Microsoft's Windows operating system is more secure than Mac OS X, Linux and Sun Solaris, if you take into consideration the volume of patched vulnerabilities affecting each operating system in the first half of 2007. According to the Symantec Internet Security Threat Report - Trends for January-June 07, Microsoft patched a lower number of security flaws impacting its platform, compared to rivals Apple, Red Hat and Sun. While Symantec has played the vulnerabilities counting game, in the report it restrained from offering any real conclusions as to the security level inherent to the operating system. Still, judging exclusively by the patching process, Microsoft is the software maker that has had the least work in the first half of this year.
"In the first half of 2007, Symantec disclosed 38 vulnerabilities for Microsoft Windows that were patched. Fifteen affected Web browsers, 13 were client-side issues, eight were locally exploitable, and two affected servers. The 50 vulnerabilities patched by Microsoft during the second half of 2006 consisted of 15 browser issues, 20 client-side vulnerabilities, three issues that were local, and 12 that affected servers," Symantec stated in the report.

By comparison, Apple, Microsoft's main competitor on the operating system market, had to spend a tad more time than the Redmond company patching Mac OS X. "Of the 59 patched vulnerabilities that affected Apple Mac OS X in the first half of 2007, eight affected browsers, 21 were client-side vulnerabilities, 17 were local, 11 affected servers, and two vulnerabilities did not fit into any of these categories. During the last six months of 2006, Apple had one patched browser vulnerability, 18 client-side vulnerabilities, seven that were local, four in servers, and two that could not be categorized," Symantec revealed.

The Cupertino-based security company also focused on HP-UX, Red Hat Linux and Sun Solaris. HP's UNIX is the less patched platform in 2007. Additionally, HP managed to drastically reduce the number of vulnerabilities from the second half of 2006 to January-June 2007. But of course that security is without a doubt one of the main pillars of UNIX platforms and HP's solution makes no exception in this respect.

"There were 30 patched vulnerabilities disclosed during this period that affected HP-UX. Of these, 13 affected browsers, three were client-side, three were local, nine affected servers, and two could not be categorized. From a sample set of 70 patched vulnerabilities in the second half of 2006, 50 affected browsers, four were client-side issues, one was locally exploitable, 13 affected servers, and two fell outside of these categories," Symantec added.

Overall, Symantec reported that the vast majority of security flaws were client side vulnerabilities. Have a look at the graphic on the left in order to make an idea of the components affected. You must understand that the main characteristic of client-side flaws is the fact that they require user interaction. Without this aspect, an exploit cannot be successful.

"The set of patched vulnerabilities for Red Hat Linux during this reporting period consisted of 91 vulnerabilities. Eighteen of these issues affected browsers, 31 were client-side, 10 were local, and 13 affected servers. The remaining 19 were unclassifiable according to the criteria for this metric. Of the 149 Red Hat Linux vulnerabilities in the previous reporting period, 47 affected browsers, 53 were client-side issues, 22 were local, 12 affected servers, and 15 did not fit into any of these categories," reads an excerpt of the Symantec report.

The resource that the Cupertino-based security company put together is not a real measure of the security delivered by any of the operating systems mentioned above. It is however a clear indication of the work that each vendor has had to put into patching their respective products, with Microsoft and HP performing the least amount of effort.

"Of 73 patched vulnerabilities in Sun Solaris during the first six months of 2007, 41 affected browsers, nine were client-side issues, 11 were local, nine affected servers, and three could not be categorized. During the second half of 2006, 35 patched vulnerabilities were categorized. Of these, 25 affected browsers, one was a client-side vulnerability, four were local, and four affected servers. One vulnerability could not be categorized," Symanted concluded.