A Microsoft executive claims that Windows users faced fewer days of security risk last year than users of other operating systems, because the company ships patches more quickly than rivals Apple, Novell, Red Hat and Sun.
The findings, from Jeff Jones, strategy director at Microsoft's security technology unit, are the latest version of a long-standing Microsoft criticism of open source and other operating systems. This time round, the data seems to be more complete, and Jones has backing from Symantec.
Jones posted findings in his blog that show Microsoft released patches for vulnerabilities in Windows faster than its four competitors did for flaws in their software. Microsoft's last monthly "Patch Tuesday" was on June 12, when it claimed to have fixed 15 vulnerabilities. A Symantec executive acknowledged the accuracy of Jones' data.
In two entries on his blog, Jones laid out his analysis of "days of risk", a term Microsoft has used in marketing campaigns against Linux since at least 2003, when it called in Forrester Research. Forrester eventually produced a report in 2004 backing the company's claim that it patched more quickly than its rivals. "Days of risk" describes the time from when a vulnerability is announced to when the vendor releases a fix. Another Microsoft-sponsored report found Windows to be more secure than Linux in 2005.
In this latest version of the campaign, Jones' calculations found that Windows boasted an average days-of-risk last year of just under 29 days, compared to Mac OS X's 46 days, SuSE Linux Enterprise's 74, Red Hat Enterprise Linux's 107 and Sun Solaris' 168.
That puts Microsoft 159 percent faster than Apple in preparing and distributing patches, 255 percent faster than Novell and 579 percent faster than Sun.
When Jones focused on specific operating system clients, such as Windows XP SP2, Mac OS X 10.4, Red Hat Enterprise Linux 4 Workstation and SuSE Linux Enterprise Desktop 9, Microsoft still took first place although the race was tighter.
Windows XP was patched after an average of 53.3 days of risk, just 1.6 percent faster than Apple's Tiger at 54.2 days of risk. SuSE and Red Hat came in third and fourth, with 56.2 and 70.5 days, respectively.
Alfred Huger, vice president of engineering at Symantec's security response group, said Jones' numbers looked reasonable: "Our latest ISTRs (Internet security threat reports) had more or less the same." In its most recent report, Symantec pegged Windows' average days of risk for the last six months of 2006 at 21 days, Red Hat's at 58, Mac OS X's at 66, and Sun's at 122.
But some readers of Jones' postings had questions. One asked where the data was, and others wanted to know how many vulnerabilities were included in each count. Jones responded to the latter, saying that in 2006 Windows XP was patched for 90 bugs, Mac OS X for 129, SuSE for 232 and Red Hat for 301.