Windows vs Linux – Workstation – Q3 2006 addendum (High+Remote)

This post is dedicated to n00dles, for daring to ask for even more detail ;-) and should be considered as an addendum to Windows vs Linux – Workstation Comparison – Q3 2006.  Same caveats apply: 

NOTE:  I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows.  The “unsupported” part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open Source software. Also, this is my own work and any mistakes and opinions are mine and not necessarily those of Microsoft.

n00dles wondered how the picture looked if you just looked at High Severity, Remotely Exploitable vulnerabilities.  Could it be possible that I was omitting an angle that would put Windows in a worse light?  (n00dles didn’t imply that, but I like the dramatic build up)  Surely, with all of those optional server components excluded from Linux, many of the vulnerabilities would fall in the category of Locally exploitable?  Let’s see.

First, let’s look at the quarter.  Windows had 12, Red Hat had 31, and Ubuntu had 14. 

Next, let’s look at the High, Remote vulnerabilities per day for the year.  (Note that Vw doesn’t add any value since we’re explicitly excluding Medium and Low, so we’re just dividing the vuln count by the days in the period.)  We need to normalize by days since Ubuntu has only been available since June 1.  The figure below charts the High, Remote vulns fixed per day for the three workstation products.

Finally, let’s look at one more chart that shows the High, Remote vulns per day for the Lifetime of the products.  Obviously, Ubuntu’s will be the same as before, but note that Red Hat’s rate stays exactly the same as well and Windows XP drops only slightly to 0.10 from 0.11.


There you go, n00dles! 

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »