Recently Jeff Jones (strategy director in the Microsoft Security Technology Unit) released an updated "one year vulnerability report" regarding Windows Vista. The data in the report shows how Vista compares to Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06, and Mac OS X 10.4 in terms of vulnerabilities during each OS's first year in the marketplace.
Jones applied several filters to keep the comparison in line with a typical Vista installation, including limiting which applications he counted. For example, Red Hat and Ubuntu ship with OpenOffice installed by default on desktop systems, but Jones didn't count OpenOffice vulnerabilities in his analysis. Depending on the OS, he likewise omitted tools such as the GIMP graphics program and the gcc compiler.
When the results were tallied, Jones found that during Vista's first year, 36 vulnerabilities were fixed by 17 patches in 9 patch events. The events were regular due to Microsoft's scheduled monthly patch releases. XP on the other hand experienced 65 vulnerability fixes in 30 patches for a total of 26 events. Quite a difference, as should be the case at this point in Windows' evolution.
Red Hat Enterprise Linux 4 Workstation experienced 360 vulnerability fixes in 125 patches in 64 patch events. Ubuntu 6.06 experienced 224 vulnerability fixes in 80 patches in 65 patch events. OS X 10.4 experienced 116 vulnerability fixes in 17 patches in 17 patch events.
The low number of patch events for Vista and OS X is due to Microsoft's fixed monthly release schedule and Apple's practice of bundling many fixes into each update (116 fixes in 17 patches). Red Hat and Ubuntu, on the other hand, publish security patches as soon as they're ready. So there's a trade-off involved: The Microsoft and Apple approach reduces administrative overhead, because admins get fewer and more predictable change windows, but a fix that's ready the day after a scheduled release waits for the next one, leaving customers exposed longer than if patches were issued immediately. (Microsoft does break the schedule with out-of-band releases for flaws under active attack, but those are the exception.)
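To put a number on that trade-off, here's an added example (not part of the column or of Jones's report) that computes, for a set of constructed fix-ready dates, how many extra days of exposure a second-Tuesday schedule adds over immediate release, and how many patch events each policy produces. The dates and the second-Tuesday rule are assumptions for illustration; Jones's report doesn't publish per-fix readiness dates.

```python
# Added example, not from the column or Jones's report: extra exposure
# caused by holding finished fixes until a scheduled release day.
from datetime import date, timedelta


def second_tuesday(year, month):
    """Date of the second Tuesday of the given month (the 'Patch Tuesday' rule)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_release(ready, schedule=second_tuesday):
    """First scheduled release day on or after the day a fix is ready."""
    candidate = schedule(ready.year, ready.month)
    if candidate >= ready:
        return candidate
    # Missed this month's slot: wait for next month's.
    year, month = (ready.year + 1, 1) if ready.month == 12 else (ready.year, ready.month + 1)
    return schedule(year, month)


def exposure_delays(ready_dates, schedule=second_tuesday):
    """Days each fix waits beyond its ready date; immediate release would give 0 for all."""
    return [(next_release(d, schedule) - d).days for d in ready_dates]


def patch_events(ready_dates, schedule=second_tuesday):
    """Distinct release days under immediate release vs. the fixed schedule."""
    immediate = len(set(ready_dates))
    scheduled = len({next_release(d, schedule) for d in ready_dates})
    return immediate, scheduled


# Constructed sample: the days on which four hypothetical fixes were ready.
SAMPLE_READY = [date(2008, 3, 3), date(2008, 3, 12), date(2008, 3, 20), date(2008, 4, 1)]

if __name__ == "__main__":
    delays = exposure_delays(SAMPLE_READY)
    for ready, delay in zip(SAMPLE_READY, delays):
        print(f"fix ready {ready}: ships {next_release(ready)}, {delay} extra days exposed")
    print("total extra exposure:", sum(delays), "days")
    print("patch events (immediate, scheduled):", patch_events(SAMPLE_READY))
```

With the sample dates, the schedule halves the number of patch events (4 down to 2) at the cost of 61 fix-days of added exposure; the fix that lands the day after Patch Tuesday waits 27 days. Over many fixes the average wait settles near half the cycle length, which is the hidden cost of the "fewer updates" column in Jones's tables.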
Near the beginning of the report, Jones suggests how the data might be useful by posing two questions: "All other things being equal, is it easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year?" And, "Which has a more negative impact on your security team and risk management process - deploying 10 security updates per year or deploying 100 security updates per year?"
The answer to the first question is rather obvious: Of course it's easier to handle risk on systems with fewer vulnerabilities, assuming that we're talking only about patching holes and nothing else. The second question is too narrow because it overlooks the fact that Windows is the most targeted OS on the planet. Asking yourselves how that fact affects your security team and risk management process would be more realistic. That aside, some of us would rather have patches immediately even if that means installing patches 100 times throughout the year.
Another issue those questions ignore is downtime. To give you a good idea of the ramifications of less-than-stellar patch installation processes, refer to my editorial of March 5, 2008, "Windows Server: The New King of Downtime" (URL below). You might recall that according to Yankee Group, Windows Server has the worst downtime record of any mainstream server OS, and that the downtime is due almost entirely to patch management.
When patching any version of Windows, a reboot is often required because the patched files (kernel components and DLLs loaded by running processes) can't be replaced while they're in use, so in many cases the OS must be taken out of service for the patch window. By comparison, UNIX and Linux systems typically don't carry such extreme burdens. For example, I've loaded many security patches on Ubuntu desktops and servers, and so far I've never had to reboot the systems nor take them offline--even systems that run high-traffic Apache and MySQL servers. Nor have I ever experienced a patch that breaks system components or services. Maybe I'm just lucky, but I don't think so.
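One check worth running alongside in-place patching on Linux, added here as an example and not taken from the column: a service that was already running keeps executing the old library until it's restarted, because the package manager replaces the file on disk, not the copy mapped into the process. The kernel marks such mappings with a "(deleted)" suffix in /proc/<pid>/maps, so scanning for them tells you which processes still need a restart before the patch actually protects them. The SAMPLE_MAPS excerpt below is constructed, and the list of ignored prefixes is an assumption covering the usual anonymous and shared-memory false positives.

```python
# Added example, not from the column: find processes still running code
# from a library that was replaced on disk by a package update.
import os
import re

# Constructed /proc/<pid>/maps excerpt: "addr perms offset dev inode path".
# libc was replaced by an update (old inode unlinked), libssl was not.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 1183 /lib/libc-2.7.so (deleted)
7f3a1c1b5000-7f3a1c3b5000 ---p 001b5000 08:01 1183 /lib/libc-2.7.so (deleted)
7f3a1c400000-7f3a1c420000 r-xp 00000000 08:01 2210 /usr/lib/libssl.so.0.9.8
7f3a1c500000-7f3a1c600000 rw-p 00000000 00:00 0
7f3a1c600000-7f3a1c601000 rw-p 00000000 00:00 0 /dev/zero (deleted)
7f3a1c700000-7f3a1c710000 rw-s 00000000 00:05 4321 /SYSV0001 (deleted)
"""

# address perms offset dev inode [path]; the path may be empty or padded.
MAPS_RE = re.compile(r"^\S+ (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Assumed prefixes of "(deleted)" mappings that are not replaced files:
# anonymous memory backed by /dev/zero, SysV shared memory, memfd objects.
IGNORE_PREFIXES = ("/dev/", "/SYSV", "/memfd:")

DELETED = " (deleted)"


def stale_mappings(maps_text):
    """Return the sorted, de-duplicated paths of replaced files still mapped."""
    stale = set()
    for line in maps_text.splitlines():
        match = MAPS_RE.match(line)
        if not match:
            continue
        _perms, path = match.groups()
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if not path.startswith("/") or path.startswith(IGNORE_PREFIXES):
            continue
        stale.add(path)
    return sorted(stale)


def scan_processes(proc="/proc"):
    """Walk a live /proc; returns {pid: [stale paths]} for processes needing a restart."""
    result = {}
    if not os.path.isdir(proc):
        return result
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "maps")) as maps_file:
                paths = stale_mappings(maps_file.read())
        except OSError:
            # Process exited, or its maps file is not readable by this user.
            continue
        if paths:
            result[int(name)] = paths
    return result


if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_processes().items()):
        print(pid, *paths)
```

Run it as root to see every process; an unprivileged user can read only the maps files of its own processes. A kernel update is the one case in-place patching can't cover, since the running kernel is never replaced; on Ubuntu the update-notifier-common package flags that by creating /var/run/reboot-required.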
Last week I did a complete OS upgrade on some Ubuntu desktops. The upgrade required the installation of 1,234 new packages. The upgrade ran completely in the background and didn't interrupt system use during installation. The systems were down for a total of about 30 seconds due to a need to reboot because the upgrades were major--similar to upgrading Vista with SP1. As far as I can see, Linux is far easier to upgrade or patch than Windows.
Although I don't think Jones's report is anything to give a lot of weight to, if you're interested in reading it you can download a copy in PDF format at Jones's blog at the first URL below. And, if you're interested to see how Windows is still the most targeted OS on the planet, get a copy of Microsoft's new Security Intelligence Report at the second URL below.
Microsoft has a long way to go to improve its patch management process. It needs to be more transparent, and patches need to be more thoroughly tested before they become available. If Microsoft could achieve that, then the company could ditch its monthly patch release schedule and make patches available immediately as in the past, but this time without putting a huge burden on administrators and end users. As things stand now, there's fear every Patch Tuesday that a patch is going to break systems. I bet that, like me, many of you never experience that fear with your Linux platforms.