…or at least according to Microsoft’s latest patch count!
I read this article, titled “Microsoft: Vista Least-Flawed OS” this morning. Microsoft counted the number of patches required to a variety of different operating systems, and claim that, because Vista required the least number of patches in its first year, it must be more secure than everything else out there.
This, of course, completely ignores the criticality and exploitability of the vulnerabilities in question, as pointed out by Rich Mogul in the above article.
Also, Microsoft have always been in the habit of counting every single bug that shows up in the GNU/Linux distros they’re using for comparison. This is pointless, as the distros contain thousands of packages, some of which are core requirements (like the kernel, shells, core utils etc.) and the rest are optional extras (eg. OpenOffice.org, XOrg etc.).
I use Debian Linux on my desktop, my laptop and a few servers. I use Debian Stable on the servers, and the number of security updates to these servers is quite low and infrequent. As well as this, in the recent past I can only recall one instance where an update required downtime to complete. I installed server specific packages, omitting a GUI and GUI applications for the servers, since they’re not required. On my desktop and laptop, I use the Gnome desktop environment, but KDE is also available as an option. I generally install OpenOffice.org as the office suite, but again, there are other packages provided to choose from for this. Basically, what I’m trying to illustrate is that Linux distros provide much more choice than Windows does, and include packages that Windows doesn’t (eg. office suite). Microsoft try to hold this against the distros by counting bugs identified in every single package, and not taking into account the number of affected users.
These security analyses that Microsoft do aren’t comparing like with like, and shouldn’t be considered as anything more than marketing fluff.