In this order

Sep 19, 2007 17:19 GMT

Outside of the race for the lion's share of the operating system market, the platforms from Microsoft, Apple and the various Linux distributions are also competing for position in a much more subjective ranking: the security standard each manages to deliver. As far as consumer perception goes, Linux and Mac OS X are products inherently associated with a high degree of security. The relative obscurity that comes with the small market shares of both Linux and Mac OS X, in combination with a nonexistent threat environment, gives the open source and the UNIX-based operating systems an aura of foolproof products.

In contrast, Microsoft's Windows is the underdog when it comes down to security. Windows is without a doubt the most attacked platform worldwide. This status is a reflection of the near monopoly Microsoft enjoys with Windows, and the only downside to its success. But this position has also trained Microsoft to react to and address security issues in a manner superior to that of Apple, Red Hat, Sun or HP. Security company Symantec presented this conclusion in its Internet Security Threat Report - Trends for January-June 07.

"Of the five operating systems tracked in the first six months of 2007 (image at the bottom of this article), Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications," Symantec revealed.

A window of exposure is the amount of time that passes between the moment when information related to a certain vulnerability is disclosed, and when the developer manages to issue a security patch to address the issue. You can clearly see from the graphic at the bottom that Microsoft's security model for delivering updates on a monthly basis allows for a superior patch development time compared to its competitors.

"Red Hat had the second shortest average patch development time in the first six months of 2007, with an average of 36 days for a sample set of 91 vulnerabilities. Of these, 90 affected third-party applications. The average patch development time is down from 49 days in the second half of 2006, which was based on 149 vulnerabilities, all of which affected third-party applications," Symantec added.

Of course, having the top average patch time is not an actual measure of security for Windows. It is representative of the amount of effort Microsoft is pouring into keeping users of its operating system safe, but it does not actually make Windows secure, or more secure than its direct rivals. Still, the large amounts of time Red Hat and Apple spent fixing vulnerabilities raise questions of how protected users will be in the eventuality of a real threat.

"Apple had the third shortest average patch development time in the first half of 2007; it was 43 days for a sample set of 59 vulnerabilities. Nine of those vulnerabilities affected third-party applications. This is a shorter average patch development time than the 49 days reported in the second half of 2006, which was based on a sample set of 32 vulnerabilities, including 12 that affected third-party applications," Symantec said.

To complete its analysis, Symantec also referenced Sun and HP. The former had an average patch development time of 110 days for 73 security flaws, while the latter took 112 days to resolve just 30 vulnerabilities.

Patch development time for operating systems