid’ statement at the end.
“I worry about people who feel the need to tell us how they’ve left their XP, SP2 no less, machines on and connected to the internet for months and months. And then they add the ubiquitous ‘rock solid’ statement at the end.”
Why do you think we have all these trojans and viruses floating around? 🙂
Like the almighty coming down to scold us you tell us how we are all bias because we point out an article that shall we say, uses creative interpretation of facts to make a point. (Windows being most secure OS) Obviously some people are gonna bash MS no matter what, but many of us are a little more knowledgeable and able to understand the problems with that article.
Then you use your OWN bias to tell us you have no problems with Windows security, hence it must be OK. I hear people use this all the time as an argument. Obviously a single case cannot prove a statement, only disapprove one.
That fact that many of us make a living based on Windows problems indicates that there are indeed true issues. Some will argue its secure, but the users does things to make it vulnerable; than that is a design flaw in the OS to allow users to do that or to make a condition where users would want to do it. (If the LUA dialogs are so annoying that it causes people to turn it off, that’s a design flaw.)
I don’t care what OS anyone uses, but there is so much BS floating around end users can’t make a truly fair, informed decision, and that is what this whole argument comes down to. Most people won’t read that article, they’ll just see that headline and take it for truth and pass it on. Be nice if end users were more informed, but they won’t be, history shows people just follow the leader. (ex. MS, Hitler, Tattoos, fashion.)
If it wasn’t for competition and users who questioned articles like this, don’t kid yourself, whether Apple, MS, Sun or IBM, they wouldn’t be making these improvements that even you acknowledged. (or they would be a lot slower.)
With any operating or security system, the largest security hole is the user. With the human element it is imposible to make something completly secure. This is why large companies have employees educated on security concerns and best practices. You see comercials about how information is the anti-drug, well I would say that information is the best anti-virus as well. I don’t feel that the answer to security problems is to add more and more restrictions to the user, just educate them.
BTW, I was not supporting or denying the thread topic. My original post was just pointing out what I’ve been seeing any many threads, finally decided to say something about it.
“Basically Symantec is sucking up to Microsoft
because without Windows they have no product to sell.
– and any anti-Symantec sentiment expressed here
is due to experience and the school of hard knocks,
not becoz we simply feel like trashing Norton and Co.
In my early (Mac) days, Norton was a decent utility
that pulled me out of my first few system crashes,
and I admired and appreciated it greatly..
but over the years it just got bloated and overbearing,
ripping off clock cycles like it paid for the computer
and generally earning itself a bad/unpleasant reputation!
Argue with that.
– but you can’t, coz everyone has had pretty much the same experience
over the last 10 yrs. or so.
Dude, the real question here is not why some people are being a bit overzealous in calling foul on an operating system that has consistently had more security holes than a piece of swiss cheese for over a decade running, backed by a company engaging in court-proven illegal business practices, communicating lies and half-truths to it’s customers, and interfering with democratic processes around the world.
The real question is, what the hell posesses someone like you to donate their time to defending such an entity?
I like the teaser to this article, in which it claims that Symantec is no friend of Microsoft. While Symantec may no agree with everything Microsoft does, I ask you how Symantec could not be friends with Microsoft when they are a Microsoft vendor and make all their money selling Windows products.
I like the teaser to this article, in which it claims that Symantec is no friend of Microsoft. While Symantec may no agree with everything Microsoft does, I ask you how Symantec could not be friends with Microsoft when they are a Microsoft vendor and make all their money selling Windows products.
Question of the Third Millennium!
are similar. Both are huge monolithic kernels with lots of code for buffer overflows.
Go ahead and censor/delete this message.
Good ole osnews/slashdot fairness!
Weapons of mass destruction were found in Baghdad.
George Bush to head Greenpeace.
Al Gore accepts position as CEO of Exxon.
SCO code found in Window Kernel source, Darl McBride to replace Ballmer.
George Bush to head Greenpeace.
LOL.
“SCO code found in Window Kernel source, Darl McBride to replace Ballmer.”
Oh crap, don’t give them any ideas.
Microsoft – 12 severe vulnerabilities
Redhat – 2 severe vulnerabilities
Mac – 1 severe vulnerability
Therefore Microsoft is the most secure (hey, the conclusion was known at the start, if you are Symantec, you want people to use insecure operating systems so you need their products).
