A senior security director at Symantec has praised Microsoft's efforts to issue patches for security vulnerabilities in its Windows OS, but has dismissed claims that this in turn makes the OS more secure.

Symantec director Oliver Friedrichs was responding to an earlier report by Jeff Jones, strategy director at Microsoft's security technology unit. In the report, Jones said that Windows Vista had suffered fewer vulnerabilities in its first 90 days than either Linux or Mac OS X had in the same period.

Jones said that just one bug had been discovered in Windows Vista when it was rolled out to business in November, but that during the same period Windows XP had 14 bugs, Mac OS X 10.4 had 20 bugs, Red Hat scored 137 bugs, Ubuntu had 71 and SuSE notched up 80.

Commenting on the report, Symantec's Friedrichs said: "The severity of a vulnerability plays into this, too. A single vulnerability that has a high severity could lead to the next Sasser or Blaster worm, but an OS with a larger bug count, but with [ones rated] less high may be in a better defensive position overall."

Dominance plus flaws = damage

Friedrichs also warned that Microsoft's dominant market position had a big part to play in the impact that vulnerabilities had:

"A high-severity vulnerability may not receive widespread exploitation on another OS," he said. "That's not uncommon. It doesn't diminish the criticality of the vulnerability itself, of course. For that vendor's customer base it does present a serious risk, but the overall risk to the Internet may not be much."

He also said that it was hard to truly assess an OS in just a 90-day period, especially when Vista was only available to business users during that time. Enterprises are much more likely to take security seriously than home users are. Symantec says 93% of all exploits are aimed at home users, rather than businesses.

Friedrichs did, however, praise Microsoft for the speed with which it patched flaws in Windows, compared to those found in rival operating systems. It took Microsoft an average of 21 days to patch 39 vulnerabilities in the second half of 2006, compared to 66 days for Mac OS X and 58 days for Red Hat, according to a Symantec report.

The numbers that matter

The Internet Security Report Volume XI has been seized on by some tech journalists as proof that Windows is a more secure OS than its rivals. However, their reports have tended to focus on the number of patches and the speed with which they were issued, rather than the severity of the vulnerabilities themselves:

  • Microsoft actually took longer (21 days on average) to patch its Windows vulnerabilities in the second half of 2006 than in the first half (13 days)
  • Of the 39 vulnerabilities exposed, 12 were considered high severity; 20 medium severity and 7 low severity. That's worse than in the first half of the year when there were just 5 high severity risks, according to Symantec
  • Of Red Hat's vulnerabilities for the second half of 2006, 2 were considered high severity; 130 were considered medium severity and 76 were low severity
  • Mac OS X had one high severity risk; 31 medium severity risks; and six low severity risks

Web apps pose biggest threat

Symantec also looked at threats posed to web browsers. It discovered that one program - Microsoft's Internet Explorer - was targeted in 77 per cent of all web browser attacks. It also said that browsers and other web apps accounted for 66% of attacks on computers in the second half of 2006. Hackers are increasingly using medium-severity attacks as a way of exploiting PC programs too. The numbers stack up like this:

  • Internet Explorer had 54 vulnerabilities in the second half of last year; 1 of these was considered to be high severity; 13 medium severity and 40 low severity
  • Mozilla browsers (e.g. Firefox) had 40 vulnerabilities for the same period; 35 of these were considered to be medium severity and 5 low severity
  • Opera had 4 vulnerabilities, again for the same period; 2 were considered to be medium severity and two low severity
  • Apple's Safari had 4 vulnerabilities, again for the same period; 2 were considered to be medium severity and two low severity