OS security scorecard for Q1 08 - Do patch numbers mean anything to anyone?

Jeff Jones, director of security strategy for Microsoft, has published two papers this week which look at OS vulnerabilities. According to Jones, Windows sees fewer patches than any of the other operating systems looked at.

If you're in the mood for a read, here are the papers:

• Windows Vista vs Windows XP SP2 Vulnerability Report 2007
• Q1 2008 - Client OS Vulnerability Scorecard

Here are the charts that sum up the information:

Rather than get into a discussion about security or whether Microsoft fiddles the numbers by releasing stealth updates, let's look at this purely from an admin point of view. While those charts make the patch workload seem heavy, given that all the operating systems update it pretty much a fuss-free fashion, I really don't see the issue of patch numbers being that important any more. Sure, with each patch comes the chance that a spanner will be thrown in the works, this doesn't really happen all that often. In fact, the people I hear complain the most about patches are home users, and their complaints fall into one of three categories:

• The time it takes to patch a system
• The sluggishness of the system while patching is taking place
• The fact that many patches (Windows patches at any rate) require a reboot

I think you'll admit that these are minor quibbles compared to having the system compromised. 

Let the patches roll in!