• United States

Is Windows safer than Linux?

Apr 12, 20042 mins
Enterprise ApplicationsLinux

* Report suggests Linux vendors take longer to produce patches than Microsoft

A recent study comparing Windows and Linux vulnerabilities showed that Microsoft is quicker at responding to problems in its software, while many of the leading Linux distributions lag in reaction time.

The study conducted by Forrester Research, of Cambridge, Mass., compared Microsoft Windows products with Linux operating systems from Debian, Mandrake, Red Hat and SuSE. The research firm looked at security-related bugs, and the subsequent patch fixes that were released between 2002 and 2003.

These “days at risk,” as Forrester put it, accounts the time a security bug is discovered to a patch being issued. Forrester also looked at the gravity of reported software security flaws, as characterized by such organizations as the National Institute of Standards and Technology’s ICAT project for classifying the severity of computer-related vulnerabilities.

What came out of the research was that Microsoft was the quickest to release fixes for its security flaws, taking an average of 25 days between the reporting and patch release. After Microsoft, Red Hat and Debian both took twice as long to get patches out – 57 days. SuSE took 74 days to fix its flaws, and Mandrake took 82 days.

Shortly after the report was released, the four Linux companies involved issued a statement critical of Forrester’s methodology. The companies said that Forrester’s data is not representative of Linux’s overall “safeness” because it averages in the severity of all vulnerabilities when determining its “days at risk” ranking. Severe problems were fixed in very short turn-around times, they claim, while minor problems were addressed over a longer period. 

Forrester last year drew some heat from the Linux community when it published an ROI study on Linux showing that there was little cost savings involved in migrating from Windows to Linux. The heat was turned up when it was reported that that Microsoft had co-sponsored the research. This time around, no vendor sponsored the Linux/Windows research and Forrester allowed Linux vendors to view its data before publishing.

Next issue: More Linux research controversy.