Microsoft has denied the existence of the so-called “Days of Risk” marketing campaign. The denial rings hollow, however, since the company admits that the “days of risk” research does exist and that Microsoft is already using it to argue that its products are more secure than their Linux equivalents. What appears to be missing is independent validation of the research: the first research firm Microsoft named has denied any involvement.
The research was carried out by Microsoft and, according to Microsoft executives presenting at the company’s IT Forum event in Copenhagen, is being “validated” by analysts. Microsoft staff say that Forrester Research is checking the research over; Forrester says this is “incredibly unlikely”.
“It is Forrester’s own independent study, based on our research,” said Bradley Tipp, Microsoft’s National Systems Engineer for the UK, who has been presenting sessions about open source software at IT Forum. “Open source systems are likely to be at risk for more days than Windows systems.”
“It is incredibly unlikely that we would be involved in anything like this,” said Clive Savage, Forrester’s European spokesman. “It would be too damaging for our independence.” Only two months ago, Forrester subsidiary Giga produced a widely discredited report commissioned by Microsoft, which purported to prove that the cost of ownership of Windows was less than that for open source systems.
The cost-of-ownership study was never intended as a public report; it was consultancy work commissioned by Microsoft and then misused, said Savage: “I truly doubt that Forrester would be in any way responsible for authoring research on behalf of Microsoft. Under our reiterated Integrity Policy, we would be very careful not to undertake this kind of engagement.”
Forrester’s published research on Microsoft and security is considerably more sceptical: “Today's approach to Windows security isn't working - and just exhorting firms to try harder isn't the answer,” said Forrester’s Laura Koetzle in a March report. “Instead, Microsoft must forge a new security partnership with both users and ISVs.”
Given that any reputable research organisation would take the same view, it looks as though Microsoft will have to assert the truth of its own ideas, standing on its own two feet. Those ideas hinge on the difference between free distributions of Linux and supported products from companies such as Red Hat and SUSE.
Business users will not be running free distributions but supported products, says Microsoft, and this may delay the arrival of patches. While patches are produced quickly for the Linux kernel, they are not released as supported patches for individual distributions for up to three months, said Tipp.
“Users at universities using a free distribution can pull down a patch and implement it the same day,” said Tony Poll, technical services manager for user groups in Europe. “If you have a supported version of the operating system, this may break the agreement you have with the software vendor.”
The actual patch issued by the open source vendor may be slightly different from the first open source patch, said Tipp, since the vendor would have to check it for compatibility with other patches it has issued.
The situation is made worse by the fact that many vulnerabilities are not exploited until a patch is issued, said Steven Adler, Microsoft’s senior security strategist for Europe. Because the open source patch cycle happens in the open, attackers have more days in which to exploit a vulnerability while distribution vendors work to make a supported patch available.
So, now that the precise argument is in the open, we await the Linux defence.