Secunia Report: Microsoft Apps More Secure Than 3rd Parties?

Discussion in 'other security issues & news' started by dw426, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. dw426 (Registered Member, joined Jan 3, 2007, 5,543 posts)

    "A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. We expect this ratio to increase to 4.4 in 2010."

    Full article here: http://www.pcmag.com/article2/0,2817,2366360,00.asp.

    Perhaps it's getting closer to the, imho, already overdue time to lose the Microsoft bashing.
     
  2. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    Numbers of vulnerabilities don't mean much. For instance, what if those vulns in the third party programs were all of minor/moderate severity while the ones in MS products were all critical/highly critical? I would rather have more very minor vulns than fewer critical ones. And even if we want to compare numbers, it isn't fair because M$ is closed-source and proprietary. They don't have to release any vulns they find in house. Without more info and context, the numbers mean next to nothing. What matters is how fast the vendor patches them. Microsoft loses this battle when compared to a lot of the open-source projects.

    Another big problem, as Secunia points out in their report, is there is no easy way for users to update third-party software. This has always been a huge problem on Windows because Windows was designed as sort of a mish-mash OS -- that is, MS provides the core and leaves the user on his own for finding applications that actually make the OS worth using. On my Linux box, I can update every piece of software on the whole machine with a single click. Making the system work as a single unit is something sorely missing from the Windows world. The Secunia report brings this point home several times.
     
  3. dw426 (Registered Member, joined Jan 3, 2007, 5,543 posts)

    You made a lot of good points there. I tend to agree that numbers of vulnerabilities don't mean as much as severity, but you do try to avoid having as few as possible. I LOVE the way most Linux distros handle updates, having that in Windows would be nothing short of amazing.
     
  4. Eice (Registered Member, joined Jan 22, 2009, 1,413 posts)

    ... No, thanks. Why would you want an update system that left users behind the newest Firefox 3.6.4 update for weeks?

    Windows is fine the way it is.
     
  5. wat0114 (Guest)


    Secunia PSI does a nice job of consolidating everything and provides a one click update function for individually selected programs and patches. Just clear the checkbox "Start Secunia PSI on boot" and "Enable program monitoring" if you don't want it running full time.
     
    Last edited by a moderator: Jul 13, 2010
  6. ParadigmShift (Registered Member, joined Aug 7, 2008, 203 posts)

    I agree, but the updates are mainly for Windows anyway. My Ubuntu, Mint and PCLinuxOS can live a bit longer with the 'outdated' Firefox version quite safely.
     
  7. dw426 (Registered Member, joined Jan 3, 2007, 5,543 posts)

    Actually, you too have a good point. It is EASIER to have one place to go for your updates, but yeah, if updates aren't released into the repository for ages, it doesn't do you a lot of good.

    @wat0114: Is PSI still having the same issue on Win 7 with the "can't find a suitable browser" error when trying to download updates from within it? I haven't used it in a few weeks due to that. I tried all of the ideas in their forum, but none worked.
     
  8. tlu (Guest)

    You haven't used Linux, have you? If you did you would know that security updates are applied almost immediately. This is not necessarily true for updates that introduce other features. If you want them you have the choice of adding plenty of PPAs to your repos that contain the latest versions.
     
  9. tlu (Guest)

    The topic you chose for this thread is misleading. Patches for Microsoft apps are applied more frequently. That is not the case for 3rd party apps because of the lack of a centralized update mechanism (or because only a handful of Windows users use Secunia PSI or similar solutions). Thus this doesn't tell us anything about the quality of Microsoft products being better or worse than 3rd party products.
     
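Posts 2 and 9 above argue that a raw vulnerability count says little without severity, vendor patch latency and how long users take to apply the fix. The script below is an added illustration of that argument, not code from the thread or from Secunia; the severity weights, product names and dates are constructed assumptions, and it reports, per vendor class, the count next to severity-weighted exposure-days and the two patch lags.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Illustrative weights (an assumption here, not Secunia's actual scoring).
SEVERITY_WEIGHT = {"less critical": 1, "moderately critical": 3,
                   "highly critical": 7, "extremely critical": 10}

@dataclass
class Vuln:
    product: str
    vendor_class: str             # "microsoft" or "third-party"
    severity: str
    disclosed: date               # public disclosure
    vendor_patch: date            # vendor shipped a fix
    user_applied: Optional[date]  # user installed it; None = still unpatched

def exposure_days(v: Vuln, today: date) -> int:
    """Days the machine was exposed: disclosure until the fix was applied (or today)."""
    end = v.user_applied or today
    return max((end - v.disclosed).days, 0)

def summarize(vulns: List[Vuln], today: date) -> Dict[str, dict]:
    """Per vendor class: raw count, severity-weighted exposure-days, vendor and user patch lags."""
    out: Dict[str, dict] = {}
    for v in vulns:
        s = out.setdefault(v.vendor_class, {"count": 0, "weighted_exposure": 0,
                                            "vendor_lag": [], "user_lag": []})
        s["count"] += 1
        s["weighted_exposure"] += SEVERITY_WEIGHT[v.severity] * exposure_days(v, today)
        s["vendor_lag"].append((v.vendor_patch - v.disclosed).days)   # disclosure -> vendor fix
        if v.user_applied is not None:
            s["user_lag"].append((v.user_applied - v.vendor_patch).days)  # vendor fix -> installed
    return out

# Constructed sample records (hypothetical products and dates, not from the report).
SAMPLE = [
    Vuln("ms-office-x", "microsoft", "highly critical", date(2010, 6, 1), date(2010, 6, 8), date(2010, 6, 9)),
    Vuln("ms-component-y", "microsoft", "moderately critical", date(2010, 5, 10), date(2010, 5, 11), date(2010, 5, 12)),
    Vuln("3p-media-player", "third-party", "less critical", date(2010, 3, 1), date(2010, 3, 2), date(2010, 6, 30)),
    Vuln("3p-browser", "third-party", "moderately critical", date(2010, 6, 22), date(2010, 6, 22), None),
    Vuln("3p-archiver", "third-party", "less critical", date(2010, 4, 15), date(2010, 4, 20), date(2010, 4, 21)),
]
TODAY = date(2010, 7, 12)

if __name__ == "__main__":
    for cls, s in summarize(SAMPLE, TODAY).items():
        print(cls, s["count"], "vulns;", s["weighted_exposure"], "weighted exposure-days;",
              "vendor lag", s["vendor_lag"], "user lag", s["user_lag"])
```

With the constructed data the third-party class has more vulnerabilities and more weighted exposure, but the vendor lags are comparable; the difference comes almost entirely from the user-applied lag, which is the point both posts make.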
  10. dw426 (Registered Member, joined Jan 3, 2007, 5,543 posts)

    Yes, I knew that security updates were sent out quickly. I was referring to non-security updates, sorry I didn't make that clear. I think the official repositories should release newer updates a bit more quickly, but at the same time, I understand the desire to keep stability in mind.
     
  11. dw426 (Registered Member, joined Jan 3, 2007, 5,543 posts)

    Point taken :)
     
  12. Eice (Registered Member, joined Jan 22, 2009, 1,413 posts)

    Considering that Firefox 3.6.4 fixed 4 critical vulnerabilities and 2 moderate ones, it would seem that your argument isn't exactly waterproof.

    There was another instance in the past regarding a vulnerable version of Java staying for a significant period of time in the Ubuntu repos as well, IIRC.

    Where exactly in the report is your claim evidenced by research data and/or methodology? Admittedly I didn't scrutinize it as closely as I could have, but I don't recall the report supporting such a claim.
     
  13. wat0114 (Guest)

    I haven't encountered that issue using Win7 x64, Ultimate on one PC and HP on another.
     
  14. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    If this is true I find it to be an extremely rare occurrence. Ubuntu is one of the best about speedy security updates (usually within the same day as the vendor).

    Uh, no it's not, and the Secunia paper argues this point. Updating third party apps has always been a huge mess in Windows mainly because Windows was not designed to be a complete system like the BSDs and the Linux distros.
     
  15. Eice (Registered Member, joined Jan 22, 2009, 1,413 posts)

    Sorry, but I prefer to look at results instead of rhetoric.

    My Windows installation has always been able to be updated with new versions of software as they were released. Thanks to Ubuntu's repository update policies, the same is not true for my Linux installation.
     
    Last edited: Jul 13, 2010
  16. tlu (Guest)

    Well, 3.6.4 was released by Mozilla on June 22, and added to the Ubuntu repo on June 28 due to several necessary changes for this version. One should also keep in mind that the maintainers had to make sure that it would also be running smoothly on older Ubuntu versions.

    Sun Java is no longer maintained in universe but available now from the official partner repo. Thus this should be a problem of the past.

    It should have been obvious that I meant: Patches for 3rd party apps are less frequently applied by the users.

    Secunia report p. 13:

    .. and:

    Hardly surprising.
     
  17. Eice (Registered Member, joined Jan 22, 2009, 1,413 posts)

    I think that's actually part of the problem: various programs always seem to be held back due to "stability testing". It never fails to puzzle me why Windows, Mac OS, and even some other Linux distros don't seem to need this extra testing, or change anything to prepare themselves for a web browser, and why the people in charge of this at Ubuntu invariably fail to finish test programs during their alpha, beta, and/or RC periods (which lasted for months for Firefox 3.6.4).

    That SPECIFIC problem is. Only that that particular problem isn't the entire problem itself, it's only an example of a larger issue.

    The report does present some background on why they're doing research on 3rd-party apps, but the actual report data itself is merely a comparison between the vulnerabilities that appear in Microsoft's products vs other vendors. So, yes, assuming the report data is valid, I don't think it's unfair to say that - as the OP did - it may be time to reconsider the usual anti-MS rhetoric.

    The 3rd-party app updating mechanisms on Windows aren't perfect. But most of them are actually pretty good, and compared to Ubuntu's single-point-of-failure system, and often the inability to keep your system truly updated even when the update system DOES work as intended, I'd go with the situation in Windows anytime.
     
  18. chronomatic (Registered Member, joined Apr 9, 2009, 1,343 posts)

    Because Mozilla makes sure their browser works for Windows when they release it since Windows is, you know, 90% of the market. And this is easy for them to do since Windows has a stable API. As for Linux, Mozilla only releases the source code and leaves it up to the various Linux distros to compile themselves. (Actually Mozilla does run its own Ubuntu PPA, but that isn't part of the 'official' repos).

    And a browser is a major piece of software that Ubuntu is going to make sure they get right. Most other software updates do not take a week, or whatever the time frame was, to hit the repos. It is usually a day or so.

    EDIT: And keep in mind that Ubuntu (and most other distros) treat security updates differently from feature updates. They will usually release a certain version of a piece of software and keep that version (even if the upstream developer has updated it since) until the next version of Ubuntu is released -- that is unless there is a security update. If there's a security update, the update hits the repos, on average, pretty damn quickly. If the user wants the latest and greatest version of a piece of software he can install a PPA or compile it himself.
     
    Last edited: Jul 14, 2010