Symantec’s 11th Internet Security Threat Report, released this week, discusses security and vulnerability issues from the last six months of 2006, and according to Enterprise IT Planet, “Microsoft Windows had the fewest number of patches and the shortest average patch development time … Red Hat Linux ranks second, OS X third, and Solaris dead last.”
This comes on the heels of this post by Microsoft strategy director for security technology, Jeff Jones, which shows Vista doing substantially better in its first three months than any other OS.
Don’t buy the hype.
Of the three months that Jeff Jones is comparing, Windows Vista has only been publicly available for one month — the first two months are the time it was available only on enterprise MSDN subscriptions. Although I was running it during that time, the scarcity of drivers and software that worked in Vista during that pre-public release made it very clear that this was not really a “launched” OS.
But back to the new report from Symantec — presumably no friend of Microsoft’s, and with a vested interest in making Windows sound frighteningly vulnerable. The new report ranks Microsoft first in their security chart, and that’s what the Enterprise IT article is touting.
However, despite having the “fewest number of patches and the shortest average patch development time” — patching vulnerabilities on average in three weeks — Microsoft Windows had 12 severe or high-priority vulnerabilities out of 39 total. Basically, 1/3 of the vulnerabilities discovered in Windows were considered high priority — even though on average Symantec only rated four percent of all vulnerabilities as high priority.
Although Mac OS X was ranked third according to the article, it had only 3 more vulnerabilities than Windows, and although on average they took nearly three times as long to respond, perhaps they can afford to take their time, since OS X had only one high-priority vulnerability. Red Hat — which they ranked second based on their response time — had a whopping 208 vulnerabilities, but it still only had 2 that were considered high severity. All in all, it’s hard to justify ranking by patch time.
More interestingly…
To me, the most interesting thing in the report wasn’t mentioned in the article linked above: the United States not only has the highest number of bot command-and-control computers (40% of the worldwide total) but also accounted for more malicious activity than any other country (nearly 1/3 of all tracked activity), more spam email hosts, and more phishing hosts… in second place, China only accounted for 1/3 as much “malicious activity” as the US. Forget your notion that hackers are Eastern European malcontents: the United States accounts for 19 percent of the world’s Internet users, and 30% of malicious activity.
Another interesting point: worms are down from 75 to only 52 percent of the volume of malicious code … replaced by Trojans, which are up from 23 to 45% of the top malicious code threats. When it comes to actual infections, Trojans measure 60% while traditional “viruses” account for only 5% of all infections!
By the way, at what point do other countries start accusing the US of being a hotbed of international computer crime and demanding that we crack down on this stuff?