Windows vs. Mac vs. Linux - Which is more secure?

Summary: Is Windows Vista really more secure than Mac and Linux platforms?


According to a report released by Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group, if you look at the number of publicly disclosed security vulnerabilities during the first 90 days of availability, Windows Vista turned out to be more secure than Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTS - Reduced Component Set, Novell SUSE Linux Enterprise Desktop 10.8, Novell SLED 10 - Reduced Component Set and Mac OS X v10.4.

Here's the graph that basically summarizes the report:

[Graph from the report: vulnerability counts per operating system over the first 90 days (image not reproduced)]

I've been through the report [PDF] and I can't see any kind of underhanded tweaking of the numbers to make Windows Vista come out as the most secure OS in the list.  I also can't see any tweaking that makes the other operating systems seem less favorable.  So I'm left with a couple of questions that need answering:

Question #1: Is Windows Vista really more secure than Mac and Linux platforms?

Question #2: If, despite reading the report, you're still convinced that a Mac or Linux platform is more secure than Windows Vista, how do you bend your "reality" around this report?


[Updated: June 22, 2007 @ 6.40 am] - Many of you seem to have misread what I wrote and think that I'm agreeing with the conclusions of the report.  Nowhere have I said that.  Don't shoot the messenger.

[Updated: June 22, 2007 @ 6.47 am] - Looks like we killed the TalkBack server.

Topics: Windows, Apple, Hardware, Linux, Microsoft, Open Source



  • Of course you didn't see the tweaks

    Simple questions:

    1) Microsoft admits that they find and secretly fix security bugs without ever disclosing them. Are these counted? Does Red Hat do the same?
    2) Did Microsoft include Apache in the RHEL set? Did it include IIS in the Microsoft set? Similarly for and MSOffice, etc.
    3) Microsoft often takes months to acknowledge publicly-disclosed bugs (including so-called "zero-day" bugs which are discovered by finding exploits in the wild.) Are the "days of vulnerability" counted from MS' public disclosure or the original one?

    In general, if you're looking for a "tweak" in plain sight it's best to consider the terms and definitions.
    Yagotta B. Kidding
    • What's wrong with that?

      "Microsoft admits that they find and secretly fix security bugs without ever disclosing them."

      Companies have been doing that for years.
      Adrian Kingsley-Hughes
      • What's wrong with it?

        It's deceptive as we can't rely on the numbers. We know Microsoft's vulnerability count is more than they've publicly announced. Therefore what they've provided in this report is known to be inaccurate in favor of Microsoft. It's dishonest plain and simple.
        • What's deceptive ...?

          The report clearly says publicly disclosed vulnerabilities?
          Adrian Kingsley-Hughes
• Adrian, thanks to Ryan Naraine we all know better now.

            I'm Ye, the MS SHILL.
          • The argument is flawed ...

            The argument is flawed.

            "On the other hand, white hat hackers warn that silent fixes is a dangerous practice because exploit writers already have the tools to reverse-engineer a Microsoft patch to find all the silently fixed issues."

So what. Apply the patches and you're patched. Whether the vulnerability is spelled out or has to be reverse engineered, the issue only affects those who don't apply the patch. Is the point you are clumsily trying to make that if all highly critical vulnerabilities for Vista were made public, it would look worse than, say, SUSE, Ubuntu or Mac OS?
            Adrian Kingsley-Hughes
• If they're silent

            Then you don't know they're there, or what they patch, or what the effects might be. It's more than hard to judge how something you don't know is there is going to affect your systems. Also, for very good reasons not everyone follows "patch Tuesday" cycles, and unless they see a pressing need for patching they will postpone the day. Fun times if you're getting hammered by a flaw that you didn't even know was patched because it wasn't reported.

            Please note, hackers very often just take the patch tuesday thing and kind of reverse engineer to see what it did to what programs and work from there, comparing what was announced and what wasn't. It gives them a greater surface of attack.
          • it does indeed,

            But it is unfair towards those that disclose all vulnerabilities because of their open nature....

            That's the problem with it. What I miss is an appendix with all the vulnerabilities which should accompany such a report, how else can we assess his count....
          • It's deceptive because it doesn't tell the whole story.

            It under reports the number of vulnerabilities for their product.
          • So what?

It's the same everywhere: one group of people wants to appear superior to another group. It can be said of Microsoft, Apple, Linux, you name it. Everyone lies or

            Here's my favorite tall tale from the Linux camp: "[i]Use Linux and gain total control of your computer![/i]" What's your favorite?
          • If everyone jumped off a cliff would you?

          • Plain sight

            [i]The report clearly says publicly disclosed vulnerabilities?[/i]

            And if I tell you that a pickup truck is faster around Laguna Seca than a Maserati, will you believe me?

            It's all in how you set up the comparison.
            Yagotta B. Kidding
          • DECEPTIVE?

OK, maybe not deceptive. It is simply a matter of unknown origin of data. It is thus not necessarily trustworthy. For example, it appears that the "days of vulnerability" are counted from the day that Microsoft first admitted it to exist. So many of us question how long they knew about it before that admission. How many days, then, were not counted?

            The same might also be questioned about Linux. However, the community's long history of airing all its laundry in public tends to lessen the impact of such a question.
      • Not "wrong" exactly

        [i]Companies have been doing that for years.[/i]

        Yes, and their customers have been getting burned by it.

        However, the point is that it's a way of putting your thumb on your scales: it's an apples-and-oranges comparison.
        Yagotta B. Kidding
    • Oh, and one more

4) Do "haven't been patched at all yet" count as days since disclosure, or are they just not counted?
      Yagotta B. Kidding
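The four questions above (silent fixes, which components go into each set, whose disclosure date starts the clock, and how still-unpatched bugs are treated) each move the score. As an added illustration, not code from the post, the report or any vendor, the Python below scores the constructed vulnerability records of two hypothetical vendors (A and B) under a vendor-friendly rule set and a strict one; the 90-day window, the field names and the rule names are assumptions of this example. Question 2 (component sets) is simply which records you choose to put in each list.

```python
"""How the counting rules set the score.

Added example for the questions raised in the thread above; it is not code
from the post, the report or any vendor. The vulnerability records are
CONSTRUCTED for two hypothetical vendors (A and B); the window end, the
field names and the rule names are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed end of the 90-day availability window for both vendors.
WINDOW_END = date(2007, 3, 31)


@dataclass(frozen=True)
class Vuln:
    vid: str
    first_public: date           # first public disclosure by anyone (list post, exploit in the wild)
    vendor_ack: Optional[date]   # vendor's own advisory date; None = fixed silently, never acknowledged
    fixed: Optional[date]        # patch date; None = still unpatched at WINDOW_END


# Constructed sample records, not real vendor data.
VENDOR_A: List[Vuln] = [
    Vuln("A-1", date(2007, 1, 10), date(2007, 2, 5), date(2007, 2, 13)),  # acknowledged 26 days after disclosure
    Vuln("A-2", date(2007, 1, 20), None,             date(2007, 2, 13)),  # silently fixed by the same patch
    Vuln("A-3", date(2007, 3, 1),  date(2007, 3, 1), None),               # acknowledged, still unpatched
]
VENDOR_B: List[Vuln] = [
    Vuln("B-1", date(2007, 1, 5),  date(2007, 1, 5),  date(2007, 1, 7)),
    Vuln("B-2", date(2007, 1, 15), date(2007, 1, 15), date(2007, 1, 20)),
    Vuln("B-3", date(2007, 2, 10), date(2007, 2, 10), date(2007, 2, 12)),
    Vuln("B-4", date(2007, 3, 20), date(2007, 3, 20), date(2007, 3, 25)),
]


def disclosed_count(vulns: List[Vuln], include_silent: bool) -> int:
    """Question 1: does a silently fixed bug count as a disclosed vulnerability?"""
    return sum(1 for v in vulns if include_silent or v.vendor_ack is not None)


def days_of_risk(v: Vuln, clock: str, unpatched: str,
                 window_end: date = WINDOW_END) -> Optional[int]:
    """Days one bug was publicly known but unfixed; None means the bug drops out of the total.

    clock:     "vendor"   -> clock starts at the vendor's own acknowledgement
               "original" -> clock starts at the first public disclosure (question 3)
    unpatched: "exclude"        -> a still-unpatched bug contributes nothing (question 4)
               "to_window_end"  -> count it up to window_end
    """
    if clock not in ("vendor", "original"):
        raise ValueError(f"unknown clock rule: {clock!r}")
    if unpatched not in ("exclude", "to_window_end"):
        raise ValueError(f"unknown unpatched rule: {unpatched!r}")

    start = v.vendor_ack if clock == "vendor" else v.first_public
    if start is None:
        return None  # never acknowledged: invisible under the vendor clock
    end = v.fixed
    if end is None:
        if unpatched == "exclude":
            return None
        end = window_end
    return (end - start).days


def total_days_of_risk(vulns: List[Vuln], clock: str, unpatched: str,
                       window_end: date = WINDOW_END) -> int:
    total = 0
    for v in vulns:
        d = days_of_risk(v, clock, unpatched, window_end)
        if d is not None:
            total += d
    return total


def scoreboard(vendors: Dict[str, List[Vuln]]) -> Dict[str, Dict[str, int]]:
    """Same records, two rule sets: the vendor-friendly one and the strict one."""
    out: Dict[str, Dict[str, int]] = {}
    for name, vulns in vendors.items():
        out[name] = {
            "count_public_only": disclosed_count(vulns, include_silent=False),
            "count_with_silent": disclosed_count(vulns, include_silent=True),
            "dor_vendor_clock_excl_unpatched": total_days_of_risk(vulns, "vendor", "exclude"),
            "dor_original_clock_to_window_end": total_days_of_risk(vulns, "original", "to_window_end"),
        }
    return out


if __name__ == "__main__":
    for vendor, scores in scoreboard({"A": VENDOR_A, "B": VENDOR_B}).items():
        print(vendor, scores)
```

With these constructed records, vendor A totals 8 days of risk under the vendor-clock, exclude-unpatched rules against B's 14, and 88 against B's 14 once the clock starts at first public disclosure and the unpatched bug is counted to the end of the window. Neither ordering is the "true" one; the point is that the rule set, not the software, decides which vendor comes out ahead, which is why the terms and definitions deserve the first look.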
  • Reality distortion field in action

    The field is strong today when the best you come up with is ad hominem arguments. Well, I dismiss your reality and replace it with my own.
    Adrian Kingsley-Hughes
    • Today? This is his standard MO.

      "The field is strong today when the best you come up with is ad hominem arguments."
• Ye, you know as well as I do that this report is deceiving.

        He could have come up with a better story for this weekend, but noo, he chose this one for a flame war. Adrian, I'm not buying that bogus report, especially if Microsoft is behind it.
        I'm Ye, the MS SHILL.
        • OK ...

Tell me, why is it bogus? Saying it or wishing it was doesn't make it bogus.
          Adrian Kingsley-Hughes