That’s what I understood too… MS has the smaller number total BUT the highest of severe ones…
/LOL
Symantec both makes bloatware
Hum… let me see i spend at least a day every week removing virus and spyware from costumers pc’s… and with my mac, my linux server and my solaris server i spend… oh wait… i dont… so the logical conclusion: windows is more secure… oh yea… (i know im not using numbers to sustent my post, but this is my experience)
Hum… let me see i spend at least a day every week removing virus and spyware from costumers pc’s… and with my mac, my linux server and my solaris server i spend… oh wait… i dont… so the logical conclusion: windows is more secure… oh yea… (i know im not using numbers to sustent my post, but this is my experience)
Just curious… but can anyone here actually list a single virus of spyrware/adware instance that affects OS X, Linux, or Solaris? (yes, I know, theoretically there has been that one virus on OS X, etc, but really, without a google search can you list something?)
Yeah, Microsoft needs to stop hiring interns to make their software, no argument here against that… but virus occurrence in comparing Windows to three systems where viruses don’t actually exist is sort of… not relevant to anything, security or otherwise?
Also, unlike your customers, I assume you are not a retarded monkey… you could likely use windows with the same results (I spend all day cleaning other peoples PCs but never have to clean my own becayse I don’t do stupid crap with it)
Windows is the most secure wide-spread OS.
It’s the only wide-spread OS ::)
The conclusions provided by the “internetnews.com” piece and the Symantec “Internet Security Threat Report” don’t seem to be exactly in line with one another. The “internetnews.com” article is based on a very small portion of the entire “threat report” (as pointed out in previous posts). They declare a “most secure OS” based solely on number of days to patch.
I’ve always wondered how true of an objective metric that is, since there really isn’t “full-disclosure” of OS vulnerabilities in the first place. So how do we know how long it actually takes for vendors to produce patches? Even in Symantec’s report they state “68 percent of documented vulnerabilities were not confirmed by the affected vendor”.
Also from Symantec’s report,
– “Home users were the most highly targeted sector, accounting for 93 percent of all targeted attacks.”
– “Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.”
And what OS do you think these targets are using? Good thing it’s the “most secure OS” then or I might have to switch to Solaris or something!
Everybody can make their products secure, if they really care. It’s nor rocket science, there are rules that need to be followed. If Windows are not secure enogh now, they will be someday.
I don’t like the way the Windows are secure. There is a lot of services in Windows that are open to the network. Fair share of them can not or should not be shut down. In fact, there is only a vague idea of what they do. I hope that Microsoft engineers are the exception to this.
Instead of shutting down those services, one must put machine behind the firewall, either personal or common, or make sure that they are patched properly.
On UNIX and similar systems, one just shuts down services that are not needed. If one does not need NTP service, the solution is to prevent it from starting. That is the way to avoid a lot of problems, without wasting effort on them.
…. is it 1st April already?????
I was just thinking the same…
MS is doing great helping them sell a ton of anti-virus and anti-malware software.
I’m sure they feel MS is doing great on security as its making them freakin’ billions.
Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.
This goes high in my list of unintentionally hilarious “attacks” by Unable-To-Compete poster children. Where did they get the info? Reading Slashdot? They know nothing about Mac’s, judging by their attempts to penetrate that market with a worthwhile product. I’d purely love to hear the community response if they tried to market something on Linux.
Microsoft is doing better overall… at selling Symantec products. MS’s clueless, marketing driven product lines justify the existence of Symantec, despite their high prices and extremely poor quality. (What can I say? Windows usability and stability are what they are, and they’re a whole lot worse with anything by Symantec installed. And, since Symantec products often can’t be uninstalled….)
In short, I don’t consider Symantec credible on this or any other topic except marketing, which is OT. Move on, folks.
Per the internetnews article:
During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows…
… of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity…
…43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.
Durr.. it seems to me what really counts here is 1) the number of high priority/severe vulnerabilities; and 2) the amount of time it took to fix those high priority/severe vulnerabilities.
High priority/severe vulnerabilities:
* MS Windows – 12
* RHEL – 2
* Mac OS X – 1
Misleading article.
http://secunia.com/product/22/
Vulnerability Report: Microsoft Windows XP Professional
Affected By 179 Secunia advisories
Unpatched 18% (33 of 179 Secunia advisories)
http://secunia.com/product/22/?task=statistics
http://www.redhat.com/magazine/017mar06/features/riskreport/
Vulnerability Report: RedHat Enterprise Linux AS 4
Affected By 268 Secunia advisories
Unpatched 0% (0 of 268 Secunia advisories)
http://www.osnews.com/story.php/17488/OpenBSD-Gets-Its-Second-Remot…
I can’t even understand why people bother to comment or listen to this….
