I saw this post from Jeff Jones over at Microsoft today. He mentions that Red Hat Enterprise Linux 4 recently patched their 1000th vulnerability, and provides a quote from Truth Happens(direct link to post), which is a Red Hat blog. I suggest you at least read Jeff’s post, since he quotes the relevant point of the Truth article.

I read both of these blogs, and I’m frankly disgusted by the way both sides are treating the data. I understand that statistics are often more useful for what they hide, than what they show. In this case, the 2 competing ideas seem to be: “We fix more bugs, which means we’re working harder to protect you”, vs. “we fix fewer bugs because we have fewer bugs, so we’re working harder to protect you”. I think both of these arguments are invalid, so I hope both sides see this and pay attention.

  1. Jeff Jones: Jeff does a very interesting quarterly (or so) patch report – what OS’s have had the most patches applied in “xx” time frame (past quarter, past year, etc.). I get a lot of out this report, and he does very good trending. Find them on his blog and read them.To that end, he does a very good job selling Microsoft as a security company. By purely counting “number of patches submitted”, Microsoft will automatically look better, simply because “Windows (XP and 2003 combined)” has fewer features than “Red Hat Enterprise Linux” or “SUSE Enterprise Linux” or “Ubuntu Desktop Edition”.Jeff makes a point that Microsoft has only released patches for 649 security vulnerabilities across all Microsoft products in 7 years, but…What Windows does have that the GNU/Linux variants don’t have: .NET Framework, which is a HUGE project, but when it’s updated, you get a single update, so it counts as “1″ in Jeff’s analysis. Also, Microsoft doesn’t have conflicting software product lines – they have the Office team which has swallowed the “Works” team, but there are at least 3 “Office” suites in any GNU/Linux distro (OOo, koffice for KDE, and the suite including ABIWord for gnome).

    Then we can discuss kernels – when there is a driver update for a 3rd party product (Intel i810/845/945 motherboard, for example), it’s a module in the kernel, which requires an updated kernel package from the GNU/Linux distributors, but when there’s a driver update for a 3rd party application, Microsoft doesn’t even have to count it, since it’s “3rd party.” And on the subject of kernels, I don’t recall ever seeing an actual “kernel” update for Windows that wasn’t included in a service pack, or a box on a shelf.

  2. Truth Happens writers: Selling “look how many bugs we fix” to a corporation is a pretty crappy way of doing business, in my opinion. That I can put an appointment in my calendar for 3pm the 2nd Tuesday of each month to review patches, test them that afternoon, and start rolling them out to QA the next morning, is a fantastic way to work. When Red Hat comes out with an update, it’s at a random time, and I have to review each one individually against what I may have installed on my systems.Now, this isn’t a dig against any GNU/Linux distribution out there – free (Ubuntu) or enterprise (Novell / Red Hat) – they are forced into this disclosure/fix model by the fact that these packages are not maintained solely by the companies that are pushing the fixes. In fact, in these cases, the patches have to be done on a “per-report” basis because of how most open-source software vulnerabilities are reported.This is a great time to ask: why is OOo included in a server distro? There *has* to be some GPL or package management reason behind it, but I’d be really interested to know.

So here we see 2 points of view: MS’s (Jeff Jones’) “we’re great because we don’t have a lot of patches, which means we’re more secure;” and RH’s (Truth Happens’) “we’re great because we’ve patched all of the bugs that have been found, no matter how small.” In truth, I think the real point should be that they are 2 completely different companies with huge differences in their offerings in the “Operating System” category. To have both representatives of both companies post what amount to “nyah nyah, we’re better than you are” blogs, keeps the entire discourse of security at a childish level that helps nobody.

So, to both Jeff and the writers of “Truth Happens”: please, out of respect for your readers, look deeper into the numbers and provide some insight, don’t just knock your competition.