March 23, 2007 9:34 AM PDT

Study: Windows has fewest security holes

Microsoft Windows has the lowest number of vulnerabilities and the fastest turnaround time for patches of all commercial operating systems--but it also has the most serious flaws, according to Symantec.

Despite having the fewest security holes, Windows was hit by more critical flaws than either Red Hat Linux or Mac OS X, Symantec found.

Symantec's latest "Internet Security Threat Report" (PDF) reveals 39 security holes were discovered in Windows during the second half of 2006, with an average patch development turnaround time of 21 days, up from the 22 Windows holes found in the first six months of the year.

Red Hat Linux had 208 vulnerabilities for the same period with an average patch time of 58 days, a huge increase on the 42 patched vulnerabilities for the first half of the year.

Apple's Mac OS X had 43 vulnerabilities--more than double the number for the first half of 2006--and an average patch time of 66 days.

But almost one-third of the 39 Windows holes were high severity, and 20 were medium severity. Just two of the 208 Red Hat Linux security holes discovered were high severity, with 130 medium severity and 70 low severity. Only one of the Mac OS X holes was considered high severity, with 31 classed as medium and 11 as low severity.

The report found that Windows also had the most vulnerabilities with exploit code and exploit activity, which Symantec claims may be one explanation why Microsoft has been pressured to develop and issue patches more quickly than other vendors.

Mozilla Web browsers, such as Firefox, are also more secure than Microsoft's Internet Explorer, according to the report.

It found 54 holes in IE during the second half of 2006, with one of these being of high severity, compared with 40 holes in Mozilla browsers, which had no high-severity vulnerabilities. Only four holes were found in the Safari and Opera browsers over the same period.

The latest Symantec threat report, which covers the six-month period from July 1 to December 31, 2006, also reveals the number of "zombie" PCs hijacked by hackers and used to launch denial-of-service attacks or send out spam has risen by almost 30 percent in the past year.

Arthur Wong, senior vice president for Symantec Security Response and Managed Security Services, said attack methods used by cybercriminals are becoming more complex and sophisticated to escape detection.

See more CNET content tagged:
severity, Red Hat Linux, security hole, Red Hat Inc., Symantec Corp.

24 comments

Join the conversation!
Add your comment
The key statement in the report is:
"Microsoft Windows was the operating system that had the most
vulnerabilities with associated exploit code and exploit activity in
the wild."

And that is all that matters.
Posted by rcrusoe (1305 comments )
Reply Link Flag
"Microsoft Windows...
... has the lowest number of vulnerabilities and the fastest turnaround time for patches of all commercial operating systems--but it also has the most serious flaws, according to Symantec...". What else to expect from a scenario such as this when Microsoft Windows (Code-Base OS/2)--from all appearances are still works-in-progress and also commands 90% plus market share!
Posted by Commander_Spock (3123 comments )
Reply Link Flag
Commander_Spock is a talkbot
Not human.
Posted by lesfilip (496 comments )
Link Flag
Am I blind?
Have a look at known vulnerabilities at Mozilla's official site:

<a class="jive-link-external" href="http://www.mozilla.org/projects/security/known-vulnerabilities.html" target="_newWindow">http://www.mozilla.org/projects/security/known-vulnerabilities.html</a>

There at at least 5 critical vulnerabilities reported in the second half of 2006, and Mozilla defines "critical" as "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
Posted by dpff (1 comment )
Reply Link Flag
I was wondering that too...
I was wondering that too... I guess Symantec doesn't think Mozilla has the right to classify vulnerabilities.
Posted by timber2005 (720 comments )
Link Flag
But...
How often do these things actually pan out? Very rarely!

IE holes, on the other hand, are exploited quite regularly.
Posted by ddesy (4336 comments )
Link Flag
yes, because you missed something:
Mozilla != Linux. ;)

/P
Posted by Penguinisto (5042 comments )
Link Flag
Need to learn Microsoft lingo...
Critical in Microsoft's vocabulary means critical to their corporate future sales.

Microsoft NEVER talks on the same wave length as the rest of the security industry.

Walt
Posted by wbenton (522 comments )
Link Flag
"Symantec's" AV Products+MS Windows =...
... Bloated Source-Code OS/2. LOL!
Posted by Commander_Spock (3123 comments )
Reply Link Flag
Okay....
The OS/2 obsession is getting rather old!
Posted by ddesy (4336 comments )
Link Flag
If Symantec says so it must be true....
OMG, but isn't this akin to Lucifer knocking on your door and saying "Hi, I'm here on behalf of Vacation in Hell Tours and we're offering a free all-expense paid trip if only you'll sign right here obligating you to believe that Windows is secure...and that you'll buy all Symantec products to assure so."
Posted by Schratboy (122 comments )
Reply Link Flag
OS flaws verses program flaws
Is it right to bunch flaws with the operating system with flaws
from 3rd party applications? Certainly MS, Apple and Red Hat
aren't responsible for bugs found in others manufacturers
products?

I'm also not really keen on the 'security researchers'. Heaven
knows I'd love to have a job where I point out someone else's
flaws all day but is is really all that beneficial?

I'd love to see a study on how much of these increases can be
attributed to the exploits being 'known' (i.e. reverse engineered
from the patches) versus them being genuinely exploited?
Posted by mathue_tax (56 comments )
Reply Link Flag
Added to...
... to the bunching of "flaws with the operating system with flaws from 3rd party applications... are the overarching questions of certain computing functionalities/limitations--when are these issues (that might really matter) are really going to be addressed after over two decades and counting!
Posted by Commander_Spock (3123 comments )
Link Flag
Headline does not reflect actual conent of story!
CNET's headline writers ought to spend more time reading the content that they attempt to summarize in a few words, because the headline of this particular is quite misleading. Based on the text of article, better, more accurate headlines ought to say:

Windows Security Holes Are Most Critical

Windows Has Most Critical Security Holes

Security Holes in Windows Rated Most Critical

Security Holes in Windows Tend Toward Most Severe


I think those tell the story better than the current distorting headline
Posted by jmbattaglia (5 comments )
Reply Link Flag
The funny thing though...
... even if CNET's headlines repeated state "Windows Security Holes Are Most Critical Windows Has Most Critical Security Holes Security Holes in Windows Rated Most Critical Security Holes in Windows Tend Toward Most Severe... will these "Security Holes" stop users from opening their pocket books to purchase even more Windows and Windows Products; besides, wouldn't articles like these (as one poster stated above) make companies like Symantec rush to smilingly offer super "Vacation in Hell Tours"!
Posted by Commander_Spock (3123 comments )
Link Flag
No kidding!
You'd almost think Miscrosoft owns CNET too...
Posted by hounddoglgs (74 comments )
Link Flag
very technical indeed
Windows has fewer problems only because they fix the holes quicker and more people reported the bugs. More people worked on the bugs/problems. Norton/Symantec did an unbias study despite of their displeasure of Microsoft. I appluded them for that effort. Apple OS and Linux have more problems just because they took their time to fix their tech issues. In the other hand, Microsoft has more problems popping up everytime and more conflicts with software like Firefox browser or even with their own family of software like Windows Media Player. These are remaining ever ending vicious cycle of OS manufactures to deal with more the quicker the hacker hack the OS systems or softwares.
Posted by ilovewoofs2 (7 comments )
Reply Link Flag
(* ROFLMAO *)
After reading the title... I didn't feel like reading the rest of the story...

Such a farse of a title deserves to be ignored!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.