I don’t care if Red Hat spends a tad bit longer as long as I don’t have open holes like MS…
Hmm I was almost as bad as the report, comparing wrong products…
so here we go:
Microsoft Windows Server 2003 Enterprise Edition
Affected By 120 Secunia advisories
Unpatched 9% (11 of 120 Secunia advisories)
http://secunia.com/product/1174/?task=statistics
Edited 2007-03-22 21:21
Well posted. Would have been even better to state the number of severe threats etc in each case as well, to show that GNU/Linux has fewer. Time to patch data would have been good as well. I know I can go and hunt this data down, but I’m lazy. Good work.
Dave
That is funny, now show me the REAL report.
Using the arguments of this pseudo-study I can conclude that CP/M is the most secure OS of the world. There are no security vulnerabilities reported nor viruses/malwares .
Linux can have many reported bugs because it is part of free software developing process. The important is that the ritm of patching is more intense and there are no taxes for updating the operating system
actually, this is said 70 times here, but i want to say it too for fun:
i will not believe symantec even they tell me, that i cant believe them
blessed the day, when i said goodbye to their products
Hackers have shifted their focus away from the OS and are now using vulnerabilities in the apps that are installed on the OS. e.g Word, Excel, IE as these products will be trusted by the firewall and allowed to access the internet.
Brutal assaults on the OS are no longer necessary. Now it’s the apps turn to feel the heat. So the OS can be as “secure” as ya’ll wanna say but it won’t mean diddly squat if you are using buggy, vulnerable programs on it. It’ll get “owned” if the right measures are not taken. And there is the slight chance of a zero-day exploit doing a number on you.
Edited 2007-03-23 00:36
{Hackers have shifted their focus away from the OS and are now using vulnerabilities in the apps that are installed on the OS. e.g Word, Excel, IE as these products will be trusted by the firewall and allowed to access the internet.
Brutal assaults on the OS are no longer necessary. Now it’s the apps turn to feel the heat. So the OS can be as “secure” as ya’ll wanna say but it won’t mean diddly squat if you are using buggy, vulnerable programs on it. It’ll get “owned” if the right measures are not taken. And there is the slight chance of a zero-day exploit doing a number on you. }
If you are a “black hat” person wanting to write an exploit so that you can “own” a system, you might use an application as a route to get your exploit code installed onto the target system, but the exploit code itself has to target the OS, not applications.
It isn’t much use “owning” a system only when it happens to be running Powerpoint, for example. To be useful, you must “own” the system full-time. That means “owning” the OS itself.
Black hats may be targetting vulnerabilities of applications in order to gain access into systems (ie, to get past firewalls as an example you gave), but that does not mean that “Hackers have shifted their focus away from the OS”.
BTW, on Windows systems, black hats do not have to rely on particular applications being installed in order to have potential holes in firewalls. Microsoft have built in several nice holes deliberately … WGA checks, Windows update, remote desktop, online help, DRM checks, new codecs … there are already quite a few exploitable holes pre-installed on Windows systems without any applications at all!
Edited 2007-03-23 02:20
Er. Yes and no. Malware commonly uses the fact that certain applications are trusted by the firewall to get around it. But most of the time malware isn’t actually using an exploit in the app. Rather it’s using a rather bad design decision on Windows named:
CreateRemoteThread
http://msdn2.microsoft.com/en-us/library/ms682437.aspx
On linux we have equivalent posix functions.
On both systems you need to have the correct privileges to open the process.
The difference? On Windows, the user often has those privileges, on linux, not as much. And SeDebugPrivilege.
SO if you want your threat to ensure the only way that you can be deleted is with a reboot, you inject into System.
If you want to get around the firewall, you inject into IE.
You don’t need to exploit anything.
Edited 2007-03-23 03:16
Actually, what you are saying is not a bug, it’s just that when you run Windows as an Admin, it allows you to run CreateRemoteThread. You are exploiting something, but it is not a bug, it’s a problem with the defautl settings, and a problem with the culture of Windows users.
