Windows v Linux - Days of risk in 2006

Microsoft's Jeff Jones has released his "days of risk" comparison of security vulnerabilities fixed in the major workstation operating systems in an attempt to prove his controversial argument that Windows users are arguably safer than those using Linux, Mac OS X or Solaris.

I recently wrote about Jones' presentation at this year's TechEd conference, where he discussed the metrics and techniques used to keep track of OS vulnerabilities and offered an early glimpse at his ongoing 2007 report card.

On his CSO blog, Jones is providing more data, including this chart showing the average days-of-risk in 2006.

"We see in this first chart of the average Days-of-Risk that during 2006, Microsoft provided fixes for publicly disclosed vulnerabilities the quickest on average at about 29 days and Sun came in at the far end with the highest average DoR," Jones writes.

He has not yet released the promised data for the patch count during the first six months of commercial availability of each operating system. These numbers, Jones argues, will show Windows Vista has the best security profile when compared with the major Linux distributions.

Topics: Linux, Open Source, Operating Systems, Windows


  • So Microsoft's Jeff Jones really said that? Really?

    After all, it is Jeff Jones' job to say that Microsoft products are the best, most secure, and have the lowest total cost of ownership of any available in the market. That is precisely what Microsoft pays him to do. I can't fault him for doing his job.
    • Never fault anyone for lack of integrity

      When it comes to some people, their job, integrity, morality and dignity never enter into the picture, just ask the President as he's still wandering around Iraq looking for weapons of mass destruction. Too bad they only found oil!
  • Ordinarily I'd let this one go

    ...but today for some reason I just can't. What the heck are you doing even posting this? Mr. Jones works for MS. Hello.... extreme conflict of interest for $1000, Alex?

    Even if his numbers (and implications) were 100% accurate, there's no way I could take this seriously.
    • Why not?

      I do not mean this as a flame or insult, but if the numbers, in your words, were 100% accurate, why would you not take the results seriously?
      Hallowed are the Ori
      • the numbers may be accurate

        but if they only use the numbers they want to use, why would you take them seriously?
      • Um Because he works for Microsoft?

        An employee for a corporation's first job is to SELL, no matter what their job title is.
      • Numbers are misleading.

        When you cherry-pick the numbers (use only the ones that support your agenda), the numbers can in fact be 100% accurate, but mean nothing. It's the old "4 out of 5 dentists" thing all over again. 9 out of 10 Windows users recommend you buy Windows, because it's all they know. A few years back, I did an informal survey. Outside CompUSA I asked 50 people (over the course of two weeks) what OS they used. Here are my results.
        Eight said they used Mac OS X (16%)
        Four said they used Windows XP Pro (08%)
        Seven said they had XP Home (14%)
        Ten said they had Windows* (20%)
        Fifteen said their OS was AOL (30%)
        Six had absolutely no clue (12%)
        * but didn't know what version

        The overwhelming majority (62%) didn't have a clue as to which OS they were actually using. Now if I repeated this exercise at a different location (say Best Buy, or an Apple store) the numbers would be different. It's all about how you set the parameters. Some people will take the numbers and proclaim them to be absolute, which is what Microsoft's Jeff Jones is doing. This is why the numbers are flawed. He is either incompetent or misleading. Either way, his opinion is nothing more than a PR bulletin.
        • Numbers aren't misleading - users are :-)

          Two small points:
          1. It isn't the numbers that mislead, it is the "creative" uses to which they are put.
          The best protection a reader can have is know the SOURCE of the data and infer reality from there.
          It's wonderful that so many "presentations"/articles are so easy to check the origins for, out in the Cyberbog.
          There is no such animal as an objective person. Only hungry tigers are objective.

          2. The point in an earlier post about spelling: it was always a good indicator of scholarship, but today, the teachers are barely literate and the "dumbing down" process is very effective.
          "Who needs to read anyway and who cares about language today?" Seems to be official policy.
          I know a great young programmer, who I thought was dyslexic - but he just can't read or spell. I correct his complex code for him - just the English!

          Reading/spelling is now more important than ever before as mistakes can have much greater consequences today than ever before.
      • Numbers?

        There is an old saying that has been around since the beginning of statistical studies. Figures don't lie, but liars can figure.
    • I'm a clown

      I take it seriously
  • I thought I would share...

    I posted this in another discussion thread, and got blasted for it. So before reading this article please keep in mind that it is taken from the normal user's standpoint, and the OS has not had any third party security software installed. A Mr. Grimes posts an interesting discussion in the threads on this page. Keep in mind that he works for MS and has a strong opinion. I am not the bringer of bad news, just referring to it.
    • Not really sure what to make of that

      Mr. Grimes has some very valid points. I think the article is discussing the underlying OS, and whether it is more secure. The security measures put in place on Vista make it a more secure OS than XP, but the article ignores some of those. Most notably the UAC. It seems to me that if a user chooses to allow a program to install, there's not a whole lot that can be done to stop them. No matter what OS you're using.

      Bottom line is Windows is constantly being targeted by the hackers. No one should ever run a Windows box without additional security software and/or hardware. For now, Apple and Linux have enjoyed some anonymity in that respect but my guess is that will change before long.
      • Anonymity

        Probably as soon as a lot of people who are using "AOL" as an operating system and a lot of those who have no idea what an OS is are using Mac OS or Linux, there'll be serious hacker attention.

        For now, there remains the user-competence barrier.
    • Roger A. Grimes is right for Vista's and WS Longhorn's Security.

      Sorry, I don't buy that from the likes of Mario Morejon. :(
      Grayson Peddie
  • I'd question that "28.9" number

    Frankly, many holes have been left open for years and/or have had to wait 2+ months for a fix. Were they included in the numbers?

    And frankly, holes should be fixed within a week, not within a month. A month or longer is way too long.

    These numbers demonstrate how badly "responsible disclosure" really works.
    • I am going...

      to cut MS some slack. The whole thing about holes being repaired within a week may not be possible. I argue MS's biggest problem is the OS design. I think it would do them well to scrap, and start over, the way Apple did. Yes, Apple may not have written the OS from scratch, but who cares. Yes, there will be some unhappy people, but I would rather there be some than continue with this useless patching system. The way virtualization is coming along, they could run all their OSes as virtual OSes for those who either cannot or will not make the move.
      • They already did

        scrap it all and start over. What is more, they largely succeeded! The problem is, they did not DEFAULT the increased security features to ON - and far too many people know nothing of their existence, let alone how to use them. They underestimated the scope of the problem (as did nearly everyone) - and are now paying the price.

        Now - what they have to do is figure out how to enable the security without confusing the kind of people who think that MS Word or AOL is the OS....
      • too much cash

        to be made from putting out crap.

        A friend's ACER laptop (bought this year) has a standard XP FAT32 file system as default. It lasted two weeks before it went belly up.

        ACER told us the warranty expired a year from the day it left the factory (Jan 2006). It was purchased less than a month ago from Officeworks (May 07).

        As you can see, as is most usual, big corporations care little about anything other than making money.
  • (nt) Using one metric to evaluate anything is idiotic

  • Seems to be apples to oranges

    I looked at the list of vulnerabilities for RedHat Enterprise v5; it includes PostgreSQL, MySQL, Gnome, KDE and other bugs. I'm just speaking from experience, but it's pretty easy to uninstall any of these that you aren't using. The number of defects in uninstalled software is always zero.

    I looked at the list for Windows Server 2003, I only saw issues for Windows and essential components, like IE that you have to install. So, with Linux I can remove even the GUI and with Windows I have to have the code for IE on my server.

    In contrast with the RedHat reports, the Windows vulnerability reports seem to include the server but exclude the services. You are the journalist, do you care to investigate? This isn't exactly new, Microsoft always includes as little as possible in their lists of vulnerabilities and always finds a way to include the list of vulnerabilities for all software in a Linux distro. I'm getting tired of journalists that get info from PR statements and who don't bother to investigate.
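The two objections raised in this thread (whether long-open holes were counted at all, and whether the two vendors' lists cover the same set of components) are both about how an average days-of-risk figure is assembled. The following Python is an added example, written for this page; it is not Jones' methodology, his data, or anything from ZDNet. Every vulnerability record, date and component name in it is a constructed placeholder. It computes days-of-risk per flaw, then shows how the headline mean moves depending on two choices a report can make silently: whether flaws still unfixed at the reporting cutoff are dropped or carried as a lower bound, and whether the count is restricted to components that are actually installed.

```python
"""Days-of-risk (DoR) arithmetic on a constructed advisory set.

Added example for this page; not code or data from Jones' report or
from ZDNet. All identifiers, components and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder id, not a real advisory number
    component: str          # package the flaw lives in
    disclosed: date         # date the flaw became public
    fixed: Optional[date]   # vendor fix date; None = still open at the cutoff


# Constructed sample records (not real vulnerabilities).
SAMPLE: List[Vuln] = [
    Vuln("VULN-A", "kernel",  date(2006, 1, 10), date(2006, 2, 9)),   # 30 days
    Vuln("VULN-B", "browser", date(2006, 3, 1),  date(2006, 3, 15)),  # 14 days
    Vuln("VULN-C", "mysql",   date(2006, 4, 5),  date(2006, 4, 12)),  #  7 days
    Vuln("VULN-D", "kde",     date(2006, 5, 20), date(2006, 7, 19)),  # 60 days
    Vuln("VULN-E", "kernel",  date(2006, 6, 1),  None),               # open at cutoff
]
CUTOFF = date(2006, 12, 31)   # end of the constructed reporting window


def days_of_risk(v: Vuln, as_of: date) -> int:
    """Days the public knew about the flaw before a fix shipped.

    For a flaw with no fix this is a lower bound: the clock is still
    running at the cutoff, so the true value can only be larger.
    """
    end = v.fixed if v.fixed is not None else as_of
    return (end - v.disclosed).days


def in_scope(records: Iterable[Vuln], installed: Optional[Set[str]] = None) -> List[Vuln]:
    """Keep only flaws in components that are actually installed.

    installed=None means "count everything the distribution ships",
    which is the scope the thread says is applied to Linux lists.
    """
    return [v for v in records if installed is None or v.component in installed]


def dor_summary(records: Iterable[Vuln], as_of: date,
                installed: Optional[Set[str]] = None,
                include_unfixed: bool = False) -> Dict[str, object]:
    """Summarise DoR; the two keyword flags are the knobs that move the mean."""
    scoped = in_scope(records, installed)
    if include_unfixed:
        counted = scoped                      # open flaws carried as a lower bound
    else:
        counted = [v for v in scoped if v.fixed is not None]   # open flaws silently dropped
    values = [days_of_risk(v, as_of) for v in counted]
    return {
        "counted": len(counted),
        "dropped_unfixed": 0 if include_unfixed else sum(1 for v in scoped if v.fixed is None),
        "mean": mean(values) if values else None,
        "median": median(values) if values else None,   # less sensitive to one long-open flaw
        "max": max(values) if values else None,
    }


if __name__ == "__main__":
    print("fixed only, all components:   ", dor_summary(SAMPLE, CUTOFF))
    print("open flaws as lower bound:    ", dor_summary(SAMPLE, CUTOFF, include_unfixed=True))
    print("installed components only:    ", dor_summary(SAMPLE, CUTOFF, installed={"kernel", "browser"}))
```

On the constructed data the fixed-only mean is 27.75 days with one open flaw quietly dropped; carrying that flaw at its lower bound of 213 days moves the mean to 64.8 and the median from 22 to 30. Restricting to installed components gives a third figure again. None of the three is wrong; a report is only comparable when it states which of these choices it made for each vendor.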