If Steve Ballmer hadn't been tapped for his post at Microsoft, his talent for spinning facts and spreading FUD would have made him a natural for American politics. Microsoft, with Ballmer in the lead, is busy again trying to convince the tech world that Linux and open source leave users more vulnerable to security issues than Microsoft's own products. They've used study after study to try to come up with "facts" that bolster the case that Windows is better, faster, cheaper or more secure than Linux. The problem is, as Ronald Reagan once said, "facts are stupid things." By homing in on just a few facts, rather than the comprehensive bigger picture, it's possible to use a few facts to support almost any position. In this case, Microsoft uses a Forrester study to claim that Microsoft is more responsive to security issues, more thorough in correcting flaws, and suffers from fewer "high severity" vulnerabilities. Nick Petreley debunks the Microsoft spin rather handily, noting that Forrester's metrics don't really tell the full picture.
If we reality-check these conclusions against another scale, we find that vulnerability metrics used by the US Computer Emergency Readiness Team (CERT) return 250 results for Microsoft, with 39 having a severity rating of 40 or greater, and 46 for Red Hat, with only three scoring over 40. So simply making claims based on that one metric (as Steve Ballmer did, again, earlier this week) is like judging a hospital's effectiveness in dealing with emergency cardiac care from its average speed in dealing with all patients.
As someone who works with Linux day in and day out, I can tell you that I see a number of security advisories for Linux. But when I say "for Linux," that includes the core OS and its many applications. One of the facts Microsoft would like to sweep under the rug is that your average Linux distribution includes far more software than Microsoft Windows. Download Fedora Core 2 or Debian GNU/Linux (just as examples), and you have access to the OS, development tools, Apache, PostgreSQL and MySQL, PHP, Perl, Samba, X.org and an array of desktop software that dwarfs the pitiful selection of software one gets with a stock install of Windows XP or Windows 2003 Server. When reading claims that Windows is more secure than Linux, I often wonder who might be convinced. It certainly isn't the desktop users who have been hit with one of the many viruses that infect Microsoft Windows or Microsoft Office. The system administrators who have to deal with the after-effects of a server-clogging, mail-borne piece of malware are also likely to be skeptical. The fact that several companies have grown fat and happy selling anti-virus products for Windows should also be a clue as to the inherent security of the platform. When Symantec, McAfee and other anti-virus vendors start going out of business (or switching to all-Linux product lines), then Ballmer's claims that Microsoft Windows is more secure might seem a bit more credible.