From the article:
“The risk of exploitation in the wild is a major driving force in the development of patches. As with
previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with
associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop
and issue patches more quickly than other vendors. Another pressure that may have influenced
Microsoft’s relatively short patch development time is the development of unofficial patches by third-
parties in response to high-profile vulnerabilities.”
I already knew that Windows was the cheapest, and the best performing OS. Thanks to Symantec, I know now the whole truth, it is also the safest. And the fact that Windows is their only market changes nothing to it. Is’s proven…mmm…
We live in a world of fairy tales. It’s wonderful.
Microsoft has competitors!!?? That’s got to be a short list. Did they throw Win3.1 in there for filler?
Competition would be all over the place if Red Hat & Novell and the rest would market by pre-loading their operating systems on pc/laptop configs…
Marketing is the key to success on the desktop from what I understand Dell & HP are listening to the end user now and loading a pre-installed Linux distro (kudos).
In the meantime I would not give any merit these ‘threat reports’ or any of this non-sense.
Fedora Core user here…
Symantec is just turning crazy, they come up saying that Windows is more secure but in the same time they say this,
http://www.macworld.com/news/2007/03/20/browser/index.php?lsrc=mwrs…
Well not very consistant knowing that IE only runs on well ……..Windows.
I just wonder what the guys working at Symantec are thinking???
Everybody had a great laugh.
We may now get on with our lives.
I use Linux (Gentoo) and I don’t use ad-aware or virus scanners, they are simply not needed, I believe MAC users don have a need for them too. And now that Microsofts OS is the most secure one, who needs Symantec, Norton and gang?
And what operating system is the driving force behind the gigantic bot-networks? SUN?
Tuaw has a good post on this story,
http://www.tuaw.com/2007/03/22/fud-windows-is-most-secure-os/
It seems that this statement saying that Windows is most secure OS does not really belong to Symantec per say, but to the person who wrote this article (if of course i can call this thing an article, in reality probably not!!!), Andy Patrizio, who seems having quite a lot of difficulties to understand things correctly. So it seems that our friend Andy is a fan of lazy reporting, he reads something, he does not understand it, and finally he end up claiming BS. Why BS, well Tuaw sumarizes it well,
“hat is, what apparently makes Windows “most secure” is that in the Jul-Dec 2006 timeframe Microsoft took an average of only 21 days to patch holes, while Red Hat (linux) took took 58 and Apple took 66. Okay, so Microsoft is best right? But that’s silly, why would the speed of responding to holes by itself determine which OS is most secure? It should clearly matter how serious the holes were in the first place! If you’re slow to patch relatively innocuous holes, is that not better than quickly patching a larger number of more serious holes? And when we look at the breakdown we see that in this period Microsoft had 39 disclosed vulnerabilities, and “12 were considered high severity, 20 were medium.” Apple, on the other hand, issued 43 patches, and only “one was considered high severity, 31 were medium.” So basically, Microsoft is quicker at patching 12 times as many high severity vulnerabilities, and that apparently makes Windows “more secure.””
Having 12 times more serious vulnerabilities than OS X makes Microsoft patching them more quickly, i guess they better do that,this explains that …………. only Patrizio does not get it…..
1. Surprise, Microsoft Listed as Most Secure OS
Microsoft is not an operating system.
2. Symantec, no friend of Microsoft
If Microsoft’s products were secure, Symantec would have gone out of business years ago. Microsoft’s product’s insecurity is Symantec’s excuse for existence. Not friends? In my opinion, they are not only friends, they are sexually intimate friends.
What are the major competitors to windows? Apple & MS are the only companies that I ever seen a OS ad for. So it is easy for MS to come out ontop, cause windows is what like 98% of the market share?
If you weigh the severity of the flaws, Microsoft gets knocked down fairly well ( likely removing its crown if mathematically applied and balanced ).
Scoring Vulnerabilities:
Critical: 50
Can take over PC Controls, full access
Severe: 40
Full access, but cannot interfere with user.
High: 30
Full Read, with possible write access, but not be
able to execute anything.
Medium: 20
Can cause a program crash, but cannot cause other
‘permanent’ damage. Some times these can load
trojans, but the trojans may be nearly ‘harmless’.
Low: 10
Requires user-action to accomplish. Cannot take
over machine, but may be able to cause temporary
instability.
Someone else do the scoring 🙂
–The loon