Despite this week's major batch of software patches, Microsoft has claimed that Windows is more secure than Linux. It's a claim that the company has made regularly for some years - and strangely enough, usually right after a major security issue of its own.
"Even with the relatively large number of bulletins we released this week, we compare favorably," Microsoft's chief security executive, Mike Nash, told Information Week. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
Just counting patches isn't enough, of course, says Nash (elsewhere, it has been pointed out that on this measure, Microsoft would be doing "better" if it left a hole unpatched). He goes on to claim that Microsoft is actually even further ahead than this measure might suggest, citing "progress" in things like security guidance and manageability.
Last year, Microsoft took a more sophisticated swipe at Linux security, when it persuaded Forrester Research to put its name to the so-called Days of Risk report, right after a major "security rethink", in which Microsoft changed its patch distribution process and bolted lots of security features onto its main products.
The Days of Risk report found that Windows holes were patched more quickly than those in Linux, since Microsoft holds source and distribution code, while Linux flaws must be fixed in the source and then distributed by different companies. "Microsoft took on average 25 days to release a patch; Red Hat and Debian 57, SUSE 74 and MandrakeSoft 82," said the report, which was the subject of arguments before its publication.
Pulling the mote from its brother's eye, to distract attention from the plank in its own, is a chronic behaviour pattern at Microsoft, which has had regular security blitzes for some time now, starting with the "war on hostile code" of 2001.
When Microsoft launched its Trustworthy Computing slogan in 2002, it told this reporter it was more secure than those open-source hippies. "We must lead a security initiative across the whole industry," Steve Adler, the Microsoft consultant pushing Trustworthy Computing in Europe, said (the interview is still sort-of online at ZDNet).
Back then, Microsoft had yet to take Linux seriously, so his examples of slack open source security were the Apache web server and the Kerberos transaction processing system - which, Adler claimed, had an undiscovered vulnerability for ten years.
The enemy was clearly the same as it is now though, and Microsoft was keen to label critics as bigots: "People who read Slashdot take things out of context," said Adler in 2003. "What do you do to change their opinions? You tell them the Earth is round, and they say it is flat."