Symantec: Windows flaws more severe

Summary: Although Windows required fewer patches in the second half of 2006, the vulnerabilities were more critical, according to the security vendor


Windows requires fewer patches and has faster patch turnaround times than some other large vendors, yet Microsoft software flaws are still more severe, according to Symantec.

In its comprehensive Internet Security Threat Report Volume XI, which covers the period from July to December 2006, Symantec said that out of 39 Microsoft vulnerabilities disclosed during this period, 12 were of high severity, 20 were of medium severity, and seven were less severe.

By comparison, although Red Hat Linux had 208 disclosed vulnerabilities during the second half of 2006, only two were considered high severity, while 130 were medium severity and 76 low.

Apple fared better than Red Hat. Out of 43 vulnerabilities reported in Mac OS X, one was considered high severity, 31 were medium severity and 11 were low.

Despite having the greatest number of serious flaws, Microsoft had the fastest patch turnaround times overall. Windows had an average patch development time of 21 days, based on the sample set of 39 patched vulnerabilities. Red Hat Linux had the second shortest average patch development time with 58 days, while Apple came third at 66 days.

Symantec said that Microsoft had to develop patches more quickly because it had the most vulnerabilities with associated exploit code.

"The risk of exploitation in the wild is a major driving force in the development of patches," stated the Internet Security Threat Report. "As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third parties in response to high-profile vulnerabilities," the Internet Security Threat Report continued.

Third-party patches for Windows in the second half of 2006 included one developed in October by the Zero-day Emergency Response Team (ZERT) for a flaw affecting Windows 2000, Windows XP and Windows Server 2003.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

1 comment
  • zombies

    Until there's a significant and permanent drop in zombied or otherwise compromised systems in the world I know what my conclusion is of the security of this or that.

    It's been only, what, 10 years now or so to make that happen but quite the opposite seems to have been reached, year in, year out.

    The only thing sure for now is that systems get slower and slower until the latest 'most secure ever' version is released and then the circle repeats again.
    arthur-b9