When I was working security, we had standards for fixing problems. Well, since we were a consumer, it was a standard of installing fixes from the vendor.

It was something like this:

    48 hours for high risk problems
    7 days for medium risk problems
    30 days for low risk problems

Under that form of evaluation, vendors should be judged by their percent of attainment. If a fix is delivered for a high risk problem in one day, that would be 25%. If the fix takes 14 days, that's 200%. My guess would be, since a much higher percentage of Windows' were "high", that scoring this way would make a big difference.

One also wonders if internetnews.com or the author were "paid off" in some way to use an evaluation scheme which makes MS look the best.

I would say that it does not matter if a vendor's numbers are skewed by 3rd party fixes (like somebody argued here). It doesn't matter if my computer is compromised, or it is an argument for getting software from an integrated vendor to avoid that problem. Now it might well be relevant to separate web servers, since a high security company will have their most critical data on servers that do not have a web interface.

I disagree with the internetnews statement:

    "But Symantec, no friend <http://www.internetnews.com/ent-news/article.php/3607456> of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors."

I believe it is a love-hate relationship. (1) Most of their product sales are for Windows. If fewer computers ran Windows, fewer would run Symantec, so they have a vested interest to make Windows look good enough that people will continue to use it. (2) It wouldn't surprise me if they made a killing from their lawsuit, again making Windows good for them. And (3) IMHO the Symantec report is not nearly as positive to Windows as the internetnews report.

I also didn't see anybody else suggest, as some anecdotal evidence in the past has substantiated, that for Windows most all "low" and many "medium" security problems are not reported as security issues, and are either not fixed, fixed just as a "driver update", or not until the next release. I can certainly see MS making such a policy decision in an effort to improve their numbers. In Linux this could not be done, since the source is visible and anybody could look and realize that the fix was correcting a security issue. If a Windows driver fixes it from crashing, who can say that the "crashing" wasn't caused by, say, a buffer overrun, which could be exploited once sufficiently explored?

Even if all problems were reported, isn't anybody concerned that maybe the important measure is the number of HIGH RISK exposures?

    Microsoft: 12
    Mac OSX: 1
    Red Hat: 2
    ---After this point, I had to go to the Symantec report directly---
    HPUX: 2
    Solaris: 1
    IE: 1
    Mozilla: 0
    Opera: 0
    Safari: 0

For browsers: Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera. I thought Firefox was a rewrite of Mozilla. Should that be "25 in Mozilla and 15 in Firefox" or maybe "30 in Mozilla and 20 in Firefox" if there is some overlap? Is every single exposure exactly matched in both browsers?

The Symantec report talks about 12 zero day vulnerabilities, but I could not find a breakdown by OS.

--
--Carey Tyler Schug

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
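The "percent of attainment" scoring proposed in the post above, worked through in code. This is an added illustration, not the poster's code or anything from the Symantec or internetnews reports: the tier deadlines (48 hours high, 7 days medium, 30 days low) come from the post, while the vendor names and fix times are constructed sample data chosen to show the effect the post predicts, namely that a vendor whose fixes are mostly in the "high" tier can look better on raw average fix time yet worse once each fix is scored against its own tier's deadline.

```python
"""Score vendor patch delivery as a percentage of the tier deadline.

Added example, not the poster's code. SLA tiers are the ones the post gives;
all fix records below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean

# Deadline per severity tier, in hours: 48 h / 7 d / 30 d (from the post).
SLA_HOURS = {"high": 48.0, "medium": 7 * 24.0, "low": 30 * 24.0}


@dataclass(frozen=True)
class Fix:
    vendor: str
    severity: str      # "high", "medium" or "low"
    hours_to_fix: float  # elapsed time from disclosure to vendor fix


def attainment_pct(fix: Fix) -> float:
    """Percent of the tier's deadline consumed.

    25% means the fix shipped in a quarter of the allowed time; 200% means it
    took twice as long as allowed. Anything over 100% missed the deadline.
    """
    return 100.0 * fix.hours_to_fix / SLA_HOURS[fix.severity]


def score_vendors(fixes):
    """Per-vendor summary: mean and worst attainment, and the share of fixes
    that blew their deadline. Returns {vendor: {...}}."""
    pcts_by_vendor = {}
    for fix in fixes:
        pcts_by_vendor.setdefault(fix.vendor, []).append(attainment_pct(fix))
    report = {}
    for vendor, pcts in pcts_by_vendor.items():
        report[vendor] = {
            "count": len(pcts),
            "mean_pct": round(mean(pcts), 1),
            "worst_pct": round(max(pcts), 1),
            "late_fraction": round(sum(p > 100.0 for p in pcts) / len(pcts), 2),
        }
    return report


def mean_hours_by_vendor(fixes):
    """The severity-blind measure: plain average hours to fix per vendor."""
    hours = {}
    for fix in fixes:
        hours.setdefault(fix.vendor, []).append(fix.hours_to_fix)
    return {v: round(mean(h), 1) for v, h in hours.items()}


def rank_by_attainment(fixes):
    """Vendors best-first under the post's scheme (lower mean attainment wins)."""
    report = score_vendors(fixes)
    return sorted(report, key=lambda v: report[v]["mean_pct"])


def rank_by_raw_hours(fixes):
    """Vendors best-first when severity is ignored (lower mean hours wins)."""
    hours = mean_hours_by_vendor(fixes)
    return sorted(hours, key=lambda v: hours[v])


# Constructed sample data (not real vendor figures).
SAMPLE_FIXES = [
    Fix("VendorA", "high", 72.0),     # 3 days against a 2-day deadline: 150%
    Fix("VendorA", "high", 72.0),     # 150%
    Fix("VendorA", "low", 48.0),      # 2 days against a 30-day deadline: 6.7%
    Fix("VendorB", "medium", 120.0),  # 5 days against a 7-day deadline: 71.4%
    Fix("VendorB", "low", 360.0),     # 15 days against a 30-day deadline: 50%
]

if __name__ == "__main__":
    for vendor, row in score_vendors(SAMPLE_FIXES).items():
        print(vendor, row)
    print("raw mean hours:", mean_hours_by_vendor(SAMPLE_FIXES))
    print("rank by raw hours:", rank_by_raw_hours(SAMPLE_FIXES))
    print("rank by attainment:", rank_by_attainment(SAMPLE_FIXES))
```

With this constructed data VendorA averages 64 hours per fix and VendorB 240, so a severity-blind comparison ranks VendorA first; scored against each tier's deadline VendorA sits at a 102.2% mean with two of three fixes late, while VendorB is at 60.7% with none late, and the ranking flips. The same mechanics apply to any set of disclosure-to-fix records, provided each record carries the severity tier it was judged under at the time.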
