Symantec: Windows flaws more severe

Although Windows required fewer patches in the second half of 2006, the vulnerabilities were more critical, according to the security vendor

Windows required fewer patches and had faster patch turnaround times than the other large vendors in the report, yet the flaws in Microsoft software were still the most severe, according to Symantec.

In its comprehensive Internet Security Threat Report Volume XI, which covers the period from July to December 2006, Symantec said that out of 39 Microsoft vulnerabilities disclosed during this period, 12 were of high severity, 20 were of medium severity, and seven were less severe.

By comparison, although Red Hat Linux had 208 disclosed vulnerabilities during the second half of 2006, only two were considered high severity, while 130 were medium severity and 76 low.

Apple fared better than Red Hat on both counts. Out of 43 vulnerabilities reported in Mac OS X, one was considered high severity, 31 were medium severity and 11 were low.

Despite having the greatest number of serious flaws, Microsoft had the fastest patch turnaround times overall. Windows had an average patch development time of 21 days, based on the sample set of 39 patched vulnerabilities. Red Hat Linux had the second shortest average patch development time at 58 days, while Apple came third at 66 days.

Symantec suggested that Microsoft was under pressure to develop patches more quickly because Windows had the most vulnerabilities with associated exploit code and exploit activity in the wild.

"The risk of exploitation in the wild is a major driving force in the development of patches," the Internet Security Threat Report stated. "As with previous periods, Microsoft Windows was the operating system that had the most vulnerabilities with associated exploit code and exploit activity in the wild. This may have pressured Microsoft to develop and issue patches more quickly than other vendors. Another pressure that may have influenced Microsoft's relatively short patch development time is the development of unofficial patches by third parties in response to high-profile vulnerabilities," the report continued.

One such third-party patch for Windows in the second half of 2006 was released in October by the Zero-day Emergency Response Team (ZERT), for a flaw affecting Windows 2000, Windows XP and Windows Server 2003.