Fewer patches != safer OS

Does one OS having fewer security patches than another operating system mean that the OS with the fewer patches is the safest OS? You know, I'm not sold on that concept.

Sure, patch numbers make good talking points, but any conclusions drawn from them are shaky at best.

As we near the first anniversary of the consumer launch of Windows Vista we'll be seeing pundits all over the media taking a look back at Vista's first year. One aspect of Vista that some will undoubtedly be looking at is patches and how many have been issued for Vista (in fact, my blogging colleague Ed Bott's already done this). Many will interpret the fact that XP has had more patches rated critical and important than Vista as an indication that Vista is safer than XP (in fact, this is the conclusion that Ed himself came to).

In the same way that I don't automatically believe that more patches means an insecure OS, I'm equally not convinced that fewer patches are an indication of a secure OS. That's far too simplistic, because each patched vulnerability ends up only being a problem for those who've not applied the appropriate patches. Like roadside punctures, how many you've had in the last few months says little about your chances of getting the next puncture (unless you spend all your time driving over stingers). The number of patched vulnerabilities says nothing about how many are left. Because it's difficult (if not close to impossible) to come up with a sensible metric for security, this void is filled with meaningless metrics. Sure, patch numbers make good talking points, but any conclusions drawn from them are shaky at best.

What, if anything, the past year has shown us is that yes, just like XP before it, Vista also contains critical bugs (swap Tiger and Leopard for XP and Vista in that previous sentence if that makes you feel better). If we'd had a situation where, a year on, there had been no critical/important bugs discovered, that might have made me sit up and pay attention, but even that wouldn't make me drop my guard.

Another thing about vulnerabilities is that they either affect you or they don't. As a rule, most pass you by unnoticed. You apply the patch and get on with life. If you're hit by a vulnerability, then it's time to stop relying solely on vendor patches, take some proactive steps and install third-party protection (love them or hate them, security firms plug security holes pretty quickly these days).

Any time you see someone going to the bother of counting patches, take time to remind yourself of that old adage popularized by Mark Twain - lies, damned lies, and statistics.

Thoughts?