Vulnerability counts do matter

It happened again! I got into yet another argument…er…heated discussion over the security of Microsoft Windows versus some other operating system. Usually it starts with some reader's knee-jerk emotional reaction -- saying "Windows sucks!" or something like that.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

When faced with a knee-jerker (aka "jerk"), I often point out that it's easy for any OS to be insecure if the admin doesn't follow best practices, but it's just as simple for me to secure almost most any OS if I follow basic security practices.

Normally, my critics counter that remark by saying that because Windows has so many more vulnerabilities than the average competing OS, it's easier to secure those other OSes. Unless you're running OpenBSD, this statement is usually untrue. All of those other OSes end up with a fair amount of published vulnerabilities that need to be patched.

These days it's easy for me to point to vulnerability counts as a metric of Microsoft's better job at security. (My favorite site for vulnerability statistics is Secunia.com, and their Software Inspector scanner is a good source.) For instance, IIS 5 had 14 announced holes. IIS 6, released almost four years ago in March 2003, has had three known holes, none popularly exploited. Apache Web server, IIS's nearest competitor, has had more than 33 vulnerabilities in the same time period.

How about ASP.Net versus PHP? Not even close: ASP.Net has had seven exploits, none popularly used, whereas PHP has had dozens of bugs that led to worm and spam bot takeovers on hundreds of thousands of Web servers. If you're tired of spam in your inbox, tell your friendly PHP coder to learn more about security.

But Internet Explorer is Microsoft's real weak link, right? Well, yes it is. IE 6 had 16 exploits announced in 2006. Firefox 1.x was released in 2006 to prove that the open source community could make a secure browser -- it had 13 announced vulnerabilities. 

Thirteen vulnerabilities with just 5 to 10 percent of the market share? Is that the product that's supposed to show how secure open source coding gets done?

Well, then the core Windows OS is ultra-insecure, right? Let's look at the numbers: Windows XP Pro had 45 announced holes in 2006, Mac OS X only had 24. That means that OS X is at least twice as secure as Windows.

Well, not exactly. Many of the Mac announcements close dozens of security holes at once. One OS X announcement at Secunia closes 31 Mac holes and another 15. If I count each announced vulnerability separately, OS X ends up with more than 100 holes in 2006, far surpassing the individual hole count I could find in Windows XP Pro. And that doesn't include the exploit-a-day announcements Apple faced last month.